Forensics Hardware


If an incident response team anticipates conducting forensics examinations, it should acquire a dedicated forensics platform. This computer does not need to be particularly powerful; in most cases, the limiting factor in conducting an investigation is I/O speed, not processor power. The computer should be set up to accommodate most likely configurations; specialized equipment can be added as needed.

Standard Corporate Desktop

Most of this section (and indeed, most of this chapter) assumes that the standard corporate desktop is an Intel or compatible PC running some version of Microsoft Windows. UNIX investigations will be discussed further in Chapter 9, "Forensics II," although most of the basic techniques in this chapter are applicable to UNIX desktop systems. If the company has Macintosh systems, it will require a dedicated Macintosh forensics platform.

  • CPU. With Moore's Law showing no signs of slowing, it is difficult to state a minimum or appropriate CPU speed. However, a CPU similar to the standard desktop configuration in the company should be sufficient. The CPU needs to run the operating system and the forensics software, so check those manufacturers' compatibility requirements. It might also need to run some desktop software. If the company has high-end or proprietary applications (for example, graphics or CAD), the machine should be capable of running these applications as required to view the data files they produce.

  • Motherboard. Because the system might be modified as needed by adding other components, the main board should have several free slots. The BIOS needs to be as current as possible so that it recognizes large storage devices. It might be preferable to custom-build the forensics computer to ensure that the system has as open an architecture as possible.

  • Case and cables. The computer should have a case design that allows easy access to the drive bays and expansion slots. A tower configuration, with multiple vacant drive bays and side panels that remove completely, is preferred. The computer should have spare power connectors available for additional storage devices or peripherals, and spare IDE or SCSI data cables.

  • Storage. The computer needs a primary disk drive capable of storing the operating systems and the software. More important than the primary disk is the capability to add multiple secondary disk drives. One or more of these secondary drives will be used for the storage of evidence as it is processed. Other drives might be the evidence drives themselves (more on this later); an evidence drive must never be written to, so it should be attached through a hardware write-blocker or mounted read-only. SCSI drives are recommended for their I/O speed, but the computer must be able to mount IDE drives as well.

  • Floppy drives. The computer needs the capability to read floppy disks during the course of the investigation. Typically these will be 3.5" high-density drives, but if the company uses other removable media such as ZIP disks or 3.5" SuperDisk (LS-120) media, the computer should have one of these drives mounted as well. Although 5.25" drives have all but disappeared from the corporate environment, it might be wise to procure a 5.25" drive while they are still available and mount it in the forensics computer in case an investigation turns up older floppies.

  • CD writer. A CD writer can be used to read in evidence from CD-ROMs as needed. It can also be used to record evidence during the investigation. If the discs are closed (finalized) at the end of the writing process, no further sessions can be appended, so they help demonstrate that the evidence was not modified between the investigation and the eventual legal or administrative hearing. The demonstration is only as strong as the record that accompanies it: compute a cryptographic hash of each file at acquisition time, record it in the case notes, and re-verify the disc against those hashes before the hearing. This is not a substitute for proper evidence handling and storage, but it is valuable as an additional demonstration of the authenticity of the evidence.

  • Tape drives. If the company uses tape drives for backup, a compatible drive is useful. If the population of tape drives in the company is small or varied, a drive can be added later if an investigation requires it.

  • Network card or modem. It might be useful to transfer files or data from the forensics computer to other systems, and to access the Internet for system and software updates. However, these benefits must be weighed against the risk that a networked computer is inherently more exposed to unauthorized access. Even if the system is properly secured, the perception that an unauthorized person might have accessed the system and modified the data can be harmful when attempting to demonstrate proper evidence safeguards. If the system is networked, networking should be disabled during any actual examination of the evidence; physically unplugging the cable is easier to document and defend than relying on a software setting.

  • Operating system. The computer must be capable of reading any media or file system likely to be collected. The most common Windows file systems are FAT, FAT32, and NTFS. At the time of writing, only Windows 2000 reads all three natively (Windows 95/98 cannot read NTFS, and NT 4.0 cannot read FAT32). As an alternative, the forensics computer can be set up to dual-boot Windows 95/98 and NT. If other file systems, such as the ext2 file system used by Linux, are in common use, the system should be set up to boot into an operating system that reads them as well. Some of the forensics packages discussed later in this chapter provide the investigator with the capability to overcome these limitations. For example, data could be imaged from an NTFS drive using EnCase and then be viewed and examined using EnCase under Windows 98. If, however, the drive is restored, an NT or 2000 system will be required to read the drive.
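
The integrity demonstration that closed CD-Rs and careful handling support ultimately rests on a hash of each evidence file recorded at acquisition time and recomputed later. The following is an added example, not code from the book: it writes a sha256sum-style manifest for a constructed evidence set, verifies it, and shows how a modified or missing file is reported. SHA-256 is assumed; the era's usual choice was MD5, which is no longer collision resistant and should not be used for new evidence. File names and contents are constructed for the demo.

```python
"""Acquisition-time hash manifest for forensic evidence copies (added example).

Assumes SHA-256 and the sha256sum manifest layout '<hexdigest>  <filename>'.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images need not fit in RAM


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, streamed in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(paths, manifest_path, algorithm="sha256"):
    """Record one '<hexdigest>  <basename>' line per evidence file."""
    with open(manifest_path, "w", encoding="utf-8") as out:
        for p in paths:
            out.write(f"{hash_file(p, algorithm)}  {os.path.basename(p)}\n")


def verify_manifest(manifest_path, directory, algorithm="sha256"):
    """Re-hash every file named in the manifest.

    Returns {filename: "OK" | "MISMATCH" | "MISSING"} so that the outcome
    can be recorded in the case notes rather than merely printed.
    """
    results = {}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, name = line.split("  ", 1)
            target = os.path.join(directory, name)
            if not os.path.exists(target):
                results[name] = "MISSING"
            elif hash_file(target, algorithm) == expected:
                results[name] = "OK"
            else:
                results[name] = "MISMATCH"
    return results


def demo():
    """Constructed evidence set: acquire, verify, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "disk0.img")          # constructed image file
        log = os.path.join(d, "acquisition.log")      # constructed case notes
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed partition data")
        with open(log, "w", encoding="utf-8") as f:
            f.write("constructed acquisition notes\n")

        manifest = os.path.join(d, "MANIFEST.sha256")
        write_manifest([image, log], manifest)
        before = verify_manifest(manifest, d)

        # Simulate what the manifest must catch: a single changed byte in the
        # image and a file that has gone missing from the evidence set.
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"\xff")
        os.remove(log)
        after = verify_manifest(manifest, d)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at acquisition:", before)
    print("after tampering:", after)
```

The manifest line format is the one `sha256sum -c` understands, so the same check can be repeated from a shell on a different machine before the hearing without this script.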

It is also possible to buy dedicated forensics machines from vendors. A quick Internet search on computer forensics will provide several links if the response team wants to buy a ready-made machine instead of building one from scratch.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103