What would you (collectively) recommend as a minimal set of equipment (hardware and software) to do forensics work.
I'll start the discussion with:
You need to image drives in the field, so either a hardware drive imager or a laptop with a write-blocker widget that plugs into the laptop's firewire or USB 2.0 port. And an external firewire or USB 2.0 drive to store the image.
A good place to buy lots of hard drives 🙂 (NewEgg?)
You need to analyse the data back at your office, so a system with a lot of RAM and a fast CPU that can read the image drive. Running Windows for software like EnCase or Linux for software like the Sleuth Kit.
If you will be preparing documents for court then you'll probably need software to convert lots of data formats to PDF and a PDF redaction program like Redax.
What type of budget you got?
> What type of budget you got?
Minimal.
That's why I didn't list a FRED portable or something like that.
Software: I would buy Encase (forensic edition) $2500
It's nice to have a standalone email analysis program, there are several, I like paraben's email examiner or FTK. Export the email files out with Encase and use your standalone utility on it. Email examiner is $200, FTK about $800.
If you're looking at cases involving peer-to-peer, kazaalyzer from Sanderson Forensics is a good utility, $100.
Netanalysis is great for cases involving internet use, available from paraben $165.
Quickview Plus is an essential viewer, about $30.
I don't think producing pdf reports is a must, but you will need MS Word. Buy it off ebay with the Microsoft Works pack for about $50.
You will probably buy various other viewers, etc. over time, but these are what I use primarily.
Writeblockers: I would get an IDE write blocker (firewire) with an adapter for 2.5" (laptop drives). About $200 from Digital Intelligence. You can get SATA and SCSI blockers as well, but in my experience 90% or better of acquisitions are still IDE. Put the others off until you need them. Use either a network acquisition, or attach them to a desktop unit locally via either onboard SATA, or a SCSI card, and acquire them with Encase in DOS.
Forensic PC: Try to get by with one computer for both acquisition and analysis. The savings over buying two will cover your Encase license. This means some type of portable, either a high end laptop (make sure it has onboard firewire, the firewire PCMCIA cards are way slower) or a luggable. I lean away from the laptops just because they are more expensive to upgrade (usually you just replace them), and you end up carrying so much junk with you anyway that it hardly makes a difference. It's also nice to have a machine with an onboard storage drive. It's powered by the system, so one less power supply (you'll need one for your laptop, your write blocker, and your external storage drive).
Good luck, I hope this helped.
I just noticed you mentioned the self contained drive imagers. I'm not a big fan of these. They are costly, and don't allow you to verify to make sure you have a good image in the field. I prefer to verify an image and open it to make sure all is ok before I leave the scene. In certain circumstances I may even make a copy of the evidence files before I leave. You often cannot reacquire the data if something goes wrong, and it also leaves a bad impression if you ask to.
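The field acquisition and on-scene verification described in the first post and the one above, as an added shell example that is not code from the thread: it assumes POSIX sh with dd, sha256sum, cut, head and mktemp; in real use SRC would be the device node behind the write-blocker, while demo_run builds a constructed file to stand in for it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes POSIX sh plus dd, sha256sum,
# cut, head and mktemp. SRC is normally the write-blocked device node
# (e.g. /dev/sdb, a placeholder); demo_run uses a constructed file instead.

# acquire_image SRC DST: bit-for-bit copy SRC to DST, hash both, record the
# hash next to the image, and return 0 only if the two hashes match.
# No conv=sync here: padding the final partial block would change the hash.
acquire_image() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=1048576 2>/dev/null || return 2
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf '%s  %s\n' "$src_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# verify_image IMG: re-hash IMG and compare with the recorded hash. Run it
# before leaving the scene and again when the image is opened at the office.
verify_image() {
    img=$1
    expected=$(cut -d' ' -f1 "$img.sha256" 2>/dev/null)
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# demo_run: constructed 3,001,000-byte "drive" (not a multiple of bs, so the
# last partial block is exercised). Returns 0 when acquire and verify pass
# and a deliberately modified copy of the image is rejected.
demo_run() {
    work=$(mktemp -d) || return 3
    yes 'constructed sample sector' | head -c 3001000 > "$work/src.bin"
    acquire_image "$work/src.bin" "$work/evidence.dd" || return 1
    verify_image "$work/evidence.dd" || return 1
    cp "$work/evidence.dd" "$work/tampered.dd"
    cp "$work/evidence.dd.sha256" "$work/tampered.dd.sha256"
    printf 'x' >> "$work/tampered.dd"
    if verify_image "$work/tampered.dd"; then return 1; fi
    rm -rf "$work"
    return 0
}
```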
I'm curious, you recommend EnCase for general forensic analysis and FTK in addition for email analysis. Access Data promotes FTK as a full forensic solution. Do you feel EnCase is so much better that it is worth $2500 more even if you are already planning on buying FTK?
No, Encase is not that much better, it is just more widely used for now. In March or so when FTK 2.0 comes out with RAID support and more updated features you will start to see more people using FTK.
One thing that I know that I like FTK over Encase for is the indexing and real time searches. Also you have the ability to make a very nice report and export it to a CD, with the files that you need i.e. email-attachment, .doc, html, etc.
Turtle,
an earlier post from you said that you "will be doing forensic analysis of breakins which you have the skills for."
I was wondering what forensic training that you have gone through.
Greg,
I disagree with the one computer for acquisition and analysis idea. That is fine if you only have one drive or one case. Sure, you could add multiple files to your case, but if you happened to get another case in, you have to shut down to image and can't work both.
Go to pricewatch and get a cheap bare bones pc for $200 just in case you need it. If your client calls and says come now and image this and you are right in the middle of verifying or acquiring something else, someone is not going to be pleased.
Encase is far and away the leading forensic utility. That fact alone may place you in better stead with clients (as an Encase user) as the market becomes more educated on what "best practices" in computer forensics are. Encase has a strong track record in courts all over the country. Encase is not perfect, certainly isn't the cheapest, and doesn't do it all but I firmly believe it's the best thing going right now.
There is a significant learning curve involved in becoming proficient with a forensic utility. You can see from my signature line which way I chose to go. If I'm going to invest the time and money to learn the software, I want to go with the best. Don't buy any software package unless you can devote some time and money to learning how to use it. It's not enough to know what it does, you need to know how it does it. For instance, I know I can, via a couple of mouse clicks, recover folders from unallocated space and rebuild the file structure of those deleted files. But I run the risk of looking like anything but an expert in court if I can't explain how Encase does it. If you are planning on purchasing FTK anyway, go ahead and try it out. Just remember that the $800 or so you spend on FTK doesn't allow you to view the registry, you have to buy a separate module for that. I feel like with Encase I find more and miss less than I would another way.
But to answer your question directly, I would not buy FTK and Encase both, at least not initially. If Encase won't view it, as in the case of AOL emails, I just use the copy over procedure. It works very well, just not as streamlined as "view file structure".
Armresl:
I don't understand what you mean here:
> I disagree with the one computer for acquisition and analysis idea. That is fine if you only have one drive or one case. Sure you could add multiple files to your case but if you happened to get another case in you have to shut down to image and can't work both.
If I'm in the middle of a case and need to leave right away I just save it, swap in a fresh storage drive, and go. If it's such an emergency that I can't wait 20 min for a verification or keyword search to finish then I'll be billing enough to make up for the inconvenience of having to restart it later.
Encase ver 4 is set up to allow you to work multiple cases simultaneously, running keyword searches, signature and hash analysis across several cases at once. If you want to do this on multiple computers, either with Encase or FTK you'll need multiple dongles (licenses). Certainly feasible, but not on a minimalist budget.
If I bought a $200.00 barebones and the above situation arises the only thing I can do with it is take it with me, as I certainly won't be using it on a day to day basis for examinations. Certainly, as business picks up buy more computers, there's always room for one more after all. In the beginning training is of more value than hardware, get by with what you must, devote the rest to training.
> One thing that I know that I like FTK over Encase for is the indexing and real time searches.
I agree that indexing is a great feature of FTK.
armresl,
> I was wondering what forensic training that you have gone through.
No formal forensic training. I have a Bachelor's in Computer Science and I've been doing Unix security programming and system administration for over 16 years. For example, I designed NEC's network security processor (something like a firewall for a circuit switched network). For several years now I've been doing security analysis (network probes) and reconstructing servers after hackers or trojans take over (root-kits). So I have a very good knowledge of system security from that point of view. Lately more and more clients have been asking me to do examinations that border on "forensic", for example business owners in disputes having me recover "the second set of books" from deleted file space. I am finding this area fascinating and am going to pursue more training and experience in this area.
Hence, my joining this board and putting together a set of forensic tools.
It looks like it would be best to pick a software suite and stick with it, learning it very well. My natural inclination, being very experienced in Unix, is to use the Unix tools such as 'Vital Data's FoRK', Knoppix-STD, Autopsy, SleuthKit. However I suspect those tools are not as useful as EnCase or FTK. I also suspect using Unix tools instead of the #1 or #2 software suite would open me up to more intense scrutiny when it's time to testify in court as to my findings.
That is part of what I am trying to find out.