Friday, March 16, 2007

An Inexpensive Forensic toolkit

What should you have in a basic homebuilt forensic toolkit? What can you do without specialized tools? We'll cover what you should have in a portable IR forensic toolkit if you're on a tight budget, with an emphasis on freebies and using inexpensive commodity tools and software. In our next article, we'll talk about what a well equipped forensic toolkit might contain if you aren't budget constrained.

A full kit composed only of commodity items many systems administrators have at hand:

  • Screwdrivers (Phillips at the very least)
  • USB 2.0/Firewire drive enclosure or a USB 2.0 -> IDE bridge device and 12v molex power adapter. Remember to check that your enclosure works with your Linux LiveCD.
  • SATA->IDE Adapter OR USB 2.0/Firewire -> SATA enclosure - having the adapter is lighter than carrying two enclosures.
  • 2.5" -> 3.5" laptop hard drive adapter
  • Spare hard drive jumpers
  • Known good ATA and SATA cables - in my experience, problem ATA cables are one of the most annoying issues when imaging drives.
  • A capacious thumbdrive - a 1 GB drive is a good start, and one with a write-block switch is a good idea.
  • A portable external USB/Firewire hard drive - larger is better - try to have at least the maximum size drive that your environment has deployed for a single desktop or server. You can cheat a bit and carry just one enclosure and a drive to put in it if you are attempting to travel light and don't anticipate needing to copy from a drive in the enclosure while you're using the big drive.
  • IR and forensic LiveCDs.
  • A notebook and pens - do not use pencil!
  • A laptop with supported chipsets for your forensic CD of choice for USB/Firewire, NIC, and other critical hardware.
  • A crossover network cable, in case you need to connect your laptop to the system you're imaging. If you don't have a crossover cable handy, a pocket hub or switch and some standard ethernet cables will work nicely.
  • Anti-static bags for transporting drives. I like to carry the plastic clamshells that drives ship in to put drives in when I have to take them with me.
  • Stick on labels to label drives and devices - something that will stay on, but peels off easily.
  • A black fine-tip permanent marker for labeling devices
  • Blank CDs and DVDs
  • An extension cord and/or power strip with a long cord
  • Business cards to leave so that you can be contacted

Total toolkit cost should be <$300 excluding the laptop, even if you have to buy all of this new. This toolkit provides the hardware you need to get a system open, pull most commodity drives, and walk away with a good image. If you're just doing forensics as part of an incident response investigation and don't have to maintain evidentiary standards, this will get you where you need to go in most cases. This is also the sort of toolkit that many administrators could scrape together on short notice out of their standard administrator's toolkit, meaning that the tools you need are likely already at hand. In addition:
  • If you frequently work with SCSI, you should have SCSI adapters - a SCA -> 68 pin adapter, a HD50 -> 68 pin adapter, and spare terminators. You'll also need a SCSI card or SCSI adapter. Sadly, I haven't run into a quality USB 2.0 -> SCSI bridge device yet.
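Since this kit has no disk duplicator with built-in MD5 verification, the "good image" step falls to dd and md5sum on the LiveCD. The script below is an added example, not part of the original post: it refuses a mounted source, images sector by sector, hashes source and image, and writes every step to a log you can copy into the notebook. The device and output paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a commodity-tool stand-in for a
# disk duplicator with MD5 sum capabilities, run from a Linux LiveCD.
# Assumptions: SRC is the suspect drive (e.g. /dev/sdb once it sits in your USB
# enclosure and the LiveCD has NOT auto-mounted it), DST is a file on the big
# external drive, LOG is a text file whose lines you copy into the notebook.
# This is not a write blocker: it only refuses to start if SRC is mounted.

log_line() {  # log_line LOG MESSAGE...  (timestamped entry for the notebook)
    log="$1"; shift
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" | tee -a "$log"
}

md5_of() {  # md5_of PATH  (works on a file or a whole block device)
    out=$(md5sum < "$1") || return 1
    echo "${out%% *}"
}

# acquire_image SRC DST LOG: returns 0 only if source and image hashes match
acquire_image() {
    src="$1"; dst="$2"; log="$3"
    # A mounted source can change under us (journal replay, atime updates).
    if grep -qs "^$src " /proc/mounts; then
        log_line "$log" "REFUSED: $src is mounted" >&2; return 1
    fi
    if [ -e "$dst" ]; then
        log_line "$log" "REFUSED: $dst already exists" >&2; return 1
    fi
    # Hash the source first so the pre-acquisition state is on record.
    src_md5=$(md5_of "$src") || return 1
    log_line "$log" "source $src md5=$src_md5"
    # noerror keeps going past unreadable sectors; sync pads each failed read
    # with zeros so later offsets stay correct. bs=512 (one sector) matters:
    # sync pads to a full block, so a bigger bs would pad the end of any drive
    # whose size is not a multiple of it and the hashes would never match.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || {
        log_line "$log" "dd failed for $src" >&2; return 1; }
    dst_md5=$(md5_of "$dst") || return 1
    log_line "$log" "image  $dst md5=$dst_md5"
    if [ "$src_md5" = "$dst_md5" ]; then
        log_line "$log" "VERIFIED: source and image hashes match"
    else
        log_line "$log" "MISMATCH: check cables and re-image" >&2; return 1
    fi
}

# From the LiveCD: sh acquire.sh /dev/sdb /mnt/evidence/case1.dd /mnt/evidence/case1.log
if [ "$#" -eq 3 ]; then acquire_image "$@"; fi
```

The dd stderr (record counts and any read errors) lands in the same log, so a drive with bad sectors leaves a trace of exactly where the zero padding went.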

What you don't have in this kit:
  • Commercial analysis software like FTK or Encase
  • A commercial disk duplicator with MD5 sum capabilities.
  • Write blockers (although these can be had for less than $200 now)
  • Large scale long term mass storage

We'll discuss a pro level forensic kit next time! Don't forget to check out our earlier posts on digital forensics tips.