Octopus User Manual

Octopus
Multi-Protocol Forensic
Acquisition Device
User Manual
December, 2015
Octopus Multi-Protocol Forensic Acquisition Device User Manual
Content
1 INTRODUCTION
  Overview
  Functions
2 COMPONENTS
  Front Panel
  Accessories
3 DEVICE CONNECTION
4 USAGE
  Acquisition
  File Management
  Menu Item
5 OFFLINE WINFE ACQUISITION
  Offline Acquisition
6 FAQ
1 Introduction
Overview
The Octopus Multi-Protocol Forensic Acquisition Device is a
multi-protocol forensic imager that provides very fast data imaging
from a target computer. Compared to a single-channel imager, the
Octopus can provide 4 times the data transfer speed.
Functions

- High-speed acquisition: achieves 45.5 GB/min when 4 channels
  work simultaneously.
- Flexible settings: automatically recognizes basic information
  of the source device and allows manual setting of the
  acquisition channel order.
- Fault tolerance: when an error occurs on a channel, the other
  channels are not affected.
- Rich interfaces: provides USB 3.0 (compatible with USB 2.0),
  eSATA, and Thunderbolt interfaces.
- Continued imaging: if data imaging is stopped unexpectedly,
  the Octopus automatically records the progress and can
  continue the imaging when the task is resumed.
- Disk changing: you can acquire data from target devices of
  larger capacity and are no longer limited to the capacity of
  the disks in the four channels.
- Continued export: you can export the image files acquired
  before and after disk changing to target paths respectively.
- View content: you can view the content of an image file in
  read-only mode.
- Image storage: allows regrouping of image files. Image files
  can be saved to a file server.
- Parallel acquisition: performs acquisition on multiple devices
  if the capacity of the disks is large enough.
- File management: you can manage image files using the
  application and remove image files at any time.
- WinFE startup: you can start a computer using WinFE OS,
  without modifying the original data on the computer.
2 Components
Front Panel
The following figure shows the front panel of the Octopus.
Where
1 Channel 1 Thunderbolt Port
2 Channel 1 USB 3.0 Port
3 Channel 2 USB 3.0 Port
4 Channel 2 1394B Port
5 Channel 3 USB 3.0 Port
6 Channel 3 eSATA Port
7 Channel 4 USB 3.0 Port
8 Channel 4 eSATA Port
Accessories
4-Port USB 3.0 Hub
The 4-Port USB 3.0 Hub is used to provide extra USB 3.0 interfaces
for a computer. It provides a maximum of four USB 3.0 interfaces,
all of which can be connected at the same time.
The following figure shows the front panel of 4-Port USB 3.0 Hub.
Where:
1 USB 3.0 interface indicator
2 USB 3.0 interface
3 USB 3.0 data cable Interface
4 Power interface
To use the USB 3.0 Hub, connect the USB Hub to the USB 3.0
interface on the rear panel of the Octopus.
Cables
Cables provided by the Octopus are shown in the following figure.
Where
1 USB 3.0 Data Cable (Channel 1)
2 USB 3.0 Data Cable
3 eSATA Data Cable
4 Thunderbolt Data Cable
5 1394B Cable
3 Device Connection
Perform the following steps to connect the Octopus to the computer.
1 Use a USB 3.0 or eSATA data cable to connect the HOST
channel of the Octopus to the target computer.
NOTE: Channel 1 provides 2 ports. It is recommended to use the
USB 3.0 port. If you choose the Thunderbolt port, connect the
devices before starting the computer. If both are connected, the
computer will recognize the Thunderbolt port.
CAUTION: If both ports of Channel 1 are connected, WinFE might
fail to start.
2 Use USB 3.0 data cables to connect Channels 2, 3, and 4 to the
computer.
NOTES: Note the following when connecting Channel 2, Channel 3
and Channel 4:
a. When both Channel 2 ports are connected, the computer
recognizes the port that is connected first.
b. For Channels 3 and 4, do not connect the eSATA port if
you want to use the USB 3.0 port. If you want to use the
eSATA port, connect the eSATA cable for data transfer
and the USB 3.0 cable for power supply.
c. If the computer does not have enough ports, use the 4-Port
USB 3.0 Hub to provide additional ports. Refer to Section
“4-Port USB 3.0 Hub” for specific usage.
4 Usage
Octopus provides two main functions: Acquisition and File
Management. Acquisition is used to acquire data from the
target computer using a startup USB thumb drive. File Management
is used to view, export, and delete image files and browse reports.
Acquisition
1 Connect Octopus to the target computer. See Chapter 3
"Device Connection" for reference.
2 Wait for the target OS to recognize Octopus.
NOTE: Besides HOST 1, there are three other channels, that
is, Channels 2, 3, and 4. Connect all these channels to the
target computer to achieve higher data imaging speed.
3 (Optional) Close all running antivirus software on the target
computer.
4 Go to the root directory of HOST 1, and double-click
“Lanuch.exe” to start the Octopus application.
CAUTION: Do not remove the HOST 1 channel data cable while
using the Octopus application.
5 In the initial interface, move the cursor to the function area of
“Copy disk” and “Manage files” to view their descriptions. Click
the button to use the respective function.
6 In the Main Interface, select the disk or partition that you want
to acquire. The selected object will be added to the task list in
the right pane.
NOTE: To deselect a disk, uncheck it to remove it from the
task list.
7 Click [icon] and set acquisition parameters on the right pane.
The meaning and setting method of the parameters are
shown in the following table.
Parameter       Description
Verify          Specifies the verification mode. Two modes are
                available: MD5 and SHA-1.
                NOTE: This mode is only available in WinFE mode.
                Verification during acquisition will greatly reduce
                acquisition speed.
Read Error      Sets how errors in reading source disks are handled.
                Specifies the number of retries and the specific
                method.
Write Error     Sets how errors in writing to target disks are
                handled. Specifies the number of retries and the
                specific method.
Resume Setting  Specifies whether to record the progress when an
                acquisition task is stopped. If recorded, the task
                can be continued next time.
                NOTE: Continued acquisition may cause data rollback.
                Therefore, the average speed may not be equal to
                Task Capacity/Acquisition Time.
8 Click Apply to apply the settings.
9 Click [icon]. The imaging begins and the imaging process is
displayed in the lower pane.
NOTE: Before starting the acquisition task, click Initialize to
remove historical data stored on Octopus.
During acquisition, information such as current speed and
time left is displayed in the meter. If you want to stop
acquisition, click [icon] in the meter or X in the right pane.
NOTE: During acquisition, if there is not sufficient remaining
space in the channel disks (not the host channel), the
following dialog box is displayed. Click OK to continue after
you change the disks in the corresponding channel.
10 After acquisition is completed, the following dialog box is
displayed. Click OK and the system enters File Manager
interface for you to manage files and reports.
File Management
Click [icon] to display the File Manager interface.
In the File Manager interface, the Time column displays the
acquisition start time. The Disk Info column displays the disk
model, size, task status, channel information, and so forth. In the
Operation column, you can perform the following operations:
Operation       Description
View File       Click [icon], or select a task and select View in the
                dialog box that pops up, to load an image file. You
                can view its contents in Windows Resource Manager.
                NOTE: Loading an image file may take a long time.
                Please wait patiently.
Export File     Click [icon], or select a task and select Export in
                the dialog box that pops up, to export the files
                acquired in the selected task to the specified path.
                NOTE: If you change the disks during a task, a prompt
                informing you that the export has stopped is
                displayed when you export the files. If you continue
                to click [icon], the program informs you that the
                files are incomplete in the current channel. Change
                the disks and continue the export.
View Report     Click [icon] to view the task report.
Delete File     Click [icon] to delete the selected task and the
                corresponding files.
Menu Item
Click [icon] to display the system menu.
Where:
- Help: Display the help document of Octopus.
- About: Display the version of Octopus.
5 Offline WinFE Acquisition
When a target computer is shut down, you can use WinFE OS to
start the computer and acquire an image file. The operating
procedure is as follows:

