Monday, January 27, 2014

Computer Forensics Notes - Creating a Lab

Computer Forensics Notes
Creating a lab
· Find a place to put your computer forensics lab
· Get all of the tools of the trade
· Make sure to choose your own forensics software
· How to store evidence
You can put a forensic lab inside any building if it can provide the proper controls and resources.
Key things to look for are having a proper network, electrical power, air conditioning, and privacy.
You must have the proper access controls to ensure you know who can access your equipment, evidence, and forensic images. This is very important because you don't want the wrong people seeing this material.
Documenting chain of custody
A chain of custody document shows who has had possession of an item. It tracks its every movement and who has been in contact with it. It records where you got the evidence, who you got the evidence from, when you got the evidence, what you did with the evidence, and where the evidence has been stored.
Things to remember in order to maintain the chain of custody for a forensic image:
· You must keep all information about the physical system from which you obtained the evidence
· You must keep track of where the forensic image is stored
“Hash or hashing refers to a mathematical algorithm that takes data of any length and converts it to a fixed set of hexadecimal characters that represent that data.”(Computer Forensics: InfoSec Pro Guide Pg. 33)
What is MD5? – Message-Digest Algorithm 5
What is SHA-1? – Secure Hash Algorithm 1
SHA-1 produces a longer digest (160 bits) while MD5 produces only 128 bits.
If you were to take a 1 TB hard drive and compute a SHA-1 hash of it, you would get a 160-bit value that represents its contents. As long as everything on the drive remains the same, the hash will not change; if even one byte changes, the hash changes.
Remember: Secure Hash Algorithm 1 uses 160 bits and Message-Digest Algorithm 5 uses 128 bits.
What is a raw image? A raw image is a computer forensic image of a system in which the data from the storage device is stored as a single file or multiple files, but without any type of container that stores checksums or hashes. (Computer Forensics: InfoSec Pro Guide pg. 47)
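Because a raw image carries no hashes of its own, the examiner computes them and records them in the chain of custody at acquisition, then recomputes them whenever the image changes hands. The following script is an added example (not from the book or the original notes) that hashes a constructed in-memory stand-in for an image file in chunks, produces a custody record, and shows that a single changed byte breaks verification; the image name, examiner and storage location are made-up placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample bytes standing in for a raw disk image (.dd) file.
SAMPLE_IMAGE = b"\x00" * 512 + b"FORENSIC-SAMPLE" + b"\xff" * 512


def hash_image(data, chunk_size=65536):
    """Return MD5 and SHA-1 hex digests, hashing in chunks so a multi-TB
    image never has to be loaded into memory at once."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def digest_bits(hex_digest):
    """Digest size in bits: each hex character encodes 4 bits."""
    return len(hex_digest) * 4


def custody_entry(image_name, digests, examiner, action, storage_location):
    """One chain-of-custody record: who, what, when, where, plus both hashes."""
    return {
        "image": image_name,
        "examiner": examiner,
        "action": action,
        "storage_location": storage_location,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "md5": digests["md5"],
        "sha1": digests["sha1"],
    }


def verify_image(data, recorded):
    """Recompute both hashes and compare them with the recorded custody entry.
    Any change to the image, even one byte, makes this return False."""
    current = hash_image(data)
    return current["md5"] == recorded["md5"] and current["sha1"] == recorded["sha1"]


if __name__ == "__main__":
    digests = hash_image(SAMPLE_IMAGE)
    entry = custody_entry("case001-disk1.dd", digests, "examiner-A", "acquired", "evidence safe 2")
    print(json.dumps(entry, indent=2))
    print("SHA-1 bits:", digest_bits(digests["sha1"]), "MD5 bits:", digest_bits(digests["md5"]))
    tampered = SAMPLE_IMAGE[:-1] + b"\x00"  # flip the last byte of the image
    print("original verifies:", verify_image(SAMPLE_IMAGE, entry))
    print("tampered verifies:", verify_image(tampered, entry))
```

On a real image, replace SAMPLE_IMAGE with a file read in chunks of the same size, and store the custody entries append-only alongside the image.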

Physical Access Controls
This can be basically anything that makes sense to keep the wrong people away from your data: a lock, a guard, an armed robot, or just about anything else you can think of to keep people you don't want near your evidence away from it.
Also keep a log of anyone you do allow into your forensic lab. You want them to sign in when they enter and sign out when they leave. It's probably best to have a guard make sure that they do this. You may also consider using camera surveillance to maintain an absolute record of who comes and goes.
Make sure your lab has proper electrical power and proper cooling
The more cases you are involved with, the more power you are going to need. It's best to have at least one dedicated circuit available for your lab. Make sure you use a UPS (uninterruptible power supply). This will keep the power reaching your equipment conditioned and eliminate any variances in voltage that may potentially damage your equipment. It will also supply power temporarily if you have a power outage; make sure you know how long it will last if the power goes out. Always keep your lab properly cooled using an air conditioner: when you are dealing with a lot of power you are dealing with a lot of heat. A dual-hose portable air conditioner should do the trick.
Privacy
Your computer forensics lab should be private. This is pretty obvious given the lengths to which we go to ensure physical access controls and even the chain of custody. This means do not work on your examinations where anyone might come near you, and do not work with the door open. This shouldn't be a problem with a secured-access forensics lab like the one discussed above.
Tools of the Trade
· Write Blockers – These block your computer from writing to evidence; in short, write blockers block writes. This is one of the essential tools of any computer forensics lab. It is very important not to write to a disk while imaging, since doing so can destroy a case you are trying to build against someone.
· Drive Kits – These provide an easy and compact connection from an internal hard drive to your workstation. Make sure you test this equipment before going on site.
· External Storage – Get the highest transfer rate possible; USB 3.0 is currently one of your best options. Make sure your external storage has good heat dissipation, because you don't want it overheating and crashing.
· Screwdriver Kits – You will need these to remove hard drives from laptops.
· Antistatic bags – These are key to preventing static shock from killing your drive. They are cheap and affordable.
· Adaptors – New hard drive interfaces may require an adaptor to bridge from that new interface to something you can handle with your current equipment.
· Forensic workstation – You should have a dedicated workstation that can process evidence overnight. You will probably want another computer to do other tasks while you wait for this to finish. Get all the processing power, RAM, and storage space your budget can afford.
Forensic Software
SIFT – The SANS Investigative Forensic Toolkit is open source forensic software made to run as a static virtual environment that you can optionally install to a drive. It works with Linux and Windows. This is a free, open source tool that a beginner can use.
EnCase – EnCase Forensic version 7 is best for a trained user; the software is difficult to use if you are just beginning. It works with Windows and Linux and costs near $3,000.
FTK – AccessData's Forensic Toolkit is the tool to beat according to the author. It is very user friendly and provides free online training and certifications. A newer user could probably grasp it very fast, and if they struggle they will find the support they need. This software works with Windows 7 and Server 2008 R2.