
Forensic Lab Design

 Nash
(@nash)
Posts: 9
Active Member
Topic starter
 

Hey,

We are in the process of designing a new digital forensic lab. Our solution is going to be somewhat similar to "Dell's Digital Forensic Solution":

http://www.euro.dell.com/content/topics/topic.aspx/emea/corporate/pressoffice/2009/uk/en/2009_07_07_brk_000?c=uk&l=en

However, we want to use Sun Ray Servers with Thin Clients in our lab. The main reason to use Thin Clients instead of the traditional forensic workstations is to prevent unauthorized data leakage. We want all evidence to be stored in the data center. Further, all forensic applications should also run in our data center. The analysts will be given access to the applications they require during a case.

What I want to know is whether anybody has ever used thin clients in a forensic laboratory. What are the pros and cons of this solution when compared to the traditional approach of giving all analysts a powerful forensic workstation? What kind of problems can we face if we go for the thin client solution?

thank you
nash

 
Posted : 28/05/2010 10:26 am
(@mindsmith)
Posts: 174
Estimable Member
 

Nash, the simplest scenario would be using Sun with VMware ESX server, and thin clients or even MS Remote Desktop connections are viable and work well; I know of some labs that do that. Also, using VMware allows you to revert to a baseline snapshot if your lab insists on re-imaging workstations after each case (based on your standards).

I am pretty sure that the Dell Storage solution they offer is actually OEM'ed EMC hardware - fyi.

Some pointers/assumptions:

1. Making sure that your imaging process is sound & that images are uploaded to the SAN and also to a second media (for backup/long term retention).
2. Image is loaded onto the SAN, analyst receives the case and processes it, extracted evidence files are stored onto the SAN, and after review, these can then be burned onto encrypted DVD for issuing to your Investigators/Prosecutors/Special courts.
The SAN is backed up to a Virtual Tape Library.

Perhaps each analyst can run 2 VMs each on the same case running diff tools or checks?

There is no need to 'wipe' the target media (SAN) using the above, so all in all, I think it makes for an efficient & time-saving way to process cases as long as your server has HA factored in and you've catered for redundant storage as well.

Good luck.

 
Posted : 28/05/2010 4:52 pm
 Nash
(@nash)
Posts: 9
Active Member
Topic starter
 

Thanks for the reply.

Do you know how the licensing of EnCase and FTK works for the Sun Ray server having VMware ESX? For three investigators, do we need three different dongles, or is there a separate license for the software that runs on the server?

 
Posted : 17/06/2010 11:53 am
(@bithead)
Posts: 1206
Noble Member
 

> Thanks for the reply.
>
> Do you know how the licensing of EnCase and FTK works for the Sun Ray server having VMware ESX? For three investigators, do we need three different dongles, or is there a separate license for the software that runs on the server?

You will probably want to go with AccessData Lab to take full advantage of that environment.

 
Posted : 17/06/2010 5:38 pm
 Nash
(@nash)
Posts: 9
Active Member
Topic starter
 

>> Thanks for the reply.
>>
>> Do you know how the licensing of EnCase and FTK works for the Sun Ray server having VMware ESX? For three investigators, do we need three different dongles, or is there a separate license for the software that runs on the server?
>
> You will probably want to go with AccessData Lab to take full advantage of that environment.

FTK 3 costs around 3.5 K per license. How much more does the AccessData Lab cost?

 
Posted : 18/06/2010 12:10 pm