For those beginning their computer forensic investigator career, an important aspect to consider is what equipment is needed to carry out successful investigations.
While software is a critical component of the job, examiners should have a complete computer forensic toolkit that consists of a computer workstation and a response kit to take out into the field.
In Learn Computer Forensics: Your one-stop guide to searching, analyzing, acquiring, and securing digital evidence, computer forensic investigator and author William Oettinger teaches new and experienced investigators everything they need to search for and analyze digital evidence, including which software and hardware to consider.
In the following excerpt from Chapter 2, learn about the forensic analysis process, starting with a look at the equipment Oettinger recommends including in a computer forensic toolkit.
The Forensic Analysis Process
We will now discuss the forensic analysis process. As a forensic investigator, you will need to create a strategy that will enable you to conduct an efficient investigation. You also need to make sure you are familiar with your tools and the results that they will provide. Without a process, you will waste time examining data that will not impact your investigation, and you will not be able to rely on your tools. In addition, you want to make sure you get valid results from the tools you deploy. Finally, to be thorough and efficient, you must use critical thinking to determine the best investigation or exam method.
While there are similarities in every investigation, you will find differences that will require you to have an exam strategy to be efficient. I am not a fan of keeping an examination checklist because there will be areas that aren't relevant, such as different operating systems, physical topography of the network, criminal elements, and suspects. These variables ensure that no two examinations or investigations are the same and will require the investigator to execute a different strategy for each of them.
The forensic analysis process is made up of five subsets:
- Pre-investigation considerations
- Understanding case information and legal issues
- Understanding data acquisition
- Understanding the analysis process
- Reporting your findings
The upcoming sections will discuss each of these in greater detail.
The pre-investigation is where you determine your capabilities and equipment specifications to conduct a forensic exam, regardless of whether it is in the field or a lab environment. Now is the time to determine your hardware, personnel, and training budget. Some of those costs will not be a one-time expenditure but an ongoing budget item: the equipment must be updated, personnel training must be maintained, and new technology must be purchased as it becomes available.
Being a digital forensic investigator is not about buying the equipment, going to a training class, and never updating either of these afterward. As technology changes, so do the methods of hiding data or conducting criminal activities, so the investigator must be ready to adjust to these changes.
Before you are ready to begin the investigation, you must prepare yourself. This will allow for greater efficiency and a better work product. This includes preparing your equipment and becoming familiar with the current laws and legal decisions and the organization's policies and procedures.
Some equipment will be reusable, and some will not. For the single-use items, make sure someone replaces them as soon as the incident concludes.
Note: I cannot tell you how many times I have responded to the scene with my "to go" kit only to find that another detective had already used it and not replaced the consumable equipment. It was my mistake for not checking it before I departed to go to the crime scene, and it was my partner's mistake for not replacing the items.
We will now discuss the equipment you will use as an investigator.
The forensic workstation
Whenever you get forensic investigators together, a common topic of conversation is the forensic workstation. How much RAM? How many SSD drives? Which processor? Which operating system? These are all questions that you might commonly hear. There is always a difference of opinion about the configuration of a forensic workstation. None of the views are incorrect because the investigator's workstation configuration depends on their budget and the cases that are being investigated.
Forensic workstations are not cheap. Depending on the skill level of the investigator, they can either build their own or purchase a pre-made forensic workstation. Several vendors will configure a workstation to your specification. For example, consider the vendor SUMURI (https://sumuri.com) and their TALINO workstations. The base model costs approximately $8,000 and comes with:
- Intel Core i9-10900X 3.7 GHz 10-Core LGA 2066 Processor
- 32GB of DDR4 2666 MHz RAM
- 500GB M.2 NVMe SSD
That is a basic forensic workstation, and you still must add storage for the forensic images. The high-end version costs over $18,000 and comes with:
- Dual Intel Xeon Gold 5220 18-Core Processors
- 128GB DDR4 RAM
- 1TB SSD for the operating system
- 1TB M.2 NVMe SSD for temporary files and processing
- 2TB M.2 NVMe SSD for databases
- Eight 6TB Hard Drives configured in RAID 10 for evidence
- A 30-series GDDR6 Graphics Processing Unit (GPU) such as the NVIDIA RTX 3070 or 3080
One bottleneck that a forensic investigator may face with their forensic workstation is data transfer. I suggest using SSDs because they have much higher throughput than the typical spinning disk does. A fast CPU and a large amount of RAM enable maximum performance for forensic analysis. However, these machines are not portable, and you are not always able to perform the analysis or to acquire the data from the relative comfort of your workstation. A forensic laptop is also an expensive piece of equipment. At the time of printing, the TALINO OMEGA comes with:
- Intel Core i9-11900K Processor
- 64GB DDR4 2933 MHz RAM
- 500GB M.2 NVMe SSD for the operating system
- 250GB M.2 NVMe SSD for temporary files and processing
- 1TB M.2 NVMe SSD for database
- 2TB M.2 NVMe SSD for evidence files
- NVIDIA GeForce RTX 3080 GPU with 16GB GDDR6 video memory
Note: You will need to include Gigabit Ethernet on both workstations to communicate on the local area network.
As you can see, you can never have too much CPU, RAM, or storage space on your forensic workstations. The equipment I described is on the higher end; you can conduct digital forensic examinations with less expensive equipment and still achieve the same results. Higher-end equipment will, however, reduce the time an examination takes. If you are a member of a multinational corporation or a large law enforcement agency, you may have the budget for high-end equipment. A smaller law enforcement agency, a smaller organization, or a single practitioner will have to determine what cost is appropriate for their situation.
Sometimes you must leave the lab, which means you need additional portable equipment. We will now discuss the equipment required in your response kit.
The response kit
The digital evidence is not always delivered to your workspace. Sometimes, you may have to respond to a third-party location to acquire that evidence. The collection of that evidence is the basic building block for any digital forensic examination you may conduct. Like conducting an examination in your workspace, you need the proper tools and supporting equipment to accomplish this task. You need to create a response kit that includes documentary paperwork, pens, and storage containers to store digital evidence.
A response kit is unique to each digital forensic investigator. No kit is perfect; all kits are always subject to improvement. The goal of your response kit is to have everything you need to collect digital evidence, and we will go over some equipment that, in my experience, I have found helpful:
- Digital camera: Capable of still and video recording. You need to document the scene as it was when you arrived. If you testify in official proceedings, you will show the fact-finder precisely what you saw as you arrived. Some organizations also video record all the actions of the digital forensic investigator's activities as they collect digital evidence.
Note: A word of advice: I would disable the microphone so as not to record audio. You may have extended discussions about how to proceed using language that may be regarded as less professional. These discussions and use of language could be used as a distraction by the opposing side in the presentation of evidence.
- Latex or nitrile gloves: These protect several aspects of the evidence collection: you are not leaving your fingerprints, and you are also protecting yourself from potential biohazards that may be on the scene. I am talking about blood, urine, feces, and any other biological fluid you can think of.
- Notepads: You need to document your actions on the scene. A notepad is a perfect repository to maintain that information. You can take notes about who you talk to, who secured the scene, and the basic facts of the case. When you begin the investigation, a lot of information will come at you, and it could be easy for you to forget a specific action if you do not record it. Some organizations also make a hand-written sketch of where the digital evidence is being collected. Your organization's policies and procedures will determine whether a sketch is required.
- Organizational paperwork: This could be a property report for seizing evidence, and it lists exactly what was taken, where it was taken from, and any specific identifying marks or serial numbers on the item being taken. You can also include labels or tags to identify items that contain digital evidence.
- Paper storage bags/antistatic bags: You have to put the containers of digital evidence somewhere to prevent any unauthorized access. Digital evidence is very fragile, and you want to make sure you do not store it in a manner where static electricity can be generated. Static electricity can render the storage media inoperative, and you will lose access to any data.
- Storage media: This includes hard drives (traditional spinning disks or SSDs) and USB devices. A corporate digital forensic investigator will not shut down a server to create a forensic image. Instead, they will collect the specific datasets in the form of log files, RAM, or user directories and store them on appropriately sized storage media.
- Write blocking devices: This could be a hardware device, such as the Tableau TK8u USB 3.0 forensic bridge (https://security.opentext.com/tableau/hardware/details/t8u), which allows you to access a storage device without changing its contents. We will discuss the acquisition of evidence in much greater detail in Chapter 3, Acquisition of Evidence. Alternatively, you can use a forensic boot disk, such as SUMURI's PALADIN, a Linux distribution based on Ubuntu that allows the collection of digital evidence in a forensically sound manner. SUMURI offers PALADIN as a free download at https://sumuri.com/software/paladin.
- Frequency shielding material: This could include commercial aluminum foil, Faraday bags, or any container that will block radio transmissions. You will use this when you seize a mobile device to prevent the user from remotely wiping or resetting the device. Be aware, however, that when you place the device in these containers, the battery will quickly deplete, as it will attempt to reconnect to the network. If you have access to the mobile device's menu, you can put the device into airplane mode. Then, the device will no longer attempt to connect to the network. Ensure you document any changes you make to the device.
- A toolkit: A small precision toolkit with multiple screwdriver bits is used to disassemble laptops, desktops, or mobile devices to access the digital storage container. You want to make sure you have a variety of screw heads to match what the various manufacturers use. Sometimes, the manufacturers will use two or three different screw heads when assembling their devices.
- Miscellaneous items: This can include extra power cables, data cables, USB hubs, screws, or anything else that might be difficult to acquire when you are at the subject's location in the middle of the night, and no stores are available for you to purchase the missing item. If you are responding to a commercial site, keep a spare mouse and keyboard in case you need to access a server and they are not available. (If you are conducting network-based investigations, you may also want to include a network tap.) This subset comprises items you don't think are needed until you are onsite and need them.
- A forensic laptop: Make sure all your software is up to date. I recommend creating a folder containing digital versions of any forms you will use, any processes you need to document, and any applications you find helpful in carrying out your tasks.
- Encryption: If you are traveling out of the country to get to the target site, you might want to encrypt the target drives that contain the acquired data you need to analyze. It is not uncommon for security services or customs to seize devices. Encryption ensures that the data you acquired cannot be read or altered if the drive is taken from you.
- Software security keys: These are also referred to as dongles. You will find commercial versions of software that require you to insert a USB-based security key to use it. You want to make sure you have them with you because the software cannot be used without the security key inserted.
Note: A program called VirtualHere (http://virtualhere.com/home) allows you to use your USB devices remotely. This will require a network connection at your destination and at your home location where the USB keys are plugged in. If you are unsure about the quality of your network connection, I recommend taking the keys with you.
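The "storage media" item above describes a corporate investigator collecting specific datasets (log files, user directories) rather than imaging a whole server, and the "write blocking devices" item stresses accessing evidence without changing it. The script below, an added example that is not from the book or from any vendor mentioned, shows the two practical checks that go with such a targeted collection: confirming the destination media has enough room before anything is copied, and recording a SHA-256 manifest so that a later re-hash proves the collected copies have not changed. All file names, paths and sample contents are constructed for the demonstration.

```python
"""Targeted artifact collection with a capacity check and a hash manifest.

Added example (not the book's code). Sample artifacts are constructed in a
temporary directory; in practice the sources would be the log files or user
directories selected on the live system, and dest_root would be the
investigator's collection drive.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large artifacts never have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def collect(sources, dest_root, margin=0.10):
    """Copy each source file into dest_root and write manifest.json.

    Refuses to start if the destination lacks room for every source plus a
    safety margin, so the "appropriately sized storage media" question is
    answered before any evidence is touched. Each copy is re-hashed and
    compared with its source before it is recorded.
    """
    sources = [Path(s) for s in sources]
    dest_root = Path(dest_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    needed = int(sum(p.stat().st_size for p in sources) * (1 + margin))
    free = shutil.disk_usage(dest_root).free
    if free < needed:
        raise RuntimeError(f"destination has {free} bytes free, need {needed}")

    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(), "items": []}
    for index, src in enumerate(sources):
        source_hash = sha256_file(src)
        dst = dest_root / f"{index:03d}_{src.name}"  # index prefix avoids name collisions
        shutil.copy2(src, dst)  # copy2 preserves the source timestamps as well
        if sha256_file(dst) != source_hash:
            raise RuntimeError(f"copy of {src} does not match its source hash")
        manifest["items"].append({
            "source": str(src),
            "collected_as": dst.name,
            "size": src.stat().st_size,
            "sha256": source_hash,
        })
    (dest_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dest_root):
    """Re-hash every collected item; return the names that no longer match the manifest."""
    dest_root = Path(dest_root)
    manifest = json.loads((dest_root / "manifest.json").read_text())
    return [
        item["collected_as"]
        for item in manifest["items"]
        if sha256_file(dest_root / item["collected_as"]) != item["sha256"]
    ]


def demo():
    """End-to-end run on constructed artifacts: collect two files, then alter one copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        auth_log = tmp / "auth.log"  # constructed sample log line
        auth_log.write_text("Jan 01 00:00:01 host sshd[100]: Accepted publickey for alice\n")
        profile = tmp / "profile.dat"  # constructed 1024-byte binary artifact
        profile.write_bytes(bytes(range(256)) * 4)

        evidence = tmp / "evidence"
        manifest = collect([auth_log, profile], evidence)
        clean = verify(evidence)  # expected: nothing changed yet
        # Simulate a post-collection modification of the copied log
        with open(evidence / "000_auth.log", "a") as fh:
            fh.write("tampered\n")
        tampered = verify(evidence)  # expected: the altered copy is reported
        return {
            "items": len(manifest["items"]),
            "sizes": [item["size"] for item in manifest["items"]],
            "clean": clean,
            "tampered": tampered,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest written next to the copies is what you would attach to the property report: it ties each collected item to its original path, size and hash, and `verify` is the check to run when the drive comes out of the Pelican case at the lab.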
Now, the important question is this: how do you carry all of this from one location to another?
My recommendation is a Pelican-type case that is watertight and crush-proof to protect the equipment. Also, include a TSA-compliant locking device if you must travel via commercial air in the United States.
The list of items we have just discussed is only a recommendation. You will add/subtract from this list to meet the needs of the task at hand. There is no right or wrong answer when stocking your response kit. The budget, the organization, and the task at hand will dictate what equipment is needed.
A government/law enforcement digital forensic investigator may acquire full forensic images at the scene, and they will need larger storage capacity devices. As you become more experienced, you will accurately determine what equipment you need to perform your duties.
The bottom line is that you need to have a response kit when leaving the office to acquire digital data or respond to any incident. How you stock that kit is entirely up to you as the forensic investigator. This is all about making your job easier and more efficient.
About the author
William Oettinger is a veteran technical trainer and investigator. He is a retired police officer with the Las Vegas Metropolitan Police Department and a retired Criminal Investigation Division agent with the United States Marine Corps. He is a professional with more than 20 years of experience in academic, local, military, federal and international law enforcement organizations, where he acquired his multifaceted experience in IT, digital forensics, security operations, law enforcement, criminal investigations, and policy and procedure development. He has earned a Master of Science from Tiffin University in Ohio.