Creating a Forensic Computer System: Basic Hardware and Software Specifications



Similar documents
A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 1 Introducing Hardware

Computer Hardware HARDWARE. Computer Hardware. Mainboard (Motherboard) Instructor Özgür ZEYDAN

EUCIP IT Administrator - Module 1 PC Hardware Syllabus Version 3.0

Chapter 4 System Unit Components. Discovering Computers Your Interactive Guide to the Digital World

Understanding Digital Components

Primary Memory. Input Units CPU (Central Processing Unit)

CSCA0102 IT & Business Applications. Foundation in Business Information Technology School of Engineering & Computing Sciences FTMS College Global

Logical Operations. Control Unit. Contents. Arithmetic Operations. Objectives. The Central Processing Unit: Arithmetic / Logic Unit.

Chapter 6. Inside the System Unit. What You Will Learn... Computers Are Your Future. What You Will Learn... Describing Hardware Performance

Chapter 5 Cubix XP4 Blade Server

Chapter 5 Busses, Ports and Connecting Peripherals

Guide to Computer Forensics and Investigations, Second Edition

Discovering Computers Living in a Digital World

Computer Basics: Chapters 1 & 2

TEST CHAPTERS 1 & 2 OPERATING SYSTEMS

Three steps to the best technology: 1. The Assessment 2. The Dialogue 3. The Recommendation

SOFTWARE TECHNOLOGIES

COMPUTER HARDWARE & SERVICING QUESTION BANK

Desktop PC Buying Guide

Computer Storage. Computer Technology. (S1 Obj 2-3 and S3 Obj 1-1)

Tomorrow s Technology and You

EUCIP - IT Administrator. Module 1 - PC Hardware. Version 2.0

CHAPTER 3: HARDWARE BASICS: PERIPHERALS

Chapter 3: Computer Hardware Components: CPU, Memory, and I/O

Communicating with devices

COURCE TITLE DURATION CompTIA A+ Certification 40 H.

Computer Components Study Guide. The Case or System Box

How To Store Data On A Computer (For A Computer)

XTreme Files OS & Data Backup/Restore User Manual Please read the Instruction manual before using the XTreme Files (F Series) 1.

Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

2! Bit-stream copy. Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.

2.5" XTreme Files OS & Data Backup/Restore User Manual Please read the Instruction manual before using the XTreme Files (X Series) 1.

Technical Product Specifications Dell Dimension 2400 Created by: Scott Puckett

Rugged and open to your applications

Practice Test for the Domain 1 - PC Hardware (Brought to you by RMRoberts.com)

Prof. Dr. M. H. Assal

The Bus (PCI and PCI-Express)

DMS-10101, Computer Equipment

CHAPTER 2: HARDWARE BASICS: INSIDE THE BOX

A Practical Approach to Starting and Growing Your Own Law Firm

Digital Forensics. Module 4 CS 996

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

Conseils Installations Formations Dépannages Matériels Logiciels N Entreprise : TVA : BE Banque CBC :

Useful Computer Forensics Tools Updated: Jun 10, 2003

Motherboard Specifications, A8M2N-LA (Naos)

Figure 1. Front and Back of a Computer Case

Ultra ATA 133 RAID PCI Pro

Minimum Hardware Specifications Upgrades

M6310 USB Flash Drive Tester/Duplicator

IT Solutions Resource Management Consulting Group th Street NW Suite 206 * Washington DC * Office (202)

How To Build A Scada System

v1 System Requirements 7/11/07

Enterprise Edition Technology Overview

The Motherboard Chapter #5

Operating Guide EPIA EX-Series Mini-ITX Mainboard

Computer Forensics Discipline

H ARDWARE C ONSIDERATIONS

SOFTDENT Practice Management Software v14.0 System Requirements. Server. Workstation (without digital imaging)

Computer Forensic Capabilities

Guide to Computer Forensics and Investigations, Second Edition

Tech Times. Back-up and Storage

CSCA0201 FUNDAMENTALS OF COMPUTING. Chapter 5 Storage Devices

Fall Lecture 1. Operating Systems: Configuration & Use CIS345. Introduction to Operating Systems. Mostafa Z. Ali. mzali@just.edu.

ELEN 115 Computer Components and Peripherals

ACER INC. VERITON M200 QUICK SPEC

Hard Drive Installation Options Ontrack Data Recovery Technical Paper.2004

SERVER AND WORKSTATION MINIMUM REQUIREMENT

Enterprise Erase LAN

NCTE Advice Sheet Storage and Backup Advice Sheet 7

HC Emission Protected Security Workstation

QuickSpecs. Models. HP StorageWorks X510 3TB Data Vault. HP StorageWorks X500 Data Vault. HP StorageWorks X500 Data Vault.

