Q I would like to know whether everyone is validating their forensic computer and cell phone equipment. Does anyone have a good whitepaper regarding the validation of computer forensics equipment?
Yes – in situations where the hardware is an unknown entity. This typically happens in fieldwork, when the target system is used for the acquisition. Before an acquisition is done, there should at least be some basic test to establish 'does this computer work as it should?'. If there are basic diagnostic tests in the BIOS (often disabled), I turn them on and start the system without any drives connected. At the very least I try to get one pass of memtest86+ run – if memory is faulty, some acquisition software will go haywire without apparent reason.
I also try to disconnect devices that are not necessary – though I suspect I'll need to get a multimeter to verify that the power unit isn't overloaded on systems where that is not possible. Simple drive tests before each drive is acquired. For network acquisition, also basic tests of the network interface. And if the acquisition software requires a particular platform (such as Linux), the OS platform needs to be checked out – I generally take a copy of the dmesg file to see if there is any hardware that causes driver errors or warnings, and a similar copy of the appropriate syslog file *after* the job is (or seems to be) done to ensure there were no surprises during acquisition.
(Some reading of the syslog.conf file may be necessary – you generally don't want the logs to be sent to an inaccessible logserver somewhere…)
Don't work with cell phones … so far at least.
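The dmesg / syslog part of the checklist in the answer above, scripted as an added example (this is not code from the original post or its author). It checks a Linux acquisition platform three ways: counts dmesg lines that look like driver errors or warnings, tests whether a syslog.conf-style file forwards logs to a remote logserver (the `@host` / `@@host` syntax), and reports lines that appeared in syslog between a "before" and an "after" snapshot of the job. The dmesg output, the two syslog.conf variants and the two syslog snapshots are constructed sample data written to a temporary directory so the script runs offline; the problem-pattern regex and the file names are assumptions, and memtest86+ and the BIOS diagnostics are not covered because they run outside the OS.

```shell
#!/bin/sh
# Added example, not from the original post: pre/post-acquisition checks of a
# Linux acquisition platform. All input below is constructed sample data.

tmp=$(mktemp -d)

# Constructed dmesg excerpt: sda is fine, the ata2/sdb disk is not, and the
# NIC driver reset itself.
cat > "$tmp/dmesg.txt" <<'EOF'
[    0.000000] Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org)
[    2.123456] sd 0:0:0:0: [sda] Attached SCSI disk
[   12.345678] ata2.00: failed command: READ DMA
[   12.345679] ata2.00: status: { DRDY ERR }
[   12.345680] sd 1:0:0:0: [sdb] Unhandled sense code
[   15.000000] e1000e 0000:00:19.0: eth0: Reset adapter unexpectedly
EOF

# Constructed syslog.conf variants: local-only, and one that ships kern.* off-box.
cat > "$tmp/syslog-local.conf" <<'EOF'
# local logging only
*.info;mail.none;authpriv.none    /var/log/messages
kern.*                            /var/log/kern.log
*.emerg                           *
EOF
cat > "$tmp/syslog-remote.conf" <<'EOF'
*.info;mail.none;authpriv.none    /var/log/messages
kern.*                            @logserver.example.org
EOF

# Constructed syslog snapshots taken before and after acquiring /dev/sdc.
cat > "$tmp/syslog-before.log" <<'EOF'
Mar  3 10:00:01 lab kernel: [ 100.000000] usb 1-1: new high-speed USB device number 4 using ehci_hcd
Mar  3 10:00:05 lab kernel: [ 104.000000] sd 2:0:0:0: [sdc] Attached SCSI disk
EOF
{ cat "$tmp/syslog-before.log"; cat <<'EOF'
Mar  3 10:40:12 lab kernel: [2515.000000] sd 2:0:0:0: [sdc] Unhandled sense code
Mar  3 10:40:12 lab kernel: [2515.000001] end_request: I/O error, dev sdc, sector 1952768
Mar  3 11:05:00 lab kernel: [3999.000000] sd 2:0:0:0: [sdc] Synchronizing SCSI cache
EOF
} > "$tmp/syslog-after.log"

# Assumed pattern for kernel/driver trouble worth reading before trusting the box.
PROBLEM_RE='error|warn|fail|timeout|reset|unhandled'

# Number of dmesg lines ($1) that look like driver errors or warnings.
count_dmesg_problems() {
    grep -Eic "$PROBLEM_RE" "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# True if any non-comment selector line in $1 forwards to a remote host
# (@host = UDP, @@host = TCP in syslog/rsyslog configuration).
forwards_logs_remotely() {
    grep -Eq '^[^#]*[[:space:]]@@?[A-Za-z0-9]' "$1"
}

# Lines present in the "after" syslog ($2) but not in the "before" one ($1),
# filtered for trouble. Whole-line fixed-string matching, so it does not depend
# on line counts; if the log was rotated during the job, append the rotated
# file to $2 first.
new_log_problems() {
    grep -Fvxf "$1" "$2" | grep -Ei "$PROBLEM_RE" || true
}

# Stand-alone report.
printf 'dmesg problem lines: %s\n' "$(count_dmesg_problems "$tmp/dmesg.txt")"
if forwards_logs_remotely "$tmp/syslog-remote.conf"; then
    echo 'syslog-remote.conf: logs are forwarded to a remote logserver; keep a local copy too'
fi
echo 'new problem lines during acquisition:'
new_log_problems "$tmp/syslog-before.log" "$tmp/syslog-after.log"
```

On a real platform the constructed files are replaced by `dmesg > dmesg.txt` before the job, a copy of the appropriate syslog file before and after it, and `/etc/syslog.conf` (or `/etc/rsyslog.conf` plus `/etc/rsyslog.d/*` on rsyslog systems). The before/after comparison is only as good as the snapshots: take them on the platform itself, not from a logserver you may not be able to reach afterwards.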
The joy of this is you can sometimes procure new toys. Need to test some acquisitions on an iPad2? Boss - we need to buy an iPad2 for the lab to test with the gear! )
Check the NIST site for validation papers.
Nice Douglasbrush… nice