Need advice on hardware and software

(@Anonymous)
Posts: 0
Guest
Topic starter
 

Hi guys,

I need your help!

Can you guys help me with a list of software and hardware for doing desktop forensics? I have some experience in the forensic field, but that was about 4 years ago. I hope you guys could help me not spend too much money on hardware/software I don't really need.

So let's say you have only about 10000 euro or 12500 dollars to spend. What would you buy?

Things I would like to see:

Forensic responder's kit, including:
- Hardware write blocker with disk imaging
- Something to extract volatile data, maybe a USB stick with write blocker?

Workstation for analysis:
- i7 or Xeon? Plus a lot of RAM?

Software for analysis:
- FTK? EnCase?

Thanks a lot in advance!

 
Posted : 14/12/2014 8:03 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

- FTK? EnCase?

Do you need software and hardware for mobile device analysis?

 
Posted : 14/12/2014 8:09 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

All modern hardware is pretty fast. An i7 with maybe 16GB RAM will be fine. Next year's model will be a tad faster for a tad less money. Software will make more difference to system speed than raw power. Investigate this area first.

 
Posted : 15/12/2014 1:18 am
(@Anonymous)
Posts: 0
Guest
Topic starter
 

- FTK? EnCase?

Do you need software and hardware for mobile device analysis?

Laptops, yes, but no mobiles or tablets.

 
Posted : 15/12/2014 12:05 pm
(@Anonymous)
Posts: 0
Guest
Topic starter
 

All modern hardware is pretty fast. An i7 with maybe 16GB RAM will be fine. Next year's model will be a tad faster for a tad less money. Software will make more difference to system speed than raw power. Investigate this area first.

OK, thanks for answering. Do you have a recommendation for write blockers and for imaging hardware? Are products from WiebeTech or Tableau the way to go?

 
Posted : 15/12/2014 12:38 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

Whilst you might only be examining desktops/servers/laptops and not mobile devices, I'd be willing to bet you will find mobile device backups on the computers you examine. To examine many of those you would need to factor in a mobile forensics tool.

Software will be the most expensive part with training being the next most expensive thing. If it's been 4 years since you were working in this field and you used to use EnCase, you will find version 7 completely alien to version 6. I personally was very impressed with X-Ways when I went on training for that a few weeks ago. I've worked with EnCase since version 3 but I will be switching to X-Ways as my preferred tool.

I would agree your exam PC doesn't have to be anything special. An i7 with 16GB of RAM will suffice.

I've used Tableau devices for several years and am very happy with them.

Steve

 
Posted : 15/12/2014 2:23 pm
(@Anonymous)
Posts: 0
Guest
Topic starter
 

Hi Steve,

Thank you for answering.

The need for forensics tools (hardware/software) is part of a newly established Security Operations Center (SOC) in my company. Its core function will be monitoring using SIEM/IDS etc. One of the functions of the SOC will be acting as first responders to security incidents and investigating security incidents. Forensics will not be a core function of the SOC, because we won't have data/security breaches all day.

From my experience (4 years ago), both AccessData and Guidance Software were basically the companies that were far ahead of the others in computer forensics. But maybe other companies like X-Ways have caught up. It's hard to see all the differences and the possibilities/new techniques of all the forensic software. I will not be the one who is going to perform the forensic investigations. We need to hire new staff or send existing staff to training for that.

What makes you switch to X-Ways Forensics software? Is it the price?

greetings

robin

 
Posted : 17/12/2014 10:04 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hmmm, why not IDS and SIA? ?
http://www.scmagazineuk.com/the-future-of-ips-ids-and-siem/article/249422/

Once the issue about acronyms is removed 😉, your "pure forensic" needs seem to be relatively simple; all in all you can do with *any* imaging/cloning solution (and a hardware blocker may or may not be a requirement, at least technically) and with *any* forensic tool, as long as it provides the data you are looking for.

In my (very little and amateurish) experience, the generic issue with an intrusion incident or data leak (when such an incident happens) is that *something* in the "generic" defense you have put together fails (and fails badly).

Since it is expected that the firewalls, intrusion detection systems, antiviruses and the like are valid and kept up to date, what "gets through" must be *something* "completely new", and if this is the case the result of an investigation is mainly in the hands (or brain and experience with the systems) of the actual operator. *Anything* pre-made and apparently "smart" is likely to fail to automagically detect what already passed through the existing lines of defense, and thus more "direct" tools (where direct does not mean non-scriptable or "dumb") like the X-Ways ones may provide some advantages over theoretically more automated solutions, and you will probably find many interesting/useful tools among the Open Source (and/or freeware) ones, like
http://windowsir.blogspot.it/p/foss-tools.html
Still, what IMHO really matters is how familiar and expert the actual guy(s) are with a given tool and with a given setup/system.

I have the impression (possibly being completely wrong, as often happens 😯) that you are tackling the requirement from the "wrong" side, not entirely unlike what happened here (related mainly to hardware and not to software):
http://www.forensicfocus.com/Forums/viewtopic/t=10086/
http://www.forensicfocus.com/Forums/viewtopic/t=11186/

jaclaz

 
Posted : 17/12/2014 11:55 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

I will not be the one who is going to perform the forensic investigations. We need to hire new staff or send existing staff to training for that.

Forgive my bluntness, but being an analyst who has been handed tools by people who do not know what they are doing, I have to ask you:

Why are you the one making the call about what hardware and software to use? And why are you asking total strangers for advice when you have experienced staff in-house who probably know what they are doing, know the organisation, and know what types of investigations will pop up?

 
Posted : 18/12/2014 4:34 am
(@Anonymous)
Posts: 0
Guest
Topic starter
 

I will not be the one who is going to perform the forensic investigations. We need to hire new staff or send existing staff to training for that.

Forgive my bluntness, but being an analyst who has been handed tools by people who do not know what they are doing, I have to ask you:

Why are you the one making the call about what hardware and software to use? And why are you asking total strangers for advice when you have experienced staff in-house who probably know what they are doing, know the organisation, and know what types of investigations will pop up?

Where did I say that there is experienced staff?
Needing to hire new staff or go to training for forensics means there is no experienced staff in that field.

Why am I making the call?
I'm not making any calls about hardware and software. I studied something called digital forensic investigator at my school. I used to work with open-source software like The Sleuth Kit/Autopsy and Foremost, and I have used FTK in the past. So I know about the steps involved in a forensic investigation. And I help the company by giving advice about important steps in a forensic investigation, for example legal considerations and steps from an analyst's standpoint like securing volatile data, calculating hash files, etcetera.

Like I already said before, it's been over 4 years since I have done anything with forensics. Autopsy didn't have ext4 support at that time. Hardware and software have improved. So I'm asking around on a forum about what software/hardware is good and why. Why do I ask total strangers? Why not? Should I ask the companies that make these products? They all say they have the best product. Why are you on this forum? Not to learn something from each other, or share knowledge? Just because somebody said product X is good, it doesn't mean I'm automatically going to take their word for it. I was just hoping for examples of products people use, why these, and for what purpose. I know the knowledge of the analyst is the most important thing in the field of forensics and monitoring in security operations centers, and not the tools used.

 
Posted : 18/12/2014 6:10 am
Page 1 / 2