Well, it's way past time for me to upgrade and I am looking at the possibility of building a machine as opposed to buying one (such as the FRED-style machines). Building the machine and making it operational will not be a problem for me, but I do have concerns about several things.
1. A Forensically Friendly BIOS. What exactly does that mean? Is this a custom made BIOS? I have tested multiple machines (laptops and desktops from known vendors and homebuilt) using write blockers and I have yet to have a problem validating images created this way. Is this an important feature? Is this something that can be an issue in court?
2. Should I look at a multiprocessor setup or not? I have seen a few of these setups and I am not sure if it is worth it. Most applications have to be optimized for this setup and I am not sure if EnCase, ILook, or FTK are. For that matter, when I use Penguin Sleuth or another Linux variant, they seem to be extremely fast even on older systems.
3. Where should I stop? When I look at everything that is available on preconfigured machines versus what I see on a day-to-day basis, I truly wonder how far I need to go. I will still have an older FRED that I can use when I come across SCSI drives or Zip disks, but should I include these options on a new machine when, in reality, most of what I deal with is IDE, floppy, CD, or the occasional USB/flash-card style media? I still haven't had to deal with a SATA drive yet and I am not sure what I will do when I do (this is mainly because I don't have a write blocker for SATA yet. I realize that I can mount a SATA drive read-only in Linux and image it that way, but I trust my write blockers and they are much more forgiving of mistakes).
4. If you have built your own machine, have you had any problems with hardware or other issues that I should be concerned about? For that matter, is there anyone who advocates certain hardware as being excellent for this kind of machine?
I appreciate any help and if anybody else has other concerns that I should consider, please post those too.
Matt
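Matt's point 3 above mentions mounting a drive read-only under Linux and imaging it as a fallback for a hardware write blocker, and point 1 asks about validating images. The script below is an added example (not something posted in this thread) showing that workflow: flag the device read-only in the kernel, mount without journal replay, image with dd, and record source and image hashes so the image can be validated later. The device names and mount points are assumptions; only the file-based demo at the bottom actually runs, against a constructed 1 MiB sample standing in for a drive.

```shell
#!/bin/sh
# Added example, not from the original thread: software write-blocking and
# hash-verified imaging on Linux. Device names, mount points and paths are
# assumptions; only the file-based demo at the bottom is executed here.
set -eu

# Flag a block device read-only in the kernel before anything opens it.
# Needs root and a real device (e.g. /dev/sdb); shown for reference only.
software_write_block() {
    blockdev --setro "$1"
    [ "$(blockdev --getro "$1")" = "1" ]
}

# A plain "-o ro" mount of ext3/ext4 can still write to the disk while it
# replays the journal; "noload" skips that replay. Reference only.
mount_ro_noload() {
    mount -o ro,noload "$1" "$2"
}

hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Image src to dst with dd and write a hash record next to the image.
# Returns 0 only if the source hash before imaging, the source hash after
# imaging (proof the source was not touched) and the image hash all agree.
# Caveat: conv=sync pads a short final block with zeros, so a source whose
# size is not a multiple of bs will not hash the same as its image; the demo
# source is 1 MiB, a multiple of the 4096-byte block size used here.
image_and_verify() {
    src="$1"; dst="$2"
    before=$(hash_file "$src")
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync status=none
    after=$(hash_file "$src")
    image=$(hash_file "$dst")
    printf 'source-before %s\nsource-after  %s\nimage         %s\n' \
        "$before" "$after" "$image" > "$dst.sha256"
    [ "$before" = "$after" ] && [ "$after" = "$image" ]
}

# Constructed sample input: 1 MiB of random bytes standing in for a drive.
make_sample_source() {
    head -c 1048576 /dev/urandom > "$1"
}

# Demo run on the constructed sample.
work=$(mktemp -d)
make_sample_source "$work/evidence.raw"
if image_and_verify "$work/evidence.raw" "$work/evidence.dd"; then
    echo "image verified:"
    cat "$work/evidence.dd.sha256"
else
    echo "HASH MISMATCH for $work/evidence.dd"
fi
```

The hash record is the piece that matters in court: re-hashing the image at any later date and matching it against the recorded value shows the copy is unchanged, and the before/after source hashes show the imaging step itself wrote nothing to the original.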
Matt,
I'm going to give someone else the opportunity to reply to your post's content first but just wanted to welcome you to Forensic Focus. This should be an interesting thread!
Jamie
Come on people, you are reading the post, at least fill in the poll. 😀
Matt
Up to this point in time, I have used a "Name Brand" Computer as the base computer of my setup with hardware blocking items, etc added in as necessary.
It seems to serve its purpose and has stood up in court.
OK, I'm dodging the more detailed questions (for the time being) but my strategy in the past has usually been to build my own where time allows, buy off the shelf (e.g. Dell) and adapt when it doesn't. The forensic machines built by various companies are great but it's not always possible to justify the expenditure, especially if the vast majority of your cases are similar in nature. Of course, if money was no object, I'd buy one. Then again, if money was no object I'd be writing this from my yacht off St-Tropez.
Unfortunately for both myself and forensic hardware vendors, I'm not 🙂
Jamie
This does raise some very interesting issues.
1. Forensics-Friendly BIOS - what are the features that make a BIOS forensics-friendly or unfriendly? Any ideas? What does come to mind is the Gigabyte mobo with a dual BIOS to prevent the BIOS getting accidentally flashed by viruses like CIH or by other programs. Any ideas/info from all you gurus would be welcome.
2. Dual Processors - These come in handy for brute-forcing passwords, but your software needs to be optimised to take advantage of all the horsepower - so if you are not heavily into password recovery then a single processor might be useful.
3. SCSI - Can be very useful - there are plenty of inexpensive options available today and maybe you can get one when you need one.
So if your needs are pretty well defined, you don't really need to go in for a high-end FRED or equivalent.
HTH
Samir
Thanks for the reply. I am definitely leaning toward building my own box at this point. I want to put as many bells and whistles on it as possible, because I do run across the unusual occasionally and I would rather have it than need it and try to get it purchased while waiting to do the work.
Anyone have opinions on processor type? I have always been an AMD guy, basically because I think it gives the most bang for the buck. I read on another forum that AMDs are faster for imaging with compression set high, but I haven't heard much more than that. I really think that it won't matter much whether it's an AMD or Intel; my main plan is to feed it as much RAM as possible, at this point I am looking at 4 GB.
Lastly, I am looking for a multi card reader with hardware write blocking capabilities. I found this:
I was wondering if anyone else has seen other products. How about write blocking for thumb drives? I have three thumb drives now; two have a switch to lock them as read-only, but one does not. Are there any products out there that you can plug a USB drive into and activate a write blocker?
Thanks
Matt
Sorry for my ignorance, I'm new on the subject…
What does a forensic machine need? Does it need special hardware?
Thanks,
Marc
Hi Marc
A forensic PC is a PC which is customised towards the forensic investigator's needs.
Essentially it consists of best-of-breed components, loads of processing power and RAM, as well as specialised hardware like write blockers, dual BIOSes, redundant power supplies, extra cooling, removable bays and lots of other bells and whistles.
You may want to visit
Hope this helps
Regards
Samir
Imagine the best gaming machine (the most RAM & fastest processor – you can cram in), with as many ports (USB, Firewire, SD) and removable bays, etc as possible.
Most commercial forensic tools are extremely processor and RAM hungry, so a fast machine is a must; also you might want to use something like VMware during an investigation, and again this software can take up memory and processor resources.
A large storage capacity: imaging a machine and commencing the investigation, again depending on which tools you use, will normally result in a lot of extracted files.
And it depends on what type of work you are doing, i.e. work for defence or prosecution. If you are doing defence work, you might need something more portable, as most law enforcement agencies will resist you removing evidence from their custody (especially in paedophile cases). Some will allow you to use their facilities and machines, but if you use something more exotic to do forensic work, you might have to take it with you.
I would rather commission a company to custom build me a machine. I've built and repaired them in the past and can tell you (and I'm sure anyone who's also done this will agree) that if you are not building them all the time (i.e. as a profession), then you will not be up to speed on all the latest component parts and their compatibility. It's a real pain trying to get some peripherals to work if there are conflicts, and if your main line of work is forensics then you will not want to be tied up with hardware problems.
Andy