A Toolkit for Forensic Duplications*

Item / Purpose
Digital camera / A digital camera is a good tool to prove the evidence was not damaged during your duplication. You will want to take a “before” and “after” photo of the original evidence.
Screwdriver with several sizes and types of bits / A screwdriver with different sizes and types of bits is always used during an engagement to remove parts, such as hard drives, from computers. We use a model that has all of the bits built into the handle to save space.
Flashlight / Frequently you will find your nose buried in a dark computer case, documenting connectors and other important information. A flashlight is a “must have” item.
Dremel tool / A Dremel tool is excellent for cutting small pieces of metal, polishing surfaces, and more.
Extra jumpers / You can never have enough jumpers. Frequently you will find that the hard drive you are trying to duplicate will have lost all of its important jumpers. You will need a jumper to set an IDE drive to master or slave, for example.
Extra screws (for cases and hard drives) / Similar to jumpers, you cannot count on all of the screws being in the suspect’s system.
Cable ties / Cable ties are needed when you have to cut a cable tie in the suspect’s computer to acquire a duplication. You should always return the computer in the same condition you found it.
Internal computer power extension cords / Power extension cords are needed to connect the suspect’s media to your forensic workstation.
Extra 40-pin IDE cables / When you attempt to duplicate an IDE drive, you will need low-density IDE cables to connect the media to your forensic workstation.
Extra 80-pin IDE cables / When you attempt to duplicate an IDE drive, you will need high-density IDE cables to connect the media to your forensic workstation.
SCSI cables / In addition to internal cables, external SCSI cables are often needed. SCSI cables come in 50- and 68-pin varieties. It is wise to have 50- to 68-pin converters available, too. In addition to 50- and 68-pin cables, Centronics to SCSI cables have been used in the past. Moreover, you may occasionally run into the 80-pin hard drive, so having the proper cables or converters around is valuable.
SCSI terminators / 50- and 68-pin active and passive terminators are often needed when duplicating SCSI devices.
Evidence worksheets / The worksheet is used to record information regarding each piece of evidence. One worksheet is used for each unique evidence tag.
Agent notes / These notes are used to record any relevant information such as conference calls, shipment tracking numbers, relevant findings, etc.
System worksheets / This worksheet is used to record information regarding each computer system. The sheet normally contains the following information: make, model, serial number, media evidence tags, expansion cards, peripheral connections, and physical location.
Evidence labels / Labels are used to mark each piece of evidence. Each label contains the case number, evidence tag number(s), contents, acquired by, and date.
Chain of custody forms / This can be a 4”x6” thick card that records the source individual, source location, destination individual, destination location, and transfer date.
Evidence custodian logs / This log contains information about new evidence submissions, old evidence disposition, and the evidence held for each case.
Evidence access logs / The log contains date, name, case number, time in, and time out.
Pens / Permanent fine-tipped pens are used to write on evidence and fill out the proper documentation.
Evidence envelopes / All evidence should be contained in a tamper-proof evidence envelope.
Evidence tape / Evidence tape can be used to show tampering if you store your evidence in a standard business envelope.
Anti-static bags / Hard drives are stored in anti-static bags to protect them from static discharge.
Evidence hard drives / Several large hard drives will be used to store the evidence after it is duplicated.
Boot floppies or CD-ROM / In order to acquire a duplication, we will need to boot from a trusted media source.
Blank CD-R/DVD-R / Often you will want to burn a modified bootable CD-ROM or provide your client/management with data. CD-R media is a good way to pass large sets (640MB) of data. If you need more space, DVD-R will allow you to pass 4.3 GB of data on one piece of media.
Blank floppies / Often you may need to modify a boot disk. Having extra floppies available enables you to do that.
Network hub or switch / A forensic duplication can be acquired over a network. This can be done safely by placing the suspect’s computer and your forensic workstation on a private network using a hub or switch and duplicating with software that supports this type of transfer.
Network cable / A network cable is needed when duplicating over a network. The hub/switch and cable can be replaced by a cross-over cable if space is at a premium in your fly-away kit.
Forensic software dongles / EnCase and FTK require a hardware dongle in order to operate. Remember to bring these items along, or your onsite analysis may be limited.
Power strip / You may have hubs and several computers when you are onsite. It is wise to bring a power strip so that you are not limited by the number of power outlets when you are away from your lab.
Operating system installation media / When you connect a new hardware device to your computer, you may be required to have a device driver. Having the OS installation media available will let you quickly install most of the drivers you need.

[*]Source: Jones, K. J. et al., Real Digital Forensics, Addison Wesley, 2006, pp. 164-166.