You have more pressing concerns than how to backup and share your data but you know it needs to be done and you know it would benefit your business.

Supporting Hard Drives

Mother Board Component

Lecture 6: Operating Systems and Utility Programs

CPU. Motherboard RAM. Power Supply. Storage. Optical Drives

Minimum Hardware Specifications Upgrades

Management Challenge. Managing Hardware Assets. Central Processing Unit. What is a Computer System?

CompTIA A Certification Exam Objectives - Study Guide Exam Number: (Brought to you by RMRoberts.com)

Lesson 5. Managing Devices. Learning Objectives. ODN Skills

s y s t e m r e q u i r e m e n t s

ITU Session Four: Device Imaging And Analysis. Mounir Kamal Q-CERT

Computer Forensics Processing Checklist. Pueblo High-Tech Crimes Unit

Chapter Contents. Operating System Activities. Operating System Basics. Operating System Activities. Operating System Activities 25/03/2014

MN POS TM. Hardware & Peripherals. All required hardware may be purchased from Home Office.

The Central Processing Unit:

SMART Board User Guide for Mac

Module 1 Introduction to Information and Communication Technologies

Computer Hardware and Software:

ENTERPRISE COMPUTER INCIDENT RESPONSE AND FORENSICS TRAINING

Program: Systems Engineering Certificate. Prerequisite: None. Hardware/Software required:

Floating License Server for ACDSee Photo Manager

Network Training Center (NTC)

Application Server Platform Architecture. IEI Application Server Platform for Communication Appliance

Intel RAID Controller Troubleshooting Guide

Product Specifications. Shuttle Barebone D10. Shuttle Mini-PC with 7" Touchscreen. Feature Highlight.

1 PERSONAL COMPUTERS

Tech Application Chapter 3 STUDY GUIDE

Chapter 8: Installing Linux The Complete Guide To Linux System Administration Modified by M. L. Malone, 11/05

CERTIFICATE IN COMPUTER HARDWARE AND NETWORK TECHNOLOGY (CCHNT) COURSE STRUCTURE UNIVERSITY SCIENCE INSTRUMENTATION CENTRE (USIC)

Transcription:

Creating a Forensic Computer System: Basic Hardware and Software Specifications SEARCH Training Services August 2006 SEARCH The National Consortium for Justice Information and Statistics 7311 Greenhaven Drive, Suite 145 Sacramento, California 95831 Phone: (916) 392-2550 Fax: (916) 392-8440 Internet: www.search.org

Overview The following is a description of the basic hardware and software specifications required for a forensic computer system. The Training Services staff of SEARCH, in cooperation with law enforcement agencies throughout the United States, developed these specifications. The type of system described in this document provides the greatest flexibility and most efficiency when performing computer data forensics. The system should be able to handle 95% of the cases and types of equipment most law enforcement agencies will come across at the present time. 1 The basic functions any forensic system should be able to perform are: Make a true and accurate copy of a hard drive to another hard drive or an image file. Make a true and accurate copy of a hard drive to a removable and portable media. Restore the true and accurate copy onto a second forensic hard drive from the removable media or image files. Perform a media analysis of a subject drive or image file. A good reference for information is the National Institute of Standards and Technology Computer Forensics Tool Testing Web site: www.cftt.nist.gov In addition to the recommended hardware and software, this document provides a list of optional hardware. Law enforcement agencies will eventually need most of these packages, but some can be purchased on an as-needed basis. The recommended hardware and software is not intended to be an exclusive or exhaustive list. If you have suggestions of hardware and software to add to the list, please contact SEARCH Training Services staff at 916/392-2550 (Pacific time). 1 As of the date of publication, August 2006 Forensic Computer Systems: Basic Hardware and Software Specifications Page 1

