Toolkit for Forensic Duplication
Dave Carlson - November 10, 2007
Jones, Bejtlich, and Rose (2006) recommended the following items as the minimum requirements for a forensic investigator’s traveling digital toolkit (pp. 164-166). [Jones, K. J., Bejtlich, R., and Rose, C. W. (2006). Real digital forensics: Computer security and incident response. Indianapolis: Pearson.] Of course, every investigator has unique preferences for tools, both hardware and software. Add to or subtract from this forensic toolkit list as required for specific situations.
- Portable Forensic Workstation and Accessories
- Conduct forensic capture and analysis of suspect systems. Recommended system is called Forensic Air-Lite from Forensic Computers, Inc. Details of the system at: http://www.forensic-computers.com/airlite6mkiii.html. Additional accessories often make an investigator’s job easier or more effective.
- Digital Camera
- A digital camera is a good tool to prove that evidence was not damaged during your duplication. You will want to take a “before” and “after” photo of the original evidence.
- Screwdriver with several sizes and types of bits
- A screwdriver with different sizes and types of bits is always used during an engagement to remove parts, such as hard drives, from computers. We use a model that has all of the bits built into the handle to save space.
- Flashlight
- Frequently you will find your nose buried in a dark computer case, documenting connectors and other important information. A flashlight is a “must have” item.
- Dremel Tool
- This tool is an excellent tool for cutting small pieces of metal, polishing surfaces, and more.
- Extra Jumpers
- You can never have enough jumpers. Frequently you will find that the hard drive you are trying to duplicate has lost all of its important jumpers. You will need a jumper to set an IDE drive to master or slave, for example.
- Extra Screws (cases and hard drives)
- Similar to jumpers, you cannot count on all of the screws being in the suspect’s system.
- Cable Ties
- Cable ties are needed when you have to cut a cable tie in the suspect’s computer to acquire a duplication. You should always return the computer in the same condition you found it.
- Internal Computer Power Extension Cords
- Power extension cords are needed to connect the suspect’s media to your forensic workstation.
- Extra 40-pin IDE Cables
- When you attempt to duplicate an IDE drive, you will need low-density IDE cables to connect the media to your favorite forensic workstation.
- Extra 80-pin IDE Cables
- When you attempt to duplicate an IDE drive, you can use high-density IDE cables for faster transfer rates if the hardware supports it.
- SCSI Cables
- In addition to internal cables, external SCSI cables are often needed. SCSI cables come in 50- and 68-pin varieties. It is wise to have 50- and 68-pin converters available, too. In addition to 50- and 68-pin cables, Centronics-to-SCSI cables have been used in the past. Moreover, you may occasionally run into an 80-pin hard drive, so having the proper cables or converters around is valuable.
- SCSI Terminators
- 50- and 68-pin active and passive terminators are often needed when duplicating SCSI drives.
- Chain of Custody Forms
- These should be the same forms (or custom designed for your situation) that are used for tracking any evidence chain of custody.
- Evidence Labels
- As per your situation. Required for accurate tracking of evidence.
- Permanent Fine-tipped Pens
- Permanent fine-tipped pens are used to write on evidence and fill out the proper documentation. Have an assortment available.
- Evidence Envelopes
- All evidence should be contained in a tamper-proof evidence envelope.
- Evidence Tape
- Evidence tape can be used to show tampering if you store your evidence in a standard business envelope.
- Anti-static Bags
- Hard drives are stored in anti-static bags for safety.
- Evidence Hard Drives
- Several large hard drives will be used to store the evidence after it is duplicated from the suspect computer system.
- Boot Floppies or CD-ROM
- To acquire a duplication, boot from a trusted media source. Follow accepted practice to acquire a forensic duplication.
- Blank CD-R/DVD-R
- Often you will want to burn a modified bootable CD-ROM or provide your client or management with data. CD-R media is a good way to pass large sets (640 MB) of data. If you need more space, use DVD-R.
- Blank Floppies
- Often you may need to modify a boot disk. Having extra floppies available enables you to do that. Even though most modern computers do not use floppies anymore, there are many old computers still in use.
- Network Hub or Switch
- A forensic duplication can be acquired over the network. This can be done safely by placing the suspect’s computer and your forensic workstation on a private network using a hub or switch and duplicating with software that supports this type of transfer.
- Network Cable
- A network cable is needed when duplicating over a network. The hub or switch and cable can be replaced by a cross-over cable if space is at a premium in your kit.
- Forensic Software Dongles
- EnCase and FTK (examples of commercial forensic software) require a hardware dongle to operate. Remember to bring these items along, or your onsite analysis may be limited.
- Power Strip
- You may have hubs and several computers when you are onsite. It is wise to bring a power strip so that you are not limited by the number of power outlets when you are away from your lab.
- Operating System Installation Media
- When you connect a new hardware device to your computer, you may be required to have a device driver. Having the OS installation media available will let you quickly install most of the drivers you need.
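An added example that is not part of the Jones, Bejtlich, and Rose list and not the code of any product named above: a POSIX shell helper tying together the boot-media duplication, evidence hard drive, and chain of custody items. It hashes the source stream while the image is written to the evidence drive, re-hashes the finished image, logs the result, and can re-verify an image later; the file names, case id, and log line format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the toolkit list above. Images a source device
# (or file) onto an evidence drive, hashing the stream as it is read, re-hashes
# the written image, and appends a chain-of-custody log line. Needs dd and sha256sum/shasum.
set -u

hash_stream() {
    # SHA-256 of stdin; shasum is the fallback where sha256sum is absent (e.g. macOS).
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

# acquire_image SOURCE IMAGE LOGFILE CASE_ID -> 0 if the stream hash equals the
# image hash, 1 otherwise. Over a private hub/switch network the dd output would
# be sent to the workstation instead of to a local tee; the hashing is unchanged.
acquire_image() {
    src=$1; img=$2; log=$3; case_id=$4
    # Hash the bytes exactly as they are read, while tee writes them to the evidence drive.
    src_hash=$(dd if="$src" bs=64k 2>/dev/null | tee "$img" | hash_stream)
    # Independently re-read the finished image so a write error cannot go unnoticed.
    img_hash=$(hash_stream < "$img")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$src_hash" = "$img_hash" ]; then status=VERIFIED; else status=MISMATCH; fi
    # One custody line per acquisition: when, which case, what was imaged, and the digest.
    printf '%s case=%s source=%s image=%s sha256=%s status=%s\n' \
        "$stamp" "$case_id" "$src" "$img" "$src_hash" "$status" >> "$log"
    [ "$status" = VERIFIED ]
}

# verify_image IMAGE EXPECTED_SHA256 -> 0 if the image still matches the logged digest.
verify_image() {
    [ "$(hash_stream < "$1")" = "$2" ]
}

# Constructed sample run: a small temporary file stands in for the suspect disk.
demo_run() {
    work=$(mktemp -d)
    printf 'constructed sample disk contents\n' > "$work/suspect.dd"
    acquire_image "$work/suspect.dd" "$work/evidence.img" "$work/custody.log" CASE-0001 \
        && cat "$work/custody.log"
}
```

Run `demo_run` from a shell that has sourced the file; on real media, SOURCE is the block device exposed by the write-blocked boot environment and IMAGE lives on the evidence drive.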