Module VII – Computer Forensics Lab
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: CSI Stick Grabs Data From Cell Phones
Source: http://news.cnet.com/
Module Objective
This module will familiarize you with:
• Computer Forensic Lab
• Planning for a Forensic Lab
• Budget Allocation for a Forensic Lab
• Physical Location and Structural Design Considerations
• Work Area Considerations
• Human Resource Considerations
• Technical Specification of the Laboratory-based Imaging System
• Auditing a Computer Forensic Lab
• Basic Hardware Requirements
• Paraben Forensics Hardware and Hard Drive Forensics
• Wiebetech, DeepSpar, InfinaDyne, and Logicube Forensic Hardware
• DIBS® Mobile Forensic Workstation
• Basic Software Requirements
• Paraben Hard Drive Forensics
• TEEL Technologies SIM Tools
Module Flow
Figure: Module flow diagram covering the following topics:
• Computer Forensics Lab
• Planning for a Forensics Lab
• Budget Allocation for a Forensics Lab
• Physical Location and Structural Design Considerations
• Work Area Considerations
• Human Resource Considerations
• Technical Specification of the Laboratory-based Imaging System
• Auditing a Computer Forensic Lab
• Basic Hardware Requirements
• Paraben Forensics Hardware and Hard Drive Forensics
• Wiebetech, DeepSpar, InfinaDyne, and Logicube Forensic Hardware
• DIBS® Mobile Forensic Workstation
• Basic Software Requirements
• Paraben Hard Drive Forensics
• TEEL Technologies SIM Tools
Setting Up a Computer Forensics Lab
• Hardware Requirements
• Software Requirements
Computer Forensics Lab
A Computer Forensic Lab (CFL) is a designated location for conducting computer-based investigation of the collected evidence
Setting up a forensic lab includes:
• Planning
• Budgeting
• Physical location and structural design considerations
• Work area considerations
• Physical security recommendations
• Human resource considerations
• Forensic lab licensing
Planning for a Forensics Lab
Elements that should be planned before building the computer forensics lab:
• Types of investigation being conducted
• Workstations, both forensic and non-forensic
• UPS as a preventive measure against power failure
• Necessary software and hardware
• Book racks for the library
• Reference materials
• Safe locker to store evidence
• LAN and Internet connectivity
• Storage shelves for unused equipment
• Number of investigators/examiners to be involved
Budget Allocation for a Forensics Lab
The budget for a forensic lab is allocated by calculating the expected number of cases that will be examined
Crime statistics from the previous year and the expected trend play an important role in budgeting
Space occupied, equipment required, personnel, training, software, and hardware requirements are taken into account when allocating a specific amount for the forensics lab
The nature of the forensic lab is also a determining factor
Physical Location Needs of a Forensic Lab
Physical location requirements of a forensics lab:
• Site of the lab
• Access to the emergency services
• Lighting at the lab
• Physical milieu of the lab
• Design of parking facility
Structural Design Considerations
Structural design considerations for a lab:
• It must be a secure place
• It must be constructed with heavy materials
• It must not have any openings in the walls, ceilings, and floors
• It must not have windows in the lab’s exterior
Environmental Conditions
The environmental conditions required for proper lab functioning are as follows:
• Large dimensions of the room
• High exchange rate of air per minute in the lab
• Good cooling system to overcome the excess heat generated by the workstations
• Allocation of workstations as per the room dimensions
• Arrangement of computers as per the architecture of the lab
• It must be able to handle the RAID server’s heat output
Electrical Needs
The lab must be supplied with adequate amperage
It must have easily accessible electrical outlets
There must be an Uninterruptible Power Supply (UPS) installed on all the computers
Communication Needs
Ensure the following communication factors:
• Broadband for network and voice communications
• Fax communications
• Dial-up Internet access must also be available
• A dedicated network is preferred for the forensic computers
Work Area of a Computer Forensic Lab
An ideal lab consists of two forensic workstations and one ordinary workstation with Internet connectivity
Forensics workstations vary according to the types of cases and processes handled in the lab
The work area should have ample space so that investigators can hold case discussions
Ambience of a Forensic Lab
Investigators spend long hours in a forensic lab, so it is important to keep the lab environment comfortable
The height of ceilings, walls, flooring, and so on contribute to the ambience of a forensics lab
Ergonomics, lighting, room temperature, and communications are important factors when considering the ambience of a computer forensics lab
Ambience of a Forensic Lab: Ergonomics
Taken from the Greek words:
• “Ergon”, which means “work”
• “Nomoi”, which means “natural laws”
Ergonomics is defined as:
• “The study of designing equipment to meet the human requirements of comfort without affecting efficiency”
Physical Security Recommendations
There should be only one entrance to a forensics lab
Do not keep the windows of the forensics lab open
Maintain a log book at the entrance of the lab to record the time and name of each person who visits the lab
Place an intrusion alarm system at the entrance
Place fire-fighting equipment within and outside the lab
Fire-Suppression Systems
For the fire-suppression system, ensure that you:
• Install a dry chemical fire-suppression system
• Check the installation of sprinklers
• Have access to chemical fire extinguishers
Evidence Locker Recommendations
The locker must be located in a restricted area that is only accessible to the lab personnel
Authorize only a few people to access the locker
All the lockers must be monitored properly and must be locked when they are not under supervision
Computer Forensic Investigator
A computer forensic investigator must have general computer skills covering hardware, software, operating systems, applications, etc.
The investigator must perform a proper investigation to protect the digital evidence
The investigator must be certified by the authorized organizations
Law Enforcement Officer
A law enforcement officer must be a lawyer with general computer skills
The officer must have knowledge of all the cyber crime laws
The officer must know how to write an appropriate warrant for searching and seizing the computer
Forensic Lab Licensing Requisite
The American Society of Crime Laboratory Directors (ASCLD) is an international body certifying forensics labs that investigate criminal cases by analyzing evidence
Forensics labs around the globe seeking an ASCLD/LAB certificate have to adhere to:
• ISO/IEC 17025:1999, General Requirements for the Competence of Testing and Calibration Laboratories
• ASCLD/LAB-International Supplemental Requirements for the Accreditation of Forensic Science Testing and Calibration Laboratories
Features of the Laboratory Imaging System
Automatic write protection
Preview capability
Password cracking pod (optional)
Unlimited theoretical capacity
Choice of LTO Ultrium or DAT drives (optional)
Optional second tape drive
Hard drive connectivity
Other media
Convenience
Technical Specification of the Laboratory-based Imaging System
High performance workstation PC
Remote preview and imaging pod
Password cracking pod (optional)
LTO Ultrium tape drives (optional)
DDS-4 DAT tape drives (optional)
LTO Ultrium-1 and 2 recording format
DDS-4 DAT recording format
Image capture rate
Anti-repudiation techniques
Forensics Lab
Figure: Forensics Lab
Auditing a Computer Forensic Lab
The forensics lab should be under surveillance to protect it from intrusions
Inspect the lab on a regular basis to check if the policies and procedures implemented are followed
Verify the log file at the entrance of the lab
Manually check the fire extinguishers to ensure their function
Auditing a Computer Forensic Lab (cont’d)
Steps to audit the computer forensic lab:
• Examine the ceiling, floor, roof, and exterior walls
• Examine the doors and locks
• Check if the locks are working properly
• Check the visitors’ log
• Examine the logs for evidence containers
• Acquire evidence that is not being processed and store it in a secure place
Recommendations to Avoid Eyestrain
Recommendations to avoid eyestrain:
• Keep an optimum distance from the monitor
• Use the zoom option to vary the font size
• Use screen filters to reduce glare
• The lab must have proper ventilation
• Avoid direct light on the monitor
• Get an eye check-up done at regular intervals
• Take breaks at frequent intervals
Computer Forensic Labs, Inc.
Source: http://www.computerforensiclabsinc.com/
Computer Forensic Labs, Inc. (cont’d)
Computer Forensic Labs (CFL) is one of the leading providers of investigative services in computer forensics, forensic data recovery, and electronic evidence discovery
CFL can conduct the following types of computer forensic investigations:
• Child pornography and sexual exploitation
• Use of e-mail, instant messaging, and chat
• Computer hacking and network intrusion
• Copyright infringement
• Software piracy
• Intellectual property disputes
• Identity theft
• Online auction fraud
• Credit card fraud
• Other financial fraud and schemes
Computer Forensic Labs, Inc. (cont’d)
CFL can conduct the following types of computer forensic investigation:
• Telecommunications fraud
• Threats, harassment, and/or stalking
• Extortion and/or blackmail
• Gambling
• Drug abuse and/or distribution
• Divorce
• Adult sexual assault
• Assault and battery
• Domestic violence
• Death investigation
• Employee or employer’s misconduct
• Theft, robbery, and/or burglary
Procedures at Computer Forensic Labs (CFL), Inc.
CFL recommends that you do not attempt to search for the evidence yourself, because this can change important date/time stamps as well as user information, possibly obstructing the investigation
• CFL will create an exact replica of the hard disk drive or other storage device so the evidence can be evaluated and processed from a forensic evidence file, which guarantees the preservation of the best evidence and eliminates any possible guesswork by the computer investigator
• Identify leads and computer evidence contained in files and slack space, which can determine the outcome of the case
• Document the findings and provide expert witness testimony to help clarify technical computer issues in the litigation process
• Deleted data, hidden data, and password-protected data can be retrieved in many instances
• The forensic investigators at Computer Forensic Labs, Inc. can find data on a formatted hard drive, deleted e-mail, intentionally altered data, and in some cases media that has been physically damaged
• The recovered data is then carefully documented, analyzed, and recorded in reports which are presented to the client and/or in litigation
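The "exact replica" step above, together with the imaging system's automatic write protection and anti-repudiation requirements, comes down to acquiring the source into an evidence file while recording hashes that can be re-checked later. The following is an added example, not part of the EC-Council module or of CFL's procedures; it assumes a raw (dd-style) image and hypothetical names such as `acquire`, `verify_image` and the constructed examiner and case IDs.

```python
"""Added example, not part of the EC-Council module or of CFL's own
procedures: a minimal forensic-style acquisition that streams a source
device or file into an evidence image, hashes source and image, verifies
they agree, and writes an acquisition record. All names are hypothetical."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-TB sources


def _digests():
    # MD5 and SHA-256 together: the lab's record usually lists both.
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def hash_file(path):
    """Hash a file in chunks; returns {"md5": ..., "sha256": ...}."""
    hs = _digests()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hs.values():
                h.update(block)
    return {k: h.hexdigest() for k, h in hs.items()}


def acquire(source_path, image_path, examiner, case_id):
    """Copy source_path to image_path, hashing the bytes as they stream
    through, then hash the written image independently. The source is
    opened read-only; in the lab a hardware write-blocker sits between
    the source and the host as well. Returns the acquisition record."""
    src_h = _digests()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in src_h.values():
                h.update(block)
            img.write(block)
            size += len(block)
        img.flush()
        os.fsync(img.fileno())
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "image": image_path,
        "bytes": size,
        "source_hashes": {k: h.hexdigest() for k, h in src_h.items()},
        # Re-read from disk so the record proves what landed in the file,
        # not just what passed through memory.
        "image_hashes": hash_file(image_path),
    }
    record["verified"] = record["source_hashes"] == record["image_hashes"]
    return record


def verify_image(image_path, record):
    """Re-verification before analysis or testimony: the image must still
    hash to the values recorded at acquisition time."""
    return hash_file(image_path) == record["image_hashes"]


def acquire_sample(data):
    """Write constructed bytes to a temporary pseudo-device and acquire it.
    Returns (record, image_path); the JSON record is saved beside the image."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "suspect_disk.bin")  # constructed source
    img = os.path.join(d, "suspect_disk.dd")   # raw image output
    with open(src, "wb") as f:
        f.write(data)
    rec = acquire(src, img, examiner="J. Doe (constructed)",
                  case_id="CASE-0001 (constructed)")
    with open(os.path.join(d, "acquisition.json"), "w") as f:
        json.dump(rec, f, indent=2, sort_keys=True)
    return rec, img


def demo():
    """3 MiB of zeros followed by a 'deleted memo' and slack-like fill, then
    one byte of the image is flipped to show re-verification catching it."""
    data = b"\x00" * (3 * CHUNK) + b"deleted memo: meet at 9" + b"\xff" * 1000
    rec, img = acquire_sample(data)
    ok_before = verify_image(img, rec)
    with open(img, "r+b") as f:
        f.seek(CHUNK)
        f.write(b"\x01")  # simulate a damaged or tampered image
    ok_after = verify_image(img, rec)
    return rec["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```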
Data Destruction Industry Standards
American: DoD 5220.22-M
American: NAVSO P-5239-26 (RLL)
American: NAVSO P-5239-26 (MFM)
German: VSITR
Russian: Russian Standard, GOST P50739-95
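As an added example (not from the EC-Council module), the following implements the widely cited three-pass reading of DoD 5220.22-M listed above: a fixed byte, its complement, random data, then read-back verification of the final pass. That pass pattern is an assumption here, since the standard's text is not on this page; function names such as `sanitize_file` are hypothetical.

```python
"""Added example, not from the EC-Council module: file-level overwrite
following the widely cited three-pass reading of DoD 5220.22-M (fixed byte,
its complement, random data, then read-back verification). That pass
pattern is an assumption here; the standard's text is not on the page."""
import os
import random
import secrets
import tempfile

CHUNK = 1 << 16
DOD_3PASS = (0x00, 0xFF, "random")  # assumed: character, complement, random


def _buffers(spec, length, seed):
    """Yield one pass's byte stream: a fixed byte, or a seeded pseudo-random
    stream so the verify step can regenerate exactly what was written."""
    rng = random.Random(seed) if spec == "random" else None
    remaining = length
    while remaining > 0:
        n = min(CHUNK, remaining)
        yield rng.getrandbits(8 * n).to_bytes(n, "little") if rng else bytes([spec]) * n
        remaining -= n


def _write_pass(path, length, spec, seed):
    with open(path, "r+b") as f:
        for buf in _buffers(spec, length, seed):
            f.write(buf)
        f.flush()
        os.fsync(f.fileno())  # force the pass to the device before the next one


def _verify_pass(path, length, spec, seed):
    """Read back and compare against the regenerated pass stream."""
    with open(path, "rb") as f:
        for buf in _buffers(spec, length, seed):
            if f.read(len(buf)) != buf:
                return False
    return True


def sanitize_file(path, passes=DOD_3PASS):
    """Overwrite the whole file with each pass in turn, verify the last
    pass by read-back, then truncate and unlink. Returns a list of
    (pass_no, pattern, verified) tuples for the lab's destruction record."""
    length = os.path.getsize(path)
    log = []
    for i, spec in enumerate(passes, 1):
        seed = secrets.randbits(64)
        _write_pass(path, length, spec, seed)
        verified = _verify_pass(path, length, spec, seed) if i == len(passes) else None
        log.append((i, "random" if spec == "random" else f"0x{spec:02X}", verified))
    if not log[-1][2]:
        raise RuntimeError("final pass did not verify; do not release this media")
    with open(path, "r+b") as f:
        f.truncate(0)
    os.remove(path)
    return log


def demo(size=200_000):
    """Constructed input: a working copy of case data that is being retired."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "case_working_copy.bin")
    with open(p, "wb") as f:
        f.write(b"CONFIDENTIAL " * (size // 13))
    log = sanitize_file(p)
    return log, os.path.exists(p)


if __name__ == "__main__":
    print(demo())
```

On SSDs, flash media and journaling file systems an overwrite of a file does not guarantee that the underlying physical blocks are gone, which is why labs sanitize whole devices or degauss/shred retired media.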
Case Study: San Diego Regional Computer Forensics Laboratory (RCFL)
Source: http://rcfl.org/
Setting Up a Computer Forensic Lab
• Hardware Requirements
• Software Requirements
Equipment Required in a Forensics Lab
The equipment required for a forensics lab depends on the nature of the forensic investigations carried out in the lab
Listed below is the common equipment necessary in a computer forensics lab:
• Computer forensic towers
• Printers
• Cables
• Additional hard drives
• Storage networks
Forensic Workstations
Mobile Forensic Workstation:
• Includes S/W for imaging, processing, and investigation
Mobile Imaging Workstation:
• Ideal for data capture only
Lab-based Forensic Workstation:
• Includes the complete range of forensic software
Lab-based Imaging Workstation:
• For in-house data capture
Basic Workstation Requirements in a Forensic Lab
A basic forensics workstation should have the following:
• Intel Dual Core processor with high computing speed
• 2 GB RAM to satisfy minimum processing requirements
• DVD-ROM with read/write facility
• Motherboard which supports IDE, SCSI, USB 2.0, and FireWire; a slot for a LAN/WAN card; and a fan attached for cooling the processor
• Tape drive, USB drive
• Removable drive bays
• Monitor, keyboard, and mouse according to the comfort of the investigator
• Minimum two hard drives for loading a different OS on each
• For emergencies, keep spare RAM and hard disks
Stocking the Hardware Peripherals
The following hardware peripherals must be stocked as back-up:
• 40-pin 18-inch and 36-inch IDE cables, both ATA-33 and ATA-100 or faster
• Ribbon cables for floppy disks
• Extra SCSI cards
• Graphics cards, PCI and AGP
• Extra power cords
• A variety of hard disk drives
• Laptop hard drive connectors
• Handheld devices
Paraben Forensics Hardware: Handheld First Responder Kit
The Handheld First Responder Kit secures the device from unwanted wireless signals that could contaminate or eliminate data, and provides power to the device to prevent loss of data
The Kit includes:
• Wireless StrongHold Bag
• Remote Charger
• First responder cards for handling PDAs and cell phones
Figure: Handheld First Responder Kit
Paraben Forensics Hardware: Wireless StrongHold Bag
First responders can use this bag to ensure that proper wireless procedures are kept and that the evidence is protected from potential case killers after the seizure of wireless communications
It is made of a nickel, copper, and silver-plated nylon plain woven fabric. This fabric is the key to keeping unwanted signals away from your evidence
Features:
• Unique design that prevents data cables from acting as signal conduits
• Shielding effectiveness: average 85 dB from 30 MHz to 10 GHz
Figure: Wireless StrongHold Bag
Figure: Tri-weave material
Paraben Forensics Hardware: Remote Charger
The battery-powered remote charger uses multiple charging tips to keep your device powered
It is perfect for the first responder to ensure that seized devices remain powered and potential evidence is preserved
It is included in the Device Seizure Toolbox
The charger is manufactured by:
• Motorola
• Nokia
• Samsung
• Siemens
• Sony Ericsson
Figure: Remote Charger
Paraben Forensics Hardware: Device Seizure Toolbox
Paraben's Device Seizure Toolbox is designed as a collection of the items that would be needed in different scenarios for device seizure
The items in this toolbox, in combination with the appropriate software, allow for acquisitions of hundreds of cell phones and PDAs
The Device Seizure Toolbox includes:
• Remote Charger
• Power Adaptor
• USB Serial DB9 Adapter
• 1 Nylon Carrying Case
Figure: Device Seizure Toolbox
Paraben Forensics Hardware: Wireless StrongHold Tent
Paraben's Wireless StrongHold Tent (Patent Pending) was designed to allow for the safe acquisition of data from wireless devices by blocking wireless signals from reaching the device
The tent is portable and can fit one person using a laptop to perform the acquisition
Features:
• Portable and easy to set up and carry
• Lightweight and compact for excellent portability
• Includes durable, custom carrying case
Figure: Wireless StrongHold Tent
Paraben Forensics Hardware: Passport StrongHold Bag
Paraben’s Passport StrongHold Bag protects your RFID Passport
It is a protective barrier wrapping your information in a signal blocking fortress
These bags are perfect for storing anything using RFID chips so no one can steal the information from your chip
Figure: Passport StrongHold Bag
Paraben Forensics Hardware: Project-a-Phone
Project-a-Phone securely clamps your handheld device in place and delivers a clear video image of the screen to your computer, so you can show it on your monitor, display it through your projector, or share it on the web
It provides easy access to the controls while stabilizing your device, so you can run live demonstrations
Features:
• Software can simultaneously display multiple screens
• Fits most major mobile phones and handheld devices
• Delivers live video or still images
• Allows the user to record audio and video and take screen captures
• Is lightweight and compact for excellent portability
Figure: Project-a-Phone
Paraben Forensics Hardware: SATA Adaptor Male/Data Cable for Nokia 7110/6210/6310/i
SATA Adaptor Male
• SATA Adaptor Male adds Serial ATA support for Paraben's LockDown as well as ICS's ImageMASSter Solo-2
• It can be used in combination with these products to prevent altering any of the Serial ATA or P-ATA drive’s data during a forensic data seizure
Serial DLR3 Compatible Data Cable for Nokia 7110/6210/6310/i
• Popular cable for Nokia phones in Europe
Figure: SATA Adaptor Male
Figure: Serial DLR3 Compatible Data Cable for Nokia 7110/6210/6310/i
Paraben Forensics Hardware: Lockdown
Paraben's Lockdown is an advanced FireWire or USB to IDE write-blocker that combines speed and portability to allow IDE media to be acquired quickly and safely in Windows
Features:
• Small size (4"W x 3"D x 1"H) allows for complete portability and ease of use in the field
• IDE ports for both "desktop IDE" and "laptop IDE" media, negating the need for a desktop-to-laptop IDE adapter
• Acquires drives through Windows, which is substantially faster than DOS-based acquisitions
Figure: Paraben's LockDown
Paraben Forensics Hardware: SIM Card Reader/Sony Clie N & S Series Serial Data Cable
SIM Card Reader
• SIM Card Reader has the ability to acquire and analyze SIM card data
• It is compatible with both programs and when used by either program, acts as a forensic SIM card reader
Sony Clie N & S Series Serial Data Cable
• The Sony Clie serial cable supports all N & S series Sony Clie PDAs for use with Paraben's PDA Seizure or normal HotSync operations; it was formerly included in the PDA Seizure Toolbox
Figure: SIM Card Reader
Figure: Sony Clie N & S Series Serial Data Cable
Paraben Forensics Hardware: CSI Stick
Paraben's CSI Stick is a portable cell phone forensic and data gathering tool
It acquires data that can only be read and analyzed in Paraben's Device Seizure or DS Lite
It currently supports certain Motorola and Samsung phone models
The CSI Stick tool includes:
• One CSI Stick base unit
• Two Motorola tips
• One Samsung tip
• One remote charger
• Carrying case
Paraben Forensics Hardware: USB Serial DB9 Adapter
USB Serial DB9 Adapter
• Most adapters have different drivers, making it nearly impossible to support USB-to-serial adapters for PDA Seizure, Cell Seizure, and SIM Card Seizure
Specifications:
• Over 230 kbps data transfer rate
• Supports remote wake-up and power management
• 96-byte buffer each for upstream and downstream data flow
• Easy installation
• Works with cellular phones, PDAs, digital cameras, modems, and ISDN terminal adapters
Figure: USB Serial DB9 Adapter
Portable Forensic Systems and Towers: Forensic Air-Lite VI MKII Laptop
Forensic Air-Lite VI-MK II has been tested to meet the strict requirements of conducting a proper forensic acquisition and analysis
The system is packaged with the Ultimate Forensic Write Protection Kit and a Maxtor 300GB external hard drive
It includes:
• LCD Panel
• Video Controller
• DVD Burner
• FireWire IEEE-1394
• Flash Media Reader
• Software
• Ultimate Forensic Write Protection Kit
Figure: Air-Lite VI-MK II
Portable Forensic Systems and Towers: Original Forensic Tower II
Original Forensic Tower II
• Original Forensic Tower II is the updated initial version of the Forensic-Computer’s forensic system
• It includes the Ultimate Forensic Write Protection Kit
Forensic Solid Steel Tower™
• The Forensic Solid Steel Tower™ case has ten 5.25-inch bays that give flexibility in configuring a lab system to meet the differing needs of your clients
• It includes the Ultimate Forensic Write Protection Kit
Figure: Original Forensic Tower II
Figure: Forensic Solid Steel Tower™
Portable Forensic Systems and Towers: Portable Forensic Workhorse V
Portable Forensic Workhorse V is the latest model that sports an AMD Athlon 64 processor to handle the most demanding keyword searches and graphics examinations
It is compatible with all commercial forensic acquisition and analysis software including EnCase®, Forensic Tool Kit®, SMART®, SafeBack®, all of the Mares tools, and other older MS-DOS® based legacy tools
It includes:
• External Drive Bay Configuration
• Bay 1: Tableau T335 Forensic Drive Bay Controller
Figure: Portable Forensic Workhorse V
Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
Tableau's T335 Forensic Drive Bay Controller provides three independent bridges, two SATA and one IDE, each of which can be configured for read-only or read-write operation at system build time
It is designed to be mounted in a 5.25" half-height drive bay on the front of a forensic workstation or tower
It is specifically designed to work in conjunction with SATA and IDE removable drive trays, which should be mounted in close proximity to the T335 in the host computer
Figure: T335 Forensic Drive Bay Controller
Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
The Forensic Air-Lite IV MK II is the Pentium 4 replacement of the legendary Forensic Air-Lite IV
It was initially designed to be an evidence acquisition system
It is compatible with all commercial forensic acquisition and analysis software including EnCase®, Forensic Tool Kit®, SMART®, SafeBack®, all of the Mares tools, and other older MS-DOS® based legacy tools
Figure: Forensic Air-Lite IV MK II
Figure: Forensic Air-Lite V
Portable Forensic Systems and Towers: Forensic Tower II
Forensic Tower II is a powerful forensic workstation
It has been tested to meet the strict requirements of conducting a proper forensic acquisition and analysis
It includes the Ultimate Forensic Write Protection Kit II
Figure: Forensic Tower II
Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit
The Ultimate Forensic Write Protection Kit is used for the following media types: IDE, IDE Notebook, SATA, SCSI (50-pin, 68-pin, and SCA-80), plus seven varieties of flash media
Some of the tools included:
• Forensic Bridges
• Cables
• Adapters
• Power Assembly
• Media Reader
• Carrier Case
Figure: Ultimate Forensic Write Protection Kit
Tableau T3u Forensic SATA Bridge Write Protection Kit
The T3u Forensic SATA Bridge is a write-blocker for use with Serial ATA (SATA) hard disks
Unlike many other SATA write-blocking solutions, the T3u has native support for SATA hard disks
The Tableau T3u includes FireWire 800, FireWire 400, and USB 2.0 host interfaces, offering maximum flexibility when connecting the T3u to the host computer
It is ideal for field and lab settings
Figure: T3u Forensic SATA Bridge
Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader
Tableau's Forensic USB Bridge
• Brings secure, hardware-based write blocking to the world of USB mass storage devices
• The T8 also incorporates a major new enhancement in the realm of forensic bridges and write-blockers: a built-in LCD user interface
Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader
• Reads 12 different popular digital media types, including CF-I, CF-II, Smart Media™, Memory Stick™, Memory Stick Pro™, Micro Drive™, Multimedia Card™, and Secure Digital Card™
Figure: Tableau's Forensic USB Bridge
Figure: READ ONLY 12-in-1 Flash Media Reader
Tableau TACC 1441 Hardware Accelerator
Tableau's TACC 1441 hardware accelerator sets a new standard in password recovery performance
It works in conjunction with AccessData software and delivers unprecedented password attack rates
Multiple TACC1441 units can be connected to a single host to boost performance
Figure: Tableau's TACC 1441 hardware accelerator
Multiple TACC1441 Units
A single-CPU Tableau host fitted with four TACC1441 accelerators runs in excess of 250,000 passwords per second
Digital Intelligence Forensic Hardware: FRED SR (Dual Xeon)
FRED SR (Dual Xeon) is a member of the FRED forensic workstations
It has all the functional capabilities of a FRED system with the addition of components optimized for the highest level of processor, memory, and I/O performance
It is built on a dual-processor 64-bit Xeon motherboard, with good flexibility, integrated peripheral support, and performance
Figure: FRED SR (Dual Xeon)
Digital Intelligence Forensic Hardware: FRED-L
Forensic Recovery of Evidence Device – Laptop (FRED-L) is a mobile field forensic acquisition kit
It comes with UltraKit and is used to quickly, efficiently, and securely image IDE, SATA, and SCSI hard drives
It is built on Core 2 Duo Mobile processor technology
The FRED-L kit includes:
• 3 GB RAM
• FireWire 1394a
• FireWire 1394b ExpressCard
• Four USB 2.0/1.x ports
• Wireless 802.11a/b/g
• Integrated 1.3 MP video/web camera
• Gigabit (10/100/1000 Mb/s) Ethernet support
Figure: FRED-L
Digital Intelligence Forensic Hardware: Forensic Recovery of Evidence Data Center (FREDC)
FREDC provides fully integrated processing power and flexibility
It is capable of housing up to 8 completely independent forensic processing systems
It is fully extensible to provide forensic network services and storage to pre-existing forensic workstations in your network
The design of FREDC allows for customization to meet any forensic requirement
Features of FREDC:
• Faster than a local hard drive
• Centralized file storage
• Centralized access control/security
• Centralized file sharing
• Centralized data backup
• Easy to maintain and use
Figure: FREDC
Digital Intelligence Forensic Hardware: Rack-A-TACC
Rack-A-TACC is a rack mounted network appliance that leverages multiple Tableau TACC1441 accelerators to recover passwords from:
• Encrypted files, using dictionary and brute-force attack methods
• Individual stand-alone systems
Its units integrate four accelerators into a single 2U chassis controlled by a quad core host computer with optimized I/O channels
Its units can be configured in a DNA cluster to increase decryption capabilities
Figure: Rack-A-TACC
Rack-A-TACC Performance Data
Digital Intelligence Forensic Hardware: FREDDIE
Forensic Recovery of Evidence Device Diminutive Interrogation Equipment (FREDDIE) is a portable solution which meets both imaging and processing requirements
It is used to acquire and analyze computer forensic evidence in mobile (field) forensic processing
It is designed to acquire data directly from IDE/EIDE/ATA/SATA/ATAPI/SCSI I/SCSI II/SCSI III hard drives and storage devices
It is capable of handling 3½ inch floppies as well as CD-ROM and DVD
Figure: FREDDIE
Digital Intelligence Forensic Hardware: UltraKit
The UltraKit is a portable kit and is used to acquire a forensically sound image of any hard drive
It is a complete arsenal of FireWire (A/B) / USB (1.x/2.0) interface Parallel IDE, Serial ATA, and SCSI hardware write blockers
Contents of UltraKit:
• UltraBlock bridges
• Power supplies
• Drive interface cables
• Computer interface cables/adapters
• UltraKit case
Figure: UltraKit
Digital Intelligence Forensic Hardware: UltraBay
The Digital Intelligence UltraBay is used to acquire a forensically sound image of IDE, SATA, and SCSI drives using your choice of forensic imaging software
IDE, SATA, and SCSI drives may be connected to and removed from the UltraBay without shutting down the workstation or leaving the GUI
Figure: UltraBay
Digital Intelligence Forensic Hardware: UltraBlock
The UltraBlock SCSI is used to acquire data from a SCSI hard drive in a forensically sound write-protected environment
It is a FireWire/USB to SCSI Bridge Board with Forensic Write Protection
It can be connected to a laptop or desktop using the FireWire-A (400 Mb/s), the FireWire-B (800 Mb/s), or the USB 1.X/2.0 interface
Figure: UltraBlock
Digital Intelligence Forensic Hardware: Micro Forensic Recovery of Evidence Device (µFRED)
µFRED is an integrated, flexible, full-powered FRED system, and includes DI's exclusive UltraBay Write Protected Imaging Bay
It has all the processing power of a full size FRED system
It has an integrated Gigabit Ethernet (10/100/1000 Mb) for network connectivity
It includes two hard drives:
• Internal hard drive to support the operating systems and application software
• Second hard drive in a shock-mounted Hot Swap bay used for the storage and processing of case work and digital evidence
Figure: µFRED
Wiebetech: Forensics DriveDock v4
Forensic DriveDock v4 is a write-block forensic solution for accessing bare hard drives such as SATA or IDE drives
It quickly attaches drives via a FireWire 400-compatible port (write-blocked mode) or USB (read/write mode)
Forensics DriveDock v4 features:
• Unique design allows direct access to the hard drive by connecting it directly to the dock
• Dual write-blocked FireWire 400 ports
• USB 2.0 read/write port
• Multiple powering options such as Disk Drive Power In and Disk Drive Power In LED
• High-speed transfer rates
Figure: Forensics DriveDock v4
Wiebetech: Forensics UltraDock v4
Forensic UltraDock v4 is a hard drive forensics field imager
Its write-blocked technology offers easy read-only access to suspect hard drives through eSATA, USB, and FireWire 800/400 for maximum versatility
Features of Forensics UltraDock v4:
• Write-blocked
• HPA/DCO detection
• eSATA port
• DC power in
• Disk drive power in
• DC power input LED
• Disk drive power in LED
• Write-block LED
• FireWire host detection LED
• USB host detection LED
Figure: Forensics UltraDock v4
Wiebetech: Drive eRazer
Drive eRazer is Wiebetech's hardware solution that completely and quickly erases all data from a hard drive
It is faster than software programs and does not require a computer
Drive eRazer features:
• Power status LED verifies that the unit is switched on (or off)
• Status LED shows how much time remains in the erasing process
• Portability
• Comes in Professional (Secure Erase) or Standard (Single-Pass) varieties
Figure: Drive eRazer (DRZR-3, DRZR-1 & DRZR-2)
Wiebetech: v4 Combo Adapters
The Wiebetech v4 Combo Adapter is a device for transferring write-protected data to standard devices
It works with Mac OS, Windows, and forensic imaging software
v4 Combo Adapter features:
• Shrouded IDE interface connector helps protect the delicate IDE pins while connecting the adapter to the dock
• IDE interface faces upward for better accessibility
• Adapters share a smaller and more consistent size
• SATA adapter has been streamlined to 25% of its former size
Figure: v4 Combo Adapters
Wiebetech: ProSATA SS8
Wiebetech’s ProSATA SS8 is a portable and high capacity SCSI RAID with SATA drives
It combines up to 8TB of storage in a compact, transportable enclosure
It has a built-in RAID controller which supports every kind of RAID, including JBOD, 0, 1, 0+1, 3, 5, and 6
It is ideal for applications requiring mobile transport of up to 8TB of data
Figure: ProSATA SS8
Wiebetech: HotPlug
Wiebetech's HotPlug is used to transport a live computer without shutting it down
It allows hot seizure and removal of computers from the field to the forensics lab
It keeps the power flowing to the computer while transferring the computer's power input from one A/C source to another (a portable UPS) and back again
HotPlug Features:
• It moves a computer without shutting it down
• It instantly reroutes the power of a target device to a UPS for transport
Figure: HotPlug
Cellebrite: UFED System
The Cellebrite Universal Forensic Extraction Device (UFED) forensics system extracts vital data from most cell phones and PDAs
It extracts data such as phonebook, pictures, videos, text messages, call logs, ESN, and IMEI information from 1400+ models of handsets sold worldwide
It supports CDMA, GSM, IDEN, and TDMA technologies and is compatible with any wireless carrier
UFED System features:
• It is portable and easy to use
• It is a standalone kit, with no computer required for extraction
• It generates complete MD5-verified evidence reports
• It supports over 1,400 handset models, with automatic software updates for newly released devices
Figure: UFED System
DeepSpar: Disk Imager Forensic Edition
DeepSpar Disk Imager Forensic Edition is a portable version of DeepSpar Disk Imager Data Recovery Edition with the addition of forensic-specific functionality, and is used to handle disk-level problems
You can visualize the imaging process by:
• Reading the status of each retrieved sector
• Data being imaged
• Type of imaging files
Figure: Disk Imager Forensic Edition
DeepSpar: 3D Data Recovery
DeepSpar data recovery systems pioneered the 3D Data Recovery process - a professional approach to data recovery centered on the following three phases:
Phase 1: Drive Restoration
• This phase deals with drives that are not responding and drives that appear functional and can be imaged, but produce useless data
• Recommended tool: PC-3000 Drive Restoration System
Phase 2: Disk Imaging
• This phase deals with creating a clean duplicate of the disk contents on a new disk that can be used as a stable platform for phase 3
• Recommended tool: DeepSpar Disk Imager
Phase 3: Data Retrieval
• This phase involves rebuilding the file system, extracting the user's data, and verifying the integrity of files
• Recommended tool: PC-3000 Data Extractor
Phase 1 Tool: PC-3000 Drive Restoration System
The PC-3000 Drive Restoration System tool deals with drive restoration
It fixes firmware issues for all hard disk drive manufacturers and virtually all drive families
Features of PC-3000 Drive Restoration System:
• Designed for data recovery businesses
• Universal utilities give faster drive diagnostics
• Repairs the drive and secures all user data
• Software that comes with PC-3000 features a user-friendly Microsoft Windows XP/2000 interface
• PC-3000 has built-in features to treat particular drives for their most common failures
Figure: PC-3000 Drive Restoration System
Phase 2 Tool: DeepSpar Disk Imager
The disk imaging device is built to recover bad sectors on a hard drive
DeepSpar Disk Imager features:
• Retrieves up to 90 percent of bad sectors
• Special vendor-specific ATA commands are used that pre-configure the hard drive for imaging
• Reduces the time it takes to image a disk with bad sectors
• Failing hard drives are imaged with care and intelligence
• Real-time reporting with the type and quality of data imaging
Figure: DeepSpar Disk Imager
Phase 3 Tool: PC-3000 Data Extractor
PC-3000 Data Extractor is a software add-on to PC-3000 that diagnoses and fixes file system issues
It works in tandem with PC-3000 hardware to recover data from any media (IDE HDD, SCSI HDD, and flash memory readers)
PC-3000 Data Extractor features:
• Retrieves the user's data from drives with damaged logical structures
• Allows the examiner to analyze the logical structure of a damaged drive and, depending on the severity of the damage, select the specific files the user wants to recover
• If the drive's translator module is damaged, it creates a virtual translator to build a map of offsets and copies the necessary data
InfinaDyne Forensic Products: Robotic Loader Extension for CD/DVD Inspector
The robotic loader extension allows CD/DVD Inspector to control a robotic CD/DVD loader device
This system processes up to 100 discs at a time
A Robotic Loader system equipped with a camera can capture individual photographs of each disc processed
• These are stored in JPEG format with the content and reports about the disc
Figure: Robotic Loader
InfinaDyne Forensic Products: Rimage Evidence Disc System
Rimage Evidence Disc System is a hardware device which collects optical media evidence and archives case files to a long life media
It is fully integrated with CD/DVD Inspector for 24x7 unattended collection of disc evidence
Types of Rimage Evidence Disc System are:
• Rimage 5100N
• Rimage 5300N
• Rimage 7100N
These systems are self-contained: they require only power and a connection to your lab network to begin operation, and no external computer
Figure: Rimage 5100N
Figure: Rimage 5300N
Figure: Rimage 7100N
CD DVD Forensic Disc Analyzer with Robotic Disc Loader
CD/DVD Forensic Disc Analyzer with Robotic Disc Loader is a professional tool for intensive analysis and extraction of data from CD and DVD media
It saves time for forensic examiners, data recovery technicians, and law enforcement professionals involved in computer forensic investigations
Features:
• Reads and analyzes CD/DVD discs
• Stores disc data to hard drive or network
• Creates MD5 hash codes
• Examines CD/DVDs to locate hidden files
• Automated system saves time for forensic examiners
Figure: CD DVD Forensic Disc Analyzer
Image MASSter: RoadMASSter- 3
The RoadMASSter-3 forensic data acquisition and analysis tool is designed to perform both as a fast and reliable hard drive imaging unit and as a data analysis unit
It is an advanced computer forensics tool used by law enforcement agencies as well as corporate security to acquire and analyze data
It can image hard drives of any kind as well as capture data from other media and unopened computers, and supports different copy formats and hashing methods
RoadMASSter-3 features:
• High speed forensic tool with drive interfaces
• High speed operation
• Multiple capture methods
• Multi-drive copy
• Previews and analyzes
Figure: RoadMASSter- 3
Image MASSter: Solo-3 Forensic
The Image MASSter Solo-3 Forensic data imaging tool is a portable hand-held device that can acquire data from one or two evidence drives at speeds exceeding 3GB/min
It is capable of capturing data from IDE and laptop drives, Serial ATA and SCSI drives, as well as Flash Cards
Features of Solo-3 Forensic:
• MD5/SHA-1/SHA-2 and CRC32 hashing
• Touch screen user interface
• High speed operation
• Built-in write protection
• Built-in FireWire 1394B and USB 2.0 interfaces
• Multiple media support
Figure: Solo-3 Forensic
Image MASSter: WipeMASSter
The WipeMASSter product is designed to erase data and sanitize up to nine hard drives simultaneously at speeds exceeding 3GB/min
It can erase data and sanitize hard drives of different sizes and models in the same operation
It has an add-on option for formatting the sanitized drives
Features of WipeMASSter:
• High speed wipe operation
• Sanitizes multiple drives simultaneously
• Multiple media support
• Multiple sanitizing modes
• Partitions and formats drives
• Sanitizes different drive models and sizes
Figure: WipeMASSter
Image MASSter: DriveLock
Image MASSter DriveLock device is a hardware write protect solution which prevents data writes
It is available in four versions:
• Serial-ATA DriveLock Kit USB/1394B
• DriveLock Firewire/USB
• DriveLock IDE
• DriveLock In Bay
Figure: Serial-ATA DriveLock Kit USB/1394B, DriveLock Firewire/USB, DriveLock IDE, and DriveLock In Bay
Logicube: Forensic MD5
Forensic MD5 is a forensic hard disk data recovery system for law enforcement, corporate security, and cybercrime investigation
Its built-in MD5 engine allows imaging speeds of up to 3.3 GB/min
It ensures bit-for-bit accuracy, guaranteeing zero chance of alteration of the suspect and evidence drives
Forensic MD5 features:
• Number of connectivity options
• MD5 verification
• Creates DD images
• Field-tested ruggedized case
• On-site reporting
• It is portable
• Unidirectional data transfer
Figure: Forensic MD5
Logicube: Forensic Talon®
Forensic Talon® is a forensic data capture system, specifically designed for the requirements of law enforcement, military, corporate security, and investigators
It simultaneously images and verifies data at up to 4 GB/min
It captures IDE/UDMA/SATA drives, and can capture SCSI drives via USB cable
Forensic Talon® features:
• Advanced keyword search
• MD5 or SHA-256 authentication
• Unidirectional data transfer
• Creates DD images on-the-fly
• HPA and DCO capture
• Portable and high-speed data capturing
Figure: Forensic Talon®
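The image-and-verify workflow that the Forensic MD5 and Forensic Talon slides describe (one read-only pass over the suspect drive, a raw DD image written as it is read, MD5 and SHA-256 computed over the same bytes, then the image re-read and compared against those hashes) is shown below as an added Python example; it is not Logicube's or EC-Council's code, and the function names, the report fields and the constructed 3 MiB sample "drive" are assumptions.

```python
import hashlib
import io
import os
import tempfile
import time
from dataclasses import dataclass

CHUNK = 1024 * 1024  # read the source in 1 MiB pieces, one sequential pass only


@dataclass
class AcquisitionReport:
    """Assumed report fields: where the data came from, where the image went,
    how many bytes were read and the hashes computed while reading."""
    source: str
    image_path: str
    size_bytes: int
    md5: str
    sha256: str
    started_utc: str
    finished_utc: str


def _utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def _hash_stream(fileobj, writer=None):
    """Read fileobj to the end once, updating MD5 and SHA-256 over every byte and,
    if writer is given, copying each chunk to it unchanged (a raw DD-style image).
    Returns (bytes_read, md5_hex, sha256_hex)."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    total = 0
    while True:
        chunk = fileobj.read(CHUNK)
        if not chunk:
            break
        md5.update(chunk)
        sha256.update(chunk)
        if writer is not None:
            writer.write(chunk)
        total += len(chunk)
    return total, md5.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """Hash an in-memory byte string exactly the way a drive is hashed."""
    return _hash_stream(io.BytesIO(data))


def acquire_image(source_path, image_path):
    """Image source_path to image_path, hashing the source as it is read.
    The source is opened read-only, which stops this program from writing; only
    a hardware write blocker stops the host OS itself from issuing write
    commands, which is why the field devices above sit between drive and host."""
    started = _utc_now()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        size, md5_hex, sha_hex = _hash_stream(src, dst)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is verified
    return AcquisitionReport(source_path, image_path, size, md5_hex, sha_hex,
                             started, _utc_now())


def verify_image(report):
    """Re-read the written image and compare size and both hashes with what was
    computed from the source. Any difference means the copy is not bit-for-bit."""
    with open(report.image_path, "rb") as img:
        size, md5_hex, sha_hex = _hash_stream(img)
    return (size == report.size_bytes
            and md5_hex == report.md5
            and sha_hex == report.sha256)


def demo():
    """Constructed example: a 3 MiB file with a repeating byte pattern stands in
    for the suspect drive. It is imaged and verified, then one byte of the image
    is altered to show the verification catching the change.
    Returns (verified_before_change, verified_after_change)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "suspect_drive.dd")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * (3 * 4096))  # 3 MiB of constructed data
    report = acquire_image(source, image)
    ok_before = verify_image(report)
    with open(image, "r+b") as f:
        f.seek(1234)
        f.write(b"\x00")  # pattern byte here is 0xD2, so this is a real change
    ok_after = verify_image(report)
    return ok_before, ok_after
```

A real imager additionally has to cope with unreadable sectors and HPA/DCO areas, which the DeepSpar and Talon slides cover and this example does not.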
Logicube: RAID I/O Adapter™
RAID I/O Adapter™ enables the Forensic Talon® to capture a suspect RAID drive pair directly to 1 destination drive, and 1 suspect drive to 2 destination drives
Features of RAID I/O Adapter™:
• Captures RAID-0, RAID-1, and JBOD configurations
• Supports MD5/SHA-256 scan and keyword search mode during any 1-to-2 capture
• Supports both native and DD image operation modes during 1-to-2 and 2-to-1 capturing
• Supports drive defect scan and WipeClean modes during 1-to-2
Figure: RAID I/O Adapter™
Logicube: GPStamp™
Logicube GPStamp™ is a device that produces a verified fix on the location, time, and date of the data captured
Investigators can bolster their credibility by specifying when and where data captures are performed
GPStamp™ features:
• Computes the exact location of capture in 3D space; accurate within 50 meters
• Adds accurate latitude, longitude, and time to the capture report and log
• It is capable of acquiring satellites and fixes within most buildings
Figure: GPStamp™
Logicube: Portable Forensic Lab™
The Portable Forensic Lab™ (PFL) is a portable computer forensic field lab housed in a special ruggedized carrying case
This tool gives the investigator a head start, often cutting the time to acquire the critical data
The PFL includes all that a computer forensic examiner needs to:
• Capture evidence data at high speed from multiple sources
• Browse data from multiple types of digital media
• Analyze the captured material using computer forensic analysis software such as FTK™ from AccessData
Figure: Portable Forensic Lab™
Logicube: CellDEK®
Logicube CellDEK® is a cell phone data extraction device which identifies devices by brand, model number, dimensions, and photographs
It is portable and compatible with over 1100 of the most popular cell phones and PDAs
It captures the data within 5 minutes, displays it on screen, and prompts to download it to a portable USB device
Investigators can immediately gain access to vital information, saving days of waiting for a report from a crime lab
Figure: CellDEK®
Logicube: OmniPort
Forensic OmniPort device allows immediate access to the majority of the current USB Flash devices
It captures and deploys data to or from most USB Flash drives
It is compatible with Thumb Drives, Pen Drive type devices, Flash Memory Cards using USB Card readers, and 2.5” and 3.5” external USB drives
It can be connected directly to a PC’s motherboard and booted as an IDE device
It allows data cloning to or from the attached USB drive by the Logicube Echo Plus®, Sonix®, OmniClone® 10Xi/5Xi/2Xi, and Forensic Talon®
Figure: OmniPort
Logicube: Desktop WritePROtects
Logicube Desktop WritePROtects is a data recovery adapter used to protect hard drives
It comes in two versions:
• IDE Desktop WritePROtect
• SATA Desktop WritePROtect
It allows only a small subset of the ATA specification commands to flow to the protected drive and blocks all other commands
It connects via IDE or SATA cable to the HDD forensic tools for data capture
It guarantees read-only access when analyzing the captured or cloned drive under Windows
Figure: Desktop WritePROtects
Logicube: USB Adapter
The USB Adapter allows for cloning and drive management directly through the USB (1.1 or 2.0) port on a PC or laptop
It is capable of cloning at speeds up to 750 MB/min
It allows the investigator to:
• Store/restore images to a network server
• Modify a drive's contents
• Defragment the master drive
• Reformat the master drive
• Manage partitions using third-party software
Figure: USB Adapter
OmniClone IDE Laptop Adapters
Logicube: Cables
OmniClone IDE Cables:
• F-CABLE-30A
• F-CABLE-5
• F-CABLE-9
• F-CABLE-RP10
• F-CABLE-RP15
• F-CABLE-RP2
• F-CABLE-RP5
• F-CABLE-SOL
OmniClone SATA Cables:
• F-CABLE-SAS5
• F-CABLE-SATA
• F-CABLE-SATA18
• F-CABLE-SATAEP
• F-CABLE-SATAXI
OmniClone UDMA IDE Cables:
• F-CABLE-RP2U
• F-CABLE-RP5U
• F-CABLE-RP10U
• F-CABLE-RP15U
• F-CABLE-SOLU
• F-CABLE-5U
• F-CABLE-9U
• F-CABLE-30U
• F-CABLE-XI, F-CABLE-2XI
• F-CABLE-5XI, F-CABLE-10XI
OmniClone SCSI Cables:
• F-CABLE-SCSI
• F-CABLE-SCSI2
• F-CABLE-SCSI4
Power Supplies and Switches
Tableau products share common power supply requirements
Tableau T2 Drive Power Switch:
• Using the T2, you can safely connect and disconnect a device from a power supply without having to turn off the power supply
• No forensic kit bag should be without a T2
Tableau TP1 Power Supply:
• Ensures that a single power supply would work across full lines of Tableau products
• Tableau sells the TP1 under two part numbers:
• Part number "TP1" includes the power supply and a 6' US-style IEC line cord
• Part number "TP1-NC" includes only the power supply itself
Figure: T2 Drive Power Switch
Figure: TP1 Power Supply
DIBS Mobile Forensic Workstation
DIBS® computer forensic equipment is designed for easy operation under standard operating conditions
Major Specifications:
• Full size laptop with Intel Pentium M Centrino 1.7 GHz processor
• 1GB DDR2 SDRAM 533MHz
• 80GB ATA-100 forensic hard drive running Windows XP
• Forensic software and operating systems are fully installed and configured on the hard drive
Figure: DIBS Mobile Forensic Workstation
DIBS Advanced Forensic Workstation
DIBS® Advanced Forensic Workstation is a highly developed and versatile item of forensic equipment, yet it is easy and intuitive to learn and use
It provides copying and analysis of drives using the Windows XP operating system
The custom designed unit uses standard components and sub-assemblies of the highest quality, configured in such a way so as to maintain maximum evidential integrity
Hardware and software modifications are tailored according to the needs of the forensic investigation, enabling the investigator to accurately and efficiently perform computer forensic analysis
Figure: DIBS Advanced Forensic Workstation
DIBS® RAID: Rapid Action Imaging Device
DIBS® RAID is a tough yet lightweight unit designed to enable copying of a suspect computer hard disk onto another clean hard disk
The average copying speed can be as fast as 2.4GB per minute and depending on the specifications of the hard drives, up to 4GB per minute
Two complete copying units are included together with a selection of hard disks to which copies can be made
Figure: Rapid Action Imaging Device
Forensic Archive and Restore Robotic Devices: Forensic Archive and Restore (FAR Pro)
The system includes an all in one Robotic Duplicator, with a 100 disk capacity and customized software
It archives forensic investigative data
The software performs MD5 and SHA1 hashes to validate the archive
The unit will also print labels
Figure: FAR Pro
Setting a Computer Forensic Lab: Software Requirements
Basic Software Requirements in a Forensic Lab
A computer forensics lab should have the following basic software:
• Imaging software: to make an exact copy of the target hard disk data without altering the data
• Conversion software: to convert one type of file into another type
• Analysis software: to compare different files and convert documents
• Viewing software: to view the different types of image and graphic files
• Monitoring software: to gather and examine data on a real-time basis
• Security utility software: to get information from encrypted files, hash sets, and erase utilities
Maintain Operating System and Application Inventories
The following are the application inventories and operating systems that must be maintained:
• Windows XP, 2003, and Windows 2000 operating systems
• Linux / Unix / Mac OS X / iMac operating systems
• EnCase, FTK, and other forensic software
• Imaging tools like R-Drive, SafeBack, etc.
• Programming language applications such as Visual Studio Suite
• Graphics tools such as Adobe Photoshop, CorelDraw, etc.
• Specialized viewers such as QuickView and ACDC
• MS Office / Corel Office Suite / StarOffice / OpenOffice
Paraben Forensics Software: Device Seizure
Device Seizure v2.1 is a software that acquires and analyzes data from over 1,950 mobile phones, PDAs, and GPS devices including iPhones
It was designed as a forensic-grade tool that has been upheld in countless court cases
Device Seizure can acquire the following data:
• SMS history (text messages)
• Deleted SMS (text messages)
• Phonebook
• Call history
• File system (physical memory dumps)
• GPS waypoints, tracks, routes, etc.
• PDA databases
• Registry (Windows Mobile devices)
Device Seizure: Screenshot 1
Device Seizure: Screenshot 2
Paraben Hard Drive Forensics: P2 Commander
Paraben's P2 Commander is a comprehensive digital forensic tool designed to handle more data efficiently during the entire forensic process
It utilizes Paraben's advanced plug-in architecture to create specialized engines that focus on things such as e-mail, network e-mail, chat logs, and file sorting
P2 Commander features:
• Back-end Firebird database for supporting massive amounts of data
• Multi-threading and task scheduling capabilities to process more data in less time
• Examines logical and physical disks as well as individual files and folders with FAT12, FAT16, FAT32, and NTFS file systems
• Chat database plug-in supports many chat clients for viewing chat database contents
• Forensic Sorter plug-in sorts data into relevant categories
P2 Commander Screenshot
Paraben Hard Drive Forensics: P2 eXplorer
Paraben's P2 eXplorer mounts the forensic image on the machine while preserving the forensic nature of the evidence
The image is mounted as the actual bitstream image, preserving unallocated, slack, and deleted data
Features:
• Mounts Paraben's Forensic Replicator images (PFR)
• Mounts compressed & encrypted PFR images
• Mounts WinImage non-compressed images
• Mounts EnCase images (up to v4.02a)
• Mounts RAW images from Linux DD & other tools
P2eXplorer Screenshot
Crucial Vision
Source: http://crucialsecurity.com/
Crucial Vision is a digital forensics bulk-process preview and holistic examination tool
It performs faster searching and processing by implementing a patent-pending algorithm to find more files in the FAT file system
It employs unique file recovery technology
It helps forensic analysts cope with large volumes of data by providing a holistic view of all their data
Crucial Vision: Screenshot 1
Source: http://crucialsecurity.com/
Crucial Vision: Screenshot 2
Source: http://crucialsecurity.com/
InfinaDyne Forensic Products: CD/DVD Inspector
CD/DVD Inspector is software for intensive analysis and extraction of data from CD-R, CD-RW, and DVD media
It reads all major CD and DVD file system formats including ISO-9660, Joliet, UDF, HFS, and HFS+
CD/DVD Inspector features:
• Complete CD imaging
• Supports creation of ZIP images from media
• Supports DVD media recovery
• File scanning
• Built-in image viewer
• Low-level sector examination and scanning
• CD Text, ISRC, and RID audio disc display
InfinaDyne Forensic Products: AccuBurn-R for CD/DVD Inspector
AccuBurn-R produces exact copies of discs that have been imaged using CD/DVD Inspector
It supports all types of discs, such as:
• VCD / SVCD / XVCD video discs
• Karaoke discs
• Unfinalized drag-and-drop discs (write-once media)
• Discs with read errors
• DVD Video
InfinaDyne Forensic Products: Flash Retriever Forensic Edition
Flash Retriever Forensic Edition is a professional tool for examining, recovering, and documenting flash-based media
It recovers pictures and files from all types of flash media, creates a hashed image file, and restores the image file to media
Flash Retriever Forensic Edition features:
• Complete imaging of flash devices in raw format
• Use with EnCase E01 image files
• Multiple-media support
• Thumbnail display for photos
• Report generator
• Supports raw camera files
Flash Retriever Forensic Edition Screenshot 1
Flash Retriever Forensic Edition Screenshot 2
InfinaDyne Forensic Products: ThumbsDisplay
ThumbsDisplay is a tool for examining and reporting on the contents of Thumbs.db files used by Windows
ThumbsDisplay features:
• Shows all thumbnail files: thumbs.db, thumbcache_idx.db, thumbcache_32.db, etc.
• Displays all thumbnail images with original file name and timestamp
• Prints individual images and copies them to the clipboard for inclusion in a document
• Displays thumbnails in three sizes: 96x96 (original), 150x150, or 200x200
TEEL Technologies SIM Tools: SIMIS
The SIMIS mobile handheld reader enables the investigator to collect data from multiple SIM cards for on-site analysis and later review using the SIMIS PC software
Independent testing and a wide range of supported SIMs enable examiners to obtain the maximum data from a SIM
Features of SIMIS:
• Complete analysis and data dump of SIM cards
• Easy interfacing and reporting
• Unicode support to display native-language characters
• MD5 and SHA-256 hashing of data
• Nextel, Thuraya, Iridium, and Inmarsat SIMs supported
• "Hot Number" enables identification of special-interest numbers during reads
Figure: SIMIS mobile handheld reader
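The three product descriptions above share one underlying procedure: image the media in raw form, hash every byte as it is read (MD5 and SHA-256, as SIMIS lists), record sectors that could not be read (the "discs with read errors" AccuBurn-R handles), and later prove that a restored copy matches the acquisition record (Flash Retriever's hashed image and restore). The following is an added example written for this page, not code from InfinaDyne or TEEL Technologies; the `SampleDevice` class and `make_sample_media()` are constructed stand-ins for real hardware, and the 512-byte sector size is an assumption.

```python
"""
Hashed raw imaging with bad-sector handling and restore verification.

Added example, not InfinaDyne or TEEL code. It models the acquisition step a
forensic imager performs: copy media sector by sector into a raw image,
compute MD5 and SHA-256 in the same pass, note any unreadable sectors, and
later prove a restored copy matches the acquisition hashes.
"""
import hashlib
import io

SECTOR = 512  # assumption: sector size of the flash medium


class SampleDevice:
    """Constructed in-memory stand-in for a flash card or SIM dump.

    read() raises OSError when the requested range touches a sector listed in
    bad_sectors, mimicking an unreadable cell on worn media.
    """

    def __init__(self, data: bytes, bad_sectors=()):
        self._buf = io.BytesIO(data)
        self.size = len(data)
        self.bad = set(bad_sectors)

    def seek(self, pos: int) -> None:
        self._buf.seek(pos)

    def tell(self) -> int:
        return self._buf.tell()

    def read(self, n: int) -> bytes:
        start = self._buf.tell()
        end = min(start + n, self.size)
        first, last = start // SECTOR, (end - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError("unreadable sector in range %d-%d" % (first, last))
        return self._buf.read(n)


def image_device(device, image, chunk_sectors: int = 128) -> dict:
    """Copy device into image, hashing every byte written exactly once.

    Large reads keep the copy fast; when one fails, the chunk is re-read one
    sector at a time so only the truly unreadable sector is zero-filled and
    logged, the way a forensic imager records bad blocks.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad, total = [], 0
    device.seek(0)
    while True:
        pos = device.tell()
        try:
            block = device.read(SECTOR * chunk_sectors)
        except OSError:
            block = b""
            for i in range(chunk_sectors):
                offset = pos + i * SECTOR
                device.seek(offset)
                try:
                    sector = device.read(SECTOR)
                except OSError:
                    bad.append(offset // SECTOR)
                    sector = b"\x00" * SECTOR  # zero-fill, never skip, so offsets stay aligned
                if not sector:
                    break
                block += sector
        if not block:
            break
        image.write(block)
        md5.update(block)
        sha256.update(block)
        total += len(block)
    return {"bytes": total, "bad_sectors": bad,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    """Hash a restored medium (or a whole image) the same way acquisition did."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_restore(acquisition: dict, restored: bytes) -> bool:
    """True only if both digests of the restored media match the acquisition record."""
    h = hash_bytes(restored)
    return h["md5"] == acquisition["md5"] and h["sha256"] == acquisition["sha256"]


def make_sample_media(sectors: int = 64) -> bytes:
    """Constructed content: each sector holds its own index byte, with a JPEG
    SOI marker planted in sector 8 so a carver would see a 'photo'."""
    data = bytearray(b"".join(bytes([i]) * SECTOR for i in range(sectors)))
    data[8 * SECTOR:8 * SECTOR + 4] = b"\xff\xd8\xff\xe0"
    return bytes(data)


def acquire(data: bytes, bad_sectors=(), chunk_sectors: int = 128):
    """Image a constructed device; return (acquisition record, image bytes)."""
    image = io.BytesIO()
    record = image_device(SampleDevice(data, bad_sectors), image, chunk_sectors)
    return record, image.getvalue()


if __name__ == "__main__":
    media = make_sample_media()
    record, image = acquire(media, bad_sectors=[5], chunk_sectors=4)
    print("imaged %d bytes, bad sectors %s" % (record["bytes"], record["bad_sectors"]))
    print("sha256", record["sha256"])
    print("restore verified:", verify_restore(record, image))
    print("tampered restore verified:", verify_restore(record, image[:-1] + b"\x01"))
```

The acquisition record hashes the image as written, including any zero-filled sectors, which is why the bad-sector list belongs in the same record: without it, a later examiner could not tell a zeroed sector from one that was genuinely empty on the source.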
TEEL Technologies SIM Tools: SIMulate
SIMulate is a forensic SIM duplication tool that recovers all available data from a SIM card under forensic examination and produces a working duplicate for evidence recovery and analysis
Cards produced with SIMulate can be reused: it irretrievably erases the data on a SIMulate duplicate before writing new data to the card
SIMulate features:
• Recovers and duplicates all available data from a SIM card
• Produces a working duplicate, or many duplicates, for evidence recovery and analysis
• Generates a report with encrypted security hashes
• Generates any number of cards
TEEL Technologies SIM Tools: SIMgen
SIMgen is a SIM card creation tool for handset interrogation and is used to unlock data on phones whose SIM cards are missing
It allows the creation of a generic SIM card with user-configurable IMSI, ICCID, and MSISDN
It allows card details (typically obtained from the handset’s physical memory) to be written to a generic SIM
SIMgen features:
• Used for interrogating phones with missing SIM cards
• Enables examiners to program a blank SIM card with IMSI, ICCID, and MSISDN
• No network connection
• Generates any number of cards
• SIMgen cards can be reused
LiveDiscover™ Forensic Edition
LiveDiscover™ scans a selected range of IP addresses and generates comprehensive forensic reports
It allows for the creation of customized vulnerability scripts and provides a comprehensive view of the enterprise under investigation
Features of LiveDiscover™ FE:
• Live forensic network mapping
• Live forensic vulnerability assessment
• Recognizes Windows, Unix, Linux, Macintosh, VMS, Novell, OS/2, and Sun operating systems
• Allows custom vulnerability scripts to be modified or added
• Generates a detailed forensic report
Tools: LiveWire Investigator
LiveWire Investigator examines computer systems quickly and inconspicuously, capturing relevant data, including running state, while the system under investigation continues to operate
It is simple to operate, adheres to digital forensics best practices, and provides an extensive array of data acquisition options and analytical tools
Features of LiveWire Investigator:
• Examines a running computer while it continues to operate
• Conducts investigations without disrupting operations
• Maintains the functionality of critical systems
• Captures and records running state (volatile memory snapshot, live registry examination, system log)
• Collects key information on running programs, network connections, and data transmissions (IP, NetBIOS, routing table acquisition)
• Obtains information that would be lost if the system were shut down (running processes)
• Investigates and documents suspicious activity as it occurs
Summary
A Computer Forensics Lab (CFL) is a designated location for conducting computer-based investigations on the collected evidence
The budget for a forensic lab is allocated by estimating the number of cases that will be examined
An ideal lab consists of two forensic workstations and one ordinary workstation with Internet connectivity
The lab should be inspected on a regular basis to check that the policies and procedures implemented are being followed
The forensics lab should be under surveillance to protect it from intrusions
The American Society of Crime Laboratory Directors (ASCLD) is an international body certifying forensics labs that investigate criminal cases by analyzing evidence