
Hardware

The laboratory should have sufficient computers and other hardware to perform the variety of functions necessary. Examiners will be tasked with imaging hard drives and processing gigabytes of data. As a result, a forensic computer with sufficient RAM is necessary. While there are personal preferences for the amount, a minimum of 32 GB of RAM is recommended. In addition to memory and processing power, examiners will often be looking at a large amount of data. Forensic workstations should have a primary OS drive that can contain forensic software and a secondary drive to hold evidence. The secondary drive should contain 2 TB or greater of storage.

In addition to a forensic workstation, the examiner should also be provided with an internet-connected computer. The forensic workstation should have no internet connection, both to maintain security and to guard against possible corruption of evidence during an examination. The secondary machine would be utilized for conducting research or writing reports.

Another critical piece of equipment is a physical write blocker. This device sits between a hard drive seized as evidence and the forensic imaging machine. The critical difference between a physical write blocker and a plain USB or Thunderbolt connection is that the digital forensic examiner can be sure that no data is written to the evidence drive.
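The assurance a write blocker gives is only as good as the examiner's ability to demonstrate it, which is why acquisition notes record a hash of the evidence before imaging, a hash of the image, and a hash of the evidence again afterwards. The following is an added example, not code from the book or from any forensic tool vendor; it stands in a temporary file for the blocked device and uses a plain byte-for-byte copy in place of an acquisition tool, since the verification logic is the same either way. The `simulate_host_write` flag is an assumption of the example, modelling a host OS that touches the drive (for example by auto-mounting it) when no blocker is present.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a multi-terabyte device does not fill RAM


def sha256_of(path: str) -> str:
    """Return the SHA-256 hex digest of a file or raw block-device path, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_and_verify(source: str, image: str, on_connect=None) -> dict:
    """Image `source` into `image` and return the three hashes an examiner records.

    pre   : hash of the evidence before acquisition
    image : hash of the resulting image
    post  : hash of the evidence after acquisition
    The blocker held only if pre == post; the image is faithful only if pre == image.
    `on_connect` (hypothetical hook) runs after the pre-hash, where a host OS would
    get its first chance to write to an unprotected drive.
    """
    pre = sha256_of(source)
    if on_connect is not None:
        on_connect(source)
    # Bit-for-bit copy; a real acquisition would use dd/dc3dd/ewfacquire against the
    # blocked device, but the before/after comparison below is identical.
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    img = sha256_of(image)
    post = sha256_of(source)
    return {
        "pre": pre,
        "image": img,
        "post": post,
        "source_unchanged": pre == post,   # evidence integrity preserved
        "image_matches": pre == img,       # image is a faithful copy
    }


def _host_touches_drive(path: str) -> None:
    """Constructed stand-in for an OS mount updating metadata on an unblocked drive."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(b"MOUNTED!")  # overwrite a few bytes, as a journal replay might


def demo(simulate_host_write: bool = False) -> dict:
    """Run the acquisition against a constructed 3 MiB 'evidence drive' file."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "evidence_device.bin")
        image = os.path.join(workdir, "evidence_image.raw")
        with open(source, "wb") as f:
            f.write(b"EVIDENCE" * (3 * CHUNK // 8))  # deterministic sample content
        hook = _host_touches_drive if simulate_host_write else None
        return acquire_and_verify(source, image, on_connect=hook)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for blocked in (True, False):
        r = demo(simulate_host_write=not blocked)
        print(f"write blocker present={blocked}: source_unchanged={r['source_unchanged']}, "
              f"image_matches={r['image_matches']}")
```

With the blocker in place both checks pass; in the unblocked run the first write by the host changes the drive between the pre-hash and the copy, so the post-hash no longer matches and the discrepancy is visible in the acquisition record rather than discovered in court.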

The following image is the Tableau eSATA Forensic Bridge physical write blocker:

For digital forensic laboratories that conduct a higher number of imaging tasks, there is the option of including a dedicated forensic imaging station. This allows for quicker imaging of evidence drives and does not tie up a forensic workstation during imaging. The drawback is the cost and, if the CSIRT does not see a performance drop without it, the purchase may be hard to justify.

The CSIRT should also invest in a number of high capacity external USB drives. These are much easier to work with and use in the imaging process than traditional SATA or IDE drives. These drives are utilized to store an evidence drive image for further analysis. The CSIRT should have at least six of these high capacity drives available. Drives that have two to three terabytes of storage space can possibly store several images at a time. Smaller USB drives are also useful to have on hand to capture log files and memory images for later processing. With any of these USB drives, having the latest USB 3.0 version allows for faster processing as well.

Finally, digital forensic examiners that support a CSIRT should have a durable case to transport all of the necessary hardware, in case they must conduct an offsite examination. Many of these tools are fragile and would not stand the pounding delivered by baggage handlers at the local airport. The CSIRT should invest in at least two hard-sided cases like those in the following image. One case can transport hardware such as external hard drives and the second can transport a forensics laptop, minimizing potential damage through rough handling:
