Elizabeth, Hello!

If you are intending to simply learn about forensics and data recovery techniques, I would assemble a system that includes the following list of hardware. This gets a bit detailed, but I have a point in the end (hopefully). The bottom line is to stay away from the bleeding edge, or you'll be wasting time with compatibility issues, should you end up analyzing legacy hardware (quite inevitable).

Intel chipset - Anything, really. A 133 MHz Pentium I is fine.

IDE controllers - The faster the better, as 90% of all bottlenecks in forensic processing are related to I/O issues.

SCSI controller - Adaptec cards are simply the best and most reliable. I actually used to carry a spare 1542 and 2940 in my raid kit.

Video card - The type is based completely on your preference for OS. I usually stick with Matrox, as it performs exceptionally well in X Windows and MS products.

Motherboard / BIOS - This is where it gets tricky. I stay away from the top-of-the-line boards here for compatibility reasons. The BIOS should support the deactivation of all components, should you need to pop in an odd controller someday. For example, I once had an 8-bit ISA card that was a proprietary interface to a floppy drive built to read old Apple/Mac/Amiga disks. It supported two IRQs - both claimed by on-board devices.

Memory - As much as humanly possible.

Hard drives - For learning purposes, find a small IDE drive (1-2 GB range) to use as the operating system drive. Find a handful of odd-sized drives (both IDE and SCSI) to use as "evidence" and "target" media.

Keyboard with a reinforced "Page Down" key - As I use Quickview Plus, Norton Utilities, Linux and other reliable software instead of shrinkwrapped "forensic" software, Page Down is used quite a bit.

Heh. We were attempting to make a couple of points with that comment.
First, simply purchasing a prebuilt system where someone has taken the time to provide you with specialty hardware (external power, external IDE connectors, removable drive bays, 50/68/SCA SCSI connectors) configured to work together saves an immense amount of time. This is quite important when a corporate entity is standing up an IR team.

Second, purchasing a system gives the analyst someone to go to when the hardware breaks. In AFOSI, we literally had 2-3 rows of rolling storage units 8 feet high stacked with drives, spare parts, esoteric hardware and cables. We were our own repair shop, really. Most organizations simply can't afford to do that. Having a vendor available to call up and FedEx a part is an underappreciated ability until you are on site and really, really need that replacement motherboard that you burned out by flipping the 2.5" HD connector when connecting it to the on-board IDE controller....

By the way - somewhere along the way, we hosed up the URL for our source of hardware. The URL *should* be http://www.forensic-computers.com/.

-- Matt Pepe

-----Original Message-----
From: Elizabeth Genco [mailto:elizabeth.gencoat_private]
Sent: Monday, July 16, 2001 7:03 PM
To: 'forensicsat_private'
Subject: Forensics workstations

Hi again, everybody --

First of all, let me just say a big thank you to the myriad of folks who responded to my last message about making the transition to computer forensics. I was floored by the number of people who responded (both on and off the list), and was even more floored by the quality of said responses. I got some great advice from you all. Thanks so much!

With that kind of encouragement, I decided to give this list another shot. I've got a little time and spare equipment on my hands, so as an exercise for myself, I'd like to build a workstation for forensic examination. Now, this is purely an educational exercise, and as such, I'm not looking to create the most professional machine ever.
I'm just trying to learn something, since I've got spare resources lying around (workstations, hard disks, etc.).

The question I have for you all is: if you were building a forensics workstation from the ground up, what would you put on it? What kinds of software and hardware would you include? What do you consider to be essential, and what is simply "nice to have"?

Realize that I don't have the money to go out and purchase professional software, like EnCase. So, while I encourage you to mention what your "money is no object" dream server would include, please also try to mention useful software that is free (like Coroner's Toolkit) and/or available on the cheap (like Norton Utilities). Again, this isn't for professional use -- I'm just trying to get my hands dirty and play around a bit.

I'd also like to hear what you have to say about the whole issue of building your own server versus purchasing special hardware (like the workstations made by DIBS). I've been reading the latest Foundstone book ("Incident Response"), and in it they touch on this a bit. Their opinion seems to be that constructing your own hardware is a bad thing. I can understand the reasoning behind this view, but I'd like to hear other opinions.

Thanks in advance for any input on these questions.

Elizabeth

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:40:37 PDT