In this post, we started the technical details of DFIR. The most important part of DFIR is the correct, repeatable, sound investigations. Investigators must follow a repeatable and well-documented set of steps in every analysis iteration to give the same findings. So, let’s start.

We will dive into the investigation process in three steps:

• Pre-investigation Phase
• Investigation Phase
• Post-investigation Phase

Each step in the investigation process has a vast amount of information. In this post, we will start with the pre-investigation.

Pre-investigation Phase

This phase involves gathering the plaintiff’s information, the type of incident, and obtaining permission and warrant for further actions. Initially, we must discuss setting up a computer forensics lab, creating the investigation team, and assessing risk.

Setting up a Computer Forensics Lab

A Computer Forensics Lab (CFL) is a location designated for conducting computer-based investigation with regard to the collected evidence

The lab contains instruments, software, hardware, tools, suspected media, and forensic workstations. Let’s look at setting up a lab, according to the EC-Council. If you need more information, I highly recommend you take DFIR training from EC-Council.

STEPS, SETTING UP A COMPUTER FORENSICS LAB:

1. Planning and budgeting:
   • Break down the costs into daily and annual expenditure
   • Refer to the past expenses
   • Consider updated technology
   • Use statistics to obtain an idea about the computer crimes that are more likely to occur
     • crime statistics
     • case expected
     • number of investigators
     • required training
     • space occupied
     • equipment required
     • software and hardware
     • reference material
     • safe locker
     • LAN and Internet
     • Storage shelves are some of the considerations for budgeting.
2. Physical location and structural design considerations:
   • Make sure the lab room is secured  
   • Heavy construction materials need to be used  
   • Make sure lab exteriors have no windows
   • Ensure that computer systems are facing away from windows 
   • Consider the room size and ventilation  
   • Consider the room’s temperature and the number of workstations the room can occupy
   • Physical Location Needs: Site of the lab, Access to emergency services, Design of parking facility, Physical milieu of the lab 
   • Communication Needs: Dedicated Internet and communication lines, Multiple backups for communication lines in case of emergencies, A dedicated network
   • Environmental Needs: Appropriate room size, Good ventilation and air-conditioning
   • Electrical Needs: Good electricity supply, Must have emergency power and lighting systems
3. Work area considerations: In a forensics lab, investigators can work in harmony but, when required in isolation. Therefore, a cubical space is appropriate for investigators.
4. Human resource considerations: All the examiners, technicians, and admins need certification and experience in their respective fields.
5. Physical security recommendations: Because we store electronic equipment and evidence, the roos must be small, the door must have a strong locking system, and a visitor logging system must be in place.
6. General Considerations:
   • Forensics labs should have only one entrance
   • An electronic sign-in log for all visitors should be maintained
   • All windows of the lab should be closed
   • An added layer of protection in the form of an intrusion alarm system should be installed in the lab
   • A log register containing visitor details such as name, date and time of the visit, purpose, and address of the visitor, should be maintained
   • Visitors should be provided with badges to distinguish them from the lab staff easily and assigned personnel to guide them
   • Guards should be deployed around the forensics lab premises
   • Closed-circuit cameras should be placed in and around the lab to monitor human movements
   • Abide by TEMPEST requirements.
7. Don’t forget to get forensics lab licensing from the concerned authorities.

FORENSICS HARDWARE

This part gives examples of the well-known forensic hardware for investigations. These tools can be installed in the forensics lab. The following list and links are up-to-date as of 2023.

