Your Forensic Toolkit

Now that you’ve reviewed a selection of tools available to forensic investigators, you must decide which tools work best for you. Every forensic investigator has slightly different needs. The particular tools you acquire depend on many factors, including:

  • Expected types of investigations
    • Evidence to be presented in a court of law
    • Evidence for internal reporting/auditing
  • Operating system needs and preference
  • Background and training
  • Budget
  • Status
    • Law enforcement
    • Private organization

Consider your specific forensic needs, then carefully consider the products available. In general, you should acquire only the functionality you need and nothing more. The problem is that it can be difficult to know exactly what functionality you will need under any and all circumstances. Each investigation is different and may call for different approaches. In such cases, tool needs change. To the best of your ability, develop a list of anticipated forensic tool needs.


Tales from the Trenches: Forensic Tools

The care and maintenance of your computer forensic tools begins well before you are asked to perform any forensic evaluation.

Each time you purchase a new hard drive, you must complete a procedure to sanitize that drive to ensure that there is no data present prior to using it in an imaging process. This is a process that can require many hours to complete.

The CEO of a company once asked me to perform a forensic evaluation of a very senior employee’s computer to look for evidence that this employee was planning to leave the company. The CEO was very concerned because this employee had access to sensitive trade secrets that could put the company at a great disadvantage if they were revealed to a competitor.

The CEO wanted me to go into the employee’s office in the middle of the night and image the hard drive without his knowledge and leave everything as I had found it so the employee would not know I had been there. I had only one problem. The CEO wanted the imaging done that night and I didn’t have a hard drive with me that had been sanitized to comply with the U.S. Department of Defense specification DoD 5220.22-M standard.

I was out of town teaching a forensic class when the request was made. If I had been at home, I simply would have opened the safe at my lab and taken out one of the many sanitized hard drives (of varying sizes) that I keep prepped and ready to go. As a matter of procedure, each time I purchase a new hard drive, I use the ICS Image MASSter Solo 4 Forensic unit to sanitize the drive and then I store the drive in my safe and complete an entry in a log to begin its chain of custody.

Because I did not have a prepped drive, I drove to one of the local computer super centers and purchased a drive. I had previously asked the CEO what size hard drive he thought the employee had in his computer and he told me the company standard was an 80 GB hard drive. Of course, I purchased a 120 GB hard drive to make sure I was buying a large enough drive.

I went back to my hotel and began sanitizing the drive, which takes many hours to complete on a 120 GB hard drive. The CEO told me he would meet me at the office whenever I was ready. The process completed at 4 a.m. and I called the CEO. We went to the office, and I was able to image the employee’s computer and leave the building before any of the other employees arrived for work. After inspecting the hard drive, we discovered evidence that the executive was planning to leave and was collecting data to take with him. We were able to prevent him from taking the data. Very soon after, he did leave the company and, because of his actions, did not receive a severance package.

From this experience, I learned to bring a sanitized 250 GB hard drive with me when I travel out of town—just in case. From this story, you should learn that you would be wise to purchase a variety of hard drives and sanitize them before you ever talk to your first customer about performing a forensic examination.
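The sanitize-then-log procedure the sidebar describes (overwrite passes, read the medium back to confirm it is blank, open the drive's chain-of-custody record), as an added example that is not the book's or the author's code. The 0x00, 0xFF, random pass order is the commonly cited DoD 5220.22-M three-pass clearing pattern; the trailing zero pass, the function names, the JSON-lines log format and the scratch file that demo() builds are assumptions of this example. demo() works on a temporary file; point sanitize() at a real block device path (as root) only once you are certain of the device name, because every byte on it is destroyed.

```python
"""Sanitize a target medium and record the result in a chain-of-custody log.

Added example, not code from the book or its author. Assumes a path the
user can open read/write: a regular file for testing, or a block device
such as /dev/sdX on Linux when run as root. The 0x00/0xFF/random sequence
is the commonly cited DoD 5220.22-M three-pass pattern; the final zero pass
is an assumption of this example so the medium ends "known blank" and can
be verified by reading it back. The JSON-lines log format is also assumed.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB per read/write


def _write_pass(f, size, fill):
    """Overwrite the first `size` bytes of f with `fill` (one byte) or random data (None)."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(os.urandom(n) if fill is None else fill * n)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # make sure the pattern reaches the medium, not just the cache


def verify_zeroed(path):
    """Read every byte back. Returns (all_zero, sha256_hex, bytes_read)."""
    h = hashlib.sha256()
    all_zero = True
    size = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                break
            size += len(buf)
            h.update(buf)
            if all_zero and buf.count(0) != len(buf):  # any non-zero byte fails verification
                all_zero = False
    return all_zero, h.hexdigest(), size


def expected_zero_digest(size):
    """SHA-256 of `size` zero bytes, computed chunk-wise so large sizes need no big buffer."""
    h = hashlib.sha256()
    zeros = bytes(CHUNK)
    while size:
        n = min(CHUNK, size)
        h.update(zeros[:n])
        size -= n
    return h.hexdigest()


def sanitize(path, passes=(b"\x00", b"\xff", None, b"\x00")):
    """Run the overwrite passes, then verify by reading the whole medium back."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # size of a regular file or a block device
        for fill in passes:
            _write_pass(f, size, fill)
    all_zero, digest, read_back = verify_zeroed(path)
    return {
        "path": path,
        "bytes": size,
        "passes": len(passes),
        "verified_zero": all_zero and read_back == size,
        "sha256": digest,
    }


def log_custody(entry, logfile, examiner):
    """Append one JSON line: the first entry in this drive's chain of custody."""
    record = dict(entry, examiner=examiner, action="sanitize",
                  when=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()))
    with open(logfile, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def demo():
    """Constructed sample: a scratch 'drive' of 3 MiB + 1234 bytes of random data."""
    tmpdir = tempfile.mkdtemp()
    drive = os.path.join(tmpdir, "scratch-drive.img")
    with open(drive, "wb") as f:
        f.write(os.urandom((3 << 20) + 1234))
    before_zero, _, _ = verify_zeroed(drive)  # fresh media is not blank: expect False
    result = sanitize(drive)
    record = log_custody(result, os.path.join(tmpdir, "drive-log.jsonl"), "examiner-1")
    return {"before_zero": before_zero, "result": result, "record": record}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The read-back pass is the part that matters for evidence handling: a wipe you cannot prove happened is a wipe opposing counsel can question. Keep the digest and the log line with the drive, and treat any non-zero byte on read-back as a failed sanitization, not a warning.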

Although it’s important to be adequately prepared, one common pitfall is to overbuy. The impulse with any purchase is to load it with every available option. Think about it: have you ever used all the options on your video camera? The owner’s manual lists all the things it can do, and you probably heard about those features when you bought the camera and forgot most of them once you started using it. Forensic tools likewise include options you may simply never need. Avoid paying for options you’ll never use; it will save you money that is better spent on training and validation.

Each Organization Is Different

In choosing a forensic tool set, consider how your organization approaches investigations. Do you need the ability to examine machines remotely? If so, you can narrow your search to a few options. Are you a UNIX shop with a small budget? Open source tools might fit the bill in this situation.

There is no “one size fits all” forensic toolkit. Ask questions. Take the time to attend training and view tutorials. Test as much software as possible. Investing substantial time in this process will help you make more informed decisions. Thoroughly consider how your organization conducts investigations, what kinds of investigations you’ll need to participate in, and what features you’ll need to get the job done.

Most Examiners Use Overlapping Tools

Unless a single set of forensic tools satisfies all of your needs, consider selecting multiple tools while weighing the costs involved. When you do select multiple tools, they will most likely overlap. That’s okay. Get what you need. There’s nothing wrong with having three disk imaging tools. Use the one that makes the most sense.

Most forensic examiners use tools from several vendors, and many mix commercial and open source tools. Whether a tool is commercial or open source is not what matters. What matters is that you have the tools to get the job done, that you know how to use them, and that you verify, on media with known contents and again after every tool update, that each tool does what it claims before you use it on a real case.

One last point: Get the necessary training to use the tools you acquire most effectively. Great tools can hamper or ruin an investigation if you don’t know how to use them. Forensic tools can be highly effective or highly destructive, depending on the knowledge of their user. Get the tools, and then get the training to use them properly.

After you have built your toolbox, and know how to use the tools in it, you are ready to tackle the next investigation.
