Another Equipment Question


dbflynn

New Member
Mar 30, 2009
9
0
#1
My Department only recently decided that a computer crime position was needed. The goal of this position is to have a Detective able to investigate many different aspects of computer crimes. I would also be responsible for imaging and examining any seized computers for my department as well as the surrounding departments as requested.

It does not appear that there will be more than 15-20 cases per year. That number will most certainly grow as word gets out that the service is available and that the results are good.

The problem is that since this is a brand new position and there is nothing like it near by I have no one to ask about equipment.

Should I be looking for a complete forensic system such as the F.R.E.D. or will any computer with a good Processor and large amount of memory do? What are the advantages and drawbacks of each? Also there are so many different types and models of forensic workstations, what makes any one of them better than the other? Then there is the software. EnCase or FTK or something else?

I really need to know what to ask for and the inevitable question of why I need "this" instead of the cheaper "that". Any help would be greatly appreciated.
 
Dec 31, 2006
3,405
0
#2
Hardware is only part of the equation. What OS do you want to use in your exam machine? Windows? Linux?

The F.R.E.D. is good because it comes as a self contained unit that is pre-configured. You can also configure more powerful, less expensive hardware (which is what we do). You also will need to have some equipment to capture in the field, probably a laptop and some write blockers.

EnCase and/or FTK and/or ProDiscover and/or Paraben will get you started, but you will end up with some specialized tools pretty early in the process.

Are there any agencies near you that you can call on and check out their labs?
 

dbflynn

New Member
Mar 30, 2009
9
0
#3
The State Bureau of Investigation, who we currently send everything to, does have a lab nearby. I have been trying to get someone to show me what they have but apparently they are too busy. Other than that there is really nothing close.

I would guess that I would use a Windows OS. I am familiar with Linux but I don't see a big difference. Is there any reason to use one over the other, or maybe something else?

I have seen the laptops but I don't see many situations where they would be needed. In most cases a search warrant for the system is obtained and the whole thing is seized. The only time I can see the need for a mobile system is possibly a consent search and I'm not clear on all the legalities there.

This is something new to the area, and myself, and I am kind of stumbling through it blindfolded.

I like the idea of a F.R.E.D. system that is dedicated and self contained. The problem is I don't know how to explain to the boss why I need a system like this instead of a regular desktop computer, with good speed and memory, and some special software. Sure it has multiple drive bays, built in write protection, and is the right tool for the job, but making my job easier isn't the goal for the bean counters.

I guess the real problem is a lack of experience on my part. I have only imaged a few times and have not used a variety of hardware or software. I am looking for opinions but published standards or baselines that should be met would be great. Something in black and white to show what is needed by anyone in my position. Then I can come up with a list of products and show what meets these standards.

I hope this makes sense.
 
Dec 31, 2006
3,405
0
#4
If you are just "familiar" with Linux, I would not recommend it as a platform.

F.R.E.D. is good because it comes pre-configured (relatively). We build our own exam machines, but they are not necessarily less expensive than a F.R.E.D., but are significantly more powerful.

My personal opinion is that FTK is initially easier for most examiners to start with, but once you get going you will find some of the more specialized tools perform better or different functions.

No matter what program(s) you choose you will want to get trained, especially before you step into court.

The DOJ has some great publications to follow for procedures, etc.

In what part of the country are you located?
 

Complete

Administrator
Aug 19, 2006
861
0
#5
Having been in your position once, I would recommend:

Desktop with lots of RAM and CPU power
Large dual monitors
Extra storage devices
Server 2003 or 2008
Ultimate Write Block Kit
EnCase w/training

Here are my justifications... Most commercial forensic tools run on Windows. Server 2003/08 will be able to use the full speed of FireWire and eSATA, something you should make sure your computer has. The write block kit is portable and will be usable in the field.

FREDs are nice, but having owned/used dedicated forensic machines, I was never thrilled with the performance of the "forensic" aspect. Getting a high-end machine with the write block kit will perform the same functions and be a tad more versatile.

EnCase is the most recognizable forensic software name in LE. Prosecutors who know next to nothing about computer forensics will still have heard of EnCase. FTK is a good tool, but has had some issues as of late. I wouldn't count it out though.

I second what PU said, get as much training as you can. Free/cheap classes can be found at NW3C and SEARCH. Contact your closest ICAC and FBI field office. Both may be able to sponsor you for additional training opportunities.
 

dbflynn

New Member
Mar 30, 2009
9
0
#7
I appreciate all the assistance. I am located in Eastern NC. I have received some training from the NW3C and am planning to attend more. Unfortunately our training budget has been frozen, again, so I am left to figure this stuff out on my own. I have taken a ton of online classes but there is no substitute for hands-on in my opinion.

What is SEARCH? I haven't heard of that but if they offer free/cheap training I need to check them out.

If there is anything else anyone can suggest to get me off and running I would certainly appreciate it.
 