Need help to start from scratch...

(@byter)
New Member
Joined: 15 years ago
Posts: 4
Topic starter  

I work for a small police department in Georgia, and, being the only one in my division able to competently use a computer, I got sent to the Mississippi State University Introduction to Digital Forensics one-week course. Now my supervisor wants my input for a basic forensic setup for regular and mobile devices, so I'm looking for assistance from those with more experience than I, to see if I am heading in the right direction while starting this up.

My goal is to be able to take computer hard drives, flash drives, cell phones, cameras, and other mobile devices, acquire images, search for additional evidence, and keep it forensically sound.

First off, for the workstation I was looking at this FRED system to run FTK 3.0:

http://www.digitalintelligence.com/products/fred/index.php#UltraBay_II

As far as cellphones and other mobile devices go, is there a benefit other than portability to getting a hardware solution like XRY or Cellebrite versus a software solution like Oxygen?

Also, what other types of equipment will be needed for starting this up (evidence drives, etc.)?

I appreciate any and all assistance.


   
Quote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

A couple of things:

First, while it is not mandatory, I would recommend that your supervisor put together the budget for you to attend courses on the use of the technology that you'll be employing (FTK, it appears). As I said, this is not mandatory, but any defense attorney that you come up against is going to hit you hard on training and experience and your familiarity with the toolkit(s) that you use, and while, as I said, formal training is not necessary, you don't want to risk losing a valid conviction because your evidence or testimony is questioned.

And remember, that each successful challenge to your testimony will be used against you in subsequent trials.

This goes for cell/PDA analysis, as well, and (perhaps) even more so because there are so many different devices many of which use undocumented, proprietary, software, operating systems, etc., and each of which presents its own peculiar challenges.

Training is no substitute for experience but it can be a good defense against a claim that you are not qualified to be doing what you are doing. In addition, the training frequently teaches you critical thinking which is essential to making sure that you don't "step in it" when you get to trial.

Years ago most law enforcement was self-taught learning from the school of hard knocks, as it were, but, today, these courses are filled with law enforcement personnel. The effect of this is that the bar for the "minimum standard of professional competence" may have been raised by "common practice".

Furthermore, while I realize that you mentioned a "small police department" the fact is that the department has made a significant investment in software and hardware for you to perform these services. Now the department wouldn't think, for a second, that giving you a rifle and scope would make you a SWAT team sniper just as a fire department wouldn't think about buying a fire engine without training the personnel to use it.

There seems to be this perception that "computer" technology is somehow different because computers are so ubiquitous. Fact is, the ubiquity of these devices is all the more reason why someone intending to use them as evidence needs to be adequately trained or experienced.


   
ReplyQuote
(@mjantal)
Eminent Member
Joined: 16 years ago
Posts: 49
 

The FREDs are nice if you have the $. If you would like to spread it out a bit more, I would suggest getting a computer without all those bells and whistles and investing in some detached write blockers (e.g. Digital Intelligence makes an UltraKit that will have most of what you need). I would also get a copy of EnCase and X-Ways Forensics (in addition to FTK), as multiple tools are important in this field.

The alternative is invest time (and $$) in training on some of the freeware tools (take a look at the SANS SIFT workstation).

Either way, you are going to need quite a bit more than the 1 week of training.

Have you considered the FLETC? They will train/equip you and they have funding set aside to cover state/local LE (there is a waiting list). They are just a few hours away from you (Glynco, at the southeast corner of the state). The good thing about FLETC is they constantly vet the tools and tweak their training.

Same goes for mobile device forensics... multiple tools would be best (you're heading in the right direction). Get more training and take a look at FLETC.


   
ReplyQuote
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

While I applaud your ambition, if you are just starting in forensics you are asking for a lot of issues if you immediately jump into much beyond computers (and probably focusing on one OS to start with).

While the FRED is about as turn-key as it gets there are better solutions for an agency with a budget (and we all have them).

I would suggest narrowing your focus, get the tools and training to accomplish that and then grow your areas of expertise.


   
ReplyQuote
nlpd120
(@nlpd120)
Trusted Member
Joined: 15 years ago
Posts: 96
 

Agreed. As you are fortunate to be in Georgia, look at FLETC programs. I sent you a private message with more information. They offer an imaging course and then the SCERS course. Also contact your Internet Crimes Against Children Task Force Commander and get involved with them and your area chapter of the HTCIA. ICAC may be able to help you out with additional training and/or equipment.

Regards,

Chris Currier


   
ReplyQuote
rwuiuc
(@rwuiuc)
Eminent Member
Joined: 19 years ago
Posts: 24
 

Well, let me welcome you to the field... and provide some suggestions based on my experiences from law enforcement.

1. Join IACIS: http://www.iacis.com/
Law enforcement focused community with a very valuable certification. You can get information from a LE perspective that will help you in that arena.

2. Follow:
* Forensic Focus,
* The SANS Forensic blog: http://computer-forensics.sans.org/,
* Harlan Carvey's Windows IR Blog: http://windowsir.blogspot.com/,
* Guidance Software's User Forums are also helpful,
* HTCIA. FLETC is great stuff as well. ICAC is also a valuable resource.

Not a complete list as there are many other great blogs but this is a good start.

3. FREDs are nice
But building your own machine and purchasing write blockers and a hardware imager are good ideas.

4. Get a budget for media storage (hard drives) bigger than you think. You will go through it.

5. Lots of RAM and a 64-bit OS have worked well for me ;)

6. As time goes on, learn Linux as well. Can be very helpful. http://www.linuxleo.com/

7. Courses and certification in whatever tools you are going to use. Good idea to get more than one tool.

8. Forensic Certs are helpful
Tool based
* EnCase, FTK, others?

Neutral certs such as:
* IACIS
* CCE
* SANS GCFA (http://www.giac.org/certifications/forensics/gcfa.php)
* DFCB cert (http://www.ncfs.org/dfcb/)

9. Get your processes in order
A. Chain of custody and evidence handling
B. Case log and investigation documentation (a database can be very helpful)
C. Policies and procedures

10. Develop a learning action plan and keep track of everything you learn.
* The DFCB has a summary of what is covered that is useful stuff to know and can help guide you
* Know networks, e-mail, how the web works, common scams, malware

11. NIST is a great resource, especially the sample images they have. Good for testing and validation processes.
http://www.cfreds.nist.gov/

12. Virtual machines are great for testing
VMware, and VirtualBox in some cases as well.

Anyway, just some ideas. I hope that is helpful.
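The two process points above, hash-verified imaging (item 11, validating an acquisition against the source) and a case log / chain-of-custody database (item 9), are the parts of a lab setup that can be shown in code. The following is an added illustration, not code from this thread or from any tool the posters mention: it images a source in chunks while hashing the stream, independently re-hashes the written image to confirm it matches, and records the evidence item and each custody event in a SQLite case log. The device it images is a constructed file, and every case number, item id and examiner name is a placeholder.

```python
"""Added example: forensically sound acquisition with on-the-fly hashing,
post-write verification and a SQLite case log / chain-of-custody record.
All file names, case numbers and the sample 'device' are constructed."""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size


def acquire(source_path, image_path):
    """Copy source to image, hashing the stream as it is read.
    Returns (bytes_copied, md5, sha256) of the source stream."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for buf in iter(lambda: src.read(CHUNK), b""):
            md5.update(buf)
            sha256.update(buf)
            dst.write(buf)
            total += len(buf)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached disk
    return total, md5.hexdigest(), sha256.hexdigest()


def hash_file(path):
    """Independent re-read of a file; returns (md5, sha256)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            md5.update(buf)
            sha256.update(buf)
    return md5.hexdigest(), sha256.hexdigest()


SCHEMA = """
CREATE TABLE IF NOT EXISTS evidence (
    item_id TEXT PRIMARY KEY, case_no TEXT, description TEXT, image_path TEXT,
    size_bytes INTEGER, md5 TEXT, sha256 TEXT, verified INTEGER,
    acquired_utc TEXT, examiner TEXT);
CREATE TABLE IF NOT EXISTS custody (
    id INTEGER PRIMARY KEY AUTOINCREMENT, item_id TEXT, event TEXT,
    actor TEXT, at_utc TEXT, notes TEXT);
"""


def _log(con, item_id, event, actor, notes):
    """Append one chain-of-custody event row."""
    con.execute("INSERT INTO custody (item_id, event, actor, at_utc, notes) VALUES (?,?,?,?,?)",
                (item_id, event, actor, datetime.now(timezone.utc).isoformat(), notes))


def record_acquisition(db_path, item_id, case_no, description, examiner, source_path, image_path):
    """Image the source, verify the image, and store evidence + custody rows."""
    size, md5, sha256 = acquire(source_path, image_path)
    verified = hash_file(image_path) == (md5, sha256)  # image must hash like the source
    con = sqlite3.connect(db_path)
    try:
        con.executescript(SCHEMA)
        con.execute("INSERT INTO evidence VALUES (?,?,?,?,?,?,?,?,?,?)",
                    (item_id, case_no, description, image_path, size, md5, sha256,
                     int(verified), datetime.now(timezone.utc).isoformat(), examiner))
        _log(con, item_id, "acquired", examiner,
             "image verified against source" if verified else "HASH MISMATCH - image not usable")
        con.commit()
    finally:
        con.close()
    return {"item_id": item_id, "size": size, "md5": md5, "sha256": sha256, "verified": verified}


def verify_image(db_path, item_id):
    """Later re-verification (before analysis, or for court): re-hash the image on
    disk and compare with the SHA-256 recorded at acquisition. Logs the result."""
    con = sqlite3.connect(db_path)
    try:
        row = con.execute("SELECT image_path, sha256 FROM evidence WHERE item_id=?",
                          (item_id,)).fetchone()
        if row is None:
            return False
        ok = hash_file(row[0])[1] == row[1]
        _log(con, item_id, "verified", "system", "hash matches" if ok else "HASH MISMATCH")
        con.commit()
    finally:
        con.close()
    return ok


def demo():
    """Run the whole flow against a constructed 'USB stick' in a temp directory."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "fake_usb_stick.bin")  # stand-in for a write-blocked device
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 4096)   # 1 MiB deterministic filler
        f.write(b"EXAMPLE DATA " * 1000)     # 13,000 bytes of recognisable text
    db, img = os.path.join(work, "caselog.sqlite"), os.path.join(work, "ITEM-001.dd")
    rec = record_acquisition(db, "ITEM-001", "CASE-PLACEHOLDER", "USB stick (constructed)",
                             "Examiner Placeholder", src, img)
    rec.update(db=db, image=img, source=src)
    return rec


if __name__ == "__main__":
    r = demo()
    print(f"{r['item_id']}: {r['size']} bytes, sha256={r['sha256']}, verified={r['verified']}")
    print("re-verify:", verify_image(r["db"], r["item_id"]))
```

The point of hashing both the stream during acquisition and the file afterwards is that the two values come from different reads; if a write error, a failing evidence drive, or later tampering changes a single byte, `verify_image` returns False and the custody table records it, which is the kind of documentation item 9 asks for.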


   
ReplyQuote
stigster
(@stigster)
Active Member
Joined: 19 years ago
Posts: 19
 

Welcome to the wonderful world of digital forensics. You won't be bored for a second. :)

I work with the Norwegian Directorate of Taxes, which means my experience with US laws and regulations is somewhat slim; however, I'll offer a few points that you might find valuable.

First, make sure you have SoPs, methodology and routines in order ASAP. You'll hardly ever follow them from beginning to end - each case is different, but they are great for reference when you're stuck or when you have to document how and why you are doing something. Document your SoPs and reference them often. Saves you from documenting every step in every case report.

Second, building your own forensic workstation from scratch is a very good idea. Not only will you get some valuable experience rummaging around inside a box, you'll also know your own machine 100%, and that can come in handy when trouble arises. Plenty of RAM and a 64-bit OS is a must, just like rwuiuc said, and if you can afford it, a solid state disk on which to run your system will greatly increase your performance. Note, though, that I would not use SSDs for evidence just yet. They are good, but the old magnetic disks are far more restorable when s**t hits the fan. (By the way, two or three workstations are better than one super-mighty hypercomputer. And if you want to use MSAB's XRY you need one with a 32-bit OS to be able to perform cell phone acquisition. Not all the cell phone drivers are 64-bit compatible. This is only valid for acquisition. Once you have the image you can examine it in a 64-bit environment using the XRY Reader.)

Third, get tools that are recognized by the community and that help you work smarter and faster. EnCase and FTK are examples of well-proven general digital forensic tools. Others are Perlustro's ILook PI and X-Ways Forensics. I use EnCase, FTK and ILook PI as well as different Linux distros for computer investigations (hard drives and various flash drives like camera memory cards, USB memory sticks, etc.). For mobile phone and GPS investigations I use MSAB's XRY. I don't have any experience with other mobile phone tools, but I find XRY to be very handy. You don't have to be a computer expert to use it, which means it's easier to share your findings with colleagues and others (like the courts, lawyers, etc.), and since it supports both phones and GPS units you're good for a bunch of units in one box. (Also, they have a great field kit which makes it easy to get a head start on an investigation while you're still in the field.)

There are a lot of resources online, and I'll also mention, like people before me, HTCIA and SANS. They are great pools of info and experience.

Finally, let me wish you good luck, and don't hesitate to contact me directly if you think I can be of any assistance. (PM me and I'll give you my email address.)

Regards,
Stig Andersen


   
ReplyQuote
(@mindsmith)
Estimable Member
Joined: 20 years ago
Posts: 174
 

Sent you a PM with some contact info in the US and an option that your dept may want to consider.


   
ReplyQuote
ForensicRanger
(@forensicranger)
Estimable Member
Joined: 16 years ago
Posts: 122
 

All great suggestions, but let me ask you this, byter: who do you have close by that you can call when stuck with a problem (and you -will- get stuck)? Who is going to review your files before they are sent off to the DA? How will you know what errors there are?

Getting the equipment is (budget aside) easy, but not having someone with experience and knowledge review your work is downright ridiculous. Don't put the horse before the cart... I would speak to your supervisors and establish a chain of command in terms of work / report reviewing and mentorship...

Just my few pennies' worth :)


   
ReplyQuote
(@byter)
New Member
Joined: 15 years ago
Posts: 4
Topic starter  

> All great suggestions, but let me ask you this, byter: who do you have close by that you can call when stuck with a problem (and you -will- get stuck)? Who is going to review your files before they are sent off to the DA? How will you know what errors there are?
>
> Getting the equipment is (budget aside) easy, but not having someone with experience and knowledge review your work is downright ridiculous. Don't put the horse before the cart... I would speak to your supervisors and establish a chain of command in terms of work / report reviewing and mentorship...
>
> Just my few pennies' worth :)

Pretty much all I can say is "Yup"...

To put it a little more eloquently... My supervisor wants to have this ability, and I'm the only one in my division or agency who is computer literate enough to understand the basics. So there isn't really anyone at my agency or any of the nearby agencies that can be used for support, which makes this all the more difficult.

So what I'm looking at is pretty much becoming self-taught. So first I'm looking to get the tools and begin practicing. Right now I'm using the FTK trial (the one that examines a max of 5000 files) as well as a few other freeware tools, and I'm working on practice problems and taking images of various memory cards and flash drives that I can get my hands on around the office (with the owner's permission) and seeing what I can come up with.

I am aware that I am going to need more training and certifications before I can realistically bring evidence to court, but I need to start somewhere.


   
ReplyQuote
Page 1 / 2