• DeepSpar Disk Imager: Hardware tool for data recovery from damaged drives. Link
• Digital Intelligence Forensic Hardware: FRED: High-performance data acquisition and analysis workstation. Link
• Drive eRazer Ultra: Hardware device for secure data erasure from hard drives and SSDs. Link
• Data Recovery Stick: Portable device for quick data recovery and extraction from various storage media.
• FREDC [Private Cloud]: Specialized private cloud solution for secure storage and management of digital evidence.
• IMAGE MASSTER WIPEPRO [HDD Sanitizing Station]: Hardware station for secure data wiping from multiple hard drives. Link
• Paraben’s Chat Stick: Device specialized in extracting and analyzing chat and messaging data. Link
• Paraben’s First Responder Bundle: Comprehensive package of digital forensics tools for first responders. Link
• Paraben’s StrongHold Faraday Bag: Shielding bag to block electromagnetic signals, preventing tampering of devices. Link
• PC-3000 Data Extractor: Tool for recovering data from damaged storage devices. Link
• PC-3000 Flash: Toolset for working with flash memory-based storage devices. Link
• RAPID IMAGE 7020 X2 IT [HDD Duplicator]: High-speed device for duplicating hard drives and creating forensic images. Link
• ROADMASSTER-3 X2: Device for acquiring and imaging data from multiple storage devices.
• Shadow: Specific purpose tool; further context is needed for description.
• Tableau T8-R2 Forensic USB Bridge: USB bridge for forensic examination of USB devices. Link
• Tableau TP3 Power Supply: Specialized power supply unit for digital forensic devices. Link
• UltraBay 3d [Acquisition]: Modular device for fast and secure data acquisition.
• VOOM Hardcopy 3P [Image, Clone, Wipe]: Device offering imaging, cloning, and wiping functionalities.
• WriteProtect-DESKTOP: Hardware solution preventing data alteration during forensic investigations.
• ZX-Tower [Sanitization]: Device for secure data erasure and sanitization of storage devices.

FORENSICS SOFTWARE

This part contains a list of popular freeware or enterprise software that can decrease the complexity and time in your investigations. The following list and links are up-to-date as of 2023.

• AccessData FTK Imager: A free tool for creating forensic images of digital evidence and examining those images. Link
• Autopsy: Graphical interface for The Sleuth Kit. Link
• Bulk Extractor: Tool to scan and extract data from disk images. Link
• Capsa Network Analyzer: Network monitoring and packet analysis tool. Link
• Cain & Abel: Multipurpose security tool for password recovery, packet analysis, and more. Link
• Cellebrite UFED: A mobile forensic tool for data extraction. Link
• EnCase: Leading digital forensics software for evidence collection. Link
• File Viewer: Software for opening and viewing various file formats. Link
• FTK (Forensic Toolkit): Comprehensive platform for digital evidence analysis. Link
• Ghidra: Open-source software reverse engineering framework. Link
• Hex Editor Neo: Binary data editor for file structure analysis. Link
• IrfanView: Image viewer and converter. Link
• L0phtCrack: Password auditing and recovery tool. Link
• mailXaminer: Email forensics tool for analyzing email artifacts. Link
• Magnet AXIOM: Digital forensics platform for analyzing digital evidence. Link
• Memtriage: A memory triage tool for assessing system memory during incident response. Link
• MiniTool Power Data Recovery Enterprise: Data recovery software. Link
• NetworkMiner: Network forensics tool for pcap analysis. Link
• Nuix Corporate Investigation Suite: Data analysis suite for large-scale investigations. Link
• Ophcrack: Rainbow table-based password cracking. Link
• OSForensics: Tool for file system analysis and evidence recovery. Link
• Oxygen Forensic® Kit: Mobile data extraction and analysis tool. Link
• PALADIN Forensic Suite: Linux-based live forensic system with various tools. Link
• Paraben’s DP2C: Mobile data extraction and analysis from devices. Link
• Paraben’s P2C (P2 Commander): Mobile forensics tool for data extraction. Link
• Recuva: Data recovery software for restoring deleted files. Link
• RegRipper: Windows registry analysis tool. Link
• R-Drive Image: Disk imaging utility for data recovery. Link
• Responder: Tool for network protocol analysis during incident response. Link
• SnowBatch: Batch image conversion tool. Link
• The Sleuth Kit: Open-source toolkit for digital forensics analysis. Link
• Volatility: Memory forensics framework for analyzing memory dumps. Link
• Wireshark: Network protocol analyzer for capturing and analyzing network traffic. Link
• Xplico: Extracts application data from network traffic. Link
• Zamzar: Online file conversion service. Link

We continue our journey about DFIR with the second part of this discussion. We review “building the team, laws and regulations, quality assurance, etc.” I hope you like the content.

Emre Caglar Hosgor