Acquisition techniques. How can we do more efficiently?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2  Next 
  

Acquisition techniques. How can we do more efficiently?

Posted: Mon Dec 24, 2018 12:17 am

Hi,

I work in a law enforcement DFU in the UK.

We have limited resources.

I have access to 2 acquisition PCs with USB3 write blockers and network storage.

Daily I might get 3/4 acquisitions done due to size of hard drives.

It takes a good 45 mins to do the notes, photographs and strip the machines down for media and storage per exhibit.

Any strategies out there that people use to do things the most efficient way?

forensicit
Member

Re: Acquisition techniques. How can we do more efficiently?

Posted: Mon Dec 24, 2018 3:40 am

Are you acquiring directly to your network? What sort of network interface do you have in the PC? You could maybe see if you can upgrade those to get quicker speeds?
Either that, or buy some large drives to acquire to locally, then schedule a task for a robocopy of the data from the local drive to your network storage location overnight when the office is empty.

To be honest, acquiring 3 to 4 devices a day isn't too bad. You have to remember that the acquisition process is vitally important to the overarching forensic process and that everything you do can be scrutinised further down the line, so I would say taking time to write all your notes up is good practice. Although it feels like a sausage factory at times, it is sometimes good to remember that 99% of the time there is someone's life or liberty at stake, so it deserves to be treated with the due care and diligence that you have described.

hectic_forensics
Member

Re: Acquisition techniques. How can we do more efficiently?

Posted: Mon Dec 24, 2018 5:51 am

There were some discussions some time ago about a forensic tool:
www.forensicfocus.com/...c/t=11704/

intended to be used in a non-lab scenario; still, the "generic" idea was that read speed is higher than write speed, so "dividing" the read stream into several write streams, i.e. devices (buses), made things much faster.

Besides the usual "fluff" by the vendor, here is some insight by PaulSanderson:
www.forensicfocus.com/.../start=49/

Have a look at the thread starting from the above post.

Loosely, you need some seriously fast (and local) "target" devices: as was suggested by hectic_forensics, a local pool of disk drives or, nowadays, possibly of SSDs, and a provision for copying to the "final" location when the system is idle/not used.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Acquisition techniques. How can we do more efficiently?

Posted: Mon Dec 24, 2018 10:47 pm

I'll add something to this.
After you get your image and want to save it to another drive for storage and disaster recovery, be sure to get something like untracopier to transfer over data. Windows loves to interfere in moving things and doesn't always do the best job.
_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 

armresl
Senior Member
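Putting hectic_forensics' overnight transfer and armresl's point about trusting the copy together, here is an added example (not code from anyone in this thread or from any vendor) of a POSIX shell script that moves images from a local acquisition drive to network storage and only removes the local copy once the copy's SHA-256 matches the hash recorded at acquisition. It assumes each image has a sidecar `<image>.sha256` file whose first field is the hex digest of the image file; that sidecar convention and the paths are my assumptions, not something the thread states.

```shell
# Added example, not code from this thread or any vendor: overnight transfer of
# images from a local acquisition drive to network storage with hash verification.
# Assumption (mine): every image file has a sidecar <image>.sha256 whose first
# field is the hex SHA-256 of the image file as written to the local drive.
set -u

# Hex SHA-256 of a file, using whichever of sha256sum/shasum is available.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# copy_verify IMAGE DST_DIR: copy, re-hash the copy, keep it only if it matches.
# Returns 0 on a verified copy, 1 on any failure or mismatch.
copy_verify() {
  src=$1; dst="$2/$(basename "$1")"; stamp=$(date -u +%FT%TZ)
  expected=$(cut -d' ' -f1 "$src.sha256" 2>/dev/null)
  [ -n "$expected" ] || { printf '%s NOHASH %s\n' "$stamp" "$src" >&2; return 1; }
  # Write to a .part name so a half-copied file is never mistaken for an image.
  cp "$src" "$dst.part" || return 1
  actual=$(digest "$dst.part")
  if [ "$actual" = "$expected" ]; then
    mv "$dst.part" "$dst" && cp "$src.sha256" "$dst.sha256" || return 1
    printf '%s OK %s %s\n' "$stamp" "$dst" "$actual"
    return 0
  fi
  rm -f "$dst.part"
  printf '%s MISMATCH %s expected=%s got=%s\n' "$stamp" "$src" "$expected" "$actual" >&2
  return 1
}

# transfer_all SRC_DIR DST_DIR LOG: process every image that has a sidecar; the
# local copy is deleted only after verification. Exit status = exhibits needing a human.
transfer_all() {
  src_dir=$1; dst_dir=$2; log=$3; failures=0
  for sidecar in "$src_dir"/*.sha256; do
    [ -f "$sidecar" ] || continue          # no images: the glob stayed literal
    img=${sidecar%.sha256}
    if [ -f "$img" ] && copy_verify "$img" "$dst_dir" >>"$log" 2>&1; then
      rm -f "$img" "$sidecar"
    else
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}
# Run from cron at night with assumed paths, e.g.:
#   transfer_all /mnt/acq /mnt/nas/images /var/log/transfer.log
```

A non-zero exit in the morning tells you which exhibits still sit on the local drive with a MISMATCH or NOHASH line in the log, so nothing is lost silently the way a plain copy can lose it.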

Re: Acquisition techniques. How can we do more efficiently?

Posted: Tue Dec 25, 2018 3:21 am

As a complete tangent: triage devices first; you may find you don't need to image them and you can get the entire examination done in a day, rather than imaging/processing etc.

Also, look into Evimetry Lab, which will allow for concurrent imaging and processing at the same time.

randomaccess
Senior Member

Re: Acquisition techniques. How can we do more efficiently?

Posted: Thu Dec 27, 2018 5:02 am

With imaging of hard drives, I always find that more (cheaper) machines image faster than single faster machines.
Do you have a single write-blocker attached to each machine? What imaging software are you using?

In terms of fastest imaging software, X-Ways arguably holds the title for that, however X-Ways Imager comes at a cost of about £100.
Installing a forensic Linux distribution onto a machine and using Guymager is our preferred method. It removes the requirement for writeblockers (although we use them for old IDE drives) and they can be replaced with USB 3 docks (approx. £20 per unit). You can then image 2 devices per machine without buying additional writeblockers. This also allows you to repurpose an old machine (if you have any) as they don't need to be particularly powerful.

Although your network will start slowing down when you acquire multiple images at once, the trick is to get all the bays going and then come back in the morning. Even if it takes 10%-25% longer because you are doing more drives at once, they will all be done by morning.

DM me if you want to look at some of our procedures, I'm sure your going through the ISO 17025 nightmare as well.  

minime2k9
Senior Member

Re: Acquisition techniques. How can we do more efficiently?

Posted: Thu Dec 27, 2018 10:48 am

- minime2k9

DM me if you want to look at some of our procedures, I'm sure your going through the ISO 17025 nightmare as well.

You know that the use of "your" instead of "you are" is a non-conformity per ISO 17025, and you need to take immediate action to control and correct it, don't you?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member