Computer Forensics Hardware



Although our forensic machines are capable of performing multiple tasks such as wiping, duplicating, and archiving data, dedicated hardware can make our lab more efficient. While we cannot currently afford any of this equipment, we are trying to get the money to do so. These are some of the pieces of equipment that I have experience using and will recommend to my supervisor.


Wiping:
Wiping a drive can take anywhere from several minutes to several hours, depending on its size and the method used. If we wiped one drive at a time, we could spend a whole day wiping drives on a machine that could otherwise have been used for investigations. For wiping multiple drives, I would use Logicube's Omniclone 5Xi.

This model has six bays: one for the master drive and five for the drives to be wiped. It also has other capabilities, such as copying, although I am not certain that it makes forensic copies. The light bar, which resembles a stop light, tells the technicians whether it is functioning properly (green), waiting for a response (yellow), or has encountered an error (red). The good thing about this is that we can wipe multiple drives, walk away, come back, and check up on it. It also does not tie down our forensic machines. We usually wipe drives of the same size so that they all finish at the same time. Much larger drives we wipe overnight (so as not to tie down the Omniclone itself) and come back to the next day.


Duplicating:
We always create forensic duplicates of the original evidence, and usually do so in EnCase or FTK Imager. However, there are times when we have to go outside the lab to perform an acquisition. It would be impractical to take our lab machines with us to the scene. Therefore, we usually rely on a mobile solution. This can include a laptop in a briefcase, with the forensic software installed. However, I prefer to use Logicube's Forensic Talon.

The source (evidence drive) connects outside the case, and the destination (forensic copy) sits inside it. Within a few minutes, we can have it set up and creating dd images. We bring the copies back to our lab and can either convert them to EnCase images, which are compressed to save space, or add the dd images directly into the case. Because dd images are not compressed, and we don't know the size of the evidence drive to begin with, we usually carry high-capacity hard drives. Also, the destination drive inside the case can get really hot, so we keep the Talon open while acquiring.


Archiving:
Image files are usually placed on our forensic servers and keep taking up space after they are no longer needed. Once a case becomes inactive, we need to archive it. If it is a large case, we usually archive to tape. However, many cases are small enough to fit on DVDs. Currently, we are using one of our forensic machines to burn these files to DVD. However, this manual task can get tedious. First, we have to make sure the files all fit on one DVD. If not, we must manually split them. Then, once each DVD is done, we must manually remove it, put the next one in, and repeat the process. This wastes the investigator's time and ties up the machine used to burn the DVDs. A better method is to use an automated machine. I have had good experience with Primera's Optivault Archival Appliance.

This robot uses the Retrospect backup software, which lets you archive, back up, and restore files to DVDs and other media. The best part of this machine is that it is pretty much a start-and-forget system. Once we archive a case, the machine takes care of burning the files, switching DVDs, printing labels, and verifying that the files were copied correctly. This minimizes both human and CPU time.

We usually create two sets per case. One is sent to a remote location and one stays in-house. This is so that we can restore the case if necessary and can get the second backup if something is wrong with the first.
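The two manual steps above that the appliance automates, fitting a case's image files onto DVD-sized sets and verifying each burned set, are shown here as an added example; this is my own illustration, not code from the blog, Retrospect, or Primera, and it assumes a plain directory of image files, a 4.7 GB single-layer DVD, and constructed sample sizes.

```python
"""Plan DVD archive sets for a closed case and verify each burned set.
Added example, not the blog's or Primera's code; assumes one directory of
image files and a single-layer 4.7 GB DVD. Sample sizes are constructed."""
import hashlib
from pathlib import Path

DVD_CAPACITY = 4_700_000_000  # single-layer DVD capacity in bytes (decimal)

def plan_dvd_sets(files, capacity=DVD_CAPACITY):
    """Group (name, size_bytes) pairs into DVD-sized sets, largest first,
    using first-fit-decreasing bin packing. A file larger than one DVD is
    reported, not silently dropped: it has to be split before burning."""
    too_big = [name for name, size in files if size > capacity]
    if too_big:
        raise ValueError(f"files exceed one DVD and must be split: {too_big}")
    sets = []  # each entry: [bytes_remaining, [names]]
    for name, size in sorted(files, key=lambda f: f[1], reverse=True):
        for entry in sets:
            if size <= entry[0]:
                entry[0] -= size
                entry[1].append(name)
                break
        else:  # no existing DVD has room: start a new one
            sets.append([capacity - size, [name]])
    return [names for _, names in sets]

def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so multi-gigabyte images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def write_manifest(src_dir, names, manifest_path):
    """Record the SHA-256 of every file going on one DVD, before burning."""
    lines = [f"{sha256_file(Path(src_dir) / n)}  {n}" for n in names]
    Path(manifest_path).write_text("\n".join(lines) + "\n")

def verify_manifest(copied_dir, manifest_path):
    """Re-hash the burned copies; return names that are missing or altered."""
    bad = []
    for line in Path(manifest_path).read_text().splitlines():
        digest, name = line.split("  ", 1)
        target = Path(copied_dir) / name
        if not target.is_file() or sha256_file(target) != digest:
            bad.append(name)
    return bad
```

Burning the manifest onto the same DVD as the files lets the remote-site copy be checked years later without access to the lab server.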
