I'm in a corporate environment and we're just starting a forensics program. I'm the point guy for the project and I know very little. I've done some research regarding hardware specs and I see that everyone recommends configuring a desktop to perform the analysis. Unfortunately, this is not an option for us. We absolutely have to have a very mobile box to perform the analysis in the field. I found one
Because we are in a corporate environment, mgt wants to know ASAP when something is found. They need to know whether or not they need to take action against a given employee to prevent them from doing anything malicious. We don't have the luxury of waiting a few days to catch flights back, perform analysis, report results, etc…
To be honest, acquisitions and analysis can be done easily in the field with a Dell Latitude and an external HDD. I don't know what software you're using, but tools like FTK Imager and ProDiscover IR work great, even writing to an external HDD. When I go on-site, I can get the laptop with installed software, the external drive, a couple of write-blockers, and all the stuff I need in the carry bag from Dell. Hostile, mobile, agile.
Harlan
Hi,
We do use laptops in forensic work but for a lot less money we could get a SFF base unit with a TFT that would be fairly portable and definitely a lot faster.
One of the challenges you may face anyway is a delay in proving whether something did or didn't take place. Of course you can preview the live contents of a drive using a number of tools very quickly, but if you start needing to recover files, search through registry keys, log entries and so on, you might find you want a bit more than a straight Pentium at 3.4 GHz.
Usually proving something isn't there takes a lot longer than finding what is there.
Steve
If you are basically really only doing live previews, then why spend the $$ on any system at all?
Investigate forensic Linux LiveCDs. There are three or four relatively good ones. Most are free; the one that I know of that isn't is still worth every nickel of the $175 price, especially if your main goal is previewing data.
You have a tremendous advantage: you can test several LiveCDs as to what works on your corporate equipment. You'll be able to pinpoint exactly what works best, and you'll eliminate "onsite testing". Buy a few nice sturdy FireWire/USB drive enclosures and you'll be all set. You can preview the data. Call the bigwigs, report what's there, and if they want the drive captured you can image it right to a hard drive you put in the drive enclosure. Fly back to your lab and analyze it in more detail there.
Though, from a potential litigation standpoint, you may be better off previewing the data; if the bigwigs want the drive imaged, then pull the drive and have IT replace it; fly back to your lab and image the drive there, then place the original in an evidence locker for safe-keeping. This will allow you to retain the actual original evidence. Your general counsel and his/her outside law firm of choice will thank you if the matter ends up in court.
Harlan - What you're talking about is what we had in mind. We generally know what we're going after and we want to get in, acquire the image, find the bad stuff, and submit a preliminary report to mgt.
Steve - You make a great point. Once we do our initial analysis in the field, we definitely will want to do a thorough scan once we get back to the office. Could you explain what SFF and TFT mean?
I guess the ultimate question would be - What would be the best all around solution for our needs? Would it be sufficient to get a Latitude with a 3.2 GHz processor, 4 GB of RAM, FireWire card, and an external HD? Would that not be sufficient for starting out?
I'll also take any suggestions regarding a good write blocker and the software you guys used. Regarding a write blocker, I've seen a couple of kits such as the UltraKit for around $1200. Is that more than we need? Regarding the software, we checked out EnCase (too expensive for what it does), FTK or UTK (looks good for the price), and we're currently checking out ProDiscover.
Thanks in advance for your help.
-Matt
Matt,
The hardware sounds good. I've used the Tableau write-blockers.
Regarding software, FTK Imager is great for general imaging and previewing/verification of the file system. If you're primarily expecting to deal with Windows systems, I don't really see why you can't go with just ProDiscover/IR, and include maybe Helix and dd in your toolkit.
Regarding "finding the bad stuff", it really depends on what you're looking for. I was recently speaking to a customer, and we discussed the fact that specific analysis is relatively easy to quantify (ie, locate a file, etc), whereas "find the bad stuff" can take considerable time and expense.
I've written several really useful ProScripts that I'm working on putting into an overall suite of tools... these can be used for analysis.
Harlan
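The field procedure described above (preview, then image straight to a drive in an external enclosure, and Harlan's suggestion of keeping dd in the toolkit) comes down to one step that has to be done right: copy the source block-for-block, then prove the copy matches. The script below is an added example and is not from any poster in this thread or from any of the tools named in it. It assumes GNU coreutils (`dd`, `sha256sum`) on a Linux LiveCD, that the source path points at a write-blocked device in real use, and that the image and its log land on the external evidence drive; all paths here are placeholders.

```bash
#!/bin/sh
# Added example (not from the thread): raw acquisition with dd plus hash
# verification and a minimal acquisition log. Assumes GNU coreutils.
# In the field SRC would be a write-blocked device (e.g. /dev/sdb); the
# sample in the usage comment uses an ordinary file instead.

# verify_image SRC IMAGE LOG
# Hashes source and image, appends both digests to LOG, returns 0 on match.
verify_image() {
    src="$1"; img="$2"; log="$3"

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)

    {
        echo "sha256(source): $src_hash"
        echo "sha256(image):  $img_hash"
    } >>"$log"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified: OK" >>"$log"
        return 0
    fi
    echo "verified: FAILED" >>"$log"
    return 1
}

# acquire_image SRC IMAGE LOG
# Copies SRC to IMAGE with dd and records what was done, then verifies.
acquire_image() {
    src="$1"; img="$2"; log="$3"

    {
        echo "date:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src ($(wc -c <"$src") bytes)"
        echo "image:  $img"
    } >>"$log"

    # noerror: keep reading past unreadable sectors instead of aborting.
    # sync:    pad a short/failed read with zeros so every later offset in
    #          the image still lines up with the original.
    # bs=512:  sync pads to the block size, so keep it at the sector size;
    #          a larger bs would silently zero-pad the tail of the image.
    # dd's own "records in/out" summary goes to the log via stderr.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || {
        echo "dd failed: $src -> $img" >>"$log"
        return 1
    }

    verify_image "$src" "$img" "$log"
}

# Usage (paths are placeholders):
#   acquire_image /dev/sdb /mnt/evidence/case001/sdb.dd /mnt/evidence/case001/sdb.log
```

The hash of the source is taken after imaging so that the two reads of the device bracket the copy; if the device is writable (no blocker, or the blocker failed) and something changes in between, the verification fails and the log says so, which is exactly what you want to find out in the field rather than back at the lab. A mismatch also flags a padded or truncated image. The two hashes and the dd record counts in the log are what you hand to counsel with the drive.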
Matt,
SFF = Small Form Factor
TFT = As in LCD monitors
Dietro makes a good point about Linux CDs. They can offer write blocking from both a boot and limited write blocking straight from within the OS and offer many useful network monitoring utilities. If you are familiar with Linux you will be able to use these CDs to do almost everything you need to do in an examination.
With regards to EnCase and FTK: I use both and find FTK better for text based investigations and EnCase better when I need to view large quantities of images. FTK is a fair bit cheaper.
Are you going to be looking at workstations or servers, or both? Will you need to look at Apple Macs too? Currently FTK can't handle reading the HFS+ filesystem but EnCase does pretty well. If you have to do Apple Macs maybe you can get an Intel based Mac and dual boot between Windows and OS X. I'm not sure about FTK but EnCase won't read older NFS file-systems on Novell servers.
If you are only going to preview a computer on the day and would then fully examine the imaged data over the next few days then I don't think you need to spend too much on the laptop or other portable computer. A higher end computer could be purchased to do this work.
As for write blockers, we pay about £150-300 per device in the UK, I would have thought the US would be cheaper.
Steve
> I guess the ultimate question would be - What would be the best all around solution for our needs? Would it be sufficient to get a Latitude with a 3.2 GHz processor, 4 GB of RAM, FireWire card, and an external HD? Would that not be sufficient for starting out?
That should be more than enough, but again, it may not be necessary for mobile acquisitions in your corporate environment. Sit down with IT and get a rough list of ALL the equipment deployed in your enterprise. If the bulk of what you'll be imaging will be desktops and laptops, then I'd reiterate my suggestion to look into Linux LiveCDs.
Here is a write-up from farmerdude about previewing data using his forensic boot CD (it is the one that costs $175).
> I'll also take any suggestions regarding a good write blocker and the software you guys used. Regarding a write blocker, I've seen a couple of kits such as the UltraKit for around $1200. Is that more than we need? Regarding the software, we checked out EnCase (too expensive for what it does), FTK or UTK (looks good for the price), and we're currently checking out ProDiscover.
The Ultrakit may be more than you need for 99% of what you will be doing, but for that 1%, you'll be prepared. 😉 Here again, getting a solid inventory of what devices you have in use across the enterprise will be of huge benefit in determining what type of write-blocking you need to have on hand.
As far as tools, UTK is a tremendous tool. EnCase does offer a few more features, but UTK will get you through most all analyses.
Something to consider here though is, while EnCase is more costly, if you do end up using a Linux LiveCD for your desktop and laptop acquisitions, then you won't be dropping $$ for a mobile acquisition machine, and then the price for EnCase and UTK is more manageable. And if you can get both, then do it. You'll want to validate your findings in one tool with the other. Plus, you'll then have access to all UTK's unique features and all of EnCase's unique features.