I know this is a really, really broad question, but what's your computer forensics lab hardware setup? More specifically:
1. Hard drive: what type(s) and size?
2. RAM: what type and amount?
3. CPU: what chip and speed?
4. What peripherals do you use (external hard drive, DVD burners, etc.)?
I am just trying to collect ideas for a new system and I am curious to see what folks here use (and recommend as well!) 🙂
My Forensic Workstation =
A purpose-built machine, with the following:
1. CPU = Twin Xeon 3.40 GHz processors
2. 2 GB RAM
3. 75 GB 10,000 RPM HDD (for OS and tools)
4. 1 TB RAID (4 x 250 GB SATA drives) for file store
5. 1 GB NIC connection to 6 TB RAID remote store
6. Radeon X800 dual graphics card with two 17" Philips monitors (pushed together for 'big' EnCase GUI real estate)
7. DVD/RW/CD/RW Combo
8. Wireless mouse/keyboard
9. Running Windows XP Pro
10. Many ports for connectivity: USB 2, FireWire, etc.
My Internet Machine =
Some crappy old heap of junk that was forfeited from an old case, that I have 'cobbled' together, running SUSE Linux 9 Pro on a separate network.
Andy 8)
Andy,
If possible would you be able to briefly outline your imaging strategy? I know your survey looked at the way examiners are handling and storing image files and I'm sure there are many people here who would be interested in your thoughts on best practice.
Cheers,
Jamie
No probs Jamie, I was actually holding off publishing my MSc dissertation project (until I got the award at the end of April - not wanting to count chickens, etc., etc.). I will post it as a PDF when I am successful (if I am successful).
I kept the idea quite simple and in hindsight it's not that big a deal. I'm a little embarrassed at the thought of people waiting for the results…… :oops:
Our imaging strategy, like technology, has shifted and changed over time.
We originally implemented a network-based solution to the acquisition process, incorporating a Gbit copper network with a compatible switch. There were four forensic workstations on the network, all capable of imaging (equipped with FastBloc). We stored acquired images (acquired in EnCase) across the network on an attached 3 TB RAID (managed by a server running Windows 2000).
Investigations were conducted across the network on the EnCase evidence files stored remotely. We did not experience any noticeable lag (and that's with 4 investigators simultaneously acquiring and investigating), and timing differences compared to locally accessed EnCase files were negligible. Certainly not noticeable to the naked eye.
We quickly filled the RAID up, and sought an archiving solution – eventually opting for tape.
As time went by, hard disk drive capacities have increased – a lot.
Accessing much larger cases across the network (especially when reopening a saved EnCase Case file, with lots of mounted files, and bookmarks)
Recently we acquired 4 new forensic workstations, leaving the original 4 for acquisition only. The 4 new machines have an internal 1 TB RAID alongside the OS drive. We also increased the remote store to 6 TB, with better tape backup.
We still image to the remote RAID, but additionally use a program called SyncBack to copy the acquired EnCase files (we store them in 1500 MB chunks instead of the default 640 MB) to our local 1 TB store, and investigate locally. This makes the investigation process, i.e. scrolling in full gallery view, a little bit quicker, and text searches and scripts run faster too.
Acquiring with EnCase and FastBloc across the network (and locally) is much faster than Linux. I used HELIX and GRAB (the graphical dd front end) for my project, and conducted timings on several drives.
Best practice-wise (is that a real word? If not, I've just invented it) – imaging is identical to a locally based process. Network imaging in a Windows-based networking environment using FastBloc and EnCase is transparent. All that is required is the mapping of the network shared drives to deposit the image.
Andy
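Andy's workflow above stores a segmented image on the remote RAID and then copies the segments to a local store with SyncBack before examining them locally. The step a practitioner would want to bolt onto that is an integrity check of the copied set: hash every segment and the logical whole image once at acquisition, write that out as a manifest, and re-hash the local copy before opening the case. The script below is an added example written for this thread, not Andy's tooling and not part of EnCase or SyncBack; it works on a constructed raw image split into numbered segments (`case01.001`, `case01.002`, ...) with a tiny segment size so it runs in a moment, and uses SHA-256 for the manifest. EnCase evidence files carry their own per-block CRCs and an acquisition hash, so this check is about the copy step, not a substitute for EnCase's own verification.

```python
"""Hash-manifest verification for a segmented disk image set (added example)."""
import hashlib
import os
import shutil
import tempfile

# Demo segment size is tiny so the example runs instantly; a real set would use
# the 1500 MB chunk size mentioned in the post. Hypothetical constant names.
DEMO_SEGMENT_SIZE = 4096
READ_CHUNK = 1024 * 1024  # streaming read buffer for hashing


def split_image(data: bytes, segment_size: int) -> list[bytes]:
    """Split a raw image into fixed-size segments (the last one may be shorter)."""
    return [data[i:i + segment_size] for i in range(0, len(data), segment_size)]


def write_segments(dirpath: str, base: str, segments: list[bytes]) -> list[str]:
    """Write segments as base.001, base.002, ... and return their paths in order."""
    paths = []
    for n, seg in enumerate(segments, start=1):
        path = os.path.join(dirpath, f"{base}.{n:03d}")
        with open(path, "wb") as fh:
            fh.write(seg)
        paths.append(path)
    return paths


def segment_paths(dirpath: str, base: str) -> list[str]:
    """Return an image set's segments in acquisition order (.001, .002, ...)."""
    names = sorted(n for n in os.listdir(dirpath)
                   if n.startswith(base + ".") and n[len(base) + 1:].isdigit())
    return [os.path.join(dirpath, n) for n in names]


def build_manifest(paths: list[str]) -> dict:
    """Hash every segment and the logical whole image in a single streaming pass."""
    whole = hashlib.sha256()
    segments = {}
    for path in paths:
        seg_hash = hashlib.sha256()
        with open(path, "rb") as fh:
            while chunk := fh.read(READ_CHUNK):
                seg_hash.update(chunk)
                whole.update(chunk)   # segments are concatenated in name order
        segments[os.path.basename(path)] = seg_hash.hexdigest()
    return {"segments": segments, "image_sha256": whole.hexdigest()}


def verify_copy(manifest: dict, copy_paths: list[str]) -> tuple[bool, list[str]]:
    """Re-hash a copied set against the manifest; return (ok, offending segment names)."""
    copy = build_manifest(copy_paths)
    bad = set(manifest["segments"]) ^ set(copy["segments"])  # missing or extra files
    bad |= {n for n, h in copy["segments"].items()
            if n in manifest["segments"] and manifest["segments"][n] != h}
    ok = not bad and copy["image_sha256"] == manifest["image_sha256"]
    return ok, sorted(bad)


def run_demo() -> tuple[bool, bool, bool, list[str]]:
    """Constructed data: split, manifest, copy, verify; then corrupt one byte and verify again."""
    image = bytes(range(256)) * 40  # 10240 bytes -> segments of 4096, 4096, 2048
    with tempfile.TemporaryDirectory() as store, tempfile.TemporaryDirectory() as local:
        src = write_segments(store, "case01", split_image(image, DEMO_SEGMENT_SIZE))
        manifest = build_manifest(src)
        whole_matches = manifest["image_sha256"] == hashlib.sha256(image).hexdigest()
        for p in src:
            shutil.copy2(p, local)           # stands in for the SyncBack copy
        clean_ok, _ = verify_copy(manifest, segment_paths(local, "case01"))
        # Simulate a damaged copy: flip one byte in the second segment.
        with open(os.path.join(local, "case01.002"), "r+b") as fh:
            fh.seek(10)
            original = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original[0] ^ 0xFF]))
        corrupt_ok, bad = verify_copy(manifest, segment_paths(local, "case01"))
    return whole_matches, clean_ok, corrupt_ok, bad


if __name__ == "__main__":
    print(run_demo())  # (True, True, False, ['case01.002'])
```

The manifest hashes the whole image by streaming the segments in name order, so it equals the hash of the unsplit image and can be compared with the acquisition hash recorded at imaging time. Keeping the manifest with the evidence on the remote RAID and re-running `verify_copy` against the local store before opening a case turns a silent copy error into a named segment to re-copy.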
Great post, Andy, many thanks. Looking forward to reading the dissertation when (not if!) you get the good news…
Cheers,
Jamie
–Was going to post in General but this thread looked like it already had the theme I was getting at.–
G'day all 🙂
Running larger keyword lists on my analysis workstation causes EnCase to crash with memory consumption errors. That's the reason for my question about analysis workstation hardware specs or recommendations. I've drooled over some of the stuff at
Thanks in advance group,
Ty
This is my first post and I apologise for the simple question.
If I were to copy a hard drive, what is best practice for taking a copy of the hard drive?
What hw/sw do you use?
Let's say the PC has
OS: XP SP2
Regards,
Andrew