Digital Forensics Equipment Flashcards
Equipment
Collecting evidence in digital forensics investigations is something that takes careful planning and preparation and if the investigator doesn’t have the proper toolkit, then the evidence may become compromised. Many law enforcement departments around the globe have dedicated forensic laboratories where they can analyze evidence in a manner that will prevent it from being tampered with. As an investigator, you will need to have the same kind of tools at your disposal, comparable to what you would find in a laboratory.
Forensic Laptop or Workstation
Bringing a laptop specifically designated for digital evidence can be essential when gathering the evidence at the scene or capturing evidence that may be in memory. Popular Linux distributions such as CAINE or DEFT can often be found on these laptops, as well as commercialized systems for law enforcement.
Electro-Static Evidence Bags with Tamper-proof Stickers
Electro-Static Evidence Bags will help protect any sensitive digital components from Electro-Static Discharge (ESD) during the transport of the evidence from its initial location, to a secure lab environment. Labeling is often applied to these bags to let investigators know what is contained inside of them. Having bags or stickers that are sealed, and the seal must be physically broken to gain access to the evidence within is critical to ensure the chain of custody is maintained, and that evidence is not tampered with whilst in storage or transit.
Labels
Labeling is essential when conducting any kind of evidence collection. Knowing what piece of hardware is, helps yourself and other people in the chain of custody determine what the evidence is, without having to go inside of it.
Photographs
Digital cameras can be used to document how IT equipment was found to maintain the Chain of Custody. It can show what cables were plugged in to a server, what external hard drives were connected to a laptop, what was on the screen, and much more.
Grounding Bracelets
Similar to Electro-Static Bags, grounding bracelets are important for investigators to use, to ensure that when handling evidence, they do not inadvertently compromise or damage the evidence.
Hardware Write-Blockers
Hardware Write Blockers can be an essential piece of equipment that will ensure that your evidence has not been tampered with. It can either be software on your forensic laptop, or a hardware device that permits read-only access to data storage devices without compromising the integrity of any data that may be contained on them.
Blank Hard Drives
In the event that you need to copy data on-site, having blank hard disks are an essential piece of hardware to have in your toolkit. These can be used in conjunction with write-blockers to copy the disk to another one without making any writeable changes to the media. Drives used for forensic work need to be extremely high capacity, especially if bit-by-bit copies of suspect hard drives are being copied. The size of the receiving drive must always be higher than that of the original drive.
Specialist Equipment
In some cases, specialized equipment/software is used on the scene to assess the digital evidence that was found. This can include:
Wireless Stronghold/Faraday Boxes – to block any wireless signals from reaching the evidence, preventing remote access or wiping.
Specialized Write-Blockers – write-blockers that could also be used on cell phones, GPS devices, IoT devices, and other non-standard hard drives.
Phone Jammers – acting the same as a faraday box or wireless stronghold.
Dedicated Flash Drives – containing tools like Encase, FTK, CSILinux, and MacQuisiton.
