
Need advise on Hardware and software

 Anonymous

Hi guys,

I need your help!

Can you guys help me with a list of software + hardware for doing desktop forensics? I have some experience in the forensic field, but that was like 4 years ago. I hope you guys could help me not to spend too much money on hardware/software I don't really need.

So let's say you have only about 10000 euro or 12500 dollars to spend. What would you buy?

Things I would like to see:

forensic Responders KIT including
- Hardware writeblocker with disk imaging
- Something to extract Volatile data Maybe usb-stick with writeblocker ??

Workstation for analysis
- i7 or xeon ? plus alot of ram ?
Software for analysis
- ftk ? encase ?

Thanks a lot in advance!

Topic starter Posted : 14/12/2014 8:03 pm
Igor_Michailov
(@igor_michailov)
Senior Member

- ftk ? encase ?

Do you need software and hardware for mobile devices analysis?

Posted : 14/12/2014 8:09 pm
mscotgrove
(@mscotgrove)
Senior Member

All modern hardware is pretty fast. An i7 with maybe 16GB RAM will be fine. Next year's model will be a tad faster for a tad less money. Software will make more difference to system speed than raw power. Investigate this area first.

Posted : 15/12/2014 1:18 am
 Anonymous

- ftk ? encase ?

Do you need software and hardware for mobile devices analysis?

Laptops yes, but no mobiles or tablets.

Topic starter Posted : 15/12/2014 12:05 pm
 Anonymous

All modern hardware is pretty fast. An i7 with maybe 16GB RAM will be fine. Next year's model will be a tad faster for a tad less money. Software will make more difference to system speed than raw power. Investigate this area first.

Ok, thanks for answering. Do you have a recommendation for writeblockers and for imaging hardware? Are products from WiebeTech or Tableau the way to go?

Topic starter Posted : 15/12/2014 12:38 pm
steve862
(@steve862)
Active Member

Hi,

Whilst you might only be examining desktops/servers/laptops and not mobile devices, I'd be willing to bet you will find mobile device backups on the computers you examine. To examine many of those you would need to factor in a mobile forensics tool.

Software will be the most expensive part with training being the next most expensive thing. If it's been 4 years since you were working in this field and you used to use EnCase, you will find version 7 completely alien to version 6. I personally was very impressed with X-Ways when I went on training for that a few weeks ago. I've worked with EnCase since version 3 but I will be switching to X-Ways as my preferred tool.

I would agree your exam PC doesn't have to be anything special. An i7 with 16GB of RAM will suffice.

I've used Tableau devices for several years and am very happy with them.

Steve

Posted : 15/12/2014 2:23 pm
 Anonymous

Hi Steve

Thank you for answering.

The need for forensics tools (hardware/software) is part of a newly established Security Operations Center (SOC) in my company. Its core function will be monitoring using SIEM/IDS etc. One of the functions of the SOC will be acting as first responder to security incidents and investigating security incidents. Forensics will not be a core function of the SOC, because we won't have data/security breaches all day.

From my experience (4 years ago) both AccessData and Guidance Software were basically the companies that were far ahead of the others in computer forensics. But maybe other companies like X-Ways caught up. It's hard to see all the differences and the possibilities/new techniques of all the forensic software. I will not be the one that is going to perform the forensics investigations. We need to hire new staff or let existing staff go to trainings for that.

What makes you switch to X-Ways Forensics software? Is it the price?

greetings

robin

Topic starter Posted : 17/12/2014 10:04 pm
jaclaz
(@jaclaz)
Community Legend

Hmmm, why not IDS and SIA? ?
http://www.scmagazineuk.com/the-future-of-ips-ids-and-siem/article/249422/

Once removed the issue about acronyms 😉 , your "pure forensic" needs seem to be relatively simple, all in all you can do with *any* imaging/cloning solution (and a hardware blocker may or may not be a requirement, at least technically) and with *any* forensic tool, as long as it provides the data you are looking for.

In my (very little and amateurish) experience, the generic issue with an intrusion incident or data leak (when such an incident happens) is that *something* in the "generic" defense you have put together fails (and fails badly).

Since it is expected that the firewalls, intrusion detection systems, antiviruses and the like are valid and kept up-to-date what "gets through" must be *something* "completely new", and if this is the case the result of an investigation is mainly in the hands (or brain and experience with the systems) of the actual operator, *anything* pre-made and apparently "smart" is likely to fail to automagically detect what already passed through the existing lines of defense, and thus more "direct" tools (where direct does not mean non-scriptable or "dumb") like the X-Ways ones may provide some advantages over theoretically more automated solutions, and you will probably find many interesting/useful tools among the Open Source (and/or freeware) ones, like
http://windowsir.blogspot.it/p/foss-tools.html
still what IMHO really matters is how much familiar and expert is the actual guy(s) with a given tool and with a given setup/system.

I have the impression (possibly being completely wrong, as it often happens 😯 ) that you are tackling the requirement from the "wrong" side, not entirely unlike what happened here (related mainly to hardware and not to software)
http://www.forensicfocus.com/Forums/viewtopic/t=10086/
http://www.forensicfocus.com/Forums/viewtopic/t=11186/

jaclaz

Posted : 17/12/2014 11:55 pm
 MDCR
(@mdcr)
Active Member

I will not be the one that is going to perform the Forensics Investigations. We need to hire new staff or let existing staff go to trainings for that.

