Hi all,
I'm in the process of putting together a forensic worksation ( my laptop just doesn't cut it) and was wondering about Internet connectivity.
Is it typical to have your main workstation not connected and thus safer from malware etc…and use a seconday machine for research and the likes?
Thanks,
Andrew-
That's the setup I have, for those exact same reasons. However at times I feel it is a little restrictive, especially if you have some urls you want to check out and copying and pasting is easier than typing it out on another machine….
Andy
Thanks Andy…That's the main reason I asked. I does seem a bit of a pain when your looking at a parsed index.dat file for example and wanting to view a few of the links….
Andrew-
Hi guys,
Where I am we have special PCs designated for public internet access. Or we use laptops we each have.
We keep separate machines because of security concerns for our network (with HD images etc) more than for public safety. There is, of course, the risk of contaminating evidence.
In your situation, I would use the laptop for internet, your forensics machine for forensics. Surely you can have them both turned on at the same time. A little bit of a pain, but you are far less likely to contaminate evidence. And never have to worry about intrusion.
Evan Read.
I have one workstation that is never connected to the internet. Updates are downloaded on a thumb drive and installed that way. Most of the time I am under various court orders to not have the examination machine on the internet, network, etc at anytime.
Andrew,
I agree with the machine not being on the internet while doing investigations, obviously the contamination of evidence is the main concern.
Think of it from another point where if you were examining a machine where there were cached HTML pages/images etc. what would happen if you opened up those items while connected to the internet, you would intern be going out to the page etc. and updating it with what is current.
Just a thought -)
On my main workstation I have 2 machines connected via a keyboard/mouse/screen switch connected to 2 monitors. I can switch with a key stroke between the forensic machine and an internet connected machine. The Internet machine just uses one screen leaving the forensic machine on the other monitor so I can copy down URL's etc. Obviously you cant copy and paste or click a link but it works for me.
Nick
Much appreciated. Thanks for the responses.
Andrew-
ipconfig /release )
i do the same as above, i disconnect when i am looking at evidence and i never leave the machine connected over night or anything as such if there is anything on the box which could potentially be moved/removed.
Much appreciated. Thanks for the responses.
Andrew-