Storage... While I would love to sell you a nice big NAS... I often wonder, for basic LEO, why this is needed. We all know that 99% of the cases plea out. Why have all these cases in "ready reserve" on a NAS? Once you have your docs, spreadsheets and pictures, why not archive the case, getting it out of your life? For the odd case, take it out of archive and reload it.
Agreed. Or, you can just buy new hard disks as needed and keep the old ones on hand with the image files and case data. Plus the speed of working from a local disk vs. network storage is a consideration too.
Thanks, you have all given me a lot to think about.
Since this is a new initiative for my agency, I will be the only one involved up front, but I foresee the operation increasing as time progresses and the value is realized. I am leaning strongly toward using FTK along with some open source tools. I’ve heard many good things about X-Ways, but why would I need both? Don’t they basically perform the same tasks? My primary focus is on white collar crime, but since I work for a state-level law enforcement agency, plain-view material is fair game. I don’t have an immediate need for skin tone filters and ICAC-specific material, so I need to take this into consideration when looking at analytical software packages. Which do you think would serve my agency best?
Actually, I like the idea of using a NAS for many reasons. First of all, a NAS allows me to have an archived version of a project that can be readily accessed without storing numerous HDs in our evidence room. Since my agency also has civil litigation authority, there may be times when we will need these images years down the road. In the event of an image request, I could easily reproduce the data without involving a long-term chain of custody trail. This will also allow me to better utilize my resources by zeroizing my working images after an investigation is concluded. Of course, these are all things I need to consider during this phase of my project. I am certain I will be grappling with this subject until I develop the final solution.
Thanks again! Please keep the comments coming; I appreciate everyone’s input.
SA Dave Trudel
There are invariably things that one tool does a better job of than another. As one example, unless I missed a development somewhere, FTK is not able to search unallocated clusters for Outlook Compressible Encryption. EnCase does, but it's a MAMMOTH pain to try to do anything with the results. XWF handles the search with ease and gives good clean output of the results. Given the frequent importance of email in today's investigations and the popularity of Outlook, this is a pretty dang big deal. As you work with these tools, you'll continue to find that certain tools handle certain tasks well and certain tasks not so well.
Cross-validation is also very important. When opposing counsel says, "Sir, were you aware of bug XYZ in the software you used, a flaw that may make its output unreliable?", you can say, "Yes, but since I verified my results in a second tool, I have complete confidence that the bug did not affect my results in any way."
BTW, I spent most of my life in MS. Always happy to help any fellow forensicator, doubly so one from the Magnolia state, so feel free to PM me anytime.
Dave,
Just a quick FYI that there have been a few replies to your request over at the
Hope that helps.
Jamie
PS I'm not sure if anyone has already mentioned the book "Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility" by Jones and Valli, but I found it a worthwhile read when it first came out.