Creating a Forensic System The system described here can perform the major functions required of a forensic system in a highly efficient manner and will provide optimal flexibility when conducting forensic analysis. The following are recommendations for forensic computer system hardware. Hardware Recommendations Motherboard and Processor A Pentium IV dual core processor with hyper threading (3.2+ GHz) or AMD Athlon 5000+ processor. You should strongly consider purchasing a 64-bit processor. Be sure to choose a motherboard that uses the latest socket style. For example, while you can still purchase processors for the AMD 939 socket, AMD is in the transition to the AM2 socket. In this example, you would purchase an AMD processor that uses the AM2 socket, not a 939 socket. Three to five PCI expansion slots PCI Express x16 Slot. While you may not need the high-speed graphics this bus provides, there are many inexpensive graphic cards that will work in this slot. Two ATA/100 or ATA/133 EIDE controller ports At least one standard 3½-inch floppy disk port Two serial ports One SPP/EPP/ECP parallel port Minimum of two USB2 ports (better if the ports are on the front of the computer) Adaptec FireWire card or similar quality or built-in FireWire ports Serial ATA controller port(s) A built-in Gigabit network connection The motherboard must have auto-sensing BIOS supporting LBA and C/H/S mode hard drives. Sound, Network and SCSI Cards A SoundBlaster AWE32-compatible sound card (built-in cards are fine) An Adaptec 29160N SCSI adapter card or similar quality and cabling to match the card Forensic Computer Systems: Basic Hardware and Software Specifications Page 2

Case and Drive Mounting A full ATX tower case with five to eight external 5¼-inch drive bay slots and two 3½-inch floppy drive bay slots. All hard drives can be mounted using removable drive bays with dual fans (one fan in the rack and one in the tray). Slide racks install in the computer, which allow for the easy addition and removal of hard drives. In addition, you need a 2½-inch to 3½-inch adapter (converts a laptop hard drive to fit a standard 40-pin IDE cable) and an ATA to Serial ATA adaptor (converts PATA to Serial ATA). Power Supply A minimum of a 400 watt modular power supply is needed. Consult your motherboard and processor guides for exact power requirements. Monitor One 21-inch and one 19-inch monitor (two 21-inch monitors are preferred). Also, LCD monitors are preferred because they take up less space and generate less heat. Some of the newer monitors provide DVI input. Hard Drives One Serial ATA hard drive per operating system (that is, one for Win2K, one for Linux, etc.). We recommend a minimum of two 160+ gigabyte hard drives for the forensic drives. The hard drives should be Serial ATA for performance reasons. Floppy Drive A 3½-inch floppy. CD Drives A CD-RW is needed in order to review CDs, transfer data to investigators and archive data. DVD Burner A DVD player is recommended in order to view DVDs and load some software. A DVD burner can be used to archive information. A dual-layer DVD burner will allow you to store more information. Memory (RAM) Four gigabytes of RAM (Random Access Memory) are recommended but no less than two gigabytes. The memory must match the motherboard s RAM specifications and should be the fastest type possible for it. Forensic Computer Systems: Basic Hardware and Software Specifications Page 3

Video Display Card A PCI Express 16x display card with a minimum of 256 megabytes of memory (DDR is preferred) that is capable of supporting DirectX writes is needed. Ideally, the video card will support two monitors at a time. Choose a card that provides dual DVI output. If the card does not support two monitors, then a second card will be needed if you want to use two monitors. The PCI express card must match what is on the motherboard. Cards may not be interchangeable. Peripherals A laser printer is recommended for high-speed printing of text or black-and-white photos. For color photos, either a color laser printer or a good quality inkjet printer is recommended. Removable Media Reading Devices Consider the amount of removable media, including memory sticks, Compact Flash, Secure Digital and others. These removable media are found in PDAs, digital cameras and many other devices. A device that reads all these different formats needs to be purchased. Hard Drive Blockers A hard drive blocker is a physical device that sits between your suspect s drive and your computer. This device prevents any writes to the suspect s hard drive. Caution: All hard drive blockers must be validated before using. Validation is independently verifying that the hard drive blocker works the way it claims to. The following are Web sites of companies offering hard drive blocker hardware: www.digitalintel.com www.vogon.us www.encase.com www.mykeytech.com www.wiebetech.com www.blackbagtech.com www.ics-iq.com www.acard.com A good reference for write-blocker information is: www.cftt.nist.gov Forensic Computer Systems: Basic Hardware and Software Specifications Page 4

