Equipment to include in a computer forensic toolkit

2022-11-07 15:24:23 By: Ms. Mary Zheng

For those beginning their computer forensic investigator career, an important aspect to consider is what equipment is needed to carry out successful investigations.

While software is a critical component of the job, examiners should have a complete computer forensic toolkit that consists of a computer workstation and a response kit to take out into the field.

In Learn Computer Forensics: Your one-stop guide to searching, analyzing, acquiring, and securing digital evidence, computer forensic investigator and author William Oettinger teaches new and experienced investigators everything they need to search for and analyze digital evidence, including which software and hardware to consider.

In the following excerpt from Chapter 2, learn about the forensic analysis process, starting with a look at the equipment Oettinger recommends including in a computer forensic toolkit.

We will now discuss the forensic analysis process. As a forensic investigator, you will need to create a strategy that will enable you to conduct an efficient investigation. You also need to make sure you are familiar with your tools and the results that they will provide. Without a process, you will waste time examining data that will not impact your investigation, and you will not be able to rely on your tools. In addition, you want to make sure you get valid results from the tools you deploy. Finally, to be thorough and efficient, you must use critical thinking to determine the best investigation or exam method.

While there are similarities in every investigation, you will find differences that will require you to have an exam strategy to be efficient. I am not a fan of keeping an examination checklist because there will be areas that aren't relevant, such as different operating systems, the physical topology of the network, criminal elements, and suspects. These variables ensure that no two examinations or investigations are the same, and each will require the investigator to execute a different strategy.

The forensic analysis process is made up of five subsets:

The upcoming sections will discuss each of these in greater detail.

The pre-investigation is where you determine your capabilities and equipment specifications to conduct a forensic exam, regardless of whether it is in the field or a lab environment. Now is the time to determine your hardware, personnel, and training budget. Some of those costs will not be a one-time expenditure but an ongoing budget expenditure: the equipment must be updated, personnel training must be maintained, and new technology must be purchased as it becomes available.

Being a digital forensic investigator is not about buying the equipment, going to a training class, and never updating either of these afterward. As technology changes, so do the methods of hiding data or conducting criminal activities, so the investigator must be ready to adjust to these changes.

Before you are ready to begin the investigation, you must prepare yourself. This will allow for greater efficiency and a better work product. This includes preparing your equipment and becoming familiar with the current laws and legal decisions and the organization's policies and procedures.

Some equipment will be reusable, and some will not. For the single-use items, make sure someone replaces them as soon as the incident concludes.

Note: I cannot tell you how many times I have responded to the scene with my "to go" kit only to find that another detective had already used it and not replaced the consumable equipment. It was my mistake for not checking it before I departed to go to the crime scene, and it was my partner's mistake for not replacing the items.

We will now discuss the equipment you will use as an investigator.

Whenever you get forensic investigators together, a common topic of conversation is the forensic workstation. How much RAM? How many SSD drives? Which processor? Which operating system? These are all questions that you might commonly hear. There is always a difference of opinion about the configuration of a forensic workstation. None of the views are incorrect because the investigator's workstation configuration depends on their budget and the cases that are being investigated.

Forensic workstations are not cheap. Depending on the skill level of the investigator, they can either build their own or purchase a pre-made forensic workstation. Several vendors will configure a workstation to your specification. For example, consider the vendor SUMURI (https://sumuri.com) and their TALINO workstations. The base model costs approximately $8,000 and comes with:

That is a basic forensic workstation, and you still must add storage for the forensic images. The high-end version costs over $18,000 and comes with:

One bottleneck that a forensic investigator may face with their forensic workstation is data transfer. I suggest using SSDs because they have much higher throughput than the typical spinning disk does. A fast CPU and a large amount of RAM enable maximum performance for forensic analysis. However, these machines are not portable, and you are not always able to perform the analysis or to acquire the data from the relative comfort of your workstation. A forensic laptop is also an expensive piece of equipment. At the time of printing, the TALINO OMEGA comes with:

Note: You will need to include Gigabit Ethernet on both workstations to communicate on the local area network.

As you can see, you can never have too much CPU, RAM, or storage space on your forensic workstations. The equipment I described is on the higher end; you can conduct digital forensic examinations with less expensive equipment and still achieve the same results. Higher-end equipment will, however, decrease the time involved. If you are a member of a multinational corporation or a large law enforcement agency, you may have the budget for high-end equipment. A smaller law enforcement agency, a smaller organization, or a single practitioner will have to determine what cost is appropriate for their situation.

Sometimes you must leave the lab, which means you need additional portable equipment. We will now discuss the equipment required in your response kit.

The digital evidence is not always delivered to your workspace. Sometimes, you may have to respond to a third-party location to acquire that evidence. The collection of that evidence is the basic building block for any digital forensic examination you may conduct. Like conducting an examination in your workspace, you need the proper tools and supporting equipment to accomplish this task. You need to create a response kit that includes documentary paperwork, pens, and storage containers to store digital evidence.

A response kit is unique to each digital forensic investigator. No kit is perfect; all kits are always subject to improvement. The goal of your response kit is to have everything you need to collect digital evidence, and we will go over some equipment that, in my experience, I have found helpful:

Note: A word of advice: I would disable the microphone so as not to record audio. You may have extended discussions about how to proceed using language that may be regarded as less professional. These discussions and use of language could be used as a distraction by the opposing side in the presentation of evidence.

Note: A program called VirtualHere (http://virtualhere.com/home) allows you to use your USB devices remotely. This will require a network connection at your destination and at your home location where the USB keys are plugged in. If you are unsure about the quality of your network connection, I recommend taking the keys with you.

Now, the important question is this: how do you carry all of this from one location to another?

My recommendation is a Pelican-type case that is watertight and crush-proof to protect the equipment. Also, include a TSA-compliant locking device if you must travel via commercial air in the United States.

The list of items we have just discussed is only a recommendation. You will add/subtract from this list to meet the needs of the task at hand. There is no right or wrong answer when stocking your response kit. The budget, the organization, and the task at hand will dictate what equipment is needed.

A government/law enforcement digital forensic investigator may acquire full forensic images at the scene, and they will need larger storage capacity devices. As you become more experienced, you will accurately determine what equipment you need to perform your duties.

The bottom line is that you need to have a response kit when leaving the office to acquire digital data or respond to any incident. How you stock that kit is entirely up to you as the forensic investigator. This is all about making your job easier and more efficient.

About the author

William Oettinger is a veteran technical trainer and investigator. He is a retired police officer with the Las Vegas Metropolitan Police Department and a retired Criminal Investigation Division agent with the United States Marine Corps. He is a professional with more than 20 years of experience in academic, local, military, federal and international law enforcement organizations, where he acquired his multifaceted experience in IT, digital forensics, security operations, law enforcement, criminal investigations, and policy and procedure development. He has earned a Master of Science from Tiffin University in Ohio.
