Lesson 5, Topic 5
In Progress

Forensic Workstation

Lesson Progress
0% Complete

The following is a description of the basic hardware required for a forensic computer system. The aim is to define a type of system that provides the greatest flexibility and efficiency when performing digital forensics. Below are the most basic functions that any forensic activity may require, therefore the computer system should be able to perform all of them at a minimum:

  • Make a true and accurate copy of a hard drive to another hard drive or an image file.
  • Make a true and accurate copy of a hard drive to a removable and portable media.
  • Restore the true and accurate copy onto a second forensic hard drive from the removable media or image files.
  • Perform a media analysis of a subject drive or image file.
  • Machine hardware requirement

Please note the following specifications are considered to be top-end at the time of writing this document. Regular audit must be carried out to ensure that the hardware is compatible and capable of managing ever evolving computer processing and interface requirements. Also please note that multiple forensics laptops should be kept in a ready state as a backup to avoid delays due to hardware malfunction or failure.

Recommended Hardware Configuration

Motherboard and Processor

Sound

Any latest, reliable, high spec, fast and efficient motherboard and processor architecture can be used. Following is one possible configuration:

  • Intel Quad Core i7-3740QM CPU @ 3.60 GHz
  • 32 or 64-bit Architecture
  • 4MB Cache

A good quality sound card is required to record notes (if required) while performing investigations. One possible configuration is below:

  • Realtek High Definition Audio Sound Card
  • Headphone Output support
  • Mic Input support

Connectivity

Video Output

The system must have appropriate connectivity configured ready to connect to any available secure network through wire or wireless. One possible configuration is below:

  • Intel 82579LM Gigabit Network Ethernet
  • Intel Centrino Advanced N6205 Wireless

The system should be able to connect to external video monitors to extend the display or project to larger outputs supporting DVI and VGA. One possible configuration is below:

  • Intel HD Graphics 4000
  • NVIDIA Quadro K1000M

Security

Peripheral Ports

The system must be secure with appropriate access control to avoid any compromise of the forensic activity and subsequently of the evidence. Using a fingerprint reader can provide a good hardware based biometric control:

  • Built-in Fingerprint Reader

The system must support all modern interfaces including the following:

  • USB 2.0
  • USB 3.0
  • FireWire
  • Card Reader

Battery and Power Adaptor

RAM

The system must have long battery backup available and equipped with fast charging power adaptor. There must be spare batteries and power adaptor available. One possible configuration is below:

  • Nine cell 94Wh long life battery
  • 170W fast charging power adaptor
  • Various plugs including configuration for European, US, Asian and UK outlets.

Large capacity and high performance RAM is very helpful to support the processing power requirements of a forensic activity. With the launch of laptops capable of supporting up to 32 GB RAM one possible configuration could be:

  • 4 x 8GB DDR3 PC3-12800 / CL=11 / Unbuffered / NON-ECC / DDR3-1600 / 1.35V / 1024Meg x 64 

Hard Drive

Optical Drive

Having a reliable and large storage is always beneficial. Solid State Disks are a very reliable means of providing cheap space. One possible example is:

  • Samsung 1TB 840 EVO Series SATA 6Gb/s 2.5″ Solid State Drive

The system must be equipped with an optical drive to allow reads/write operations as required for backups and/or installation of new tools. One possible option is below:

• LG GT80N DVD Rewriter w/ M-DISC