Software Recommendations The following software recommendations are for drive duplication, image processing and miscellaneous purposes (including graphics and text viewers, miscellaneous utilities and operating systems). Drive Duplication Software Drive duplication software makes a true and accurate copy of the drive. It is recommended that you have at least two of these programs because all programs do not work in all situations. A good source of information on making true and accurate copies of media is: www.cftt.nist.gov Caution: All programs that make a duplicate image of a drive must be validated before using. Validation is independently verifying that the duplicate image program works the way it claims to. Product Company Drive-to- Drive? Drive-to- Image? Segmented? Website Byte Back 2 Tech Assist, Inc. Yes Yes Yes www.toolsthatwork.com EnCase Guidance Software No Yes Yes www.encase.com Forensic Toolkit AccessData No Yes Yes www.accessdata.com Ghost 3 Symantec No Yes Yes www.symantec.com ILook Law enforcement only No Yes Yes www.ilook-forensics.org/ Linux DD No Yes Yes www.cftt.nist.gov/disk_imaging.htm ProDiscover Technology Pathways No Yes Yes www.techpathways.com SafeBack 4 New Technologies, Inc. Yes Yes Yes www.forensics-intl.com SMART ASR Data No Yes Yes www.asrdata.com 2 Has additional features and data recovery capability. 3 Ghost in the RAW mode. 4 Version 2.2 supported by Encase, ILook and FTK. Version 3 supported only by Encase. Forensic Computer Systems: Basic Hardware and Software Specifications Page 5

Image Processing Software These four programs actually process an image. They perform file searches, text searching and data recovery, including on deleted files. Product Company Processes an Image? Makes a Duplicate Image? Reads SafeBack Images? Reads EnCase Images? Reads DD Images? Website EnCase Guidance Software Yes Yes Yes Yes Yes www.encase.com Forensic Toolkit AccessData Yes Yes Yes Yes Yes www.accessdata.com ILook Law enforcement only Yes Yes Yes Yes Yes www.ilookforensics.org/ ProDiscover 5 Technology Pathways Yes Yes No No Yes www.techpathways.com Miscellaneous Software Programs from the Graphics and Text Viewers table, as well as from the Miscellaneous Utilities table, will be needed. It is recommended that a forensic toolkit have at least two programs from the Graphic and Text Viewers table. You need to have at least one anti-virus program and one spyware remover. They should be separate programs. Graphics and Text Viewers Product File Viewer? Graphics Viewer? Website ACDSee No Yes www.acdsee.com Adobe Acrobat Reader PDF only No www.adobe.com Conversions Plus Yes Yes www.dataviz.com Firehand Ember No Yes www.firehand.com Graphics Workshop No Yes www.mindworkshop.com IrfanView No Yes www.irfanview.com KeyView Pro Yes Yes www.keyview.com LView Pro No Yes www.lview.com PhotoStudio No Yes www.stuffware.co.uk Quick View Plus Yes Yes www.avantstar.com ThumbsPlus No Yes www.cerious.com 5 Prodiscover has a free version. Forensic Computer Systems: Basic Hardware and Software Specifications Page 6

Miscellaneous Utilities Product Company Able to Unerase? Text Search? Operating System Notes Website Camtasia TechSmith No No All Win versions Makes movie-clip screen captures www.techsmith.com Captain Nemo Runtime Software No Yes All Win versions Allows for viewing of WinNT, Win2K and Linux hard drives from Win98 www.runtime.org DiskExplorer for NTFS Runtime Software No Yes Win2K/WinXP Disk editor and explorer www.runtime.org DriveSpy Digital Intelligence Yes Yes Win9x Logical, Win2K, WinNT, Linux at physical level Runs from a boot floppy: file uneraser, drive hasher, key word searcher www.digitalintel.com Easy Recovery Pro Ontrack Data Recovery No No Win9x Recovers a formatted drive www.ontrack.com E-mail Examiner Paraben No No All Win versions Email viewer www.parabenforensics.com Mailbag Assistant Fookes Software No No All Win versions Email viewer www.fookes.com NTFSDOS Professional Password Recovery Toolkit RecoverNT Winternals No No Boot floppy Allows a boot floppy to view Win NT/Win2k AccessData No No All Win versions Password cracker for applications LC Technology Yes No All Win versions Allows for recovery of formatted drives SnagIt TechSmith No No Win95B or better Captures screen images WhatFormat (Shareware) No No All Win versions Determines file format from header www.winternals.com www.accessdata.com www.lc-tech.com www.techsmith.com www.jozy.nl/whatfmt. html Forensic Computer Systems: Basic Hardware and Software Specifications Page 7

Operating Systems In order to process a drive, you may need an operating system identical to that used by the suspect so that the same conditions can be created. A variety of operating systems are useful to have. The following list is a good summary of the operating systems you might need: Windows 98 Windows 2000 Professional Windows ME Windows Home and Media Center Windows 2003 Server Linux Windows XP Pro Optional Hardware Scanner A high-end scanner is recommended so that paper evidence can be converted into electronic evidence, and then put on a CD. Using OCR (Optical Character Recognition) will also make the scanned files somewhat text searchable, depending on the quality of the document to begin with. Forensic Computer Systems: Basic Hardware and Software Specifications Page 8 SEARCH Group Inc. 2004

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information