Importance of Computer Forensics Process
In this post, we started the technical details of DFIR. The most important part of DFIR is the correct, repeatable, sound investigations. Investigators must follow a repeatable and well-documented set of steps in every analysis iteration to give the same findings. So, let’s start.
Phases Involved in the Computer Forensics Investigation Process
We will dive into the investigation process in three steps:
- Pre-investigation Phase
- Investigation Phase
- Post-investigation Phase
Each step in the investigation process has a vast amount of information. In this post, we will start with the pre-investigation.
This phase involves gathering the plaintiff’s information, the type of incident, and obtaining permission and warrant for further actions. Initially, we must discuss setting up a computer forensics lab, creating the investigation team, and assessing risk.
Setting up a Computer Forensics Lab
A Computer Forensics Lab (CFL) is a location designated for conducting computer-based investigation with regard to the collected evidence
The lab contains instruments, software, hardware, tools, suspected media, and forensic workstations. Let’s look at setting up a lab, according to the EC-Council. If you need more information, I highly recommend you take DFIR training from EC-Council.
STEPS, SETTING UP A COMPUTER FORENSICS LAB:
- Planning and budgeting:
- Break down the costs into daily and annual expenditure
- Refer to the past expenses
- Consider updated technology
- Use statistics to obtain an idea about the computer crimes that are more likely to occur
- crime statistics
- case expected
- number of investigators
- required training
- space occupied
- equipment required
- software and hardware
- reference material
- safe locker
- LAN and Internet
- Storage shelves are some of the considerations for budgeting.
- Physical location and structural design considerations:
- Make sure the lab room is secured
- Heavy construction materials need to be used
- Make sure lab exteriors have no windows
- Ensure that computer systems are facing away from windows
- Consider the room size and ventilation
- Consider the room’s temperature and the number of workstations the room can occupy
- Physical Location Needs: Site of the lab, Access to emergency services, Design of parking facility, Physical milieu of the lab
- Communication Needs: Dedicated Internet and communication lines, Multiple backups for communication lines in case of emergencies, A dedicated network
- Environmental Needs: Appropriate room size, Good ventilation and air-conditioning
- Electrical Needs: Good electricity supply, Must have emergency power and lighting systems
- Work area considerations: In a forensics lab, investigators can work in harmony but, when required in isolation. Therefore, a cubical space is appropriate for investigators.
- Human resource considerations: All the examiners, technicians, and admins need certification and experience in their respective fields.
- Physical security recommendations: Because we store electronic equipment and evidence, the roos must be small, the door must have a strong locking system, and a visitor logging system must be in place.
- General Considerations:
- Forensics labs should have only one entrance
- An electronic sign-in log for all visitors should be maintained
- All windows of the lab should be closed
- An added layer of protection in the form of an intrusion alarm system should be installed in the lab
- A log register containing visitor details such as name, date and time of the visit, purpose, and address of the visitor, should be maintained
- Visitors should be provided with badges to distinguish them from the lab staff easily and assigned personnel to guide them
- Guards should be deployed around the forensics lab premises
- Closed-circuit cameras should be placed in and around the lab to monitor human movements
- Abide by TEMPEST requirements.
- Don’t forget to get forensics lab licensing from the concerned authorities.
This part gives examples of the well-known forensic hardware for investigations. These tools can be installed in the forensics lab. The following list and links are up-to-date as of 2023.
- DeepSpar Disk Imager: Hardware tool for data recovery from damaged drives. Link
- Digital Intelligence Forensic Hardware: FRED: High-performance data acquisition and analysis workstation. Link
- Drive eRazer Ultra: Hardware device for secure data erasure from hard drives and SSDs. Link
- Data Recovery Stick: Portable device for quick data recovery and extraction from various storage media.
- FREDC [Private Cloud]: Specialized private cloud solution for secure storage and management of digital evidence.
