Creating a digital forensic laboratory is a serious undertaking. The laboratory's effectiveness depends on the software, hardware and equipment you choose to buy.
Creating a digital forensic laboratory: Tips and Tricks
DFC specialists took part in the creation and upgrade of several digital forensic laboratories owned by state organizations and private entities, and today they share their tips and tricks.
Choosing a workstation configuration is an important step. The effectiveness of digital examiners depends on how their workstations are configured.
However, we want to pay special attention to one point: the workstation should run as quietly as possible. Imagine an open-plan office where several powerful computers are installed, each of which makes as much noise as a server. Headaches and poor health for the employees are guaranteed. Quiet workstation operation is achieved with low-noise fans and passive cooling.
Do not buy top-of-the-line hardware. Buying the most expensive processor, memory and motherboard for a new workstation is not the best idea: we had many problems with a workstation built from such components.
In our opinion, this configuration is optimal today:
OS: Windows 10 Pro 64-bit
CPU (2×): E5-2660 v4 (14 cores each)
RAM: 64 GB DDR4-2133 ECC
OS Drive: 1 TB SSD
Temp/Cache/DB Drive: 256 GB SSD
Data Drive: 8 TB 7200rpm
RAID Drives: 5×4 TB 7200rpm
Video Card: GeForce GTX 1080
We recommend two or more monitors for each workstation.
Examiners work most effectively when each of them has two workstations.
Use network storage to hold cases, forensic images and so on. Network storage with a capacity of 100-150 TB has proved quite effective.
Use 10 Gbit network cards. They let you transfer data from the workstation to network storage quickly.
A Tableau Write Blockers Kit
It is a good idea to have as many different forensic tools in the laboratory as possible. This lets an examiner work cases as quickly and efficiently as possible, and it also makes it possible to cross-check results with a second tool.
However, if your budget is limited, we recommend buying this software first:
Windows 10 Pro
Office 365
Antivirus software
X-Ways Forensics
AXIOM (Magnet Forensics)
The rest of the tools can be purchased as the laboratory develops.
A lot of research can also be done with freeware tools; sometimes their functionality even outperforms that of commercial tools.
If you are creating a digital forensic laboratory within a government organization, for example a police department, it most likely already has its own case management software, and your task is simply to add the new laboratory to the existing network.
In other cases you can use free or paid CRM systems; some of them can be adapted to your case management needs.
Of the specialized tools, we recommend Kirjuri (a web application for managing cases and physical forensic evidence items) and Lima Forensic Case Management.
We recommend using a separate workstation for video forensics casework, with the following tools:
DVR Examiner
Amped FIVE
Elecard
Very good results in recovering deleted video can be obtained with X-Ways Forensics, which we discussed above.
We recommend using a separate workstation for mobile forensics.
There are many mobile forensics tools, so it is hard for a beginner to work out what is needed to do this work effectively. We recommend the following mobile forensics tools:
UFED 4PC (with CHINEX, UFED Camera Kit)
Cellebrite UFED Touch
Cellebrite cables and adapters
Oxygen Forensics DETECTIVE
XRY
Elcomsoft Mobile Forensic Bundle
We recommend SP Flash Tool for retrieving data from MTK-based phones.
A Faraday Box (Ramsey)
For cloud forensics we recommend the following tools:
UFED Cloud Analyzer
Oxygen Forensics DETECTIVE
Elcomsoft Cloud eXplorer
For JTAG work we recommend the following boxes:
Easy Z3x JTAG BOX
Octoplus Box
Samsung anyway S101
For chip-off we recommend:
VISUAL NAND RECONSTRUCTOR (STARTER KIT, Rusolut)
SMARTPHONE KIT (Rusolut)
CHINESE SMARTPHONE KIT (Rusolut)
NuProg-E UFS/EMMC Programmer
IN-UFS-Socket BGA Opentop
N-UFS-065-BGA095-115130-02O BGA Opentop
N-UFS-050-FBGA153-115130-02O BGA Opentop
For desoldering chips we recommend a Weller WHA 300 hot air rework station or an Ersa HR100 hybrid rework system.
We recommend a separate workstation for data recovery. You will need specialized hardware and tools for it:
PC-3000 Express Professional System (Acelab)
Data Extractor Express (Acelab)
PC-3000 Flash (Acelab)
Many people believe that ordinary office desks and chairs are enough to furnish a digital forensic lab. This is not so. Tables must have abrasion-resistant coatings; we recommend proper laboratory tables.
Chairs should be as comfortable as possible; we recommend gaming chairs rather than ordinary office chairs.
The bench where electronic equipment is assembled and disassembled should be equipped with an antistatic mat and an antistatic wrist strap.
Happy forensicating!
About the authors
Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.
Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.
Are you eager to learn Computer Forensics and Cyber Crime Investigation and want to be a profound Forensics Investigator? If your answer is YES, then this course is for you. I specially framed this course to transform your life from what you are today to what you actually want to be.
I personally worked on more than 3,000 cyber crime cases as an investigator and am currently helping Indian law enforcement agencies fight cyber criminals. Computer crime in today's cyber world is on the rise. Computer forensics investigation techniques are used by police, government and corporate entities globally to solve cases involving computers or digital devices.
WHAT STUDENTS ARE SAYING ABOUT THIS COURSE:
Tafadzwa S Chipunza says 'I'm happy I took this course in preparation for my certification. It helped me understand a few concepts I didn't understand.'
Joseph Cox says 'Excellent course!! The instructor has keen knowledge about Digital Forensics and its relation to criminal investigations. He is able to present the concepts(Chain of Custody, Maintaining Integrity, Forensic Imaging..etc) in a very detailed and methodical way, so that the information is understandable. I feel the knowledge I am gaining from the course will be of great benefit in the field.'
Michael Ekwam says 'Thanks Gautam, for this course. I am glad I took this course. It has been an eye opener in terms of the free open source tools available on the net as well as the techniques.
Gautam knows his stuff and delivers them in a way that is easy to follow and straight to the point. Amazing introductory course on computer forensics & investigation using open source tools.'
Trish McGarvey says 'This was a great hands-on course! I learned some valuable tips that will help my investigations. I look forward to more classes!'
Abhay Sharma says 'If you want to know some amazing open source tools (not just for crime investigation but also your own computer's file recovery and much more) then go for this course. Gautam has done a great job explaining some amazing tools. (Now I know how to recover deleted stuff easily.) Thanks Gautam for this wonderful course.'
Dimitar Madjarov says 'One of the good courses on UDEMY of Computer Forensics & Investigation'
AbbaYusuf Dkm says 'Very well explained. The instructor uses a lot of case studies and explains in depth what has happened and how. This reinforces the background theory he teaches. The anti-forensics part was quite interesting for me. Thank you for recording this awesome course.'
Allan Antang Piku full movie download utorrent kickass. says 'Teacher is very engaging in his computer forensics delivery of the knowledge that he has, which makes the course much interesting to watch and has led me to further research and investigation on certain topics covered.
The course is well thought out as well, with clear objectives. best part of this course is more practical demonstration than theory. I salute your efforts.'
Junaid Khan says 'I have learned more with this course than any other similar courses I purchased at a higher price, so I'm fully satisfied with this course and I highly recommend this instructor's courses. This is the best online course you can take on computer forensics and crime investigation.'
and many more...
This course can help existing as well as new professionals to develop an existing or a new career respectively. Computer Forensic Investigator is one of the most valued certificates in network security, and possessing it raises one to an elite group of professionals.
You will have knowledge of these topics after completing this course:
BONUS: Cyber Crime Investigation of Website Hacking, Social Media Crime & Email Crime Investigation.
By the conclusion of this computer based tutorial for Computer Forensics and Cyber Crime Investigation, you will have a clear understanding of what it takes to be a computer forensics investigator, and the tools and techniques used by most Forensics Science Laboratories in solving Computer related crimes.
Have a Joyful Journey of Learning!
All too frequently a peer will contact me in a panic about recovering deleted files from a suspect's hard drive, after that peer has trampled on the digital evidence like a rookie police officer at his first crime scene. Often valuable evidence is lost for good or is unusable in court; or worse, the suspect learns he is being investigated.
With the proper hardware that you probably already have and freeware available online, you can easily build your own basic computer forensics lab that will hold up in court, reduce E-Discovery costs and, most importantly, retrieve valuable evidence for all your investigations.
See also: How to Plan an Investigation
Here is the cardinal rule at the beginning of any forensic investigation: Don't touch the suspect's computer or hard drive.
On television you see detectives and CSI staff walk into a crime scene, log onto the suspect's computer and start looking for evidence. Do not do this. Ever. Any touch of the keyboard, or mouse, or even the simple act of powering the computer down, forensically changes the hard drive.
These are the two critical steps you must take first:
First, when you approach a suspect's computer, unplug the power cord from the back of the computer (not the wall) and let it die. Remove the battery from a powered-on laptop to shut the system down. This sudden shutdown freezes the hard drive's evidence in place.
Second, never attempt to view the suspect's hard drive without a read/write blocking device. A write blocker prevents your computer from altering the suspect's hard drive while you are looking for evidence.
Without these two steps in place your evidence will have a tough time holding up in court. For more information on digital evidence collection check out the Secret Service's Best Practices For Seizing Electronic Evidence, Pocket Guide for First Responders [PDF link].
With those rules clear, nothing should hold you back from building a basic setup to forensically image your suspect's computer (i.e. create a duplicate copy of it) and review it for evidence.
The first step before gathering evidence is reconnaissance. In advance, find out the make and model of your suspect's computer. Most businesses use stock systems, so knowing the model number can help you determine the type of hard drive (SATA vs ATA), its size (40GB and beyond) and, most importantly, how to access and unplug the drive. Computer makers are getting creative about cramming hard drives into odd spots, so a simple search for "Dell Latitude D400 hard drive" on YouTube or Google may help you remove the drive quickly and easily.
For the read/write blocking device you have two options: buy or build.
If you choose to buy, there are a variety of commercial options available at different price points. I personally use Logicube's Portable Forensic Lab, which works like a portable copier. This device runs for a few thousand dollars but can make copies at a rate of 4GB per min and is easy to ship to non-tech people to use. Logicube and other vendors also make small portable units for a few hundred dollars that work fine too.
However, here is a simple and cheap trick to make your own device. With an empty USB external hard drive enclosure ($20) and a small change to the Windows registry, you can be imaging like a pro.
First set up the registry with the following steps. (Note: Editing the registry isn't recommended unless you are reasonably familiar with PC technology.)
1. Click on the Start Button and type in Regedit and hit Enter.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
3. Right-click on Control and select New, then Key. Call the new key StorageDevicePolicies (this is the key name Windows looks for; the revert note below refers to it).
4. Right-click on StorageDevicePolicies and select New, then DWORD (32-bit) Value. Call the new value WriteProtect.
5. Right-click on WriteProtect and select Modify. Set the value data to 1 and click OK.
(Note: To revert and allow writes to USB drives again after you are done imaging, delete the StorageDevicePolicies registry key, delete the WriteProtect value, or set the value data of WriteProtect to 0.)
When you have finished setting up your registry, test your external drive with a personal or blank hard drive by trying to copy a file to the plugged-in external drive. Windows should give you an error message indicating the drive is write-protected and your attempted file copy will fail.
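The same setting scripted, as an added example that is not part of the original article: it creates the StorageDevicePolicies key and WriteProtect value from the steps above, reports whether the policy is in place, and probes a scratch drive to confirm that writes fail. The drive letter in $TestDrive is an assumption; point it at a blank test drive, never at evidence. The policy takes effect for USB drives attached after it is set, so reconnect the test drive after running the script, from an elevated PowerShell prompt.

```powershell
# Added example (not from the CSO article). Requires an elevated prompt,
# because the policy lives under HKLM.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

# Create the key if needed and set WriteProtect to 1 (block) or 0 (allow).
function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $value = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $PolicyKey -Name 'WriteProtect' `
        -PropertyType DWord -Value $value -Force | Out-Null
}

# True only when the key exists and WriteProtect is exactly 1.
function Get-UsbWriteProtect {
    if (-not (Test-Path $PolicyKey)) { return $false }
    $prop = Get-ItemProperty -Path $PolicyKey -Name 'WriteProtect' `
        -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.WriteProtect -eq 1)
}

# Try to write a probe file; a write-protected volume raises an
# IOException ("The media is write protected"). Any other error is
# left to propagate so a misconfigured drive letter is not mistaken
# for a working write block.
function Test-UsbWriteBlocked {
    param([Parameter(Mandatory)][string]$Drive)   # e.g. 'E:'
    $probe = Join-Path $Drive 'writeblock-probe.txt'
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return $false   # write succeeded: NOT blocked
    } catch [System.IO.IOException], [System.UnauthorizedAccessException] {
        return $true    # write refused: blocked as intended
    }
}

Set-UsbWriteProtect -Enabled $true
"WriteProtect policy set: $(Get-UsbWriteProtect)"
$TestDrive = 'E:'   # assumption: a scratch USB drive, not evidence
"Writes to $TestDrive blocked: $(Test-UsbWriteBlocked -Drive $TestDrive)"
# Set-UsbWriteProtect -Enabled $false   # revert once imaging is done
```

Only treat the setup as working when Test-UsbWriteBlocked returns True on a freshly reconnected drive; a False result means the drive was mounted before the policy existed or the value was not written.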
After covertly grabbing your suspect's hard drive (preferably in the middle of the night; see How to be a Better Burglar), plug the drive into your read/write blocking device. Windows should recognize the new drive and Explorer will open. At this point you can search and use the drive as if it were your own, or make a forensic image that can reveal deleted files, can be reviewed later by you or a third party, and will hold up in court.
To make a forensic image, download AccessData's FTK Imager 2.6.1. On the forensic market there is a lot of open source, freeware and paid software to choose from, but I find FTK Imager very easy for beginners with its step-by-step wizard and, of course, its free price tag. Once installed, select Create Disk Image, select the source of the image (your USB drive), choose a file name and save location (I recommend saving to a large external drive) and click Start. After a few hours you will have an identical copy of your suspect's drive to explore. At this point you can return the suspect's drive without them knowing you made a copy. FTK Imager can also review the imaged drive or the original drive via 'Add Evidence Item.' In this mode Imager acts much like Windows Explorer, but will also show you many deleted files, marked with an X.
For greater forensic capabilities vendors like Guidance and Accessdata offer software solutions that organize your suspect's documents, emails, and instant messages; index complete drives for searches; crack encrypted passwords; and much more. (See also Rules of Evidence: Digital Forensic Tools.) Personally I recommend and use FTK 2.2 for its easy-to-use tools, high processing speed and excellent technical support team.
In the end I tell people computer forensics is more of an art than a science. Whether you make a copy and use Windows Explorer to find evidence or purchase tools like Encase and FTK to make searching easier, it all comes down to taking your time, connecting the dots and sorting through a lot of information.
Brandon Gregg is a corporate investigations manager.
This story, 'How to Build Your Own Digital Forensics Lab, Cheap' was originally published by CSO.