Hi, everybody --

A few weeks ago I made a post to the list asking for input on the subject of forensics workstations; namely, what makes for a good one? I got all kinds of excellent responses, and a number of people asked me if I'd compile and post them to the list. So, here they are. I've tried to ask everyone included here for their permission before posting their response to the list at large. All the same, I'm anonymizing these as much as I can in case I missed someone along the way (my apologies if that's the case). I've also omitted the responses that were sent to the list already (they're available in the archives).

As for my own workstation, things were going along swimmingly until my company went belly-up last week and I found myself out of a job and hardware (this isn't as dramatic as it sounds -- I knew we were doing poorly and had been making plans to leave anyway). Hopefully I'll be able to claim the hardware as my own -- short of selling stuff on eBay, I don't know what the management is going to do with 40+ office PCs! In any case, building the box was a good learning experience and should be easy enough to recreate if it came to that. I decided to build a dual-boot RedHat 7.1/Win 98 box with the OSes on two separate hard disks, with an assortment of free, cheap and demo versions of popular tools (WinHex, Maresware, Neotrace, Norton Utilities, Quickview Plus, an Encase demo, etc.).

One small bit of administrivia: I am now using a different e-mail address for this list, as the other address will be going away soon.

Without further ado, here's what members of the list had to say:

+ A couple of people suggested that I buy a PC instead of building one. Some links:
  http://www.cyberforensic.com/index.htm
  http://www.forensic-computers.com/main.htm
  http://www.cftco.com/machine.htm

+ "I built my own machine. The reasoning was twofold. One, I would know exactly what was in my machine, and two, I could testify to its abilities and my knowledge of the computer.

Here is an excerpt from an article I wrote on the subject.... I started with the case requirements and felt the full tower ATX case ($35) would work great, and then onto the internal making of the system. I wanted a relatively fast machine so I went with the AMD 900 MHz chip ($145), a high-end Tyan K-7 motherboard ($75), I found an ATI 32 MB video card ($39), 512 MB PC133 memory ($109 ea), 30 GB hard drive ($129 ea), 1.44 floppy ($7), PCI modem ($9), Sound Blaster, 52x CD ($49), Adaptec 2940 SCSI card ($75), ATA 100 controller card ($15), removable bays for the hard drives ($12 ea); ensure you get plenty of these bays as they are not interchangeable between manufacturers. I decided on the main hard drive for the unit also being in a removable bay; this was mainly due to cloning the drive and storing a copy in the event of a crash, a quick and easy replacement. I then added two additional IDE bays, two SCSI bays, and a Seagate 20 GB tape ($95). I purchased 10 additional IDE removable bays and two SCSI bays, in addition to the three IDE bays and two SCSI bays in the platform. These are to put an LS-120 drive ($52), Zip 250 drive ($67), and other IDE devices into. It requires a little cutting and gluing, but the results are well worth it. You have to watch that you do not try to put too much into the platform as you will run out of IRQs real fast. When all was said and done I had about $1,200.00 in a platform that will do everything I will need. I found a good quality 17" monitor for $149 at a local computer show and plan on purchasing a 19" ($189) at the next show. Extra cables and other items that may come in handy in working with older boxes have been obtained from tearing older machines apart.

For duplication/cloning of hard drives I built a bare-bones AMD 450 MHz, 128 MB RAM copy machine that has two IDE removable bays in it for a whopping $240.00. Again I found this at a wholesaler's, who was happy to change drive for memory upgrades, etc., and take off for items I didn't need. Don't forget, some local businesses are civic-minded and will be more than happy to help you in setting up a platform by giving you items at cost; don't be bashful with your local computer stores, you'll never know what they are willing to do until you ask.

On the software issue... There are several companies that put out forensic software that will more than likely do everything you need done. The costs range drastically, from $595.00 to over $1,650.00 per copy, not to include stand-alone programs for the obscure jobs you may be faced with. My advice on the software is to make contact with the companies you can find that make forensic suites and get as much information about the product as possible, find out the companies' guarantees on the product and if they have or will have someone that can testify as an expert on their product should the need arise, and then ask others who are doing forensic work their opinions, all while trying to stay within your budgetary constraints."

+ "The Linux dd command can make exact copies; the OS does not matter. It's actually better than Ghost. It's also free on all Unix OSes. For undeleting files you can use Norton diskedit.exe (can get for free), undelete one file at a time, or Undelete (about $40.00). To view just about all file types get Quickview Plus ($40.00). Can view 200 file types including images, Works, WordPerfect, Excel, etc. Without a software lock like Encase I would make a copy, examine the copy and document the process. If you open a file and find you need dates, make another copy when done and go back and look at dates. As long as you work off a copy you can always look at the PC. Also get hdl.com, a utility made by the RCMP (Canadian police), which places a software lock on IDE drives. Used in DOS mode only. PS: Linux can also be used to mount and search most file systems. Use grep searches to find names in files, file names, etc."

+ "[ dd, gzip, md5, crc, sha1, grep, mount ] are items that come with *nix that you should look at. Encase has a demo, totally useless, but it will give you an understanding of how it works. I liked it. You should have a computer that you know how it works and what is in it. Know the quirks of the computer so you can quickly fix problems. I would try to avoid HP, Compaq and such as they at times only like their hardware in the computers. Perhaps have an ATA 66 or 100 controller on your computer. Perhaps have a SCSI card in your computer.
  http://www.cftt.nist.gov/testdocs.html
This URL has a document which tells of the different TESTS performed on disk imaging tools. This may help you understand possible problems as well as how they perform images etc."

+ "I just got done building my portable forensic machine, and while the office paid for it, I got to pick what I wanted. Having used a portable, and a "fixed" or standard workstation that was converted, I would keep my portable any day! I can take it with me, but it's hefty enough to use day to day. So for the specifics: I got the case (a "Hercules") from Acme Portables (www.acmeportable.com). Ran about 2,500 for a case that comes with the flat panel display, your keyboard, the power supply and a stout transport case (I check it as baggage). I used an ABIT 133 RAID motherboard. The only drawback has been how crowded it is inside, but the motherboard works great. Added an 866 MHz Intel chip (if you've got the $$ I would have rather had the GB chip), 512 MB of RAM, some removable drive bays (run about 30 bucks each) for the SCSI (one) and the IDE (two), a CD burner (I like the HP), a moderate SCSI, video and sound card, and you are set (sans the software). I have also used a Dell workstation, converted to take the removable drive bays, a must. That was also an 866, with 256 MB of RAM and the standard video and sound cards. I bypassed the SCSI and used a standalone box that we built for about 300 bucks. At that time I was not running into that many SCSI drives.

The pros and cons of "professional" systems like DIBS or Freddie: I know my system inside and out, I built it, I tuned it to what I want and it works great. There is a lot to be said for being able to have what you want, and the experience of building it yourself. A side note: when I testify in court I make sure and put in that I built the system. Seems to give a little extra punch that I have at least some idea of what I am doing <grin>. The con: I am not a professional computer builder and I had some glitches along the way: RAM chip gets in the way of the drive bay, etc. The pro systems are great, but expensive. Freddie is somewhere around 6K, I don't know about DIBS, and a fully built and software-equipped portable like mine would run around 8-9K professionally built. A couple times I would really have liked to have the old warranty to fall back on!! Hope this helps."

+ "The thing I would recommend is to get the fastest processor you can, with the most memory. In a lot of situations more memory is better than a faster processor. In any event cram as much memory in the machine as you can. For a basic system from scratch I would build it to work with IDE hard drives, unless you have a bunch of SCSI drives laying around. The majority of forensics work is done on IDE drives unless you are in a very big network environment. Removable disk drive trays are a real time saver if you have them. The best are made by CRU and will last a long time; I have some cheaper ones in my home system, I think the model number is RAH-10. Look at www.cyberguys.com; they carry the RAH-10 and others. Cyberguys also carry some other neat items as well. You will need an IDE (ATAPI) CD-ROM reader (makes it easier to install software). If you have one, a CD burner is also a good thing to have. You want the biggest monitor you can get your hands on (you're going to be looking at it a long time) and the best video card you can get. Matrox makes some very good ones. Get several hard drives to put your forensic OSes on vs. using one hard drive with System Commander or some other multi-boot program. Why? Well, I have had a forensics drive with 4 OSes installed and working fine, then one goes wacky or System Commander blows up and all of the OSes are out of commission. It is much easier to rebuild one OS than many. As far as which OS to use, have one with Windows 98, Win NT or 2000 (or both), and Linux. Get the enhanced loopback RPM for Linux that Jason put out several weeks ago for your Linux OS. For a hex editor, if you don't have Norton Utilities take a look at WinHex; it is cheap and very powerful, it even includes a RAM editor."

+ "If you are building the workstation as a learning experience, that's fine. If you are building it for use in a corporate environment, where it won't be used for legal matters, that would be OK, too. If you are building it for use in investigations, then you need some sort of credentials that show you have the expertise to create such a workstation, such as a degree in computer engineering or a certification."

Thanks again to everyone who responded! 'Twas a big help to me.

Elizabeth

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
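The imaging workflow the respondents describe (copy with dd, hash with md5 and sha1, examine only the verified copy, document the process) written out as a script. This is an added example, not code from any list member; it assumes GNU coreutils and uses a constructed 8 KB file in place of a real drive.

```shell
#!/bin/sh
# Added example, not from the list: image a source with dd, then verify the image
# against the source with md5 and sha1 before any examination, logging every step.
# Assumes GNU coreutils (dd, md5sum, sha1sum). SRC is a constructed sample file
# standing in for a real device such as /dev/hdb; the source is only ever read.
set -u

# hash_pair FILE -> prints "md5 sha1" for FILE
hash_pair() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# verify_image SRC IMG -> 0 only if both md5 and sha1 of IMG match SRC
verify_image() {
    [ "$(hash_pair "$1")" = "$(hash_pair "$2")" ]
}

# image_and_verify SRC IMG LOG -> 0 if the image verified, 1 otherwise; LOG is the
# written record of the process (who, when, what, and both hash pairs)
image_and_verify() {
    src=$1; img=$2; log=$3
    {
        echo "=== imaging started $(date -u +%Y-%m-%dT%H:%M:%SZ) by $(id -un)"
        echo "source: $src"
        echo "source hashes (md5 sha1): $(hash_pair "$src")"
    } >> "$log"
    # noerror,sync keeps reading past bad sectors and zero-fills them, so a source
    # with read errors will legitimately hash differently from its image; bs must
    # divide the source size (true for real devices) or sync pads the last block.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>> "$log" || { echo "dd failed" >> "$log"; return 1; }
    sync
    echo "image hashes  (md5 sha1): $(hash_pair "$img")" >> "$log"
    if verify_image "$src" "$img"; then
        echo "VERIFIED: image matches source; examine the image, not the source" >> "$log"
        return 0
    fi
    echo "MISMATCH: image does not match source; do not examine it" >> "$log"
    return 1
}

# Constructed demo input: 8192 random bytes stand in for the suspect drive.
WORK=$(mktemp -d)
SRC="$WORK/suspect.bin"; IMG="$WORK/suspect.img"; LOG="$WORK/custody.log"
dd if=/dev/urandom of="$SRC" bs=512 count=16 2>/dev/null
image_and_verify "$SRC" "$IMG" "$LOG" && echo "ok, see $LOG" || echo "verification failed, see $LOG"
```

The log file is the "document the process" part: it records who ran the copy, when, and the hashes of both sides, which is what you would later be asked to produce.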
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 15:00:35 PDT