Forensic Lab setup  

Page 1 / 2
jhup
(@jhup)
Community Legend

So, it finally happened.

I get a call and I am told to "set up a forensic lab"… Budget? "Don't worry about it." Time frame? "Aren't you done yet?"…

Years of begging, and now I am so nervous I lose track of what I need, I have to take a step back.

Most of my work is US, but EMEA or Asia is not unheard of.

I could use some kibitzing.

Do you store your non-active evidence in a cage & vault, just vault, just cage?
I have standard evidence bags, so that's not an issue, just have no idea what will happen when this starts to get into a swing of things.

Is it better to store each digital evidence item on its own device (i.e. HDD/double Blu-ray), or can I use a large, secure SAN or NAS?

What is your favorite "catch all" hardware write blocker? (IDE/SATA/PATA/USB/etc)

On the field - dedicated collection device, or "generic" laptop?

Temporary storages for images out on the field - presuming I can slave the device to collecting machine (be it laptop, or dedicated machine) external drives or the drive of the collecting device?

I do little mobile forensics now, but once the word gets out, it will start picking up.
What is your preferred mobile device collection tool?
What is your preferred mobile device analysis tool?
Anyone use Encase Neutrino? Pros/cons?

Anyone use Paraben's Network E-mail Examiner?

- - -
Anything else I am missing?
I am working up all the internal forms and procedures… Is there some template package out there?

I am making a laundry list of services, and all the docs that go with it. On top of that, they also want me to get a training package going how to & not to handle potential evidence on the field…

p.s. Hello all! D

Posted : 16/05/2009 1:51 am
kovar
(@kovar)
Senior Member

So, it finally happened.
Do you store your non-active evidence in a cage & vault, just vault, just cage?

I've used a locked fire safe in a secure room in the past. I've also used cages, and a large storage room at various clients. If you've got a vault, use it. If not, I'd go with a cage or dedicated room with a good access control mechanism. I'd also consider bar codes and a good shelving system if you're going to generate a lot of stored evidence.

Is it better to store each digital evidence item on its own device (i.e. HDD/double Blu-ray), or can I use a large, secure SAN or NAS?

I think this will depend on volume. If you're going to generate any reasonable amount of images and if you don't have a lot of staff around to manage distinct physical containers, I'd go with a large, secure SAN or NAS with partitions for each case.

If you do go with distinct physical containers, don't forget to include backup for the images and your work product. I've seen people use portable RAIDs for this purpose.

What is your favorite "catch all" hardware write blocker? (IDE/SATA/PATA/USB/etc)

I'm about to do a review on three different write blockers which should get posted in the next two weeks.

On the field - dedicated collection device, or "generic" laptop?

Both, if I have the space. If not, a generic laptop. I spent three weeks in Asia collecting images with eight ThinkPads and writeblockers. We didn't need to use a hardware imaging solution the entire trip, though we did use Helix for a couple of systems where the drive was really hard to remove.

A good hardware imaging solution will let you create two images at the same time, a major plus in my book. I've done this with the ThinkPads by doing a Robocopy between the original target and a backup disk each night. It worked quite well.

Now that the cost of the hardware imaging solutions has come down, you can get more throughput per $ spent with the dedicated solutions.

The laptops give you a bit more flexibility.

Temporary storages for images out on the field - presuming I can slave the device to collecting machine (be it laptop, or dedicated machine) external drives or the drive of the collecting device?

I'd use external drives, either standalone or portable RAIDs, depending in part on how many images you will collect in one pass.

During the Asia trip, we used a lot of 1TB WD drives. We'd image to one and robocopy to its backup each night. As they filled up, we'd ship the primary home and then the secondary after the primary was received.

We could have fit more images onto portable RAIDs but didn't really see enough gain in going that route. If I knew I could fit everything for the entire trip onto a single portable RAID I might go that route but would still strongly consider backing it up via some mechanism, particularly if I was going to need to ship it rather than hand carry it home.

By the way, don't count on getting hard drives on site in Asia. You can buy one or two at each shop, but getting 20 1TB WD Passports in one outing is tough. We bought them in the US and shipped them over.

I do little mobile forensics now, but once the word gets out, it will start picking up.
What is your preferred mobile device collection tool?
What is your preferred mobile device analysis tool?
Anyone use Encase Neutrino? Pros/cons?

Alas, no help here.

Anyone use Paraben's Network E-mail Examiner?

Yes, though they seem to keep pushing functionality up the stack and you may want to look at P2 Commander now, depending on what you intend to do. If you're planning on doing analysis in the field, I'd consider Paraben's NEMX or P2 Commander along with Aid4Mail.

Anything else I am missing?

If you'll drop me a PM with your email, I'll send you my collection kit inventory. It is the contents of a single Pelican case that fits in overhead storage designed to handle a single collection track - tools, office supplies, laptop, etc.

If you're doing analysis in the field you'll want more CPU, memory, and disk plus all your software.

Helix, network cables, and a small network switch.
A labeler, and a system for labeling all your collection drives.
Wipe and put a TrueCrypt volume on each of your collection drives before you go out the door. (If you're not using hardware imaging solutions.)
An inventory list with prices, serial numbers, and point of origin for each item of equipment. (Very useful when going through customs.)
And a whole lot more, and this is just the collection side of things.

I am working up all the internal forms and procedures… Is there some template package out there?

Not that I've found. I have a collection of forms I've found over the years and then built my own.

I am making a laundry list of services, and all the docs that go with it. On top of that, they also want me to get a training package going how to & not to handle potential evidence on the field…

After you pull all this together, give it a trial run, fine tune everything, and try again.

Sounds like a lot of fun to me. I'm envious.

-David

Posted : 16/05/2009 9:14 am
eiss
(@eiss)
New Member

Sounds fantastic

You are now at the place I HOPE TO Be at.

Any thoughts on what the total budget/spend will be?

Commenting on the post, one point I will make regarding your storage questions is this: ensuring that where you store your images is sterile, and not open to question due to storage re-use where previous images may have been held, is a very important point to consider.
Best of luck

Hope to make a similar post in the near future!!

Posted : 16/05/2009 4:28 pm
miket065
(@miket065)
Active Member

Kovar, you mentioned bar-coding. I am looking into implementing this in my lab.

Recommendations?

Posted : 16/05/2009 7:09 pm
kovar
(@kovar)
Senior Member

Greetings,

The bar coding was in use at a previous client and I didn't make a note of the vendor, unfortunately.

The intake station had a label printer, a bar code scanner, and a Windows application that communicated with a database. Other stations just had the scanner and the application. The license arrangement was per station. That is all I know about it, other than the fact that it helped us enormously.

-David

Posted : 16/05/2009 7:13 pm
jhup
(@jhup)
Community Legend

David, ah, barcode, and labeler! Great ideas!! Cables, duh… oops

I didn't think of these. It is always the little fly in the ointment…

David, writing up on your Asian perspective is awesome since we have several offices there.

I am leaning toward the SAN, as we have several data centers with already functioning solutions.

Except - eiss commented on the sterility of the storage. I can do that on my solution(s) such as external drives, or a NAS.

If I use the corporate SAN, there is really no specific way to do such a thing… I can isolate the data and the access to the data, but I cannot fathom how a SAN would "sterilize" the space. There is no way to write directly to the same "sector" of the same drive where I will be putting the evidence.

I am scaling for 30TB annual. That should cover about 100 cases, any more and I need staff.

Any suggestions? Anyone used digital evidence bags? How do they function, and any such software recommendations? I think that might be a mitigating solution for sterility.

Thanks!

Posted : 16/05/2009 9:19 pm
kovar
(@kovar)
Senior Member

Greetings,

On the corporate SAN, create TrueCrypt volumes for each case. The act of creating the volume will sterilize and reserve the space. Store the evidence images and work product in the TrueCrypt volume.

-David

Posted : 16/05/2009 9:22 pm
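A small check for the two storage points raised above, the sterility of re-used space and the nightly primary-to-backup copy (an added example, not code from the thread or from any tool named in it). It assumes plain files stand in for a SAN container or collection drive; the zero-fill stands in for the per-case volume creation David describes and does not replace an encrypted container.

```python
import hashlib
import os
import shutil
import tempfile
CHUNK = 1 << 20  # stream in 1 MiB pieces so multi-TB images do not load into RAM

def allocate_sterile_container(path, size):
    """Reserve `size` bytes for one case by overwriting them with zeros (the effect kovar attributes to creating a per-case volume)."""
    with open(path, "wb") as f:
        for remaining in range(size, 0, -CHUNK):
            f.write(bytes(min(CHUNK, remaining)))

def verify_sterile(path):
    """Read every byte; (True, None) if all zero, else (False, offset) of the first stale byte from earlier use."""
    offset = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk.count(0) != len(chunk):
                first_bad = next(i for i, b in enumerate(chunk) if b)
                return False, offset + first_bad
            offset += len(chunk)
    return True, None

def sha256_file(path):
    """Streaming SHA-256 of an image file or block device."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_copy(primary, backup):
    """Confirm the nightly backup copy is bit-identical to the primary image."""
    p, b = sha256_file(primary), sha256_file(backup)
    return {"primary_sha256": p, "backup_sha256": b, "match": p == b}

def demo():
    """Run both checks on constructed sample files in a temporary directory."""
    d = tempfile.mkdtemp()
    clean, reused = os.path.join(d, "clean.bin"), os.path.join(d, "reused.bin")
    allocate_sterile_container(clean, 3 * CHUNK)
    allocate_sterile_container(reused, 3 * CHUNK)
    with open(reused, "r+b") as f:  # plant one stale byte, as if left by an old case
        f.seek(CHUNK + 7); f.write(b"\x41")
    img, bak = os.path.join(d, "img.dd"), os.path.join(d, "img.bak")
    with open(img, "wb") as f:  # constructed stand-in for an acquired disk image
        f.write(os.urandom(2 * CHUNK + 5))
    shutil.copyfile(img, bak)  # the "robocopy to the backup drive each night" step
    return {"clean": verify_sterile(clean), "reused": verify_sterile(reused),
            "copy": verify_copy(img, bak)}
```

Run `verify_sterile` against the container before the first image is written and keep the `verify_copy` digests with the case notes; a mismatch on the backup is the signal to re-copy before shipping the primary home.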
LarryDaniel
(@larrydaniel)
Active Member

You might want to check out this book at amazon
Building a Digital Forensics Laboratory

Posted : 17/05/2009 9:33 pm
kovar
(@kovar)
Senior Member

Greetings,

I just sent out my collection kit inventory to a number of people. Please bear in mind that you'll want to adapt this kit to the way you work. It was designed with two scenarios in mind:

1) A domestic (US) case where I needed to collect just a few images
and
2) Any case with a lot of images to collect and the opportunity to bring other equipment along.

For #1 - it'd let me image one system using a write blocker and a second one with Helix simultaneously and then back the images from one drive to the other so I've got two good copies. Add more hard drives, or larger hard drives, and you can go for days with that one kit.

For #2 - I'd add more imaging systems, either writeblocker/laptop combinations or hardware imaging solutions. The primary kit, the one the inventory is for, has the tools and office supplies for removing hard drives and documenting everything so additional equipment is limited to imaging systems and spare hard drives.

When we went to Asia for a three week long collection project, we took two primary kits, four additional laptop/writeblocker combinations, and a lot of hard drives. It worked quite well. Mind you, there is a lot of process, procedures, documentation, and team work that went into making everything go smoothly as well. All the equipment in the world will not help you if you don't use it properly, and "using it properly" includes good documentation, disassembly skills, equipment layout, and a host of other details.

-David

Posted : 18/05/2009 10:44 am
douglasbrush
(@douglasbrush)
Senior Member

David,

Wanted to be the first to thank you for putting together the list and sharing this information with the community. 8)

Posted : 18/05/2009 6:31 pm
IanF
(@ianf)
Member

David,

Wanted to be the first to thank you for putting together the list and sharing this information with the community. 8)

I want to add my thanks to this - much appreciated David. Especially for those of us who are angling at breaking into this field.

Posted : 19/05/2009 9:03 pm
jhup
(@jhup)
Community Legend

Ditto! Thank you very much for your list!

I think I will have some more follow-ups as things get moving.

If things work out, I would be happy to share sanitized procedures & forms, if interested.

Here are more questions - it looks feasible to have space carved out of our SAN for storing and working off of evidence.

Limited access, proper backup, etc. all there.

TrueCrypt - I am thinking of using virtual volumes (file-hosted container), one for each case.

I don't think TrueCrypt is on the NIST FIPS list.
Have any of you run into problems using TrueCrypt from a legal point of view?
What alternatives are out there that can do encrypted file-hosted containers, and are just as lightweight but are NIST reviewed?

Posted : 20/05/2009 12:27 am
douglasbrush
(@douglasbrush)
Senior Member

Good questions jhup. Saw a similar question re TrueCrypt on another thread and have been watching out for a response and reading up on it today. If you run across something before an answer pops up please post and I will do the same.

Posted : 20/05/2009 12:41 am
kovar
(@kovar)
Senior Member

Greetings,

I have other forms and documents to share, I've just not had time to write them up in a sanitized manner. Questions such as yours are a good reminder to do so.

And if you need someone to go over to Asia and help set this up, just let me know.

I've not encountered any legal objections to using TrueCrypt and I know of a lot of other security professionals using it for similar purposes. I've also not gone looking for a legal opinion.

You could use PGP instead of TrueCrypt. It isn't free, but if you want legal cover it might be worthwhile.

-David

Posted : 20/05/2009 1:15 am
jhup
(@jhup)
Community Legend

PGP. I didn't think of them… again… (

On the FIPS list only the SDK shows up, not the actual app.

Does that cover the actual application? I figure it does since we are looking for the "validated cryptographic module". The SDK, by its nature would fall under it.

What do you use the PostIts, pill boxes, sharpies for?

I was thinking of getting pre-printed, tamper-evident bar-code labels. This way, I can bar code the media at collection and do not require a printer. Any reason not to go this route?

Posted : 20/05/2009 10:17 pm