1. Digital Forensics (Introduction)
In this section of the course, we’re going to play detective and begin our coverage of digital forensics. Now, this is an area that I really love inside the cybersecurity world, having spent several years as a digital media collector and digital forensic examiner myself. In this section of the course, we’re going to focus on domain four, with a singular focus on Objective 4.4. Now, Objective 4.4 states that, given a scenario, you must utilize basic digital forensic techniques. In this section, we’re going to focus on digital forensic techniques for workstations, desktops, laptops, and servers. In a later section of the course, we’re going to cover forensics specifically for virtualized systems, mobile devices, and the cloud as well. As we move through this section of the course, we’re going to start with a look at the role of a digital forensic analyst inside the cybersecurity field.
Then we’re going to discuss the different forensic procedures used by analysts in their jobs. Following that, we’ll look at the concept of work product retention, which basically means how long we’re going to keep evidence and what kind of evidence we’re going to keep. Then we’re going to move into data acquisition for later forensic analysis and describe some of the most common forensic tools that are used by analysts in the field. After that, we’ll discuss how system memory images and disk images are acquired by those forensic analysts, because there are different procedures used for each of these types of collections. Also, we’re going to discuss how we maintain the integrity of the evidence that’s collected by using hashes of the forensic images that have been acquired by those analysts during our analysis. We also need to create a timeline so that we can analyse data from all of the different forensic evidence that we’re collecting from various devices, systems, and networks. So we’ll talk about that too.
Sometimes, though, this evidence isn’t collected cleanly. For example, a criminal may be trying to delete files or scramble the contents of their hard drive in order to hide them from an analyst. But that’s okay because there are ways to overcome it. And we’re going to discuss how an analyst can overcome this issue by using data carving techniques to recover these thought-to-be-deleted files from a given hard drive. Finally, we’re going to discuss the legal concept known as a “chain of custody.” And I’ll also demonstrate how an analyst can collect and validate digital evidence in a step-by-step video demonstration for you. Alright, it’s now time for us to jump into the world of digital forensics.
2. Digital Forensic Analysts (OBJ 4.4)
Digital forensic analyst. As a cybersecurity analyst, you’ll be responsible for a variety of tasks both during and after an incident to ensure that forensic analysts can do their jobs effectively. One of the jobs that a cybersecurity analyst may graduate into is that of a forensic analyst as well. Now, you might be called upon to perform a variety of forensic activities as part of your incident analysis and threat hunting. And so in this lesson, we are going to focus on the role of a digital forensic analyst. Now, when we talk about digital forensics, we are talking about the process of gathering and submitting computer evidence to trial and then interpreting that evidence by providing expert analysis. A forensic analyst has many different job titles, depending on where they work. You might hear them called a forensic computer examiner, a digital forensic examiner, or a computer forensic detective. All of these are valid names, as are many others you may come across.
Now, what exactly does a forensic analyst do? Well, they’re going to use specialised tools and skills to recover information from computer systems, from memory, and from storage. Now, the reason they have to do this is because, unlike evidence that you could see with the naked eye, all of this digital stuff can’t be seen. And so you have to be able to collect it, analyse it, and produce it as a report. That can then be used in court. Because if I just give you a hard drive, that doesn’t tell you anything; it’s what’s inside the drive that’s really important. We use forensics and digital forensics specifically to be able to pull out the information we need from that hard drive and present it in court. Now, one of the things that a forensic examiner may do is serve as an expert witness. Now this is, again, because that information has to be extracted from the hard drive. It needs to be extracted from memory. It has to be extracted from the network or from the system. And based on that, your expert analysis of what you found and the process you used is going to be called upon in court if you’re dealing with a criminal case.
For example, I once served as an expert witness in one of these cases. There was a case where somebody was suing a hotel, saying that they had injured themselves on the property. Now, they had made a claim about how badly they were hurt and were trying to get a very big payout from the hotel’s insurance company. But we found video evidence showing that this person wasn’t actually hurt. And I used my technical skills as an analyst to get the information from the video, perform the analysis, and provide that as a written report to the court. Based on that, they were able to combine that evidence with other evidence and get the verdict they were looking for. If you’re a forensic analyst, you may be asked to fill a lot of different roles. For example, you may be asked to help plan IT systems and processes.
This way, we know that those systems and processes are set up ahead of time to be able to collect evidence if needed during a cybersecurity incident. Additionally, an analyst may be asked to help investigate or reconstruct an incident; something bad happened to your network, and they want to figure out what happened. Well, an analyst has that detective skill in the technical domain to help piece those things back together. Another thing you might be asked to do is help investigate whether a crime has occurred. By going through the systems, you can determine if something bad really happened and if that thing was a crime. For example, if you worked for the police, you might be called in to search a computer for evidence of child pornography, because that would be a crime. You’d be able to determine if you found that evidence, and if so, that means a crime has been committed and that person is going to go to jail. Another thing an analyst might help with is to collect and protect evidence.
As you’re going through these systems and collecting information, you also need to make sure you’re revalidating the information as it’s being collected and protected to make sure it doesn’t get changed after you’ve collected it. All of this is important to an analyst. Another thing an analyst might help with is determining if data was exposed. So maybe you want to know: has your company been the victim of a data breach? You suspect you might have been, but you’re not sure. Well, if you call in a forensic analyst, they can go through your systems and determine if your database was accessed and if those files were extracted. That’s something that can help you figure out if the data was exposed.
Or you might work for a forensic tool company. You have to develop tools and processes for them. All that can be done by a forensic analyst, and they’ll help out with those to make sure they are meeting the industry’s needs. And finally, a forensic analyst might be called on to support ongoing audits. This is due to the fact that audits are essentially evidence collection as well. And so you can go through the auditing process and help people go through the different processes and records to make sure everything is being kept up-to-date and has not been tampered with. Having a forensic analyst help with audits is really important, especially if you’re in a highly regulated field. For example, if you fall under Sarbanes-Oxley or HIPAA or something like that, you’re going to have regulators come and audit you. It does help to have a forensic analyst on staff who can help go through your information and verify that everything has maintained integrity and has not been tampered with.
3. Forensics Procedures (OBJ 4.4)
Forensic procedures. In this lesson, we are going to talk about the basic forensic procedures, and this is essentially going to be a four-step process. Now, the first thing you need to know about forensics is that everything we do follows written procedures. These written procedures are going to ensure that personnel handle forensics properly, effectively, and in compliance with the required regulations. This way, we always follow what is written down, and we always do it the same way. Now, as we go through our forensic procedures, there are four main areas. We have identification, collection, analysis, and reporting. In this lesson, we’re going to talk about each one of them. First, we’re going to have identification. This is going to ensure the scene is safe.
We have made sure we secure the scene to prevent any contamination of the evidence, and we have identified the scope of the evidence to be collected. Now, when you think about this, especially in the digital forensics world, I like to think about it as if you’re working for the police department. They break down the door, and they arrest the person. And what do you need to do? Well, as you walk in the door, the first thing you need to do is make sure the scene is safe. There’s not a bad guy hiding in the other room who’s going to come out and hurt you or try to stop you from collecting the evidence. We want to make sure everything is safe there.
Then, once we know everything is safe, we move on to the next step, which is making sure nobody contaminates our evidence. We want to record the scene using video and photography to make sure we know exactly what was there before we touched anything. And then we want to start identifying the scope of the evidence to be collected. If I go into a store as part of this investigation and they say, “Hey, we’re looking for this type of data,” well, I need to start looking at all the computer systems around there and say, “Where can this type of data be hidden?” Is it going to be on a tablet? Is it going to be on a phone? Is it going to be on a smart TV?
Is it going to be on a server? And based on the type of data I’m looking for, I’m going to scope my evidence collection, because a lot of times your warrant will tell you exactly how large or small a scope you have and what you’re allowed to collect. And then we’re going to move into collection. Now, when we do collection, we have to ensure that we have authorization to collect the evidence. Now, this might take the form of something like a warrant, and then we’re going to document and prove the integrity of the evidence as it’s collected. Now, what this means is that, as I start collecting the information from the computer, I’m not just going to take the hard drive and throw it in a bag. I need to make a bit-by-bit copy of that hard drive, because all of my subsequent analysis will be performed on the copy rather than the original. Now, I also need to make sure that the copy is an exact match of that hard drive once I make it.
And I am going to take the original into evidence, so that if we ever need to go back to it for analysis and make another copy, we can. We also want to ensure its integrity, to ensure that I haven’t changed any data on it and that no one else has changed anything on it. That’s the idea here with collection. Then we move into analysis. So now that we have a verified copy of this evidence, we take that copy for analysis. And we use repeatable methods and tools during the analysis. Again, everything here is going to be written down. We are going to use procedures that tell us exactly what to do. This is going to say step one: make a copy of the drive. Step two: create a hash of the drive and the copy to make sure you have integrity. Step three: perform an analysis on the copy using the XYZ tool. It’ll tell you exactly what you need to do as an analyst using a checklist that can be repeated and followed each and every time. And then we get to step four, which is reporting, at the end of all of our analysis. We need to create a report of the methods and tools that we used in our investigation. And then we also need to present detailed findings and conclusions based on that analysis.
If I was looking for child pornography on the hard drive of the suspect’s computer, I need to say I found it; it was located here, and here’s how I prove it. All of the things I did, how I found it, all of the locations, all of the files, screenshots of it—all of that kind of stuff is included in the final report to be given to the judge and the court so that person can go to trial. Again, as I said in the last lesson, you may be called to go into court to testify based on what you have: your report that you’re going to give and the analysis you’ve done. Now, this is really important to realise, because everything you do is going to come under question once you take that stand. They’re going to ask about every method you’ve used and any mistakes you possibly could have made. They’re going to try to find fault with everything you could have done. Because if they can find fault with anything you’ve done, your evidence and everything you learned from it can be thrown out of court, which can get their client off. Attorneys are paid a lot of money to help get their clients off of these criminal charges.
And so if you’re working in the criminal sector as a forensic examiner, you need to be very careful to follow the procedures exactly. This brings us to the concept of a legal hold. Now, a legal hold is a process that is designed to preserve all the relevant information when litigation is reasonably expected to occur. Now, “litigation” is just a fancy word for “lawsuit.” Essentially, if we think what we’re going to be dealing with and collecting could end up in court one day, we need to make sure we don’t destroy any evidence. We must collect and preserve everything. Now, one of the biggest challenges when you start dealing with this is that you can actually have your computer or server seized as evidence in some kind of criminal conspiracy. Assume you run a web hosting company and someone purchased storage space on your server and placed illegal files, or whatever the bad content is, on it. Well, if the police want to take that evidence, they might take your server, which holds not just that person’s stuff but also all of your other clients’ stuff as well. And that can go away for a long period of time because of this legal hold. The legal hold can actually keep that computer or server as evidence for the entire duration of that trial, which could be months or even years. So this is something you have to think about as an organization.
Do you have backups for your servers? How quickly can you get them back online if some kind of evidence collection is going to happen? That is something you need to address as part of your business continuity plan as well. Now, another thing I recommend when you’re dealing with the law is that you should always have somebody from your organisation appointed as your liaison, and that person should have legal knowledge and expertise so they can be the point of contact with law enforcement. So when somebody comes in from law enforcement and they want to start collecting evidence, you need to have somebody who can work with them. This person is going to be your point of contact between the forensics team, which may be an outside company or law enforcement, and your CSIRT, which is your cybersecurity incident response team. If you’re dealing with a data breach, for instance, is your company going to try to pursue legal action against the person who broke into your systems? If so, you’re going to have a forensics team from law enforcement come in and collect that evidence. And so having this liaison who can be that single voice and that single point of contact can really make things work a lot better for you. Now, the last thing we need to talk about in this lesson is ethics.
Forensic analysts have to follow a code of ethics, and there are three main points to this code of ethics that you really do need to follow. Otherwise, you’re going to have a problem when you get on the stand. First, the analysis must be performed without bias. This means that any conclusions or opinions that you form should only be based on the direct evidence that you have observed. You shouldn’t be thinking, “Well, I don’t like this person because XYZ.” It’s not based on their color, their creed, their nationality, what they look like, or anything else. It should only be based on the evidence you find. In fact, it’s much better for a forensic analyst to be completely removed from the situation. A lot of places that I’ve worked with before have one set of people who collect the information and another set that analyses it.
So all they see is the data. They don’t know anything about the case up to that point, and that can help eliminate some of that bias. The second requirement is that analyst methods be repeatable by third parties. Now, what I mean is that if I take the exact same evidence and give it to somebody else, they should get the same results if they use the same methods you did. And again, this is why it is so important that you document every single thing you do when you’re doing your analysis. For instance, when I do my analysis, I will write down the time and the action I took. I clicked this button, I ran this command, and here were my results, and I put a screenshot in there. That way, anybody who comes behind me can see exactly what I did, when I did it, and how I did it. And if they run those same commands, they should get the same results. If they don’t, that could be reason to get your evidence thrown out. And the third thing is that evidence must not be changed or manipulated. We never want to do analysis on the actual device itself. Instead, we always want to do it on a copy when we can.
So if I’m taking evidence from a hard drive, I’m going to make a copy of that hard drive. I’m going to run an integrity check, such as a hash, on both the copy and the source to make sure they match. And if they do, I can then do my analysis on the copy. That way I don’t have the possibility of changing or modifying the original. And we’ll talk about a lot of other things and how we can make sure we don’t modify the original as we go through this section. Now, here is a big warning for you. If you’re ever going to do this professionally, keep this in mind: defence attorneys will try to use any deviation from your ethics or from your procedures as a reason to dismiss your findings and analysis. Remember, these attorneys get paid big dollars to be able to get their clients off; that’s their job. They’re trying to get that case thrown out at any time. If they can get your evidence thrown out, that is one less thing against their client. And so they’re going to do that. They are going to go after you. They’re going to go after your credentials; they’re going after your methods; they’re going to go after your processes. And you’re going to have to defend all of that in court to make sure your evidence is admissible and can stand up in court.
4. Work Product Retention (OBJ 4.4)
Work product retention. In this lesson, we’re going to quickly talk about “work product retention,” which is a type of procedure and policy that governs the way we hire somebody. Now, work product retention is a contractual method of retaining or hiring a forensic investigator so that their analysis is protected from disclosure by the work product doctrine. Now, when you’re dealing with a criminal or civil trial, you’re going to have these things called discovery and disclosure. These principles of discovery and disclosure govern the exchange of evidence between the prosecution team and the defence team in this civil or criminal trial.
Now, when we’re dealing with digital forensics, things get a little bit weird here, because if I were dealing with something like fingerprints on a bottle, that bottle would be something that is subject to discovery and disclosure. You’d have to give it to the other side, so the prosecutor would give it to the defence attorney so they could look at it as well. Well, with digital forensics, it doesn’t necessarily work that way, because the thing you’re actually collecting evidence from is the hard drive, or the image made from it. Your discovery and disclosure obligation to the opposing party is to provide them with a copy, or image, of that hard drive: not your analysis, just the drive image itself. Their team has to do their own analysis to see what they can come up with. The analysis that the examiner actually performed on that evidence, on the other hand, is the protected work product.
And so if an attorney hires me, they can retain me as an expert to perform the analysis. Now, once I do that analysis, that attorney can decide whether or not to hand it over to the other side. So if I am hired by the prosecution, they can decide whether or not to give it to the defence attorney. If I am hired by the defense, they can decide whether or not to give it to the prosecutor. The actual image itself, on both sides, will be part of the discovery and disclosure process. But my analysis is owned by the attorney who contracts me. That’s how it works for a forensic analyst. Now, to make sure you’re protected by this work product doctrine, you need to make sure you’re limiting your contact with the company’s CSIRT, and those people cannot help you with the analysis. Instead, it all has to be done by you, the forensic analyst, or your forensic analysis company. By doing that and being hired by the attorney, you keep the work product doctrine intact. There’s one more detail that has to be in place, and that is that the attorney has to be the one who contracts the analyst; the attorney’s client, the company, cannot simply contract the analyst directly.
Now, there’s one more key thing here. When you’re dealing with hiring an analyst as a company, you can’t hire the analyst yourself and still have this work product doctrine apply; your attorney for the company needs to hire the analyst. This has to do with the way the law is written, and so the attorney has to hire the analyst. Now, you can do a three-way contract between the investigator you’re hiring, the attorney, and the company, and they can use wording in the contract such as “at the direction of outside counsel,” meaning that attorney, “in anticipation of litigation,” in which case the company can be on the contract too. But if you just have the company hire an analyst, that analysis would be discoverable under discovery and disclosure. So you need to make sure the attorney is involved whenever you’re hiring an analyst, for example if you’re the victim of a data breach and you want to bring in some outside analysts to help you with it.
5. Data Acquisition (OBJ 4.4)
Data acquisition. In this lesson, we’re going to talk about how you start acquiring evidence. This involves data acquisition, which is the method and tools used to create a forensically sound copy of the data from a source device, such as system memory or a hard disk.
Now, when you deal with acquisition, the question you have to ask is, “Do I have the right to search for or seize this thing legally?” This is an important question because in your organization, not all the devices are owned by the company. If it’s owned by the company, yes, you have the right to go ahead and collect on it because you work for the company and they want you to. What if you let them bring their own device? If you allow employees to bring their own devices into your organization, these policies can complicate data acquisition because you may not be legally able to search or seize that device because you don’t own it; the employee does. As a result, you must ensure that any evidence you collect is lawfully obtained. Otherwise, that search could be inadmissible.
Another thing that makes data acquisition very complicated is that when you get to a crime scene, you’re not just dealing with the physical world; you’re dealing with the digital world. And so, when I come into a room and I see that the lights are on and the computer is on, how am I going to collect the data off that computer? Am I going to shut it down? Am I going to power it off? Am I going to collect it when it’s powered on? All of these are valid options, and each one has drawbacks and benefits depending on what you’re trying to accomplish. But for now, I just want you to keep in mind the fact that when you’re dealing with a digital crime scene as opposed to just a physical one, some evidence could be lost when you turn off a computer or shut it down.
And so you need to make sure you understand what you’re going to do and the procedures you’re going to follow. Now, this brings us to the idea that some of this data can only be collected when the system is on, and some of this data can only be collected once the system is shut down or you suddenly remove the power. Now, an analyst always has to think about the order of volatility when they collect their evidence. Back in A+ and Security+, you should have learned about the order of volatility. So the rest of this lesson should be a review, but if it’s been a while, let’s go ahead and cover it anyway. First, we always want to collect anything that is short-term or anything that is highly volatile. So if you start thinking about things like CPU registers and cache memory, that is a very small amount of memory inside those processors. As a result, it is frequently changed.
So you want to be able to collect that as soon as possible. Then we move on to the other volatile memory, which is things like system memory, routing tables, the ARP cache, process tables, temporary swap files, and things like that. All of those are things that are volatile and are changing quite rapidly, but not nearly as quickly as a CPU register or cache memory. Then we move on to the data that’s on persistent mass storage. Now, in the old days, we would just say “hard drive,” but nowadays we say “mass storage,” because this includes our hard drives, our solid-state drives, and our flash drives. All of these are persistent mass storage systems because they will retain the information when you take away the power, unlike memory. But it does still change quite often, as long as the computer is on and people are writing to or reading from that disk. Next, we’re going to collect the things that are remotely logged, things like our SIEM and any other kind of monitoring data. This is important because, while it’s not on the system you’re analyzing, it’s already been remotely logged somewhere else.
That other place somewhere else is still being read and written to over and over again by other systems, and so it could modify some data. So we want to collect that as well. Following that, we’d like to obtain anything physical. This is the physical configuration and network topology and things of that nature. So if I go into the network and I start looking at the way it’s wired, I can say, “Okay, this computer was talking to this switch, which talks to this router,” and I can start mapping that out and collecting that information. After that, we’re going to collect archival media. Now, what is that? It’s things like backup tapes and offsite storage. Things that are written to once and then forgotten about. For instance, you might write something to a CD or DVD. Once it’s written to that disk, it’s going to maintain that data on it until you destroy the disk.
And so it is our lowest priority for collection, but still something we want to collect at the end of the day. Now, one piece of warning that I want to give you is something that a lot of junior analysts will neglect to think about when you’re dealing with the Windows Registry. A lot of people think about the Windows Registry as being on the hard disk. And while most of the Windows Registry is stored on the hard disk, there are some key areas, like the HKLM\HARDWARE hive, that exist only in memory: that hive is built at boot from the hardware Windows detects and is never written out to disk. So you want to analyse that part of the registry using a memory dump instead. When I analyse the registry, I usually do it from the memory dump first, and then I can go back and do it off the hard drive afterwards. That way, anything that was missed in memory might get caught by the hard drive, and I can see both things. When you’re dealing with the HKLM\HARDWARE hive, it’s really important to capture it from memory because it reflects the devices that were attached to the running system at the time you imaged it. The longer-term history of every USB storage device that has ever been plugged into that computer lives on disk in the SYSTEM hive (under its Enum\USBSTOR key), so you check both. Either one can tell me, as an analyst, that I need to start looking for that thumb drive or flash drive so I can find the data that was written off from this computer. And so that’s one of the reasons why that’s really important to think about.
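The copy-then-hash procedure from the collection lesson (make a bit-by-bit copy, hash the source and the copy, work only on the copy) and the acquisition concerns in this lesson, as one added Python example that is not part of this course and not any vendor's tool. It images a constructed in-memory "drive" block by block, handles an unreadable block the way dd's conv=noerror,sync does (zero-fill, keep offsets aligned, write the defect down), records the SHA-256 of the image and of the source in an acquisition log, and re-verifies a working copy against that log before analysis. The device class, the log fields and the bad block are all constructed for the example.

```python
"""Forensically sound acquisition of a raw image, with integrity hashes.

Added example for the collection and data acquisition lessons; it is not
course material and not any vendor's tool. The source device is a
constructed in-memory stand-in so the example runs offline. It mirrors what
`dd if=/dev/sdX of=evidence.dd conv=noerror,sync` followed by `sha256sum`
does: copy every block, zero-fill any block that cannot be read so offsets
stay aligned, record the defect, and hash the result so the image can be
re-verified before every analysis session.
"""
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 512


class BlockDevice:
    """Constructed stand-in for a drive; blocks in `bad_blocks` raise I/O errors."""

    def __init__(self, data, bad_blocks=()):
        assert len(data) % BLOCK_SIZE == 0, "sample data is whole blocks"
        self._data = data
        self._bad = set(bad_blocks)
        self.block_count = len(data) // BLOCK_SIZE

    def read_block(self, index):
        if index in self._bad:
            raise OSError(f"Input/output error at block {index}")
        start = index * BLOCK_SIZE
        return self._data[start:start + BLOCK_SIZE]


def source_hash(device):
    """SHA-256 of the original media, or None if any block is unreadable."""
    digest = hashlib.sha256()
    for i in range(device.block_count):
        try:
            digest.update(device.read_block(i))
        except OSError:
            return None
    return digest.hexdigest()


def acquire(device, examiner):
    """Image the device block by block; return (image_bytes, acquisition_log)."""
    log = {
        "examiner": examiner,
        "started_utc": datetime.now(timezone.utc).isoformat(),
        "block_size": BLOCK_SIZE,
        "bad_blocks": [],
    }
    out = io.BytesIO()
    for i in range(device.block_count):
        try:
            chunk = device.read_block(i)
        except OSError as exc:
            # dd conv=noerror,sync behaviour: keep going, substitute zeros,
            # and record it so a second examiner can reproduce the image.
            chunk = b"\x00" * BLOCK_SIZE
            log["bad_blocks"].append({"block": i, "error": str(exc)})
        out.write(chunk)
    image = out.getvalue()
    log["image_sha256"] = hashlib.sha256(image).hexdigest()
    # The source hash matches the image hash only when every block was readable.
    log["source_sha256"] = source_hash(device)
    log["source_matches_image"] = log["source_sha256"] == log["image_sha256"]
    log["finished_utc"] = datetime.now(timezone.utc).isoformat()
    return image, log


def verify(image, log):
    """Re-hash a working copy and compare with the value recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == log["image_sha256"]


if __name__ == "__main__":
    sample = bytes(range(256)) * 16            # constructed 4 KiB "drive"
    img, log = acquire(BlockDevice(sample), "examiner 1")
    print("clean drive, source matches image:", log["source_matches_image"])
    img2, log2 = acquire(BlockDevice(sample, bad_blocks=[3]), "examiner 1")
    print("bad sector, zero-filled blocks:", [b["block"] for b in log2["bad_blocks"]])
    print("re-verify before analysis:", verify(img2, log2))
```

When the source has an unreadable block, the source and image hashes cannot match, and that is exactly why the bad-block list belongs in the log: it explains the mismatch and lets another examiner reproduce the same image from the same drive.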
6. Forensics Tools (OBJ 4.4)
Forensic tools. In this lesson, we are going to talk about forensic tools, which are specialised applications and hardware that we use to do data collection, data analysis, and data acquisition. Now, digital forensic kits are something we’re going to put together with a lot of different tools in them. This is going to be a kit containing the software and hardware (tools) required for us to acquire and analyse evidence from system memory dumps and mass storage file systems.
Now this is important because digital forensics software is specialised software that’s designed to assist in the collection and analysis of this digital evidence. You can’t just copy evidence like you would a file from your hard drive onto a USB drive. You can’t just drag and drop it. There are special ways you have to do this to make sure it’s forensically sound. Now, there are lots of different tools out there, but the ones we’re going to focus on in this lesson are EnCase, the Forensic Toolkit, also known as FTK, and The Sleuth Kit. These are the three big ones we’re going to cover inside the CySA+ curriculum.
Now, just a quick exam note. You don’t need to know how to use these tools for the exam. You should know what they are. And if you see their names, you should know they’re digital forensic tools. First, we have EnCase. EnCase is a digital forensic case management product that was created by Guidance Software (now part of OpenText). It uses built-in pathways, or workflow templates, that will show you the key steps in many types of investigations. Remember how I said it was really important to follow a written process? Well, these pathways and workflows help you do that. They give you all the key steps that you need as you’re going through your process, almost like a checklist. Now, when you look at EnCase, it is a graphical user environment, and it runs on Windows. The great thing about it is that you can use it for both acquisition and analysis. EnCase is a very powerful tool, and it can read bit-by-bit copies of the hard drive, do analysis inside the slack space and the deleted files, and bring those back to life. It can also help you with things like timeline generation and lots more. We’re going to talk about more of these features later on in this section.
Next, we have FTK, the Forensic Toolkit. This is a digital forensic investigation suite from AccessData, and it runs on Windows servers or server clusters, which allows for faster searching and analysis because of the way it indexes data whenever you import evidence. Now, most of the features you’re going to find in EnCase, you’re going to find in FTK as well. They are really the two big competitors in the digital forensic software market, and they are both commercial solutions that cost a lot of money. When you look at FTK, you see a lot of the same things that you see in EnCase. It has the same kind of style inside the windows. You can see the binary data written in hexadecimal with the ASCII alongside it. Off to the side, you can see the file list it has built as it’s gone through this hard drive. And you can see that it has basically the same type of stuff that you found in EnCase.
Next, I want to talk about The Sleuth Kit. Now, this is a good one for you to start learning digital forensics with. The reason for this is that it’s an open-source digital forensics collection of a lot of different command-line tools and programming libraries for disk imaging and file analysis, and it interfaces with a program called Autopsy, which is the graphical user interface for the kit. Now, the great thing about The Sleuth Kit is that it is a completely free and open-source solution. So you can search for it, download The Sleuth Kit, install it on your machine, and start playing with it right now. Now, with Autopsy on top of it, The Sleuth Kit looks a lot like the other ones when you’re using it on Windows: again, a graphical environment. It’s basically made to be a free, open-source counterpart to FTK or EnCase. So you may be wondering, Jason, which one should I learn to use?
Well, it really comes down to which one your organization uses. Now, I like to start out with The Sleuth Kit because, again, it’s free and open source. However, if you have access to EnCase or FTK, you should try learning those as well, and both of those do have free trial versions that you can download and use. Now, as an analyst, which one are you going to become proficient in and use? Well, most likely you’re going to be using EnCase or FTK. Why? Because if you’re doing forensic analysis, you’re probably working for a corporation or for law enforcement, and most law enforcement agencies use either FTK or EnCase. Which one you use is going to be based on the place that hires you. If they’re already using EnCase, that’s what you’re going to use. If they use FTK, that’s what you’re going to use. That’s the idea here. As a student, I would go ahead and download The Sleuth Kit and start learning how that works. And I’ll actually show you how I use The Sleuth Kit a little bit later on in this section when I do a demonstration for you. Now, in addition to having the software, you also need hardware. And when you start dealing with a forensic workstation, these things have to be powerful.
When you talk about a digital forensic workstation, you can see a couple of them here on the screen. These are standalone forensic machines with lots of power behind them. You’re going to have multiple processors and multiple cores in the system, and 32, 64, or 128 GB of main memory. You’re going to need very large internal storage to hold the data as you’re working on it, and you need access to storage located offsite as well.
You’re going to need fast SSDs to be able to run all of this. And you’re going to have a wide variety of drive host bus adapters: EIDE, SATA, SCSI, SAS, USB, FireWire, Thunderbolt, and pretty much any other connection mechanism you may need, because you might need to connect an external drive of some kind to your system to import that evidence. So you want to make sure you have access to all of that. In addition, you’re going to have optical drives (CD, DVD, Blu-ray) and even memory card readers, all in one machine. Now, on top of all this, your forensic workstation also needs access to a high-capacity disk array subsystem, like a RAID or a storage area network (SAN). The reason for this is simple: the evidence files are huge.
If you took an evidence collection from my personal computer right now, you would have two terabytes worth of data, and that’s just one of my machines. I have four or five machines sitting around my office right now. If you came in here and collected data from each one of those, you’d have 5, 10, or 15 terabytes of data to store, and if you came in to image my server, that’s 40 terabytes of data. So you need to have somewhere to put these huge evidence files as you’re collecting them. Another thing I mentioned before is that we always want to do our analysis on copies of the acquired images. You never work on the original drives themselves. So the way this works is that you’ll have the original evidence, which could be a hard drive or an SSD. You’re going to make a bit-by-bit copy of that and acquire it using your digital forensic tools.
Now that you have that acquired image, we’re not going to do the analysis on that image either. We’re going to make a copy of that image, and that copy is what we do our analysis on. This way, we can always go back to the source image, make another copy, and do more analysis without affecting the original. One last big warning here in this lesson: as an analyst, you should always make sure your forensic workstation is prohibited from accessing the Internet. You don’t want it connected to the Internet. Why? Because if you can connect to the Internet, that means the Internet can connect to you. And if the Internet connects to you, there’s a possibility your forensic workstation could be compromised with malware. It could get a remote access Trojan, and then a bad guy could get in and start manipulating your evidence, making it say what they want it to say. So you always want to make sure that your forensic workstation is cut off from the Internet. Tool updates and signature databases then come in on removable media that you’ve checked on a separate machine. This way, your evidence stays pure, as does your workstation.
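Here is the acquire, hash, copy, and verify workflow from the last two paragraphs as a small shell script. This is an added example, not code from the course; it stands in for what EnCase, FTK, or The Sleuth Kit do for you, using only dd and a SHA-256 tool. The 1 MiB “suspect drive” is a constructed file of random bytes (a real acquisition reads a block device behind a hardware write blocker, and the chmod on the master image only mimics that protection), and the file names, function names, and temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the course): acquire a bit-for-bit image, record
# its hash, work only on a copy, and re-verify the master image at any time.
set -eu

WORK=$(mktemp -d)   # assumed scratch directory for the example

# Portable SHA-256 of a file: prints only the hex digest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed input: a 1 MiB file of random bytes stands in for the
# suspect's physical disk. Its size is a multiple of the dd block size
# below, so conv=sync adds no padding and the image hash equals the source hash.
make_evidence_drive() {
    head -c 1048576 /dev/urandom > "$1"
}

# Step 1: bit-for-bit acquisition. conv=noerror,sync keeps reading past bad
# sectors and zero-fills them, so offsets in the image stay aligned with the
# source. The source is hashed before and after the read to show the read
# did not alter it, and the image hash is recorded next to the image.
# Prints "OK" when all three hashes agree, otherwise "MISMATCH".
acquire_image() {
    src=$1; img=$2
    before=$(sha256_of "$src")
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    chmod 0444 "$img"                     # the master image is never modified
    after=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    if [ "$before" = "$after" ] && [ "$before" = "$img_hash" ]; then
        echo OK
    else
        echo MISMATCH
    fi
}

# Step 2: make a working copy from the master image and check it against
# the recorded hash. Analysis happens on this copy; if it is ever damaged,
# throw it away and copy the master again.
make_working_copy() {
    img=$1; copy=$2
    cp "$img" "$copy"
    chmod 0644 "$copy"
    recorded=$(cut -d' ' -f1 "$img.sha256")
    if [ "$(sha256_of "$copy")" = "$recorded" ]; then echo OK; else echo MISMATCH; fi
}

# Step 3: re-verify the master image against its recorded hash, which is
# what you do before every new working copy and before presenting evidence.
verify_image() {
    img=$1
    recorded=$(cut -d' ' -f1 "$img.sha256")
    if [ "$(sha256_of "$img")" = "$recorded" ]; then echo OK; else echo MISMATCH; fi
}

make_evidence_drive "$WORK/suspect.raw"
acquire_image "$WORK/suspect.raw" "$WORK/master.dd"
make_working_copy "$WORK/master.dd" "$WORK/working.dd"

# Simulate an analyst's tool writing one byte into the working copy. The
# working copy no longer matches the recorded hash, but the master still
# verifies, so a fresh working copy can be made from it.
printf 'x' | dd of="$WORK/working.dd" bs=1 conv=notrunc 2>/dev/null
verify_image "$WORK/master.dd"
```

Run it as an ordinary user; it writes only inside the temporary directory. The recorded `.sha256` file is the value that later goes into the chain of custody paperwork, and a changed master image shows up as `MISMATCH` from `verify_image` rather than as a silent difference in the analysis results.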