Some months ago, I survived yet another round of layoffs at a struggling dot-com. With the writing so clearly on the wall, I decided it was time to pick up new skills. My interest in infosecurity drew me to computer forensics. A firm believer in hands-on learning, I set out to build a forensics workstation from the desktop up and to learn as much as possible about what makes a "best-of-breed" station.
With little experience in such a project, I turned to the forensics list on SecurityFocus. Armed with advice from the list, I set about building my box.
Building a workstation from scratch has some distinct advantages, not the least of which is ensuring that you have all the right hardware and software. However, as a practical matter, I opted to take an existing box -- I had a bunch of reasonably fast Dells at my disposal -- and modify it.
Typical add-ons for forensics systems include a read-write CD drive, a tape drive, extra memory and removable drive bays. IDE drives are most common, but a SCSI controller can come in handy for the exceptions. Ideally, a forensics station has bays for both. A good monitor is crucial, as the work calls for hours of staring at the screen. Since most of my extra equipment consisted of unused PCs from the dot-com's LAN, I had to keep it simple: an extra hard disk to install different OSes on separate physical drives, more memory to boost performance of forensics tools and a CD-RW for copying evidence files.
Choosing operating systems came next. One oft-made suggestion by list members was to use at least two OSes, one Windows (any incarnation) and a flavor of Linux. I installed Windows 98 and RedHat 7.1. Installing the OSes on separate disks makes recovering from a bad disk or corrupted partition easier. Installing two OSes gave me more flexibility and a wider selection of tools.
With the hardware and platforms in place, the next step was selecting forensics tools. At a bare minimum, I wanted the tools for imaging hard disks and examining as many different types of files as possible without altering any data -- a key requirement of computer forensics. One of the first things I learned was that the ability to perform searches (for specific patterns in the files) is crucial. Since my goal was to learn as much as I could give my limited resources, I wanted to try out the industry's most widely accepted tools, such as Guidance Software's EnCase (www.guidancesoftware.com), even if I could only use them in a limited capacity.
The bad news for me is that most professional packages are expensive. The good news is that many of them are available in demo versions, and some of the most useful tools are free. Here's what I selected:
- EnCase is the hands-down leader in stand-alone forensics analysis software. EnCase is loaded with features, and is widely accepted in court. Users can examine files, including deleted files and unallocated data. It produces reports and extracts without altering the original data. Unfortunately, EnCase's demo version only works on vendor-supplied case files. So while I could familiarize myself with EnCase's features, I couldn't use it on either of my test disks.
- SafeBack from New Technologies creates and restores hard disk images without altering data. It's fast, fits on a single floppy and can make copies directly from hard disk to hard disk. I was interested in it for its ease of use, simplicity and speed. It performed well on all counts. Although it's only available to the law enforcement community, I was lucky enough to obtain a copy through a company for whom I did some contract work.
- dd (Data Dumper) is a free utility available for all Unix-based systems for forensic duplication. It's extremely reliable when used correctly. Using dd with a properly configured Linux system will prevent accidental data alteration.
- Quick View Plus from Jasc Software will open more than 200 file types. This is a valuable forensics tool, because I knew I would encounter file types that I'd never seen before.
- md5sum is great for hashing files and disks to prove that they haven't been tampered with during the analysis process. Through the SecurityFocus list, I learned that preserving the chain of custody of digital evidence is just as important as the investigative work of forensics. The Unix utility is free with GNU's (www.gnu.org) textutils package, a set of utilities for manipulating text.
- Winhex, by State-of-the-Art Software is an inexpensive hex, disk and RAM editor. Its data analysis feature allows for the identification of certain file types (such as images) in unknown data, like that of recovered files. It has many other features, including drive imaging and deleted data recovery.
- Maresware is a suite of DOS command-line forensics utilities written by Dan Mares. This set of tools consists of about 30 programs, including hash calculators (for files and disks), wiping utilities and search tools. Many of the tools are available in demo versions. However, one caveat is that most of the 32-bit versions won't run in a true DOS environment, while the 16-bit versions in DOS won't understand long file names. I got the most out of its utilities by running the 32-bit versions in a DOS command-line window on a Windows machine.
I now had the basics of a solid forensics workstation. The next step was to put my creation to the test. Test subjects included a disk from one of my older Windows 95 workstations and a Linux box that had once been a Web server.
Since building this workstation was my first step along the forensics path, I stuck to very basic testing. I wanted to make some forensic images, familiarize myself with some of the tools and be able to examine and perform some basic searches on files. With a little work and experimentation, I was able to find at least one tool for every purpose. I also learned the importance of having multiple tools at my disposal: Even if two tools can perform the same functions, one might be better suited to the task at hand. I also discovered that having two different tools is useful in verifying results.
At the end of my experiments, I was very satisfied with the workstation I had built with the resources available. My forensics workstation was hardly of a professional caliber, given my inexperience in the field, my reliance on demo versions and my lack of a working copy of EnCase. As a learning tool, however, it was first-rate. I now have a much better understanding of what the pros use, and know a good deal more about how forensics investigations are conducted.
About the author: Elizabeth A. Genco is a Unix admin for Community Connect in New York City.