New Lab - Thoughts wanted

16 Posts
9 Users
0 Likes
1,431 Views
(@sgunn)
Posts: 13
Active Member
Topic starter
 

I am about to take on a new role and have to build a one-man forensics lab, and the budget is not very high, approx. USD $15,000. I have been told that I must use a FRED machine and will run EnCase v7. But I have a few questions and wondered what else people would use or would recommend to start off with.

I understand the FRED comes with a Tableau write blocker for most connections, so do I need any other write blockers? Are there any pros/cons with using the inbuilt ones?

Is there an advantage in getting the FRED with RAID, or could I just add a third-party RAID storage box like a QNAP, as this is a cheaper option?

EnCase v7 now includes mobile and tablet devices, but I have heard that Oxygen Passware Analyst is a much better piece of software. Is it worth paying out for this?

Any other hardware/software I should have to start with?

Many thanks

 
Posted : 09/04/2015 2:03 am
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

I am about to take on a new role and have to build a one-man forensics lab, and the budget is not very high, approx. USD $15,000. I have been told that I must use a FRED machine and will run EnCase v7. But I have a few questions and wondered what else people would use or would recommend to start off with.

I understand the FRED comes with a Tableau write blocker for most connections, so do I need any other write blockers? Are there any pros/cons with using the inbuilt ones?

Is there an advantage in getting the FRED with RAID, or could I just add a third-party RAID storage box like a QNAP, as this is a cheaper option?

EnCase v7 now includes mobile and tablet devices, but I have heard that Oxygen Passware Analyst is a much better piece of software. Is it worth paying out for this?

Any other hardware/software I should have to start with?

Many thanks

As a point of clarification, are you saying that the decision to use a FRED and EnCase 7 are already made and out of your control?

 
Posted : 09/04/2015 10:04 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have been told that I must use a FRED machine and will run EnCase v7.

"been told"? ?
"must"?? 😯

BTW very nice machines, but maybe not exactly the cheap option to start an activity, particularly on a low budget.

I mean, in a forensic lab with already (say) 12 FRED machines and the need to deal with increasing work and thus to hire a new technician, it sounds like a "must" (or at least a "smart" choice for compatibility/unification/etc.), but in a "one man show" looking to start a new business/branch I could see better ways to spend part of the budget, with a little DIY.

jaclaz

 
Posted : 09/04/2015 1:15 pm
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

in a "one man show" looking to start a new business/branch I could see better ways to spend part of the budget, with a little DIY.

jaclaz

I concur.

For example, fast, high capacity computers are great, but X-Ways runs very well on lower end, even DIY computers. Next, I prefer portable write-blockers because they can also be used in the field. And don't forget a nice, fast laptop with 2+ USB3 ports and preferably an eSATA port, and also a Mac mini.

 
Posted : 09/04/2015 1:43 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

Do you need to perform acquisitions in the field? If yes, then a laptop and write blockers may be needed.

Otherwise, get lots of storage.

It's unfortunate that you're locked into the FRED. Digital Intelligence make nice machines, but you can build an equivalently powerful system for a lot less and then you could re-use your external write blockers from your field kit.

 
Posted : 09/04/2015 7:10 pm
(@sgunn)
Posts: 13
Active Member
Topic starter
 

Many thanks for your replies.

I am told the reason I must purchase a FRED machine over a DIY machine is that DIY machines are sometimes picked apart in court as just that, DIY, with anyone being able to open them, change them, etc. Whereas the FREDs are all pre-built, there is no need to touch them, and they are seen as a "legitimate" forensic tool.

I must admit, I have been using EnCase on an iMac machine running Windows, which works flawlessly, but for slower speed acquiring certain devices.

If there is a justifiable explanation for using a DIY or standard PC then I would certainly go back to the department and argue it.

Regarding EnCase, they already have a licence for the software and I am also an EnCE. So I have no issue with that.

This is my first real position as a forensic investigator, and I understand most of the cases will involve government investigations, so the thought of having evidence thrown out of court due to the wrong equipment would be a disaster.

Your thoughts are valuable to me in getting this right.

S

 
Posted : 09/04/2015 7:29 pm
HexDrugsRockNRoll
(@hexdrugsrocknroll)
Posts: 60
Trusted Member
 

I am told the reason I must purchase a FRED machine over a DIY machine is that DIY machines are sometimes picked apart in court as just that, DIY, with anyone being able to open them, change them, etc. Whereas the FREDs are all pre-built, there is no need to touch them, and they are seen as a "legitimate" forensic tool.

S

I haven't heard or seen someone being challenged in Court (or anywhere) about the computer they use. I've never used a FRED machine, however I assume they can be physically opened the same as most other machines, so the reason you've been given doesn't hold much water. If someone really wants to open the machine to maliciously tinker around with stuff, they'll do it. Each of the machines I've used over time I've opened to add RAM / change drives, etc.

I understand that this is what you've been told, and likely what is said by those-who-must-not-be-named upstairs (i.e. the guys and girls with the cash) goes, but don't think you should hang onto this as concrete advice.

 
Posted : 09/04/2015 7:53 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I am told the reason I must purchase a FRED machine over a DIY machine is that DIY machines are sometimes picked apart in court as just that, DIY, with anyone being able to open them, change them, etc. Whereas the FREDs are all pre-built, there is no need to touch them, and they are seen as a "legitimate" forensic tool.

Yep :D, I am told that this particular make/model of police car
http://www.bbc.com/news/blogs-news-from-elsewhere-27574548
http://commons.wikimedia.org/wiki/Police_cars_by_country#/media/File:Lamborghini_Polizia.JPG

is recognized worldwide as being very suitable for high-speed highway chases, and as such preferred by many policemen worldwide (surely here in Italy).

Notwithstanding this, on average what policemen actually get is this one:
http://commons.wikimedia.org/wiki/Police_cars_by_country#/media/File:Grande_Punto_Polizia.JPG

If I were you I would be very careful not to confuse the tool with the procedures (and/or with your knowledge); you can easily make a mess with the best tools in the world or do superb work with much simpler/cheaper tools.

In any case I would like to see examples (actual papers/court acts) where a DIY machine (which represents more or less EVERY single machine that is not a FRED, i.e. in my completely faked guess something like 98.32% of all PCs used in forensics worldwide) has been deemed "inferior to a FRED" or "inadequate because it is not a FRED" or in any other way defined "not legitimate".

Additionally I would like to see any evidence (apart from anecdotal ones or vague hearsay) about a FRED machine not being user serviceable (or being "sealed" or "unmodifiable", "unhackable", etc.).

A FRED machine is AFAIK a "common enough" and "standard enough" PC built with very good (but still standard/industry) components by a firm which is very well known and has a very good reputation, surely well built, with a few nice, handy features, but really nothing much more than this.

jaclaz

 
Posted : 09/04/2015 7:55 pm
(@sgunn)
Posts: 13
Active Member
Topic starter
 

Thanks everyone,

I will take your input and see if I can sway the employers' minds. Out of interest, I would probably go with a main player for the desktop, i.e. HP/Dell.

Do you have any recommendations?

I would also look at Tableau forensic bridges for drives, but what would you suggest for USB/media cards?

Thanks

 
Posted : 09/04/2015 8:18 pm
(@athulin)
Posts: 1156
Noble Member
 

… and have to build a one-man forensics lab, and the budget is not very high, approx. USD $15,000. I have been told that I must use a FRED machine and will run EnCase v7.

If those are your input parameters, fine. I'd like a less expensive platform than EnCase, myself – and EnCase v7 still leaves a bad taste in my mouth (I tried the public 'beta', and decided that v7 will have to be forced down my throat before I use it), though I believe they have caught up with many of the problems.

But what kind of work will you be doing? Government work is a bit non-specific, but probably intentionally so. Will it be part of corporate incident response in an IT environment you (or someone near you) knows well, or is it external jobs with a 'never the same hardware twice, and some preferably not seen even once' kind of deal? Are you doing eDiscovery stuff? Or what? Mobile computers or cell phones? All that will affect your choice of tools.

I understand the FRED comes with a Tableau write blocker for most connections, so do I need any other write blockers?

If you'll do field work, you are going to need a separate kit. What connectors you need to support – that's where knowledge about case types and target equipment comes in. If you work in a Mac environment, for example, you may need a solution for Thunderbolt drives, such as a Mac field computer.

Are there any pros/cons with using the inbuilt ones?

I'll leave technical aspects to others. But consider support – you will be able to get that from … Digital Intelligence, I suppose it is. That's probably a plus. But you may not be able to swap to another kit – you're buying into Tableau. If there is a mess, you essentially won't have a working write blocker until they fix it. (And if you're going for a locked solution, you also buy into the hardware support: it will be up to them to decide when you get things fixed. And you may have to wait …)

On the other hand, if you're not a tech kind of person, who prefers to stay away from the innards of the system, it's probably perfect.

Is there an advantage in getting the FRED with Raid, or could I just add a third party raid storage box like a Qnap as this is a cheaper option?

Do you have any RAID experts where you work? Have a chat with them.

Basically, it's the same thing over again: you will have a single source of support, and that may be a big plus. On the other hand, you won't have any options when push comes to shove.

For a single-analyst solution, the FRED-with-RAID is probably the best you'll get: the fastest interconnect for your money. So what happens when you add an analyst next year? And how do you handle backups? (RAID does not solve backup problems.) (Do you have an IT department somewhere nearby? Chat with them about basic and daily necessities to plan for. Do you need to plan for power spike or surge protection, for example? Environmental damage, like a burst water pipe in the ceiling?)

EnCase V7 now includes mobile and tablet devices, but I have heard that Oxygen Passware Analyst is a much better piece of software, is it worth paying out for this?

I think that's the wrong question.

Any other hardware/software I should have to start with?

Absolutely. Everything that is right for the job you expect to do. Myself, I find VMWare + an MSDN license extremely useful for setting up test environments to check out things.

But what job *do* you expect to do? And how often? Are we talking full time? Or one job every third month? And what are the external requirements? (I don't think 'EnCase v7 and FRED' is enough. Evidence storage safes? Intruder alarms? Or … ?)

If you don't know, plan for mistakes, and accept them.

Put at least one fourth of the allocated money aside for later. You are going to make mistakes in your choice of system, and you probably don't want to have to beg for more money to fix them before you can do the next job in the queue.

If you haven't already, see if you can find a copy of 'Building a Digital Forensic Laboratory' or similar book. It contains lots of useful stuff, even if they write about larger labs.

Added: Training? Certification? Other things to keep in mind.

 
Posted : 09/04/2015 9:05 pm
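Several replies above turn on whether the write blocker you end up with (the FRED's built-in Tableau bridge, or a portable one for the field kit) actually blocks, and athulin's point that you have no fallback "if there is a mess". Whatever the vendor, the practical answer is to validate the blocker on expendable test media before it ever touches evidence: hash the media, attempt a write through the blocker, hash again. The script below is an added example for that check; it is not code from the thread, from Digital Intelligence or from Tableau. The device path, the 16-byte marker payload and the 64-byte sample "image" are constructed for illustration.

```python
"""Write-blocker sanity check (added example, not from the thread).

Usage against real hardware:  python wb_check.py /dev/sdX   (hypothetical path)
Run it ONLY against a disposable test disk; a working blocker leaves the
hash unchanged, a missing or broken one lets the marker land on the media.
Without arguments it runs a self-contained demo on a temporary file.
"""
import hashlib
import os
import sys
import tempfile

CHUNK = 1 << 20
PAYLOAD = b"WRITE-BLOCK-TEST"   # constructed 16-byte marker written at offset 0


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the whole device/file through SHA-256 in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def attempt_write(path: str) -> bool:
    """Try to overwrite the first bytes of `path`.

    Returns True if the OS accepted the write (no effective blocker),
    False if the open, write or flush was refused (blocker or OS said no)."""
    flags = os.O_WRONLY | getattr(os, "O_SYNC", 0)   # O_SYNC is absent on Windows
    try:
        fd = os.open(path, flags)
    except OSError:
        return False            # e.g. EROFS/EACCES: device presented read-only
    try:
        os.write(fd, PAYLOAD)
        os.fsync(fd)
    except OSError:
        return False            # write or flush rejected by the device
    finally:
        os.close(fd)
    return True


def check_write_block(path: str, writer=attempt_write) -> dict:
    """Hash, attempt a write, hash again; `blocked` is only True when the
    write was refused AND the media hash is unchanged."""
    before = sha256_file(path)
    accepted = writer(path)
    after = sha256_file(path)
    return {
        "hash_before": before,
        "hash_after": after,
        "write_accepted": accepted,
        "blocked": (not accepted) and before == after,
    }


def demo() -> dict:
    """Offline run on a constructed 64-byte image file (no hardware needed)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"A" * 64)
        path = tmp.name
    try:
        # 1) a plain file has no blocker: the marker lands, hash changes
        unprotected = check_write_block(path)
        # 2) simulate a blocker that refuses the write: media stays untouched
        simulated_blocked = check_write_block(path, writer=lambda p: False)
    finally:
        os.unlink(path)
    return {"unprotected": unprotected, "simulated_blocked": simulated_blocked}


if __name__ == "__main__":
    result = check_write_block(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(result)
```

On real hardware, compute the "after" hash only after detaching and re-attaching the test disk (or power-cycling it), so the operating system's block cache cannot show you the marker bytes the device never actually stored; a refused write that still changes the hash means a partial write got through and the blocker should not be trusted. Repeat the check for every interface you rely on (SATA, USB, card reader), since a bridge can behave differently per port.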
Page 1 / 2