Now that you have seen a selection of the tools available for the forensic examiner, you need to decide which tools work best for you. Every forensic examiner has slightly different needs. The particular tools you acquire depend on many factors, including:
Expected types of investigations
Evidence to be presented in a court of law
Evidence for internal reporting/auditing
Operating system needs and preference
Background and training
Consider your specific forensic needs and then carefully consider the products available. In general, you should only acquire the functionality you need and nothing more. The problem is that it can be difficult to know exactly what functionality you need. Each investigation is different and may call for different approaches. In such cases, tool needs change. To the best of your ability, develop a list of forensic tool needs.
The care and maintenance of your computer forensics tools begins well before you are asked to perform a forensic evaluation.
Each time you purchase a new hard drive, you must complete a procedure to sanitize the drive to ensure that there is no data on the drive prior to using it in the imaging process. This is a process that can require many hours to complete.
The CEO of a company once asked me to perform a forensics evaluation of a very senior employee's computer to look for evidence that this employee was planning to leave the company. The CEO was so concerned because this employee had access to very sensitive trade secrets that would put the company at a great disadvantage if they were obtained by a competitor.
The CEO wanted me to go into the employee's office in the middle of the night and image the hard drive without his knowledge and leave everything as I had found it so the employee would not know I had been there. I had only one problem. The CEO wanted the imaging done that night and I didn't have a hard drive with me that had been sanitized to the U.S. Department of Defense specification DoD 5220-22M standard.
I was out of town teaching a forensics class when the request was made. If I had been at home, I would have simply opened the safe at my lab and taken out one of the many sanitized hard drives (of varying sizes) that I keep prepped and ready to go. As a matter of procedure, each time I purchase a new hard drive, I use the Image MASSter Solo 2 Forensics unit to sanitize the drive and then I store the drive in my safe and complete an entry in a log to begin the chain of custody for that drive.
Because I did not have a prepped drive, I drove to one of the local computer super centers and purchased a drive. I had previously asked the CEO what size hard drive he thought the employee had in his computer and he told me the company standard was an 80GB hard drive. Of course, I purchased a 120GB hard drive to make sure I was buying a large enough drive.
Then, the real issue began. I went back to my hotel and began sanitizing the drive, which takes many hours to complete on a 120GB hard drive. The CEO told me he would meet me at the office whenever I was ready. The process completed at 4 AM and I called the CEO. We went to the office, and I was able to image the employee's computer and leave the building before any of the other employees arrived for work. After inspecting the hard drive, we discovered evidence that the executive was planning to leave and was collecting data to take with him. We were able to prevent him from taking the data with him. Very soon after, he did leave the company and, because of his actions, did not receive a severance package.
From this experience, I learned to always bring a sanitized 250GB hard drive with me when I travel out of town, just in case. From this story, you should learn that you will need to purchase a variety of hard drives and sanitize them before you ever talk to your first customer about performing a forensics examination.
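The two steps described above, confirming that a sanitized drive holds no data and opening its chain-of-custody log, can be checked in software. The following is an added example, not code from the original text or from any tool it names. It assumes the sanitizing pass leaves a single known fill byte (0x00 here; the text does not say which pattern the unit writes), and the serial number, examiner name and log field names are hypothetical.

```python
import json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read the device 1 MiB at a time

def scan(path, fill=0x00, chunk=CHUNK):
    """Return (bytes_checked, first_dirty_offset); the offset is None if every byte == fill."""
    clean = bytes([fill]) * chunk
    offset = 0
    with open(path, "rb") as dev:
        while block := dev.read(chunk):
            if block != clean[:len(block)]:
                # Locate the exact byte so the failure can be recorded precisely.
                dirty = next(i for i, b in enumerate(block) if b != fill)
                return offset + dirty, offset + dirty
            offset += len(block)
    return offset, None

def custody_entry(path, serial, examiner, fill=0x00):
    """Build the first chain-of-custody log record for a newly sanitized drive."""
    checked, dirty = scan(path, fill)
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "drive_serial": serial,        # hypothetical field names
        "examiner": examiner,
        "fill_byte": f"0x{fill:02x}",
        "bytes_checked": checked,
        "sanitized": dirty is None,
        "first_dirty_offset": dirty,
    }

def make_sample(size, dirty_at=None):
    """Constructed stand-in for a drive: a zero-filled file with an optional stray byte."""
    data = bytearray(size)
    if dirty_at is not None:
        data[dirty_at] = 0x41
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    for dirty_at in (None, 3_000_000):
        sample = make_sample(4 * CHUNK, dirty_at)
        print(json.dumps(custody_entry(sample, "SAMPLE-SERIAL", "examiner-1")))
        os.remove(sample)
```

Pointed at a real device node instead of the sample file, the scan reads the whole drive, so expect it to take a long time on large drives, much like the sanitizing pass itself.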
Although it's important to be adequately prepared, one common pitfall is to overbuy. The impulse in all things is to pack any acquisition with the maximum number of options. Think about it. Have you ever used all of the options on your video camera? Take a look at the owner's manual, and see all the cool things you can do with your camera. You probably heard about the features when you bought the camera and promptly forgot about most of them when you started using it. Forensic tools may include options you simply don't need. Avoid paying for options you'll never use.
In choosing a forensic tool set, consider how your organization approaches investigations. Do you need the ability to remotely examine machines? If so, you can narrow your search to a few options. Are you a Unix shop with a small budget? Open source tools might fit the bill in this situation.
There is no 'one size fits all' forensic toolkit. Ask questions. Take the time to attend training and view tutorials. Test as much software as possible. Investing a substantial amount of time in this process will help you make more informed decisions. Thoroughly consider how your organization conducts investigations, what kind of investigations you will need to participate in, and what features you will need to get the job done.
Unless a single set of forensic tools satisfies all of your needs, consider selecting multiple tools while weighing the costs involved. When you do select multiple tools, they will most likely overlap. That's okay. Get what you need. There is nothing wrong with having three disk imaging tools. Use the one that makes the most sense.
Most forensic examiners use tools from several vendors. Some may use commercial and open source tools. The source is not important. The important points are that you have the tools that get the job done, you know how to use them, and you have verified that the tools do what they are supposed to do before you use them on a real case.
One last point: get the necessary training to properly use the tools you acquire. Great tools can hamper or ruin an investigation if you don't know how to use them. Forensic tools can be highly effective or highly destructive, all depending on the knowledge of the user. Get the tools, and then get the training.
After you have built your toolbox and know how to use the tools in it, you are ready to tackle the next investigation.