Forensic Workstations:
To conduct investigation and analysis, we must have a specially configured PC known as a computer forensics workstation. This is a computer loaded with additional bays, ports, and forensic software and hardware. Less powerful workstations are used for mundane tasks, and multipurpose workstations are used for high-end analysis tasks.
Forensic workstations must be configured according to their usage and location. For example, a police department might need 1 multipurpose workstation and 2 or 3 basic workstations. Private or corporate labs would probably require different configurations than a police lab.
A simple DOS platform and a Windows platform are required. MS-DOS 6.2 and Windows XP are recommended. Write-blocking hardware is also a must, because each time the suspect/evidence disk is accessed, the OS alters the data by writing new data, thus destroying the quality and integrity of the evidence.
With current computer hardware and software, it is very easy to set up a forensic workstation. The following list contains the absolutely necessary components for a basic workstation:
1. A computer running Windows XP
2. A write-blocker device
3. Forensic acquisition tool
4. Forensic analysis tool
5. A large target drive to receive the source or suspect disk data
6. Spare PATA and SATA ports
7. USB ports
8. Network Interface Cards (NIC)
Forensic workstations can be divided into 3 categories:
1. Stationary workstation – a tower with several bays and many peripheral devices
2. Portable workstation – a laptop computer with almost as many bays and peripherals as a stationary workstation
3. Lightweight workstation – a laptop computer with a specialized selection of peripherals
The mobile forensic workstation (www.vogon-computer-evidence.com/mobile-station.htm) is a highly flexible and modular piece of equipment that allows the facilities and power of a well-equipped computer forensic laboratory to be set up anywhere in the world in the time it takes to arrive there yourself. The system allows direct imaging using the special hosting options, network connectivity, tape duplication, processing, and investigation activities to be carried out.
A laptop PC using FireWire (IEEE 1394B standard), USB 2.0 or a PCMCIA SATA hard disk can be used to create an efficient mobile forensic workstation. Improved throughput speeds on laptops also help in faster imaging of suspect drives.
A complete multipurpose stationary workstation must contain the following:
Software:
1. MS-Windows XP (legal copy)
2. MS-DOS 6.22
3. EnCase (Guidance Software)
4. FTK (AccessData’s Forensic Tool Kit)
5. CyberCheck (C-DAC)
6. DIBS Mycroft High Speed Search Engine
7. Password Recovery Toolkit
8. Registry Viewer
9. DVD-CD authoring software
10. Forensic utility software
11. MS-Office (legal copy)
12. Adobe Photoshop (legal copy)
13. K-Lite Codec Pack
14. Decryption and encryption tools
15. Mobile forensics tools
16. Data recovery tools
17. Data carving tools
18. Cellebrite Mobile Forensic Toolkit
Hardware:
1. Primary hard disk – efficiently partitioned
2. Standard peripherals like DVD readers and writers, laser printers, scanners, LCD monitor, speakers
3. Powerful processor systems
4. Storage devices for making bit-stream copies or clones of suspect storage media
5. Memory card readers – MMC, SD, Mini & Micro SD, Micro Drives, Flash Cards
6. USB external CD-DVD writers for backing up
7. A wide array of connectors for various hardware devices
8. Expansion slots for examining laptop hard disks, PCMCIA cards and drives
9. Removable storage media – pen drives, USB drives, Jaz and Zip drives
10. Write blockers
11. IDE and SCSI hard drives
12. FireWire disk imaging tools
Thus we can see that a computer forensic workstation is essential for every forensic investigator. The extent, capabilities and type of workstation are governed by the resources available to the investigator. The investigator or user of the forensic workstation must have a working knowledge of all the hardware and software involved.
What are the disadvantages of mobile forensic workstations? Please specify.