DynoTech Software Logo Interesting Articles about Popular Topics

  Article Index

 
Toolkit for Forensic Duplication
Dave Carlson - November 10, 2007

Jones, Bejtlich, and Rose (2006) recommended the following items as the minimum requirements for a Forensic Investigator’s traveling digital toolkit (pp. 164-166). [Jones, K. J, Bejtlich, R., and Rose, C. W. (2006). Real digital forensics: Computer security and incident response. Indianapolis: Pearson.] Of course, every investigator has unique preference for tools, both hardware and software. Add or subtract to this forensic toolkit list, as required for specific situations.

Portable Forensic Workstation and Accessories
Conduct forensic capture and analysis of suspect systems. Recommended system is called Forensic Air-Lite from Forensic Computers, Inc. Details of the system at: http://www.forensic-computers.com/airlite6mkiii.html. Additional accessories often make an investigator’s job easier or more effective.
Digital Camera
A digital camera is a good tool to prove that evidence was not damaged during your duplication. You will want to take a “before” and “after” photo of the original evidence.
Screwdriver with several sizes and types of bits
A screwdriver with different sizes and types of bits is always used during an engagement to remove parts, such as hard drives, from computers. We use a model that has all of the bits built into the handle to save space.
Flashlight
Frequently you will find your nose buried in a dark computer case, documenting connectors and other important information. A flashlight is a “must have” item.
Dremel Tool
This tool is an excellent tool for cutting small pieces of metal, polishing surfaces, and more.
Extra Jumpers
You can never have enough jumpers. Frequently you will find that the hard drive you are trying to duplicate will have lost all of its important jumpers. You will need a jumper to set and IDE drive to master or slave, for example.
Extra Screws (cases and hard drives)
Similar to jumpers, you cannot count on all of the screws being in the suspect’s system.
Cable Ties
Cable ties are needed when you have to cut a cable tie in the suspect’s computer to acquire a duplication. You should always return the computer in the same condition you found it.
Internal Computer Power Extension Cords
Power extension cords are needed to connect the suspect’s media to your forensic workstation.
Extra 40-pin IDE Cables
When you attempt to duplicate an IDE drive, you will need low-density IDE cables to connect the media to your favorite forensic workstation.
Extra 80-pin IDE Cables
When you attempt to duplicate an IDE drive, you can use high-density IDE cables for faster transfer rates if the hardware supports it.
SCSI Cables
In addition to internal cables, external SCSI cables are often needed. SCSI cables come in 50- and 68-pin varieties. It is wise to have 50- and 68-pin converters available, too. In addition to 50- and 68-pin cables, Centronix to SCSI cables have been used in the past. Moreover, you may occasionally run into the 80-pin hard drive, so having the proper cables or converters around is valuable.
SCSI Terminators
50- and 68-pin active and passive terminators are often needed when duplicating SCSI drives.
Chan of Custody Forms
These should be the same forms (or custom designed for your situation) that are used for tracking any evidence chain of custody.
Evidence Labels
As per your situation. Required for accurate tracking of evidence.
Pens
Permanent fine-tipped pens are used to write on evidence and fill out the proper documentation. Have an assortment available.
Evidence Envelopes
All evidence should be contained in a tamper-proof evidence envelope.
Evidence Tape
Evidence tape can be used to show tampering if you store your evidence in a standard business envelope.
Anti-static Bags
Hard drives are stored in anti-static bags for safety.
Evidence Hard Drives
Several large hard drives will be used to store the evidence after it is duplicated from the suspect computer system.
Boot Floppies or CD-ROM
To acquire a duplication, boot from a trusted media source. Follow accepted practice to acquire a forensic duplication.
Blank CD-R/DVD-R
Often you will want to burn a modified bootable CD-ROM or provide your client or management with data. CD-R media is a good way to pass large sets (640 MB) of data. If you need more space, use DVD-R.
Blank Floppies
Often you may need to modify a boot disk. Having extra floppies available enables you to do that. Even though most modern computer do not use floppies any more, there are many old computers still in use.
Network Hub or Switch
A forensic duplication can be acquired over the network. This can be done safely by placing the suspect’s computer and your forensic workstation on a private network using a hub or switch and duplicating with software that supports this type of transfer.
Network Cable
A network cable is needed when duplicating over a network. The hub or switch and cable can be replaced by a cross-over cable if space is a premium in your kit.
Forensic Software Dongles
EnCase and FTK (examples of commercial forensic software) require a hardware dongle to operate. Remember to bring these items along, or your onsite analysis may be limited.
Power Strip
You may have hubs and several computers when you are onsite. It is wise to bring a power strip so that you are not limited by the number of power outlets when you are away from your lab.
Operating System Installation Media
When you connect a new hardware device to your computer, you may be required to have a device driver. Having the OS installation media available will let you quickly install most of the drivers you need.
 

  Article Index




Copyright © 2016, DynoTech Software, All Rights Reserved.