Hi There
Well, my organization is planning to set up a digital forensic lab on their new campus, and I have been assigned to write a proposal to get approval from top management for this project. For now I have no idea how to start. Basically we are in the education sector and would like to set up the lab to conduct training. If any company would like to come forward and send me a proposal with the costing and the proper layout required, it would be great. Really looking forward to getting some guidance.
thanks roll
I am not an expert, but I can think of a couple of ways you can go.
First, it would depend upon your budget, lab size, and the number of (forensic) computers. Also, system staff.
If you are setting up a medium-size lab, I would have about 20 forensic workstations running Windows 7 with virtual machines running XP, Win98, and Linux (Ubuntu). Normally, forensic workstations are off the network, or have a minimal intranet connection.
Each machine would need some forensic tools. EnCase provides an academic license at a very reasonable price. Some other common tools like FTK and WinHex would be a must. Also, the Helix 3 Live CD. If network forensics is to be taught, tools like Nessus and Wireshark would be needed.
The forensic workstations do not have to be state-of-the-art PCs. They can be 3~5-year-old machines (with 40~80GB hard disks, 1GB RAM). FAT12 file systems would be relatively easy to start with for general file systems, so a floppy drive is needed.
You can install one machine with all the OSs and tools, then copy the image to the rest of the machines.
To work with images (taking and retrieving), you may need USB/eSATA external hard disks of 100GB+ size. It would be nice if you could have them for each forensic workstation. USB thumb drives of varying sizes (with FAT16, FAT32, NTFS) would be good to have to play around with disk images. And, of course, a printer attached to the network.
You would need write blockers for each machine.
Then, one decent Linux (Ubuntu) server working as a file server and for time-crunching jobs. This server may also hold the forensic workstation image, so the image can be easily pulled over the network.
Just my 2 cents.
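As an added illustration of the "taking and retrieving images" step in the post above (this is example code written for this page, not part of the original reply or of any tool it names), here is a small POSIX shell script that does what a first lab exercise on imaging usually does: copy a source device sector by sector with dd, record the source and image hashes in an acquisition log, and verify the image against that log afterwards. The source path, the `case001.dd`/`case001.log` naming convention and the planted "CONFIDENTIAL" string are assumptions made for the example; the 1440 KiB sample file is constructed data standing in for a floppy so the script runs without real media.

```shell
#!/bin/sh
# Added example for a forensics lab exercise: acquire a raw image with dd
# and verify it by hash. Assumes coreutils dd and sha256sum (Linux).
# The source is normally a device behind a hardware write blocker, as the
# post recommends; on Linux, `blockdev --setro /dev/sdX` is only a software
# fallback and is not used here. File names are illustrative assumptions.

# Constructed sample "evidence": a floppy-sized file (1440 KiB) with a
# recognisable string planted at sector 100 for a strings/grep exercise.
make_sample_source() {
    src="$1"
    dd if=/dev/zero of="$src" bs=1024 count=1440 2>/dev/null
    printf 'CONFIDENTIAL: sample evidence string\n' |
        dd of="$src" bs=512 seek=100 conv=notrunc 2>/dev/null
}

# Acquire: copy $1 to $2 in 512-byte sectors and write an acquisition log
# next to the image. conv=noerror keeps reading past bad sectors and
# conv=sync pads a short read so later offsets still line up with the
# source. Caveat: sync pads a plain file whose size is not a multiple of
# bs, so its hash would then differ; real devices are sector multiples.
acquire_image() {
    src="$1"; img="$2"; log="${img%.dd}.log"
    {
        echo "acquisition start: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
        dd if="$src" of="$img" bs=512 conv=noerror,sync 2>&1
        echo "source sha256: $(sha256sum "$src" | cut -d' ' -f1)"
        echo "image  sha256: $(sha256sum "$img" | cut -d' ' -f1)"
        echo "acquisition end:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$log"
}

# Verify: succeed only if the log shows source and image hashed the same
# at acquisition time AND the image still hashes to that value now, so a
# later modification of the image is caught as well as a bad copy.
verify_image() {
    img="$1"; log="${img%.dd}.log"
    recorded_src=$(sed -n 's/^source sha256: //p' "$log")
    recorded_img=$(sed -n 's/^image  sha256: //p' "$log")
    current_img=$(sha256sum "$img" | cut -d' ' -f1)
    if [ -n "$recorded_src" ] &&
       [ "$recorded_src" = "$recorded_img" ] &&
       [ "$recorded_img" = "$current_img" ]; then
        return 0
    fi
    return 1
}

# Demo run: build the sample, image it, verify, then show that altering a
# single byte of the image makes verification fail.
run_demo() {
    work=$(mktemp -d)
    make_sample_source "$work/floppy.raw"
    acquire_image "$work/floppy.raw" "$work/case001.dd"
    verify_image "$work/case001.dd" && echo "image verified OK"
    printf 'X' | dd of="$work/case001.dd" bs=1 seek=0 conv=notrunc 2>/dev/null
    verify_image "$work/case001.dd" || echo "tampered image detected"
    rm -rf "$work"
}
```

Source the file and call `run_demo` (or `acquire_image /dev/sdX /evidence/case001.dd` against real media behind a write blocker); the `.log` it writes is the artefact a student hands in with the image.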
While I'm not in full agreement with everything these authors recommend, there's still a lot of good material in Building a Digital Forensic Laboratory by Andy Jones and Craig Valli (pub. by Butterworth-Heinemann). Available through Amazon and others.
You would obviously adapt this information to your own organization's purposes, but IMHO it's a good starting point. Whether "teaching" or "doing" forensics, the lab should be as realistic as possible, and as your budget will allow.
As this is an educational facility, for training…why not just get a couple of boxes and run it completely off of free and open-source tools?
Anyone have any good references or material aimed more at the "justification" for forensic labs and associated costs?
As this is an educational facility, for training…why not just get a couple of boxes and run it completely off of free and open-source tools?
With respect, I disagree with this suggestion, which is no different from the notion that a college chemistry lab should be limited to jelly jars and candles instead of beakers, graduated cylinders and Bunsen burners, much less anything sophisticated like a spectrographic analyzer.
On the other hand, a lab that implements sophisticated tools such as Encase is not precluded from introducing students to open-source software - and would be better able to show students how and why one type of tool or the other might be chosen in a particular circumstance.
I think that, at the very least, the lab should implement SMART and Encase along with the open-source tools, and a phone/mobile device suite like Paraben's would be even better. Also, it should consist of networked workstations that can be configured to permit team projects to be conducted against server-based images. Personally, I would not consider taking instruction from a facility that only offered an exposure to open-source tools.
Anyone have any good references or material aimed more at the "justification" for forensic labs and associated costs?
Your question is too broad. Are you talking about the public side or the private side - and if private, how infrastructure-critical is the industry?
With respect, I disagree with this suggestion, which is no different from the notion that a college chemistry lab should be limited to jelly jars and candles instead of beakers, graduated cylinders and Bunsen burners, much less anything sophisticated like a spectrographic analyzer.
I understand your position, but I do not agree at all with your analogy. While some of the free and open-source tools do not have a flashy UI or use a dongle, many of them are far better tools for their specific task than what is included in commercial bundles. In fact, there are free tools that provide functionality not found in commercial applications at all.
The purpose of my suggestion was not to exclude the use of commercial suites, but instead to do two things:
- Get the lab up and running for minimal cost. Once it's set up and interest is shown, this increased interest can be used as justification for purchasing those commercial suites.
- Provide students with the "under the hood" basics so that they can then make informed decisions regarding the tools and commercial suites to use.
In the industry, the biggest shortcomings I've observed are an analyst's inability to think beyond the [insert name of commercial tool] UI. An inability to think critically, develop/follow an analysis plan, document analysis and then write a coherent report all overshadow many analysts' examination capabilities. I've seen too many analysts with multiple vendor-specific certifications simply bypass analysis of critical items, for no other reason than (apparently) the UI doesn't have an "Analyze This" button.
Knowing what's under the hood makes for a better-informed and -educated analyst. In many ways, the training provided with respect to commercial tools can blind the analyst to what's possible.
You: I'm not saying they can't use commercial tools as well as open-source.
Me: I'm not saying that they can't use open-source tools as well as commercial tools.
Looks like "Potayto, potahto" to me.
The analogy not only holds, but it's perfect. You teach people lab skills on the sort of real-world equipment they'll be using in their work, and survey shows…well, you know the answer to that one.
As for getting up and running cheaply, the OP clearly indicates that he is working for an institution that has a budget, indicates no need to get up and running either quickly or cheaply, and any institution can afford the educational pricing offered by most "commercial" products.
As for the "low-level folks are smarter" assertion, which is as tiresome as it is presumptuously elitist, I won't dignify that except to point out that I know lots of examiners who can't tell you any more about how their low-level tools work at the code level than some Encase examiners can tell you. I myself have sat in a number of sessions that explained all of the intricacies of the command line switches for dd, but not once did any instructor crack open that utility at the code level and I'd be mighty surprised if 5% of the folks who use dd on a daily basis have ever looked at the code.
Excellent suggestions, all!