A question I am often asked about Digital Forensic and Investigation Capabilities is ‘what tools are required?’, a question which is both easy and difficult to answer. Easy, because the answer is ‘everything you need to accomplish the task’. Hard, because it depends on two factors:
- The level of knowledge and skill which are in place
- The type and objective of engagements
It is important to keep in mind, with every investigation and the subsequent call on Digital Forensic Capabilities, that the most important element is a robust, defined process which underpins every aspect of an engagement: management of the crime scene, a robust Chain-of-Custody process, and all the procedural underpinning of tagging, bagging, case management, and contemporaneous recording of events. This is why the level of knowledge and skill is so important to establish. Within reason, anyone can use a Digital Forensic tool to acquire, say, a disk image or a RAM dump, but only an accomplished professional applying robust processes and procedures can present such an artifact in a form which will sustain its integrity under cross-examination. So, the first tool to place in the Digital Investigation/Forensic kit bag is a set of robust, defined processes.
At this juncture I would also add to the kit bag a set of formalised standards to assist investigators during their engagements, say ISO/IEC 27035 in relation to Incident Management, and ISO/IEC 17025 in respect of calibration and setting up a Forensic Laboratory.
The next question to satisfy is: what are the desired objectives of the organisation or individual? If the aim is to satisfy an internal requirement to provision a First Responder (FR) Triage activity, with the intent of passing any deeper findings on to a contracted external agency, then the tools in the kit bag could be limited to, say:
1. The underpin of processes and standards
2. Tools to record the scene-of-crime, including a digital camera, simple case management recording capabilities
3. Bag-and-Tag processes to document and record any First Response acquisitions
4. Secure Storage capabilities
The importance of point 4 (above) is to maintain all case-related materials under secure conditions, with need-to-know and need-to-access processes in place.
With points 1 to 4 in place, complemented by a quality toolset (screwdrivers etc.), bags, tags and so on, the FR can preserve the integrity of the case at the outset and is then able to hand over as required to the second level of investigation and analysis. That second level may be furnished by another internal department equipped to support the second-level processes, by a contracted outside agency, or in some cases even by the Police, who will supply the necessary specialist services to achieve the objective. So, the next important element to add into the mix is: ‘know the set limitations’.
OK, so we are now agreeing to enter into the deeper Investigation/Forensic engagement, which requires a greater level of technological capability. So, before we start to buy in applications, let us agree on one thing: the applications we will be using require some level of power to enable them to multitask. For my own personal use I chose a Windows laptop with an i7 processor, a minimum of 8GB of onboard memory, a drive of at least 500GB, and an onboard TPM (Trusted Platform Module). Of course, you can go for a lower-spec machine, but you will pay with wait-time whilst processing your case. I also find that having a current licence for VMware can be a valuable addition to support engagements.
The next level of technological support I have is a high-capacity drive certified to FIPS 140-2 Level 3, NCSC CPA (Foundation Level) and Common Criteria, on which I keep my case materials secure, each case locked away in its own folder. This not only helps with case management, but also supports the proof that any acquired artifact, and other case-sensitive material, has been locked away from the potential of compromise and corruption. My choice here comes in two forms, both supplied by iStorage: the diskAshur 2, which is available from 500GB to 5TB, and the more deskbound diskAshur DT, offering 1 to 10TB of onboard storage.
As the technology demand grows, there are many must-have components and applications to add to the FR list. The first is a complete tool which accommodates the acquisition and analysis of acquired artifacts and materials of evidential value, or materials discovered on computer systems and their commonly associated mobile devices. Here my personal choice, both for use and in support of specialist Digital Forensics Training, is the highly capable and, above all, cost-effective Belkasoft Evidence Center (BEC). It supports extracting and carving deleted files, memory dumps, cloud deployments, iOS, BlackBerry, Android, UFED (Universal Forensic Extraction Device), JTAG and chip-off dumps, through to providing a mapping between entities (people) and objects (accounts) of investigative interest. This, along with a very nice reporting feature, makes it an ideal partner to have alongside when engaging with a case, or with students in the lecture environment.
When it comes to acquiring the potential smoking gun which may exist within the dynamic RAM of a live system, Belkasoft also provides a free tool to acquire the ‘active’ and logical footprint. See Images 1 and 2 below (note the output path is G:\FR, writing the acquisitions directly to an attached iStorage Secure Drive for safe keeping).
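The process side of acquisition, the contemporaneous record and Chain-of-Custody discussed above, and the need to show that an artifact such as the RAM dump written to the secure drive has not been altered since it was taken, can be made concrete with a small script. The following is an added example written for this article; it is not part of Belkasoft, iStorage or any other product mentioned. It records each acquisition in a JSON-lines custody manifest (who, what, from where, when, size, SHA-256), links every record to the previous one with a hash chain so that an edited or deleted record is detectable, and re-verifies both the artifacts and the chain on demand. The temporary directory, the examiner name and the "RAM dump" contents are constructed stand-ins for the real G:\FR case folder and a real acquisition.

```python
import datetime
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images never need to fit in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _entry_digest(fields):
    """Hash the canonical JSON of a record (which includes prev_hash) to link the chain."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def _read_manifest(manifest_path):
    """Load the JSON-lines manifest; an absent manifest is an empty chain."""
    if not os.path.exists(manifest_path):
        return []
    with open(manifest_path, "r", encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def record_acquisition(manifest_path, artifact_path, examiner, source, note):
    """Append a contemporaneous record for a freshly acquired artifact and return it."""
    entries = _read_manifest(manifest_path)
    prev_hash = entries[-1]["entry_hash"] if entries else "0" * 64  # genesis value
    fields = {
        "seq": len(entries) + 1,
        "recorded_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "source": source,
        "note": note,
        "artifact": os.path.basename(artifact_path),
        "size_bytes": os.path.getsize(artifact_path),
        "sha256": sha256_file(artifact_path),
        "prev_hash": prev_hash,
    }
    fields["entry_hash"] = _entry_digest({k: v for k, v in fields.items()})
    with open(manifest_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(fields, sort_keys=True) + "\n")
    return fields


def verify_manifest(manifest_path, evidence_dir):
    """Re-walk the chain and re-hash every artifact; return (artifact, status) per record.

    Status is "OK", "ARTIFACT_MISMATCH" (file content changed or missing) or
    "CHAIN_BROKEN" (a manifest line was edited, removed or reordered).
    """
    results = []
    expected_prev = "0" * 64
    for e in _read_manifest(manifest_path):
        fields = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != expected_prev or _entry_digest(fields) != e["entry_hash"]:
            results.append((e["artifact"], "CHAIN_BROKEN"))
        else:
            path = os.path.join(evidence_dir, e["artifact"])
            ok = os.path.exists(path) and sha256_file(path) == e["sha256"]
            results.append((e["artifact"], "OK" if ok else "ARTIFACT_MISMATCH"))
        expected_prev = e["entry_hash"]
    return results


def demo():
    """Constructed end-to-end run in a temp dir standing in for the G:\\FR case folder."""
    case_dir = tempfile.mkdtemp(prefix="FR_")
    manifest = os.path.join(case_dir, "custody.jsonl")
    ram = os.path.join(case_dir, "host01-ram.mem")
    with open(ram, "wb") as f:
        f.write(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE, NOT A REAL RAM DUMP")
    record_acquisition(manifest, ram, examiner="Examiner A (hypothetical)",
                       source="host01 live RAM", note="acquired on-site")
    clean = verify_manifest(manifest, case_dir)
    with open(ram, "r+b") as f:  # simulate corruption of the stored image
        f.seek(0)
        f.write(b"X")
    corrupted = verify_manifest(manifest, case_dir)
    with open(manifest, encoding="utf-8") as f:  # simulate an after-the-fact edit of the record
        edited = json.loads(f.readline())
    edited["note"] = "acquired off-site"
    with open(manifest, "w", encoding="utf-8") as f:
        f.write(json.dumps(edited, sort_keys=True) + "\n")
    tampered = verify_manifest(manifest, case_dir)
    return clean, corrupted, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "corrupted", "tampered"), demo()):
        print(label, result)
```

The manifest itself belongs on the same secure drive as the artifacts, and the final entry hash should be written into the paper contemporaneous notes at the time of acquisition; a later verification that reproduces that value, together with matching artifact hashes, is what lets the FR hand the case on, or defend it under cross-examination, with a demonstrable rather than asserted chain of custody.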