While waiting for my new forensics lab to be completed, I am glad to see that one of the scenarios we are supposed to work on is exactly that. Noroff in Kristiansand has decided to construct a computer forensics laboratory to provide a service to local police forces and businesses. An initial survey of potential clients has indicated the following:
- Most of the forensic work will involve devices running the Windows operating system and removable storage media. It is anticipated that much of the casework will feature system misuse (breach of acceptable use policy).
- There will be 2 members of staff working in the lab.
- Case turnover will be 2-3 cases per month.
A suitable room (a former bomb shelter) has been located in the building to ensure a secure location. My budget for this scenario is NOK 200,000,- to spend on both hardware and software. This is what I have landed on:
- The balance between RAM, CPU and storage is based on two factors: the minimum requirements for running AccessData FTK, and what is currently available and recommended. Each of the two staff members gets a dedicated HP EliteBook 840 G4 with upgraded RAM: an Intel Core i7-6500U at 2.5 GHz (turbo up to 3.1 GHz), 32 GB DDR4 RAM and 256 GB of SSD storage. Storage-wise that is not a lot for evidence images, but there is room inside for a secondary SSD (available in sizes up to 4 TB). The laptops will have docking stations for a more comfortable working environment in the office, while still letting the staff take their entire workspace with them should a case require it. As a second, shared option there will be a stationary forensics workstation operating as a server, reachable over VPN. This machine will have 128 GB DDR4 RAM and multiple bays for removable storage and other media.
- The laboratory will also need hardware and software.
Hardware: A range of hand tools will be needed, such as kits with Torx and Phillips bits and so on; better to have one tool too many than one too few. Other components in the lab will include rubber gloves, various pliers, a heat gun, an antistatic wrist strap, a magnetic mat, and a variety of cables and connectors. The lab will also need several removable storage media as well as empty enclosures for 2.5″ and 3.5″ hard drives. Most of the equipment can be stored on a wall grid above the desk and on a mobile tool cart. Lastly there will be two hardware write-blockers in the lab, so that evidence media can be imaged without any risk of writing to the original.
Software: There is a large variety of freeware available, as well as paid software. My recommendation would be to take advantage of the forensics tools included in Kali Linux, such as Autopsy (the GUI front end for The Sleuth Kit). Kali also ships password-cracking tools such as John the Ripper and hashcat for recovering passwords on protected accounts, archives and containers. In addition, dd on Linux is an option for raw imaging, provided the source sits behind a write-blocker and the image is hashed and verified against the source. Much of the imaging and triage of removable media can be done with the free FTK Imager alone, but I believe the laboratory budget leaves room for a full FTK license, as well as MPE+ (for mobile phones and tablets).
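The dd option above is only defensible if every acquisition is hashed and the hash verified. The following POSIX shell script does exactly that; it is an added example and not part of the original post or of any of the tools named. It assumes Linux coreutils (dd, sha256sum, awk); the function names, the case paths in the usage line and the sample file it is tested with are my own. In a real acquisition the source is a block device such as /dev/sdb connected through a hardware write-blocker.

```shell
#!/bin/sh
# Added example (not from the original post): acquire a raw image with dd and
# verify it by hash. Assumes Linux coreutils (dd, sha256sum, awk). In a real
# case SRC is a block device behind a hardware write-blocker; the paths below
# are hypothetical.
#
# Usage: image_and_verify /dev/sdb /cases/0001/sdb.dd /cases/0001/sdb.log

sha256_of() {
    # Print only the hex digest of a file or block device.
    sha256sum "$1" | awk '{print $1}'
}

verify_image() {
    # verify_image SRC IMG LOG: re-hash source and image, log both,
    # return 0 only if the digests match.
    src=$1; img=$2; log=$3
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    {
        echo "verified: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:   $src  sha256=$src_hash"
        echo "image:    $img  sha256=$img_hash"
    } >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

image_and_verify() {
    # image_and_verify SRC IMG LOG: raw-copy SRC to IMG with dd, then verify.
    src=$1; img=$2; log=$3
    echo "acquire:  $(date -u +%Y-%m-%dT%H:%M:%SZ) dd if=$src of=$img" >>"$log"
    # bs=512 matches the sector size, so conv=noerror,sync pads exactly one
    # unreadable sector with zeros and keeps every later offset aligned. A
    # large block size (bs=4M) would pad the tail of the image and break the
    # hash match. dd's record counts and any read errors go into the log.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 2
    verify_image "$src" "$img" "$log"
}
```

Keep the log with the case file: it records the acquisition time, dd's record counts (and any read errors), and both digests, so anyone can later re-run verify_image against the stored image and show it still matches what was acquired.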
As a final budget proposal:
- Two upgraded HP Elitebook 840, NOK 40,000,-
- One server/workstation inc. removable media, NOK 60,000,-
- Various hardware and equipment, NOK 30,000,-
- Various software, NOK 50,000,-
- Unexpected extras, NOK 20,000,-