
What kind of setup for an interest in forensics?

atippett Member Posts: 154
I've taken a Computer Forensics course in college and really liked it. We used tools like EnCase and Paladin. What kind of setup would I need to do some of this type of stuff at home?

Comments

    the_Grinch Member Posts: 4,165
    I know our computer forensics guys have the following:

    5 removable bays for hard drives (with write blockers)
    1 external bay on top (for direct drive insertion)
    RAID setup for imaging/storage
    NAS for long term storage

    Dunno what amount of RAM or processor type(s), but they have some beefy machines. My suggestion would be to not invest too much, because there's really only so much you could do in an unsecured environment. If you're just practicing, you could get a USB write blocker and a standard tower setup (or even a laptop) to do forensics with.
    ramrunner800 Member Posts: 238
    Getting started in forensics doesn't really take too much, but the requirements can expand significantly depending on what you want to do and what level you want to take it to. To get started you just need a machine you can run some VMs on. You'd probably initially start with something like the SANS SIFT workstation, and a Windows VM with some of the free tools that run on there, like Redline, FTK Imager, etc. Hardware doesn't have to be too crazy if you just want to get started and noodle around a bit. Professionally built forensics workstations can get into pretty expensive territory, but they're designed for use in very busy labs with high ops tempos.

    With forensics tools, disk I/O is often the limiting factor in how quickly your tools can process something. I parsed an 8 GB memory image with a paid tool on a 7200 rpm HDD, and it took 14.5 hours. I then parsed the same thing on a Samsung 950 SSD, and it took 45 minutes. You also want to have plenty of RAM, especially for memory forensics; a good rule of thumb is 2x the size of the images you parse. My day-to-day rig has 64 GB of RAM, and I have access to a machine with 3 TB, in order to be prepared for any imaginable scenario.

    If you want to get into imaging drives, you can start with a simple USB-to-SATA adapter or hard drive dock. This is not forensically sound, but it is enough to capture an image you are just going to play and experiment with. Moving up to write blockers is definitely a good thing to do for getting more imaging practice, but I have to say that even doing forensics every day, I pretty much never take a full forensic image (I do malware forensics, though, not legal-support forensics). Write blockers are a little bit pricey, so I'd wait to buy one of those until you really need one for performing the tasks you want to lab. Many companies these days have network acquisitions set up, so you may even want to look at something like F-Response rather than write blockers. When you do go for a write blocker, WiebeTech's Forensic UltraDock is pretty inexpensive and does the job.
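The imaging step ramrunner800 describes (a plain USB-to-SATA adapter, a raw image you only intend to experiment with), as an added example that is not part of this thread or of any of the tools named above: a POSIX shell script that copies a source to an image with dd, hashes both ends, records the hashes and dd's own record counts in a sidecar log, and can re-verify the image later. The function names, the log format and the sample input in the test are my own assumptions. It does nothing to stop writes to the source; a hardware write blocker, or at minimum a read-only block device, still has to sit between you and the evidence for the image to mean anything beyond practice.

```shell
#!/bin/sh
# Added example (not from the thread): raw acquisition with dd plus
# hash verification. Assumed names: acquire_image, verify_image, hash_file.
# Usage:  acquire_image /dev/sdb /cases/001/sdb.dd
#         verify_image  /cases/001/sdb.dd

# Print the SHA-256 of a file; prefers coreutils sha256sum, falls back
# to perl's shasum (macOS/BSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE DEST
# Copies SOURCE to DEST, writes DEST.log with source/image hashes and dd's
# own summary (records in/out, read errors), returns 0 only if the hashes
# match. Block size is 512 so conv=sync never pads beyond the source's
# real end (device sizes are sector multiples); a larger bs is faster on a
# real drive but pads the last partial block, and the hashes will differ.
acquire_image() {
    src="$1"
    dst="$2"
    log="$dst.log"
    [ -r "$src" ] || { echo "acquire_image: cannot read $src" >&2; return 1; }
    : > "$log"
    printf 'source=%s\nimage=%s\nstarted=%s\n' \
        "$src" "$dst" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
    # noerror: keep going past unreadable sectors; sync: zero-fill them so
    # every later offset in the image still lines up with the source.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>> "$log" || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$dst")
    printf 'source_sha256=%s\nimage_sha256=%s\nfinished=%s\n' \
        "$src_hash" "$img_hash" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE
# Re-hashes IMAGE and compares it with the image_sha256 recorded at
# acquisition time. Returns 1 if the log is missing or the hash differs.
verify_image() {
    img="$1"
    expected=$(sed -n 's/^image_sha256=//p' "$img.log" 2>/dev/null)
    [ -n "$expected" ] || return 1
    [ "$(hash_file "$img")" = "$expected" ]
}
```

Keep the `.log` with the image: it is the only record that the bytes you later analyse are the bytes you copied, and the dd summary in it tells you whether any sectors were zero-filled. If a real case ever depends on it, use a purpose-built imager (dc3dd, ewfacquire) behind a write blocker instead of plain dd.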