- IMAGE MASSTER WIPEPRO [HDD Sanitizing Station]: Hardware station for secure data wiping from multiple hard drives. Link
- Paraben’s Chat Stick: Device specialized in extracting and analyzing chat and messaging data. Link
- Paraben’s First Responder Bundle: Comprehensive package of digital forensics tools for first responders. Link
- Paraben’s StrongHold Faraday Bag: Shielding bag to block electromagnetic signals, preventing tampering of devices. Link
- PC-3000 Data Extractor: Tool for recovering data from damaged storage devices. Link
- PC-3000 Flash: Toolset for working with flash memory-based storage devices. Link
- RAPID IMAGE 7020 X2 IT [HDD Duplicator]: High-speed device for duplicating hard drives and creating forensic images. Link
- ROADMASSTER-3 X2: Device for acquiring and imaging data from multiple storage devices.
- Shadow: Specific purpose tool; further context is needed for description.
- Tableau T8-R2 Forensic USB Bridge: USB bridge for forensic examination of USB devices. Link
- Tableau TP3 Power Supply: Specialized power supply unit for digital forensic devices. Link
- UltraBay 3d [Acquisition]: Modular device for fast and secure data acquisition.
- VOOM Hardcopy 3P [Image, Clone, Wipe]: Device offering imaging, cloning, and wiping functionalities.
- WriteProtect-DESKTOP: Hardware solution preventing data alteration during forensic investigations.
- ZX-Tower [Sanitization]: Device for secure data erasure and sanitization of storage devices.
This part contains a list of popular freeware or enterprise software that can decrease the complexity and time in your investigations. The following list and links are up-to-date as of 2023.
- AccessData FTK Imager: A free tool for creating forensic images of digital evidence and examining those images. Link
- Autopsy: Graphical interface for The Sleuth Kit. Link
- Bulk Extractor: Tool to scan and extract data from disk images. Link
- Capsa Network Analyzer: Network monitoring and packet analysis tool. Link
- Cain & Abel: Multipurpose security tool for password recovery, packet analysis, and more. Link
- Cellebrite UFED: A mobile forensic tool for data extraction. Link
- EnCase: Leading digital forensics software for evidence collection. Link
- File Viewer: Software for opening and viewing various file formats. Link
- FTK (Forensic Toolkit): Comprehensive platform for digital evidence analysis. Link
- Ghidra: Open-source software reverse engineering framework. Link
- Hex Editor Neo: Binary data editor for file structure analysis. Link
- IrfanView: Image viewer and converter. Link
- L0phtCrack: Password auditing and recovery tool. Link
- mailXaminer: Email forensics tool for analyzing email artifacts. Link
- Magnet AXIOM: Digital forensics platform for analyzing digital evidence. Link
- Memtriage: A memory triage tool for assessing system memory during incident response. Link
- MiniTool Power Data Recovery Enterprise: Data recovery software. Link
- NetworkMiner: Network forensics tool for pcap analysis. Link
- Nuix Corporate Investigation Suite: Data analysis suite for large-scale investigations. Link
- Ophcrack: Rainbow table-based password cracking. Link
- OSForensics: Tool for file system analysis and evidence recovery. Link
- Oxygen Forensic® Kit: Mobile data extraction and analysis tool. Link
- PALADIN Forensic Suite: Linux-based live forensic system with various tools. Link
- Paraben’s DP2C: Mobile data extraction and analysis from devices. Link
- Paraben’s P2C (P2 Commander): Mobile forensics tool for data extraction. Link
- Recuva: Data recovery software for restoring deleted files. Link
- RegRipper: Windows registry analysis tool. Link
- R-Drive Image: Disk imaging utility for data recovery. Link
- Responder: Tool for network protocol analysis during incident response. Link
- SnowBatch: Batch image conversion tool. Link
- The Sleuth Kit: Open-source toolkit for digital forensics analysis. Link
- Volatility: Memory forensics framework for analyzing memory dumps. Link
- Wireshark: Network protocol analyzer for capturing and analyzing network traffic. Link
- Xplico: Extracts application data from network traffic. Link
- Zamzar: Online file conversion service. Link
We continue our journey about DFIR with the second part of this discussion. We review “building the team, laws and regulations, quality assurance, etc.” I hope you like the content.
Emre Caglar Hosgor