If the OS of the target computer is Windows:
1 Connect Octopus to the target computer. See Chapter 3
"Device Connection" for reference.
2 Go to the BIOS settings of the target computer, navigate to
BOOT > Hard Drive BBS Priorities settings, and press the Enter
key on the keyboard.
3 Select “ASMT 2015 0” and set the HOST channel as the
primary boot device.
NOTE: The BIOS settings might vary among different models
of computers.
4 Save and quit BIOS.
5 Select the operating system after the computer is turned on,
as shown below. Windows 64-bit is selected by default.

If the OS of the target computer is MacOS:
1 Connect Octopus to the target computer. See Chapter 3
"Device Connection" for reference.
2 Start the target computer. Press and hold the Option key on
the keyboard to enter the BOOT selection interface.
3 Select “EFI Boot”, as shown below.
CAUTION: If you cannot start WinFE OS after the preceding
steps, try to use the WinFE startup thumb drive to start
WinFE. See Chapter 6, “FAQ” for details.
CAUTION: In BIOS, set the system to boot from USB flash
drives. If there are three options related to Sandisk and
booting fails when the first one is selected, try the second
or the third one.
Offline Acquisition
1 In the WinFE system, if the host channel is already
connected, the program of the Octopus Multi-Protocol
Forensic Acquisition Device runs automatically.
2 Perform acquisition in the program. Refer to Section
“Acquisition” on online acquisition for details.
CAUTION: Unlike online acquisition, MD5 and SHA-1
verification are performed during offline acquisition to confirm
whether there is any change in the source data.
6 FAQ
Q1 Will the Initialize Device operation remove external files in
the HOST channel?
A1: External files that are manually copied to the HOST channel
cannot be deleted using the Initialize Device operation. You need
to delete them manually.
Q2 Why can't WinFE OS be started after setting the HOST 1
channel as the primary boot device in BIOS?
A2: If WinFE OS cannot be started through the HOST 1 channel, set
the primary boot device to USB, and use the WinFE USB thumb
drive to start WinFE OS.
Q3 Why can't the Thunderbolt interface be recognized?
A3: The Thunderbolt interface currently does not support
hot-plugging. To have the Thunderbolt interface recognized, you
need to shut down the computer, connect the Thunderbolt
device to the computer, and start the computer again.
Q4 Why are some channels not recognized when connected to the
front panel of a computer?
A4: There are two causes:
- Insufficient power supply on the computer front panel.
- The internal wiring for the front panel USB interfaces is too
  long, making the connection unstable.
It is recommended to connect the Octopus to the rear panel.
Q5 Why does the data transfer speed vary among different
computers?
A5: The Octopus can reach a maximum data transfer speed of
45.5 GB/min. The speed, however, may be affected by three
factors:
1. The data-out speed of the hard disk on the target computer
   (commonly 5-7.5 GB/min).
2. The channel data transfer speed limit (USB 2.0, for example,
   cannot provide USB 3.0 data transfer speed).
3. The number of channels connected to the computer: the more
   channels connected, the faster the data transfer speed.
Q6 If a target is already acquired, can I acquire it a second time?
A6: No, you cannot acquire a target that is already acquired. If
you want to perform a second acquisition, you need to modify
channel settings (such as adding or reducing connected channels)
or delete the acquisition information of this channel in the File
Manager panel, and then add this task again.