The Forensic Analysis Workstation should be as high-end as possible. This should be equipped with the fastest processors available and the maximum amount of memory. The fastest available workspace drives should be included.
Due to budget limitations, the following two equipment configurations have been used and tested in the preparation of this report.
• A-Bit VP6 Motherboard
• Dual Pentium III 866 MHz Processors
• 2 GB PC133 Memory
• 1 80 GB Western Digital Hard Drive
• 1 40 GB Maxtor Hard Drive
© SANS Institute 2006, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
• 1 250 GB Seagate Hard Drive (SMB Network Shared drive)
• 1 300 GB Seagate Hard Drive (SMB Network Shared drive)
• 1 DVD-RW 4X Drive
• 1 CDR 40X
• 1 3.5-inch, 1.44 MB Floppy
• 1 Dell 920 Inkjet Printer/Scanner

• Intel 815EEA Motherboard
• Pentium III 1 GHz Processor
• 512 MB PC133 Memory
• CDRW 40X
• 2 IDE Hard Drive Removable Carriages and Trays
• 1 5-port USB 2.0 Interface Card
2.4.1.1. Identify USB-IDE Adapter.
Step 1. Ensure the USB-IDE adapter is powered off.
Step 2. Obtain the evidence disk drive from the Evidence Custodian, if appropriate.
Step 3. Verify the evidence tag and case description to ensure you have the proper evidence.
Step 4. Remove the disk drive from its anti-static bag.
Step 5. Connect the disk drive to the USB-IDE write protect adapter via the 40-pin plug.
Step 6. Connect the power plug.
Step 7. Turn on the USB-IDE write protect adapter.
Step 8. View /var/log/messages to determine when the device is recognized by the system.
Command: tail -f /var/log/messages
Sample Output:
Initializing USB Mass Storage driver...
scsi0 : SCSI emulation for USB Mass Storage devices
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
usb-storage: device found at 2
usb-storage: waiting for device to settle before scanning
Vendor: WDC AC26 Model: 400B Rev: 32.0
Type: Direct-Access ANSI SCSI revision: 00
Vendor: BlBlBlBl Model: BlBlBlBlBlBlBlBl Rev: BlBl
sda: Write Protect is off
sda: Mode Sense: 00 14 00 00
sda: assuming drive cache: write through
SCSI device sda: 12594960 512-byte hdwr sectors (6449 MB)
sda: Write Protect is off
sda: Mode Sense: 00 14 00 00
sda: assuming drive cache: write through
sda: sda1
sd 0:0:0:0: Attached scsi disk sda
SCSI device sdb: 1701602668 512-byte hdwr sectors (871221 MB)
sdb: Write Protect is off
sdb: Mode Sense: 00 14 00 00
sdb: assuming drive cache: write through
SCSI device sdb: 1701602668 512-byte hdwr sectors (871221 MB)
sdb: Write Protect is off
sdb: Mode Sense: 00 14 00 00
sdb: assuming drive cache: write through
sdb:<6>usb 1-5: reset high speed USB device using ehci_hcd and address 2
usb 1-5: reset high speed USB device using ehci_hcd and address 2
usb 1-5: reset high speed USB device using ehci_hcd and address 2
NTFS driver 2.1.26 [Flags: R/W MODULE].
After the device is recognized by the forensic workstation, the investigator needs to determine how to properly address the disk drive. The first highlighted block of text above shows the system recognizing the recently attached disk drive as one of the “USB Mass Storage devices.” The system will use SCSI emulation to access the device: “scsi0 : SCSI emulation for USB Mass Storage devices.” The disk drive was identified as “WDC AC26 Model: 400B.” Three additional pieces of information are very important. The first is “SCSI device sda: 12594960 512-byte hdwr sectors (6449 MB)”; this identifies the disk drive as SCSI device “sda,” and the “sda” address will be used to access the drive. The second is that the disk drive is not write protected: “sda: Write Protect is off.” This is why it is important to have a hardware write protection device. The third is “sda: sda1,” which states that the disk drive has one valid partition, “sda1.” To access that partition the address “sda1” will be used.
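The three facts picked out of the log above (device address, write-protect flag, partition list) can be pulled out mechanically. The following Python is an added example, not part of the paper; the sample text is a constructed, trimmed copy of the messages shown above, and the function and regex names are my own.

```python
import re

# Constructed sample: the /var/log/messages lines shown above, trimmed to the ones that matter.
SAMPLE_MESSAGES = """\
scsi0 : SCSI emulation for USB Mass Storage devices
  Vendor: WDC AC26  Model: 400B  Rev: 32.0
SCSI device sda: 12594960 512-byte hdwr sectors (6449 MB)
sda: Write Protect is off
sda: Mode Sense: 00 14 00 00
 sda: sda1
sd 0:0:0:0: Attached scsi disk sda
SCSI device sdb: 1701602668 512-byte hdwr sectors (871221 MB)
sdb: Write Protect is off
"""

DEVICE_RE = re.compile(r"SCSI device (sd[a-z]+): (\d+) (\d+)-byte hdwr sectors")
WP_RE = re.compile(r"^(sd[a-z]+): Write Protect is (on|off)$")
PART_RE = re.compile(r"^(sd[a-z]+): ((?:sd[a-z]+\d+\s*)+)$")   # e.g. "sda: sda1"

def parse_scsi_devices(text):
    """Per disk, collect the three facts the text calls out: size, write-protect flag, partitions."""
    devices = {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = DEVICE_RE.search(line)
        if m:
            devices[m.group(1)] = {"sectors": int(m.group(2)), "sector_size": int(m.group(3)),
                                   "write_protect": None, "partitions": []}
            continue
        m = WP_RE.match(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["write_protect"] = m.group(2) == "on"
            continue
        m = PART_RE.match(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["partitions"] = m.group(2).split()
    return devices

def disk_mb(info):
    """Capacity in decimal MB, rounded the same way the kernel message prints it."""
    return (info["sectors"] * info["sector_size"] + 500_000) // 1_000_000

def summarize(devices):
    """One line per disk naming the /dev node(s) the investigator will address."""
    lines = []
    for dev, info in sorted(devices.items()):
        nodes = ", ".join("/dev/" + p for p in info["partitions"]) or "no partition seen"
        wp = "on" if info["write_protect"] else "off (hardware write blocker required)"
        lines.append(f"/dev/{dev}: {disk_mb(info)} MB, write protect {wp}, partitions: {nodes}")
    return lines
```

A disk that reports "Write Protect is off" with no partition line, as sdb does here, is still addressable as a whole device, so the summary keeps it in view rather than dropping it.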
2.4.1.2. Printers.
locations. Ensure that software drivers are included as part of the Jump Kit.
• 1 USB Color Inkjet printer
• 1 USB Laser printer
• 1 Box of Printer Paper
• 1 Extra Toner Cartridge
• 1 Extra Inkjet Cartridge
2.4.2. Media.
2.4.2.1. Preparing Work Media.
Preparing digital evidence work media is essential to any forensic investigation.
The investigator must ensure that only digital evidence from the current investigation is being accessed or referenced. Contamination from previous casework can cause irreparable case damage for the client, the investigator and legal authorities. All media, including hard drives, must be completely overwritten with binary ones, binary zeros and then a fixed known pattern for easy recognition. The Department of Defense (DoD) hard disk wiping standard recommends 7 write passes before the drive is considered clean of previous data. The following is a list of randomly picked utilities advertised as compliant with the US DoD 5220.22-M standard for drive wiping: Paragon Software Disk Wiper 7.0, Jetico Inc. BCWipe 3.0, Active@ Kill Disk - Hard Drive Eraser, Acronis Drive Cleanser 6.0, ZDelete.NET Disk Wiper, AEVITA Wipe and Delete. This list is not comprehensive and should not be considered as such. After the drive has been wiped to the investigator’s satisfaction, the drive or media can be formatted or used to receive a forensic image.
2.4.2.2. Sanitizing Removable Media.
All removable media should be sanitized and formatted before use. The media should be sanitized in accordance with the DoD 5220.22-M standard. After the media has been sanitized, it must be formatted for use. Only media with zero defects should be used in forensic processing. The media should have a new label affixed to its exterior surface, reflecting the date and the signature of the person responsible for certifying the media. If DoD 5220.22-M approved software is not available for the sanitization process, the following procedure can be substituted as an interim solution. This procedure follows DoD guidelines in writing data to all the sectors on the disk 7 times: we alternate writing zeros and random data to every sector on the disk, for a total of 7 writes.
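As an added illustration of the seven alternating passes just described (my own Python, not the paper's interim procedure or any of the listed products), the function below overwrites a target in passes of zeros and random bytes, syncs after each pass, and verifies the final zeros pass. The zeros-first ordering, chunk size and function names are assumptions; the demo runs against a constructed temporary file rather than a disk.

```python
import os
import tempfile

CHUNK = 1024 * 1024   # bytes per write; keeps memory flat on large devices
PASSES = 7            # the seven-pass, zeros/random alternation described above

def pattern_for(pass_no, size):
    """Odd passes (1, 3, 5, 7) write zeros, even passes (2, 4, 6) write random bytes (assumed order)."""
    return bytes(size) if pass_no % 2 == 1 else os.urandom(size)

def wipe_target(path, passes=PASSES):
    """Overwrite every byte of the file or block device at `path` `passes` times.
    Returns the pattern names written, in pass order."""
    written = []
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)        # valid for block devices, unlike os.path.getsize()
        for pass_no in range(1, passes + 1):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                buf = pattern_for(pass_no, n)
                while buf:                    # unbuffered writes may be short; push until done
                    buf = buf[f.write(buf):]
                remaining -= n
            os.fsync(f.fileno())              # force this pass onto the media before the next
            written.append("zeros" if pass_no % 2 == 1 else "random")
    return written

def all_zero(path):
    """Verification read after the final (zeros) pass: True only if every byte is 0x00."""
    with open(path, "rb", buffering=0) as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True

def demo_wipe(size=256 * 1024):
    """Constructed stand-in for a disk: a temp file of 0xAA bytes, wiped and then verified."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"\xaa" * size)
        return wipe_target(path), all_zero(path)
    finally:
        os.unlink(path)
```

On real work media, point wipe_target at the unmounted whole-device node identified in 2.4.1.1 (for example /dev/sdb, not a partition), and confirm the node against the kernel messages before running, since the function writes to whatever path it is given.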