Perhaps one of the worst ways to lose evidence is through an unforeseen natural disaster. Prepare up front and design protections into your lab in case of a potential problem.
Fire Protection
If your lab is located in a commercial facility, you should have automatic fire suppression. Take into account where the sprinkler or suppression agent dispensers are located, and plan accordingly. If you are using a locked enclosure with splash-proof vents, serious smoke damage will follow the fire as the smoke pours into the vents. For very little money, fireproof enclosures can protect your investments in specialized gear, licensed software, special operating system builds, and especially key evidence.
If you don’t have experience with fire suppression or you don’t know how to protect your assets, spend some time with your site’s physical security manager or your local fire marshal. They are usually quite helpful and happy that you would bother to learn best practices in advance. Additionally, they will be able to look at your particular location and help determine any peculiarities you may have and need to solve.
Flooding
Like fire, if flooding occurs in your area, caused by leaks or something tipping off the fire-suppression system, you need to ensure that your critical evidence is properly protected. Look for an evidence safe that has a water-tight seal, and be mindful of water pipes running in the ceiling above your lab.
Temperature Control
Keep your equipment from overheating and prolong your equipment’s life by using efficient ventilation and temperature controls. Given the confined spaces in many labs and the heat produced by the equipment, this is a must.
Power Protection
Surge protectors and uninterruptible power supplies (UPSs) should be a given by now. Protect your equipment from power surges caused by lightning with a good surge protector. Keep your equipment safe and running during power surges and outages with a solid UPS.
FORENSIC COMPUTERS
Once the lab is constructed—or in most cases, designated—your next step is to determine what kinds of cases the lab will handle and what resources are available to the department developing the forensic team.
Components of a Forensic Host
Host computers are the physical computer hardware and operating systems that host the forensic tools used by the examiner. The hardware will vary in scope and usage depending on the needs and budget of the examiner.
As a rule, examiners need lots of processing power. This isn’t because they are power hungry, but because some forensic tools require lots of processing power. Recommended additional components include a large monitor, external drive bays, device adapters, and CD-R/DVD burners. The large monitor will help you view extensive data simultaneously. Adapters for USB, SCSI (Small Computer Standard Interface), FireWire, and flash media are recommended, and a fast burner will help you copy and archive data. Additionally, include ample storage for all the evidence and generous onboard memory to work with the data. Fast drives such as SATA (Serial Advanced Technology Attachment) and SCSI, ideally on a controller separate from the OS drive, are worth the investment. Consider external hard drives for large data acquisitions. Provide yourself the additional horsepower with a fast bus, fast RAM, and only the software necessary to carry out investigations. Use quality components when possible.
The operating system used will depend on the comfort level of the user, the tools used, and, in some cases, the examiner’s budget.
Wrong or Poorly Configured Hardware
Investigating a civil or criminal case with the wrong equipment sometimes costs you only the time and ingenuity needed to overcome the shortfall. Other times, however, it may cost you your investigation. Learning that you need a SCSI adapter at 3:00 A.M. in Bumford, Texas, is a bad situation. Other bad circumstances include not having enough storage, memory, adapters, and other necessary equipment for your organization’s needs.
Understand Your Computer’s Role
Forensic hosts can play multiple roles. In purist environments, the acquisitions computer is always separate from the analysis computer. However, most corporate environments currently use the same machine for acquisitions and analysis. Whatever the environment, prepare yourself before you need the gear. Buy the appropriate cables, readers, or accessories to interface with the hardware in your environment, and make certain that your analysis machine can handle the workload.
For many investigators, a small shuttle computer may suffice for a mobile unit, whereas others feel hampered by the single PCI slot and will carry a fully equipped mid-tower computer to an onsite call. Still other investigators prefer a laptop, and they can successfully triage, grab, and work with data effectively within those constraints. Keep an eye on the market, as new computers and form factors are coming out all the time.
Acquisition Units
Acquisition host computers need lots of drive storage. If you’re short on funds, an older computer that’s deemed inadequate for everyday use makes an excellent acquisition and duplication host. An internal removable drive bay or an external drive bay connected via FireWire or USB 2.0 is recommended. Note that some old hardware write-blockers hook up only through a SCSI connection.
Analysis Units
Analysis host computers need lots of memory and processing power as they perform the brunt of the work with the forensic examiner on the machine. Because computer time is cheap and the examiner’s time is not, it is a good idea to invest money in an excellent analysis host. This will maximize the examiner’s time while minimizing frustration. If your organization has the funds, multiple hosts may break up the investigation to get specific tasks completed quicker than serially feeding the tasks through the same host.
Also consider the surrounding environment, and ensure that the examiner has access to all the same software and equipment normally used in the environment. For example, if tapes are used in the environment, it makes sense to equip the investigator with the same access to hardware. Likewise, if the hardware used by the workforce supports certain high-end tools or software packages, the forensic investigator should have access to these types of tools or software packages.
Mobile Units
The forensic examiner might need to visit remote sites in your organization. A forensic services organization providing forensic acquisition and examination services at a customer’s premises needs a highly mobile workstation. In addition, companies with multiple branch offices, manufacturing facilities, and storage facilities often need mobile workstations capable of performing onsite investigations.
Often, large corporations employ only a handful of trained forensic investigators. This small group of people is forced to travel, in some cases worldwide, to perform acquisitions (and sometimes investigations) onsite. A correctly built and configured mobile workstation is a tremendous asset to the investigator.
If this is your role, you will appreciate a smaller, more compact workstation than a full-sized desktop computer. A laptop can be configured to work well if only a few hosts need to be acquired or analyzed. If more than a few hosts need to be acquired, consider using portable hardware duplicating tools such as Forensic Talon from Logicube and HardCopy by Voom Technologies. These devices are small and portable, and they typically have data capturing speeds of 3 gigabytes per second or faster.
Hardware Components for a Mobile Investigator
The following components will help a mobile investigator:
• An internal or standalone external drive bay can offer plenty of storage. If you are going to use a laptop, consider using a laptop with a built-in FireWire. This allows you to use the available PCMCIA slot.
• A hard, solid storage case built for traveling will protect your gear while you’re on the move. Make certain the case locks or can accept a padlock.
• A USB expansion card makes it effortless to add other components such as a printer or multi-card reader.
• A wide array of adapters protects you from making last-minute trips.
• A multi-card reader for different kinds of flash media can come in handy, especially if you are working covertly in a corporate environment.
• Hardware write-blockers such as FastBlock by Intelligent Computer Solutions (ICS) prevent writing data accidentally to your source media during the acquisition phase.
• Paraben Forensics’ Device Seizure Toolbox is a top-notch product for personal digital assistants (PDAs) and cell phones. If you even remotely think you will face a PDA during an investigation, the product is worth the money. Paraben also offers the ability to acquire cell phone data, and the company is constantly updating its products. As previously mentioned, hardware duplicating tools are often useful, depending on what you want to accomplish.
Depending on your established method and available tools, each situation might require a different acquisition technology.
The “Poor Man’s Shop”
If your management has not allocated enough funds, or if it’s a new group, you can save money by sharing hardware between the acquisitions workstation and the analysis workstation. You can also configure inexpensive hardware with open-source Linux and run freeware tools. Linux will run well on old hardware. The most important component in a “poor man’s shop” is the technical competence of the examiner. Keep in mind that you can always start out with limited tools and hardware and grow your abilities over time.
Commercially Available Hardware Systems
A number of commercial hardware systems are available, and they are excellent if you can afford them, but they aren’t necessary to do the job. At the end of the day, the forensic computer spends most of its time waiting on the examiner to press the next key. If you get bored, graph the average CPU utilization during an investigation. That said, commercial systems can provide several benefits:
• Professional support is available for examiners, should you ever run into hardware problems.
• Lots of horsepower helps handle large case loads and heavy data manipulation.
• Preconfigured computers are in many cases loaded and guaranteed to work with popular forensic software such as EnCase, SMART, or other tools.
The large drawback to commercial systems is that they are usually extremely expensive. They can cost tens of thousands of dollars with all the extras. Check out http://forensic-computers.com to see some prebuilt forensic computers.
Do-It-Yourself Hardware Systems
Do-it-yourself systems can be any size or shape and can run any operating system you choose. Though this is not for the faint of heart, they are not difficult to build. Such hardware systems can save you a tremendous amount of money and offer you the flexibility you may need to buy exactly the components you want. With a little patience and knowledge, you can design and build a formidable lab machine. If you just want the design and not the build part, then check out some of the prebuilt systems from DELL that may be loaded with everything you want. Hardware recommendations include the following:
• Extremely fast dual processor and front-side bus
• Extra memory for heavy analysis work
• Extra hard drive space for the operating system, programs, tools, and data output
• Removable drive bay for quickly changing hard drives
• Additional hard drive and controller to move acquired data, extracted information, or tools to a different hard drive from the OS
• Drives that are fast SCSI or SATA hard drives on their own controller
• A wide array of adapters
• Excellent video card for large monitors and for quickly reviewing hundreds of images
• Multiple connections for FireWire and USB
• Standalone external FireWire or USB drive enclosure that accepts SATA, IDE, and laptop drives
• SCSI connection if needed
• Extra SATA/IDE controller(s) going to a hardware write-block device(s) of your choice (such as those made by Intelligent Computer Solutions, at www.icsforensic.com)
• Heavy-duty, fast printer
• Multi-card reader for different kinds of Flash memory
• Ultra-fast CD and DVD burners
• For some, a tape backup
• Depending on your case load, a large file server on a local network to store media images while you work with them
Data Storage
Now that you have all of this data, how are you going to store it? Most forensic labs do not have the monetary resources to purchase large Storage Area Network (SAN) or Network Attached Storage (NAS) systems, government agencies excluded. Many corporations are getting space on the SAN or NAS as a shared resource, and reasonably priced mini-SANs are appearing on the market. If neither of these options works for you, you will have to get creative. To address this need, you have several options depending on how much you want to spend. For all of these options, it’s assumed your storage needs are greater than the current largest SATA disk.
Cheapest Storage
The least expensive option is to create a large RAID (Redundant Array of Inexpensive Disks) set from a couple of internal RAID cards; these are now sold at most computer stores. We recommend making a hardware RAID for each card and then combining them with a software RAID 0 to allow the operating system to access the RAIDs as a single disk, giving you more storage. Other methods include using a couple of IDE drives with Windows software RAID or logical volumes across a number of physical disks.
Cheap Storage
The next step up would be an external SATA RAID. SATA drives are always less expensive than SCSI drives, but SCSI buses and drives are also faster. So these external RAID units allow you to take between 2 and 15 SATA drives and create a RAID disk that will be shown through the SCSI interface as a single disk to the operating system. These units can also be daisy-chained. We use the Promise SuperTrack Series (www.promise.com) and can get up to 16 terabytes per 16-drive unit.
Not-so-cheap Storage
Once you have outgrown multiple 16-terabyte boxes and need multiple servers to access a single set of data, you have outgrown most of the inexpensive solutions. At this point, you need to move to a NAS (Network Attached Storage) or a SAN system, or to a distributed file system, such as GFS and OpenGFS for Linux and DFS for Windows. SAN systems are always more expensive than NAS systems. We would recommend the units from Equallogic (www.equallogic.com) and BlueArc (www.bluearc.com). These units are not cheap; they typically cost at least $20,000, but they will allow you to grow your lab environment. More information about NAS and SAN systems can be found in Chapter 10.
FORENSIC HARDWARE AND SOFTWARE TOOLS
This is almost a misnomer, because many so-called “forensic tools” were created for uses outside the forensics field. A forensic tool produces useful, reproducible, and verifiable results. Forensic tools can be divided into two large classes of tools: hardware and software.
Using Hardware Tools
Forensic hardware tools include every hardware element outside the traditional host, such as the specialized cables, write-blockers, drive-dupers, and other gear that allows forensic software tools to work. The forensic lab in your organization should be able to assess common digital storage devices rapidly. If your organization uses SCSI hard drives on production servers, you should be able to deal with SCSI drives. If you have other common storage mechanisms, consider whether it makes sense for you to include those capabilities in the lab.
A forensically sound write-blocker allows data to travel in one direction only, like a diode or check valve. One version, FASTBLOC, is detected automatically if you use EnCase. A note is added to the case log stating you used hardware write protection.
Another nice tool is the Image MASSter Solo 3 Forensic system, a hardware duplication device that will image a suspect’s hard drive onto another hard drive with full cryptographic verification. The target drive can hold multiple images from more than one suspect drive and can also be split into 640MB Linux-DD chunks for input into other programs. This device copies data at speeds close to 3 GB/minute, depending on the source and destination hard drive spindle speed.
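The "full cryptographic verification" a duplicator provides boils down to hashing the source once at acquisition time and re-hashing the copy whenever its integrity is questioned. The following is an added illustration, not code from the book or from the Image MASSter product: it records one hash per dd chunk plus a running hash over the whole image, so a later check can say which chunk changed or went missing without re-reading the source drive. SHA-256 and the small chunk size used in the demo are assumptions; the 640MB default mirrors the chunk size mentioned above.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple

# 640MB mirrors the Linux-DD chunk size mentioned above; the demo below uses a
# far smaller chunk size so it runs on a few kilobytes of constructed data.
DEFAULT_CHUNK_SIZE = 640 * 1024 * 1024

# Constructed stand-in for a source drive (5000 bytes of a repeating pattern).
SAMPLE_IMAGE = (b"HACKINGEXPOSED" * 400)[:5000]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of one chunk or of a whole image."""
    return hashlib.sha256(data).hexdigest()


def split_image(image: bytes, chunk_size: int = DEFAULT_CHUNK_SIZE) -> List[bytes]:
    """Cut an image into fixed-size chunks; the last chunk may be shorter."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    return [image[i:i + chunk_size] for i in range(0, len(image), chunk_size)]


def acquisition_record(chunks: Sequence[bytes]) -> Tuple[str, List[str]]:
    """Hashes written at acquisition time: one per chunk plus a running hash
    over the concatenation, so the whole-drive hash is available without
    ever reassembling the chunks or touching the source again."""
    whole = hashlib.sha256()
    per_chunk = []
    for chunk in chunks:
        whole.update(chunk)
        per_chunk.append(sha256_hex(chunk))
    return whole.hexdigest(), per_chunk


def verify_chunks(chunks: Sequence[bytes], whole_hash: str,
                  chunk_hashes: Sequence[str]) -> Dict[str, object]:
    """Re-verify a stored chunk set against its acquisition record, reporting
    which chunks differ (so only those need re-imaging) and whether the
    chunk count itself is off (a missing or extra chunk file)."""
    recomputed_whole, recomputed = acquisition_record(chunks)
    bad = [i for i, (a, b) in enumerate(zip(recomputed, chunk_hashes)) if a != b]
    return {"count_ok": len(chunks) == len(chunk_hashes),
            "whole_ok": recomputed_whole == whole_hash,
            "bad_chunks": bad}


def demo(chunk_size: int = 1024) -> Dict[str, Dict[str, object]]:
    """Acquire the sample image, then verify a clean copy and a copy with a
    single flipped bit in the third chunk."""
    chunks = split_image(SAMPLE_IMAGE, chunk_size)
    whole, per_chunk = acquisition_record(chunks)
    damaged = list(chunks)
    damaged[2] = bytes([damaged[2][0] ^ 0x01]) + damaged[2][1:]
    return {"clean": verify_chunks(chunks, whole, per_chunk),
            "damaged": verify_chunks(damaged, whole, per_chunk)}


if __name__ == "__main__":
    print(demo())
```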
Using Software Tools
Software tools fall into many categories, depending on how you want to break them down. Some tools are multipurpose tools that can cover more than one scenario. EnCase, SMART, FTK, and TCT are all multipurpose tools. One thing definitely worth considering is the value of having and using a robust multipurpose tool. Consider a Swiss Army Knife. You want to have a tool that has all the blades you may ever need, even if you don’t use them all at first.
Other tools are highly specialized, such as X-Ways WinHex. If you need a hex editor, WinHex is one of the best tools on the market. If you need to view e-mail, this is the wrong tool.
One frequently asked question we encounter is how to verify a tool for use in forensic investigations. Initiatives are underway at NIST to validate certain tools. Additionally, the Scientific Working Group on Digital Evidence (SWGDE) aims to provide guidelines for validation testing. You can find the latest SWGDE public documents, including the SWGDE Validation Guidelines, online at http://www.swgde.org/documents.html.
Some of the tool categories we will cover in this book include the following:
• Acquisition tools
• Data discovery tools
• Internet history tools