Forgive my bluntness, but being an analyst who has been handed tools by people who do not know what they are doing, I have to ask you:

Why are you the one making the call about what hardware and software to use? And why are you asking total strangers for advice when you have experienced staff in-house who probably know what they are doing, know the organisation and what types of investigations will pop up?

Posted : 18/12/2014 4:34 am
 Anonymous

I will not be the one that is going to perform the Forensics Investigations. We need to hire new staff or let existing staff go to trainings for that.

Forgive my bluntness, but being an analyst who has been handed tools by people who do not know what they are doing, I have to ask you:

Why are you the one making the call about what hardware and software to use? And why are you asking total strangers for advice when you have experienced staff in-house who probably know what they are doing, know the organisation and what types of investigations will pop up?

Where did I say that there is experienced staff?
Needing to hire new staff or go to trainings for forensics means there is no experienced staff in that field.

Why am I making the call?
I'm not making any calls about hardware and software. I studied something called digital forensic investigator at my school. I used to work with open source software like The Sleuth Kit/Autopsy and Foremost, and I have used FTK in the past. So I know about the steps involved in a forensic investigation. And I help the company by giving advice about important steps in a forensic investigation, for example legal considerations and steps from an analyst standpoint like securing volatile data, calculating hashes of files, etcetera.

Like I already said before, it's been over 4 years since I have done anything with forensics. Autopsy didn't have ext4 support at that time. Hardware and software improved. So I'm asking around on a forum about what software/hardware is good and why. Why do I ask total strangers? Why not? Should I ask the companies that make these products? They all say they have the best product. Why are you on this forum? Not to learn something from each other? Or share knowledge? Just because somebody said product X is good, it doesn't mean I'm automatically going to take their word for it. I was just hoping for examples of products people use, why these, and for what purpose. I know the knowledge of the analyst is the most important thing in the field of forensics and monitoring in security operations centers, and not the tools used.

Topic starter Posted : 18/12/2014 6:10 am
 Anonymous

Hmmm, why not IDS and SIA? ?

SIEM and IDS are just two examples of what is used in the SOC; there are more systems.
The blog you quoted talks a lot about intrusion prevention. Data breach was just an example; it can be all sorts of investigations. Of course when something big happens you use all the tools and logging you have. Also, you can have all the systems you like for prevention, but it can be an investigation on an employee as well. Things like fraud, or when he is sharing company data with other companies. So much security in place, but then an employee leaked a password because he got social engineered.

http://windowsir.blogspot.it/p/foss-tools.html

Nice list thank you

still what IMHO really matters is how much familiar and expert is the actual guy(s) with a given tool and with a given setup/system.

Agreed

I have the impression (possibly being completely wrong, as it often happens 😯 ) that you are tackling the requirement from the "wrong" side, not entirely unlike what happened here (related mainly to hardware and not to software)

Not sure what you are trying to say here. English is not my native tongue.

I'm focusing now purely on forensics performed on desktops with Windows, because that is what I have been asked. I know requirements will change depending on the sort of investigations that are wished for.

jaclaz

Topic starter Posted : 18/12/2014 6:45 am
jaclaz
(@jaclaz)
Community Legend

@r0b!n
What I (and MDCR) are trying to tell you is that the "relevance" in a successful digital investigation can be summed up (you will get different percentages from different people) in just three categories; a success is due to:

  1. between 75% and 95% to the experience and knowledge of the investigator
  2. between 4% and 20% to the software used (as in "this program is better than this other one")
  3. between 1% and 5% to the hardware used (as in "this PC with a zillion Tb of RAM, and a 256 bit processor running at 4 THz 😯 is better than this other one")

Of course using a computer with a fastish processor, lots of RAM and a given program targeted to the specific kind of investigation may well produce faster results, but that's all.

The "main" part remains the investigator, and once you hire one he/she will be the one that will choose the "right" hardware and the "right" program(s), and each investigator will have programs with which he/she is more familiar, that he/she "likes better", etc.

Allow me to doubt (with all due respect) that you (or your company) will be able to form/train a "capable enough" "security expert/digital investigator" starting from available resources/staff (even if already IT experts) in anything less than 6 to 12 months. What would you do in the meantime?
Hire an external consultant?
If yes, he is the one that should answer those questions.

Do nothing till the SOC is fully operative?
But how would you ever be able to know if it is fully operative and adequate to the requirements?

I mean (automotive comparison):
Q. Hi, I want to put together a race team for the 24h of Le Mans in the GTE Pro category
http://www.24h-lemans.com/
which car should I buy? I have a budget of 1,000,000 €.
A. Both Porsches and Ferraris are nice cars, and do not underestimate the Corvette, but who is going to be your Chief Engineer and who will be the driver(s)?
Q. No prob, I used to race with karts a few years ago and I worked one summer in a car repair workshop once, I only want to know which cars are better…

jaclaz

Posted : 18/12/2014 6:10 pm
 jhup
(@jhup)
Community Legend

To expand on the issue of tool selection by the persons not doing the analysis - your long term costs will be less if you allow the new forensicator to select the tool.

This is because that individual will most likely select something they are already familiar with at least, potentially reducing your training costs.

When I am called onto the carpet to explain my analysis, I am often questioned on my expertise and length of use of the tools used.

Posted : 18/12/2014 7:05 pm