Friday, June 1, 2007

Conclusion

Our lab is now ready to handle more cases. All of the computers have their forensic software installed and are networked with each other. The agency that I worked with has recently received an increased budget for training and new equipment. Unfortunately, I will not be the one continuing from here, as I have moved on elsewhere.

The investigator that I worked with was impressed with my work and recommended me to a private company in the industry. I will now be working there as a forensic technician.

Tuesday, May 15, 2007

Standard Operating Procedures

Standard operating procedures (SOPs) are a set of procedures that employees are expected to perform for a given task. By having consistent methodologies, errors are less likely to occur. If employees followed their own rules, it would be difficult to track exactly what was done. Should an employee leave, the company or agency may be left with confusion. At the local agency I am working for, each investigator currently has their own methods. This works here because there are only a few investigators that use the lab. Each case is also handled by one investigator from beginning to end. However, SOPs can still be useful for the lab. New investigators who are not familiar with the agency's procedures can read them like a manual and perform the steps correctly. If we have a forensic duplicator that a technician is not familiar with, he or she can look at the SOP, follow the steps, and still complete the task. SOPs are not procedures set in stone. Not all cases are the same and may require different procedures to be performed.

Tuesday, May 1, 2007

Forensic Lab Update

We received the computers for the lab and I already set them up. Now, we need to add a network switch in the room so that each computer can communicate with each other. Once the switch is in place, we can share the hard drives from each computer to allow easy file transfers among the machines.

Although there are three computers, we are only using two monitors. We have the two LCD monitors that came with the new PCs and two huge CRT monitors. However, due to limited space, we removed the CRT monitors from the room. Instead, we are using a KVM switch for two of the computers. We also need to get the forensic server up. I am trying to get all of this set up as soon as possible because it will be put to the test soon!

Some companies in the private sector do some things to impress a client such as running simulated processes on multiple screens. It's all for show. However, the public sector is different. There are no clients to impress. Sometimes, we need to work with what we have and aim for functionality. That's not to say that labs in the public sector are not impressive. I have seen some very nice labs from the state and federal government.

Saturday, April 28, 2007

Forensic Network

Our plan is to have a forensic network separate from the agency's network. The forensic network should not have any connection to the Internet. This is to prevent any chance of outside access to the evidence. We have three forensic machines and one forensic server. The forensic server will be used to store the case files and images we acquire. It is still best to work on the images locally. Therefore, we would copy the images to our local machines, examine the data, and then upload the case files and report to the server. This has many advantages. First, instead of storing different cases on each forensic machine, we have one centralized location. This allows each machine to have access to all cases from the server. Second, we can archive each case more easily. The standard cables we use are cat5e. For faster access, we may switch to fiber optic, but this is more expensive.

We want to make the lab more efficient for investigators and let them focus only on examinations. They do not need to worry about running out of space or backing up the evidence. The agency's IT staff or forensic technicians can take care of this. If the forensic server is located in the data center, it can be maintained accordingly.

For convenience, it would be nice to have a machine with internet connection next to the forensic machines so that the investigator can use the Internet for reference, get software updates (and transfer it to a forensic machine to install), look for assistance on forums, and check emails.

One more thing I like to do is to remote into the other forensic machines from my forensic machine, and do work on each one from one location. Then I can easily check up on each, without having to get up and look at each screen.

Tuesday, April 24, 2007

Ultimate Toolkit

We are mainly an EnCase shop here, but I managed to convince the supervisor to spend a little more for AccessData's Ultimate Toolkit (UTK). They bought UTK with the AccessData Bootcamp training for one of their investigators to attend. The reason I am excited is that we are currently working on a case that requires extensive searches using many keywords. Yes, EnCase has a new index function in its current version. However, we did not get it to work properly yet. It also requires us to use conditions to find the terms we want. FTK's index feature is much easier to use. Index the case, and use the search box. It works as expected. Hopefully, it arrives soon so that I can show them how to use it. UTK also includes Password Recovery Toolkit (PRTK), Registry Viewer, and Distributed Network Attack (DNA). PRTK is a powerful tool for decrypting password-protected files using different schemes from a dictionary attack to a brute force attack. DNA is similar to PRTK, but allows multiple computers to work together to decrypt the encrypted files. Registry Viewer provides an easy way to decode data in the Windows registry.

Thursday, April 19, 2007

Computer Forensics Hardware

Although our forensic machines are capable of performing multiple tasks such as wiping, duplicating, and archiving data, dedicated hardware can make our lab more efficient. While we cannot currently afford any of this equipment, we are trying to get the money to do so. These are some of the pieces of equipment that I have experience using and will recommend to my supervisor.


Wiping:
Wiping a drive can take several minutes or hours, depending on its size and the method used. If we were wiping one drive at a time, we could spend a whole day wiping drives on a machine that could otherwise have been used for investigations. For wiping multiple drives, I would use Logicube's Omniclone 5Xi.

This model has six bays, one for the master drive, and five for the drives to be wiped. It also has other capabilities, such as copying, although I am not certain that it does forensic copies. The light bar, which resembles a stop light, notifies the technicians when it is functioning properly (green), waiting for a response (yellow), or an error occurred (red). The good thing about this is that we can wipe multiple drives, walk away, come back, and check up on it. It also does not tie down our forensic machines. We usually wipe drives of the same size so that they all finish at the same time. For much larger drives, we wipe them overnight (to not tie down the Omniclone itself) and come back the next day.


Duplicating:
We always create forensic duplicates of the original evidence, and usually do so in EnCase or FTK Imager. However, there are times when we have to go outside the lab to perform an acquisition. It would be impractical to take our lab machines with us to the scene. Therefore, we usually rely on a mobile solution. This can include a laptop in a briefcase, with the forensic software installed. However, I prefer to use Logicube's Forensic Talon.

The source (evidence drive) goes outside, destination (forensic copy) inside. Within a few minutes, we can have it set up and creating dd images. We bring the copies back to our lab, and can either convert them to EnCase images, which are compressed to save space, or just add the images directly into the case. Because dd images are not compressed, and we don't know the size of the evidence drive to begin with, we usually carry high capacity hard drives. Also, the destination drive inside the case can get really hot, so we keep the Talon open when acquiring.


Archiving:
Image files are usually placed on our forensic servers and take up space when they are no longer needed. Once a case becomes inactive, we need to archive it. If it is a large case, we usually archive to tape. However, many cases are small enough to fit on DVDs. Currently, we are using one of our forensic machines to burn these files to DVD. However, this manual task can get tedious. First, we have to make sure the files all fit on one DVD. If not, we must manually split them. Then, once each DVD is done, we must manually remove one DVD and put the next one in and repeat the process. This wastes the investigator's time and the machine used to burn the DVDs. A better method is to use an automated machine. I have had good experience with Primera's Optivault Archival Appliance.

This robot uses the Retrospect backup software that lets you archive, backup, and restore files to DVDs and other media. The best part of this machine is that it is pretty much a start and forget system. Once we archive a case, the machine will take care of burning the files, switching DVDs, printing labels, and verifying that files were copied correctly. This minimizes both human and CPU time.

We usually create two sets per case. One is sent to a remote location and one stays in-house. This is so that we can restore the case if necessary and can get the second backup if something is wrong with the first.
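The manual splitting described above is exactly the kind of thing a short script can do before anything is burned. The following is an added example, not the lab's own tooling or Primera's software: it plans which files go on which single-layer DVD (largest files first, each into the first disc with room), refuses anything that cannot fit on one disc, and writes one md5sum-style manifest per disc so each burn, and the second off-site set, can be verified later. The usable disc capacity is an assumed figure.

```python
"""Plan DVD archive sets for an inactive case and write per-disc manifests."""
import hashlib
import os

# Usable capacity of a single-layer DVD-R (marketed as 4.7 GB), with a
# margin left for filesystem overhead on the burn.  Assumed figure.
DVD_CAPACITY = 4_700_000_000 - 50_000_000


def plan_discs(sizes, capacity=DVD_CAPACITY):
    """Assign files to discs using first-fit decreasing.

    sizes: dict of {relative_path: size_in_bytes}.
    Returns a list of discs, each a list of paths, in burn order.
    Raises ValueError for any file that cannot fit on one disc.
    """
    too_big = [p for p, s in sizes.items() if s > capacity]
    if too_big:
        raise ValueError(f"files larger than one disc: {too_big}")
    discs, free = [], []
    # Largest file first; ties broken by name so the plan is reproducible.
    for path, size in sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0])):
        for i, space in enumerate(free):
            if size <= space:          # first disc with enough room
                discs[i].append(path)
                free[i] -= size
                break
        else:                          # no disc had room: start a new one
            discs.append([path])
            free.append(capacity - size)
    return discs


def md5_file(path, chunk=1 << 20):
    """MD5 of a file, streamed so multi-gigabyte images do not load into RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifests(case_dir, out_dir, capacity=DVD_CAPACITY):
    """Size every file under case_dir, plan the discs, and write one
    manifest (md5sum format) per disc into out_dir.  Returns the plan."""
    root, sizes = os.path.abspath(case_dir), {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            sizes[os.path.relpath(full, root)] = os.path.getsize(full)
    discs = plan_discs(sizes, capacity)
    os.makedirs(out_dir, exist_ok=True)
    for n, paths in enumerate(discs, 1):
        with open(os.path.join(out_dir, f"disc{n:02d}.md5"), "w") as m:
            for rel in sorted(paths):
                m.write(f"{md5_file(os.path.join(root, rel))}  {rel}\n")
    return discs
```

Each manifest can be checked against the burned disc with `md5sum -c disc01.md5` (or any tool that reads that format) before the originals are removed from the server.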

Saturday, April 14, 2007

Accessories

I was asked to take a look at what we could buy with the remaining funds. Therefore, I decided to buy several accessories to handle the different types of media that are expected to arrive at our lab.

First, standard cables such as IDE cables, power cables, SATA cables, USB A to B, USB A to mini-B, and CAT5e cable. Since these are usually inexpensive, I bought a pair of each just in case.

Next, we bought some adapters. A USB-to-SATA/IDE 2.5/IDE 3.5 adapter lets us connect SATA drives, laptop drives, and IDE drives to standard USB ports. A SATA-to-IDE cable lets us connect SATA drives to our IDE write blockers. This is a cheaper alternative than buying a separate SATA write blocker and IDE write blocker.

Other accessories we bought were extra hard drives and external hard drive enclosures. With this, we can easily add disk space to our forensic machines and move them to other machines. We also bought USB flash drives for quick file transfers among the machines.

At this point, we can handle floppies, CDs/DVDs, IDE hard drives, SATA hard drives, and USB devices. These are the more common types of media we receive. However, there will be times when we will receive other types of media such as SCSI drives, tape drives, and other media that we may not have a solution for. At this point, we have several options. We can buy equipment to handle these types of media or we can outsource this to a company that specializes in data conversion. Of course, if required, it must be forensically sound. Our decision would depend on our budget and experience of the technicians.

Wednesday, April 11, 2007

Computer Forensics Software

There are many computer forensics software packages available that serve different purposes. In fact, some programs were not designed for forensics, but are used as tools to assist. Some are free, some are expensive. We'll go over each one. Of course, these are just my own personal opinions. For the record, we are using EnCase 6 and Paraben's Email Examiner. I plan to install FTK Imager, Robocopy, R-Studio, and M2CFG Writeblock Utility.

Analysis Software:
EnCase 6 is an expensive, but powerful software that is used mainly for imaging and analysis. Personally, I do not like the interface but since they are the largest software company in the industry, many investigators are used to it. I don't like the fact that you have to scroll horizontally to access some functions. I would prefer to see everything at once. The new index function is not as good as FTK's yet. Searching is awkward. I would think by clicking the Search function, I can start searching. However, it is not that intuitive. You need to enter keywords (for live search) or conditions (for the index) in a separate window from the Search function. However, it is a powerful software. It just has a higher learning curve than other programs. I'm sure I would like it more once I take their training courses. An important note is that it has been proven in court over and over again and has been accepted by the courts.

Forensic Toolkit (FTK) 1.7 is less expensive than EnCase, but just as powerful. FTK's interface looks overwhelming at first as there are many buttons on the main window. However, their basic training course makes it very easy to learn. With that said, everything is where you expect it to be. Images, email, and search are easy to use and straightforward. The reports feature creates a nice and clean report of what the investigator found. The index feature makes it easy to do multiple keyword searches. Although it takes a long time to start the case, as it indexes everything first, search results are instant afterwards. FTK 2.0 (not out yet as of this writing) uses multiple threads to allow the investigator to work directly in the case while indexing at the same time. Although I prefer FTK over EnCase, it is important to know both as you may find some cases where EnCase can find things that FTK cannot and the other way around.

Imaging:
FTK Imager provides an easy way to image a hard drive. It allows the investigator to create dd images, Smart images, and EnCase images. The program loads quickly, allows easy previewing of a hard drive, and is my preferred choice for imaging. It is also available free from AccessData.

Forensic Copy:
Robocopy is a free program and is part of the Windows Server 2003 Resource Kit Tools. Although previous versions did not copy forensically, the new version does. This is a very fast and efficient program that will retry copying automatically if it fails. There were times when I had to copy logical files from one drive to another and hope the copy did not fail. With this program, I can leave it overnight and not worry about it. Pinpoint Labs provides a free user interface for Robocopy. They also provide other free tools that are worth checking out.

XXCopy is another good copy program. The professional version is not free, but is still inexpensive. However, between the two copy programs mentioned, I would choose Robocopy over this.

USB Software Writeblock:
Windows XP SP2 allows users to writeblock USB devices through the registry. A white paper for this is provided by AccessData here. The Mid-Michigan Computer Forensics Group provides a user interface utility for this feature. To work properly, the USB device must not be connected to the computer first. Then enable the writeblock. Then plug in the device. Any devices already connected when the writeblock was enabled will not be protected. As always, verify that all software you use works properly. One problem that I have with this program is that it does not state the current status of the writeblock (enabled or disabled). I also prefer to use a hardware writeblocker over software.
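Since the utility does not show the current state, here is an added example (not the Mid-Michigan utility or AccessData's paper) that reads and sets the policy directly. The setting is the `WriteProtect` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies`; 1 blocks writes to USB mass-storage devices, 0 allows them, and on a fresh install the key does not exist at all, which the example reports separately so it is not mistaken for a deliberate "disabled". The registry read is passed in as a function so the decoding can be run on any platform; the real read uses the standard `winreg` module and needs administrator rights on Windows.

```python
"""Report and set the USB write-protect policy on Windows XP SP2 and later."""

KEY_PATH = r"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
VALUE_NAME = "WriteProtect"


def read_write_protect_from_registry():
    """Return the raw DWORD, or None if the key or value does not exist."""
    import winreg  # Windows-only; imported here so the module loads anywhere
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None
    if kind != winreg.REG_DWORD:
        raise TypeError(f"{VALUE_NAME} is not a REG_DWORD (type {kind})")
    return value


def writeblock_status(read_value=read_write_protect_from_registry):
    """Classify the policy as 'enabled', 'disabled' or 'not set'.

    read_value is the registry lookup; a stand-in can be supplied for
    testing off Windows.
    """
    value = read_value()
    if value is None:
        return "not set"       # key or value absent: writes are allowed
    if value == 1:
        return "enabled"       # devices plugged in from now on are read-only
    if value == 0:
        return "disabled"      # explicitly set to allow writes
    raise ValueError(f"unexpected {VALUE_NAME} value {value!r}")


def set_write_protect(enabled):
    """Set the policy.  Only devices plugged in afterwards are affected,
    so unplug the evidence device before enabling, then reconnect it."""
    import winreg
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD,
                          1 if enabled else 0)


if __name__ == "__main__":
    print(f"USB write-protect: {writeblock_status()}")
```

As the post says, test it: enable the policy, plug in a scratch drive, attempt a write, and confirm it fails before trusting it with evidence.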

Mounting Images:
Sometimes we want to mount images to preview the drive. Although FTK Imager is capable of achieving this function, sometimes it is easier to see it mounted in an interface we are used to. Mount Image Pro 2.0 is an inexpensive software that lets us mount dd and EnCase images as Windows drives. From there, we can preview the drive as if it were part of our local computer.

Another great piece of software is Mount Everything. One time, we received many UNIX drives to investigate. We had to boot a system using Knoppix, create a Samba server, and from there, image the drive through the network. At that time, I did not know about Mount Everything. This program lets us mount the UNIX drive as a Windows partition. It shows as another drive in Windows Explorer, which makes it much easier to image.

Wiping Drives:
EnCase can be used to wipe drives, however I prefer to use WinHex. WinHex is a powerful, but affordable software that provides a low-level view of drives. When I am wiping multiple drives, I prefer to use a hardware solution that allows multiple drives to be connected at once. However, to verify that a drive has been zeroed out, or to wipe a single drive, I prefer to use WinHex. WinHex lets us decide whether to do a single pass or a Department of Defense (DoD) wipe. To quickly verify a wiped drive, I like to run the checksum function and see that it adds up to 0.
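The checksum trick above works because a sum of all-zero bytes is zero, but it does not say where a wipe went wrong. Here is an added example, not WinHex's function, that streams a drive or dd image in large blocks, confirms every byte equals the expected fill value (0x00 for a single zero pass, or another byte if the last pass of a wipe used one), and reports the offset of the first mismatch. On Windows a raw device path such as `\\.\PhysicalDrive2` can be opened this way with administrator rights; an image file works on any platform.

```python
"""Verify that a wiped drive or image reads back as a single fill byte."""
import sys


def verify_filled(path, fill=0x00, block_size=4 * 1024 * 1024):
    """Return (ok, first_bad_offset, bytes_checked).

    ok is True when every byte equals `fill`; first_bad_offset is None in
    that case and the byte offset of the first mismatch otherwise.
    bytes_checked is how far the scan got before stopping.
    """
    expected = bytes([fill]) * block_size
    offset = 0
    with open(path, "rb") as dev:
        while True:
            block = dev.read(block_size)
            if not block:                       # end of device: all good
                return True, None, offset
            # Fast path: compare the whole block at once (sliced so the
            # final short read is handled).  Only on a mismatch do we
            # scan byte by byte to locate the first bad offset.
            if block != expected[: len(block)]:
                for i, b in enumerate(block):
                    if b != fill:
                        return False, offset + i, offset + len(block)
            offset += len(block)


if __name__ == "__main__":
    # usage: verify_wipe.py <device-or-image> [fill-byte-hex]
    target = sys.argv[1]
    fill = int(sys.argv[2], 16) if len(sys.argv) > 2 else 0x00
    ok, bad, checked = verify_filled(target, fill)
    if ok:
        print(f"{target}: {checked} bytes, all 0x{fill:02X}")
    else:
        print(f"{target}: byte at offset {bad} is not 0x{fill:02X}")
        sys.exit(1)
```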

There are so many tools out there. The ones listed are some that I currently use. You should use programs that you know well. As long as you know how the software works and can defend the software you use, it should be in your arsenal.

Thursday, April 5, 2007

Cell Phone Forensics

I was asked to check out cell phone forensics. The problem today is that cell phones are no longer just phones. There are many extra features that make it very useful as evidence. In addition to call logs, there are text messages, emails, pictures, videos, and so on. The problem is that unlike computers, each manufacturer uses proprietary operating systems and cables. This becomes a problem when you are trying to build a lab that will handle different mobile devices. Unfortunately, there is no single tool that can handle all of these devices. Different forensic solutions specialize in different phones. Usually, you buy the software once and then pay an annual maintenance fee, which includes receiving new cables for new phones. Obviously, this can get very expensive.

When I asked an experienced investigator for advice, the answer was that not every solution can handle all types of mobile devices. Those that cannot be handled "forensically" are done using a video camera and recording your actions. This is acceptable as long as you can document everything you've done and show that your methods did not tamper with the evidence. After all, you are using the best possible method available.

As far as what I will do for the lab, I am still researching. We are currently using Paraben's Device Seizure Toolbox but I have not tested it well enough to comment on its effectiveness. While attending Guidance Software's EnCase 6 Briefing, they kept mentioning Neutrino, which is going to be their solution for mobile devices. Although I look forward to seeing what they can offer, I'm a little skeptical. It is an unproven solution in an ever-changing environment.

Here is NIST's take on cell phone forensics:
http://csrc.nist.gov/publications/drafts/Draft-SP800-101.pdf

Tuesday, March 20, 2007

Buying New Systems

Being on a budget, we need to order systems that are capable of handling current and future investigations. On one hand, I have an investigator that wants the best machine possible. On the other, I have my supervisor limiting the amount I can spend. Therefore, I had to balance between the two. We do not need the latest and greatest systems to perform an investigation. At the same time, we cannot hold back on certain specs that we really need.

Instead of getting one big powerful machine, we instead got two mid-level systems. That way we can use both machines for two separate investigations. The machines contain an Intel 1.8GHz Core 2 Duo processor. This allows us to have better multitasking capabilities. Programs like EnCase and FTK 2.0 (not out yet as of this writing) use threads to perform several functions. For example, with EnCase, we can search for keywords while acquiring another drive. With FTK 2.0, we can run an investigation while indexing a drive (not possible with current versions of FTK). However, in order to do this, the processor must share the work between the two processes. By having two processors, the load for each processor is reduced, speeding up the investigation. Each computer also has 4GB of RAM. If we are processing a lot of data, we do not want to run out of memory and use virtual memory, which would hinder the investigation.

Additional specs include flat panel monitors and a tower case. The flat panel is to save space in our lab. Currently, the CRT monitors take up most of the table. The tower case will allow us to expand the system as needed.

To save a little more, we sent out a bid with these specs and had several resellers try to meet our budget. One was able to and we began processing the order.

Tuesday, March 13, 2007

Surveying

Before building the lab, I needed to survey the current state of the lab. My criteria are based on certain factors. Is there sufficient space to work in? Do they have any equipment that can be reused? Is the lab secured?

A little background: a network administrator built the current lab and has since left for the private sector. Unfortunately, this meant that the lab was no longer being properly maintained. This is where I come in. My job is to update the lab to make it functional and efficient to investigate crimes involving computers, cell phones, PDAs, and other electronic devices.

Compared to the other labs that I have seen, this one is not very big. However, keeping its users in mind, it should be sufficient. So far I have seen one investigator in the lab at any given time. This is probably due to the fact that the current lab only has one analysis machine! In fact, the only forensic software installed is EnCase. Paraben's Email Examiner is on the shelf, but not installed on the computer. There are also three write blockers. Two are FastBloc field edition (external write blocker) and one is a FastBloc lab edition (write blocker that fits in a computer's drive bay). These are all made by Guidance Software. Although they are the largest computer forensic software company, there are other tools that can do other things better. For example, AccessData's Password Recovery Toolkit (PRTK) is a much better tool for cracking passwords.

I will definitely reuse the analysis machines and the write blockers. If they are capable of handling current investigations now, then they are still useful. As far as write blockers, I have used both cheap and expensive ones. Both work as stated, however the cheaper ones have a higher failure rate and feel cheap. The expensive ones are much heavier and made for the field. The manufacturers also stand by their products. Additionally, they may have been tested and proven to work by the National Institute of Standards and Technology (NIST)*. Regardless, you should still do your own tests to make sure your equipment works.

As far as security, it is extremely important that the lab is secured. This is to prevent the possibility of evidence tampering. Although I won't get into the details of the security measures, I will say that there are several layers of defense to get through before gaining access to the room.

* http://www.cftt.nist.gov/hardware_write_block.htm

Sunday, March 11, 2007

Introduction

Welcome. This blog is born from an opportunity to build a computer forensics lab for a local government agency. Although my experience with this task is limited, I had the chance to visit several academic, corporate, law enforcement, and federal law enforcement labs. I have seen the pros and cons of each lab and hope to use the different methodologies and tools that will best fit my lab. Although I already have an ideal lab in mind, I am working with a limited budget. Therefore, throughout my posts, I will write about what I would have wanted and what is actually being done. Unfortunately, the equipment and tools are not cheap. Therefore, I will have to work with what I have and make sacrifices in certain areas.