Researching Materials
First, it is important to take stock of what you actually need. Researching trends within the industry will assist in showcasing what other agencies, companies, and individuals are doing. There is quite an array of information and materials out there. The various standards are easy to locate, and the information security community is quite open. Check out some of these sources of information:
- The European Network of Forensic Science Institutes (ENFSI)
- The National Institute of Standards and Technology (NIST)
- The Scientific Working Group on Digital Evidence (SWGDE)
Gathering information from these sites will provide details on how forensic testing is being carried out, and what is going on in the world of forensics.
Workstation Materials
Next, a workstation of some kind is required. Any computer that is secure, has adequate power, and has an internet connection will be able to be used for this type of work. Here is a high-level overview of what your workstation should contain to appropriately handle doing forensic work.
- RAM – as much as possible (at least 4 gigabytes for virtualization)
- CPU – dual-core processor at minimum (quad-core or higher is optimal)
- Onboard sound and graphics
- USB 1 and 2
- DVD/CD-RW
- Large monitor or dual monitors
- Printer
- Network equipment (switch, router, etc.)
The SANS Investigative Forensic Tool Kit, or PALADIN by Sumuri, will provide an operating system in Linux that contains the necessary software to begin forensic tests. If you don't have a Linux computer, this can be accomplished using a virtual system on a Windows PC. There are a few virtual machine managers (hypervisors) on the market that can be used for free. VirtualBox by Oracle and VMWare Player are two such pieces of virtualization software.
Using Paladin
Let's concentrate on PALADIN, because it is a LINUX forensics suite that is a simple, affordable, all-in-one home solution for a digital forensics lab, though others may work for you as well.
Following the installation of a hypervisor like PALADIN, it is necessary to activate VT technology on the system. This can be done in the computer's BIOS (Basic Input Output System). Activate this technology on the processor chip so that virtual computers can be created. Any one of the hypervisors listed are in executable form after download.
Once downloaded and installed, a GUI menu will appear. Allocate resources (CPU, RAM, etc.) to the virtual device, then select the slot and ensure it has enough physical resources on the main computer to function.
Testing may be involved using the aforementioned hardware. Once this is done, simply insert the DVD-ROM that has been burned, point the hypervisor to the .ISO file, or use a USB thumb drive that has been prepared with the Sumuri PALADIN software. This will boot the Live OS and allow for an installation of Paladin Linux. Installation of this operating system is very similar to Kali Linux for penetration testing.
Paladin's Features
PALADIN allows the booting of a computer to a safe environment. It is a Live OS and can be used as such. PALADIN is an entirely self-contained forensic suite that includes Autopsy. It has a full GUI interface and is supported by every operating system file type. This GUI has similar features to enCase and other mediums for imaging, triage, and analysis, but in a free and open-source platform.
PALADIN also includes the following features:
- Logging – PALADIN contains a full-text logging suite that allows logs to be saved externally, and contains detailed information on imaging to go in concert with forensic images.
- IMAGER Module – allows for simultaneous image copies on Paladin.
- Image Converter Module – images can be converted into other types of images.
- Find Module – assists in quick location on volumes and directories, etc. In the field it is often necessary to find content quickly.
- Disk Manager Module – similar to disk druid or Disk Management on Windows. The real benefit is the ability to see and manipulate write-blocked media. This feature is beyond other OS disk management processes.
Lesson Summary
Digital forensics are used to analyze cyber incidents to track down cybercrime, and collect evidence to assist law enforcement in proving cases against cyber criminals. There are several computing mediums, hardware, and software devices available to forensic examiners to appropriately track these incidents.
Building a home network can be done through virtualization software and the use of PALADIN, a LINUX forensics suite that is a simple, affordable, all-in-one home solution for a digital forensics lab.
