Case Study on Physical devices used in Computer forensics. Presented by – Vishal Tandel


Page 1: Case study on Physical devices used in Computer forensics

Case Study on Physical devices used in Computer forensics

Presented by –

Vishal Tandel

Page 2

Introduction

• Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics follows a similar process to other forensic disciplines, and faces similar issues.

• Computer forensics is a very important branch of computer science in relation to computer and Internet related crimes. Earlier, computers were only used to produce data, but the field has now expanded to all devices that hold digital data. The goal of computer forensics is to support crime investigations by using evidence from digital data to establish who was responsible for a particular crime.

Page 3

Forensics Systems

• The F.R.E.D. family of forensic workstations consists of integrated forensic processing platforms capable of handling the most challenging computer case. Available in mobile, stationary and laboratory configurations, these systems are designed for both the acquisition and examination of computer evidence. F.R.E.D. professional forensic systems, and the Digital Intelligence UltraBay 3d universal write protected imaging bay, deliver the ability to easily duplicate evidence directly from IDE/SAS/SATA hard drives, USB devices, Firewire devices, CDs, DVDs, LTO-4 tapes and PC Card/Smartmedia/SD-MMC/Memory Stick/Compact Flash media in a forensically sound environment.

Page 4

FRED and FRED DX

• FRED is our Forensic Recovery of Evidence Device. The FRED family of forensic workstations are highly integrated, flexible and modular forensic platforms and now include DI's exclusive UltraBay 3d Write Protected Imaging Bay.

• The UltraBay 3d™ and UltraBay 3™ (available on FREDDIE and uFRED) are the industry's first USB 3.0 integrated forensic bridge that includes a touch screen display and a graphical user interface for acquisition process monitoring (when using Tableau Imager).

Page 5

• The industry's first USB 3.0 integrated forensic bridge.

• Completely integrated / internal system solution.

• Integrated Write Blocked (Read-Only) Ports:
  • SAS
  • SATA
  • IDE
  • USB 3.0/2.0/1.1
  • FireWire 400/800

• Touch screen with a graphical user interface (GUI) for acquisition process monitoring.

• Full multi-LUN FireWire acquisition support is provided for Write Protected imaging of Apple Mac systems booted to FireWire device mode.

• Firmware updates available at no charge through Tableau Firmware Update.

• Full HPA/DCO support for SATA and IDE devices.

• FireWire write-blocked port has a 9-pin FW800 connector and supports both FW400 and FW800 devices.

Page 6

Standard Configuration        FRED        FRED with 1 RAID    FRED with 2 RAID
FRED - Core i7 MB             $5,999      $8,549              $9,349
FRED DX - Dual Xeon MB        $7,999      $10,549             $11,349

Page 7

FREDDIE

• FREDDIE stands for Forensic Recovery of Evidence Device (Diminutive Interrogation Equipment). FREDDIE is a highly portable solution which meets both imaging and processing requirements.

FREDDIE Standard w/UltraBay 3 – SKU: F2010, $7,999.00

• FREDDIE is the ultimate solution in mobile forensic processing power. FREDDIE is the little brother of our larger FRED unit. Like its older brother, FREDDIE is a highly integrated, flexible and modular forensic platform designed from the ground up for both the acquisition and analysis of computer evidence with the added advantage of being highly portable. FREDDIE uses the same motherboard, and many of the same components, as our larger FRED unit. The removable devices in our custom forensic bays can be used in both FRED and FREDDIE.

Page 8

• FREDDIE is designed for use “On Location” at electronic crime scenes. Remove the hard drive(s) from the suspect system, plug them into FREDDIE and acquire the electronic evidence. FREDDIE is designed to acquire data directly from IDE/EIDE/ATA/SATA/ATAPI/SAS/USB/Firewire hard drives and storage devices. No more worrying about the problems encountered trying to configure parallel devices on suspect equipment in order to use external backup devices.

Baseline FREDDIE Specifications
• 14" High, 17 1/4" Wide, 10 1/4" Deep - 55 lbs
• Intel Core i7-4820K CPU (Quad Processor), 3.7 GHz, 10MB Intel Smart Cache, 5 GT/s DMI
• 32 GB (4x8GB) PC3-12800 DDR3 1600 MHz Memory
• 1 x 500 GB 10,000 RPM SATA III Hard Drive - OS Drive
• 1 x 128 GB Solid State SATA III Hard Drive - Temp/Cache/DB Drive
• 1 x 2.0 TB 7200 RPM SATA III Hard Drive - Data Drive

Page 9

FRED SR

• FRED SR (Dual Xeon) is the highest performance member of the FRED family of forensic workstations. FRED SR has all the functional capabilities of a FRED system with the addition of components optimized for the absolute highest level of processor, memory, and I/O performance.

FRED SR Standard – SKU: F3120, $14,999.00

Page 10

Baseline FRED SR Specifications
• Dual (2) Intel Xeon E5-2620 v2 CPU, (Hex Core) 2.1 GHz, 15MB Cache, 7.2 GT/s Intel QPI
• 32 GB PC3-12800 DDR3 1600 MHz ECC Memory
• 1 x 500 GB 10,000 RPM SATA III Hard Drive - OS Drive
• 1 x 128 GB Solid State SATA III Hard Drive - Temp/Cache/DB Drive
• 1 x 2.0 TB 7200 RPM SATA III Hard Drive - Data Drive installed in HotSwap Bay 1
• 22" WideScreen LCD Monitor with Built-in Speakers

Page 11

FREDL

• FREDL is our Forensic Recovery of Evidence Device - Laptop. FREDL is the ultimate solution in mobile forensic imaging convenience and includes our UltraKit - the preferred mobile forensic acquisition solution.

FREDL w/UltraKit – SKU: F4110, $4,999.00

• The FREDL forensic laptop and the included UltraKit work together to quickly, efficiently and securely image IDE, SATA, SAS and USB hard drives in a forensically sound environment. FREDL is built on the very latest and fastest in i7 Processor technology.

Page 12

[Figure: FREDL laptop views – left, front, right, top, back and bottom]

Page 13

Baseline FREDL Specifications

• Intel Core i7-4810MQ Quad Core Processor, 2.8 GHz, 6MB L3 Cache

• 8 GB DDR3 1600 PC3-12800 Memory
• 256 GB Solid State internal SATA Drive
• Intel HM87 Chipset
• 15.6" Full HD (1920x1080) LED Backlit Display
• nVidia GeForce GTX 870M with 6 GB GDDR5 VRAM
• Internal 6x BD-R BluRay Burner / 8x DVD +- R / 2.4x +DL Super Multi Combo Drive
• Integrated Components:
  • 10/100/1000 Mbps Ethernet LAN
  • 802.11a/b/g/n Wireless LAN + Bluetooth (Intel 6235AGN)
  • Card Reader 9-in-1 (MMC/RSMMC/MS/MS Pro/MS Duo/SD/Mini-SD/SDHC/SDXC)
  • 2.0 Megapixel Digital Video Camera
  • High Definition Audio
  • Microphone
  • Speakers (2)
  • 19mm Full-Size Keyboard with numeric keypad - Illuminated
  • Touch Pad pointing device (2 buttons) with scroll function
  • Finger Print Reader
• Ports:
  • 1 HDMI Port
  • 1 DisplayPort 1.2
  • 1 Mini DisplayPort 1.2
  • 1 Headphone jack
  • 1 Microphone jack
  • 1 Line-In jack
  • 1 S/PDIF output jack
  • 1 RJ45 LAN jack
  • 1 USB 2.0 port
  • 3 USB 3.0 ports
  • 1 IEEE 1394a
  • 1 E-SATA Port (USB 3.0 Combo)
• Li-Polymer 8 Cell, 5200mAh, 79.96Wh Battery Pack
• Kensington Lock
• Universal AC Adapter (100~240V AC 50/60hz)
• Dimensions: 14.76 x 10.55 x 1.73 (inch)
• Weight: 7.28 lbs (complete system + battery)

Operating Systems Included: Windows 7 Ultimate (64 bit), Windows 98 Standalone DOS.

Page 14

FREDC FORENSIC NETWORK

• A Forensic Network is a series of processing and imaging computers connected and integrated directly with a high-speed, high-capacity server to share resources. The file server operates as the core of the Forensic Network and can be used as a central storage facility for Forensic Images as well as applications software for use by the client processing and imaging stations. Workstation clients on the network perform the actual imaging and processing tasks, while the central file server stores the images and case work.

• The FREDC is a fully configured, private cloud, for Forensic Storage. Centralized Storage, centralized administration, centralized security, and centralized backup! All the things that made REAL file servers great - all in a platform fast enough to make it worthwhile! Unlike other generic "IT-Centric" network solutions, the FREDC has been designed from the ground up to be fast and reliable for direct forensic imaging and processing to/from the server itself. While other solutions require secondary copies to network storage, the FREDC systems have been designed for the direct ingest and processing of data. No need for closets full of old hard drives or massive amounts of local workstation storage!

Page 15

FREDC Features

• 10GB Ethernet Network (10GBase-T) for Compatibility: 10GBase-T Network Infrastructure is backwardly compatible with Standard Gigabit Ethernet Interfaces and Cables. Use Cat6A cables and 10GBase-T adapters for 10G speeds. Connect legacy Gigabit devices using standard Cat5e cables and Interfaces. Even legacy Gigabit workstations can achieve forensic imaging speeds of up to 6.6 GB/Min using this network! Use what you have now and upgrade your connectivity as you move forward!

• Integrated Backup/Archive Software and Hardware: A 16-Tape Robotic Tape Library and Enterprise-class software is included with each system. Fifteen Ultrium-5 Tapes (3TB Compressed/1.5 TB Native capacity per tape) are included. We even include a cleaning cartridge! The Enterprise-class Backup and Archive software has been pre-installed and configured. Training is provided on the use of the software with special focus on suggested methods to protect and archive your forensic case work.

FREDC Configured With 4 RAIDs and 3 FREDs

Page 16

FORENSIC WRITE BLOCKERS

• With operating systems becoming more complex, it is increasingly important to protect fragile computer evidence. Be confident about maintaining the integrity of your data during examination with hardware write protection devices from Digital Intelligence.

• Digital Intelligence designs and offers parallel IDE, serial ATA and SCSI hardware write blockers, as well as other custom solutions, to effectively address specific write blocking requirements. Learn how our UltraKit, UltraBlock, FireFly, FireBlock, SCSIBlock and FireChief devices can maintain the integrity of your evidence.

• The UltraKit III is a portable kit which contains a complete family of UltraBlock hardware write blockers along with adapters and connectors for use in acquiring a forensically sound image of virtually any hard drive or storage device you may encounter. Simply select the appropriate Write Protected UltraBlock and attach it to the source drive and use your desktop or laptop to acquire a forensically protected disk image to an internal drive or externally connected drive enclosure.

Page 18

ULTRABLOCK USB 3 IDE / SATA (Read Only)

• The Read-Only UltraBlock USB 3 IDE/SATA is used to acquire data from an IDE or SATA hard drive in a forensically sound write-protected environment.

• The Read Only UltraBlock USB 3.0 IDE-SATA (USB 2.0 compatible) is used to acquire data from an IDE or SATA hard drive in a forensically sound write-protected environment. The USB 3.0 family of portable forensic bridges offer faster imaging speeds, reliable performance, and an easy to use USB 3.0 host computer connection.

• UltraBlock USB 3.0 IDE-SATA Write Blocker

• The UltraBlock USB 3.0 Forensic IDE/SATA Bridge supports write-blocked, forensic acquisitions of both SATA and IDE storage devices through a fast USB 3.0 host connection. It offers forensic examiners the ease of use, reliability, and imaging speed necessary to image today's larger and faster hard-disk drives - in both lab or field environments.
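The slides describe what a write-blocked acquisition delivers (page 3, the UltraKit bullet on page 16 and the UltraBlock bridge above) but not what the imaging side of that workflow looks like. The following added example, written for this page and not code from the slides or from Digital Intelligence, shows the examiner-side half: the evidence is opened read-only, streamed to one or more image files (1:2 duplication as on the Forensic Duplicator 2), hashed with MD5 and SHA-256 in the same pass, recorded in a minimal acquisition record, and each copy is verified afterwards. The case id, examiner name, file names and the 3 MiB sample "drive" are constructed placeholders; a software read-only handle is only a process-level guarantee, which is exactly why the hardware bridge exists below the OS.

```python
"""Added example: minimal forensically sound disk-to-file acquisition with
hash verification (not code from the original slides or the vendor)."""
import datetime
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB per read; imagers use similarly large blocks


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, streamed in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def acquire(source, image_paths, case_id, examiner):
    """Image `source` to every path in `image_paths` (1:N duplication).

    The source is opened with O_RDONLY only, so this process never holds a
    writable handle to the evidence. A hardware write blocker enforces the
    same property below the operating system, which software alone cannot.
    """
    fd = os.open(source, os.O_RDONLY)
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    dests = [open(p, "wb") for p in image_paths]
    size = 0
    try:
        while True:
            chunk = os.read(fd, CHUNK_SIZE)
            if not chunk:
                break
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
            for d in dests:
                d.write(chunk)
    finally:
        os.close(fd)
        for d in dests:
            d.close()
    # Acquisition record: the minimum an examiner keeps alongside the image.
    return {
        "case_id": case_id,  # placeholder value supplied by the caller
        "examiner": examiner,  # placeholder value supplied by the caller
        "source": source,
        "images": list(image_paths),
        "acquired_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "bytes_acquired": size,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def verify(image_path, record):
    """True if the image still matches the SHA-256 recorded at acquisition."""
    return hash_file(image_path)[1] == record["sha256"]


def demo(workdir=None):
    """Run the whole flow on a constructed 3 MiB 'evidence drive' file."""
    workdir = workdir or tempfile.mkdtemp(prefix="acq-demo-")
    source = os.path.join(workdir, "evidence.bin")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * (3 * 4096))  # constructed sample data
    images = [os.path.join(workdir, f"image{i}.dd") for i in (1, 2)]
    record = acquire(source, images,
                     case_id="CASE-PLACEHOLDER", examiner="examiner-placeholder")
    ok_before = [verify(p, record) for p in images]
    # The source must hash identically after the pass; a different hash
    # would mean something wrote to the evidence during acquisition.
    source_unchanged = hash_file(source)[1] == record["sha256"]
    # Simulate a corrupted second copy by flipping one byte, then re-verify.
    with open(images[1], "r+b") as f:
        f.seek(1024)
        f.write(b"\xff")
    ok_after = [verify(p, record) for p in images]
    return {
        "record": record,
        "verified_before_tamper": ok_before,
        "source_unchanged": source_unchanged,
        "verified_after_tamper": ok_after,
    }


if __name__ == "__main__":
    result = demo()
    print(result["record"]["sha256"], result["verified_after_tamper"])
```

Running the module prints the recorded SHA-256 and the per-copy verification result after the deliberate corruption, `[True, False]`: the first copy still matches the record, the altered one does not, which is the check an examiner repeats whenever an image changes hands.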

Page 19

UB USB 3.0 IDE-SATA Read Only Kit – SKU: W2710, $349.00

Extra Power Supply – SKU: X1000, $25.00

PC Interface: One USB 3.0 Type B (9-pin, super/high/full/low speed)

Drive Interfaces: SATA Signal Connector, IDE signal Connector

User Configurable: Read-Only or Read-Write via DIP switch

Page 20

ULTRABLOCK USB 3 IDE / SATA (Read Write)

• The Read Write UltraBlock USB 3 IDE/SATA is used to write data to an IDE or SATA hard drive.

• The Read Write UltraBlock USB 3.0 IDE-SATA (USB 2.0 compatible) is used to write data to an IDE or SATA hard drive. The USB 3.0 family of portable forensic bridges offer faster imaging speeds, reliable performance, and an easy to use USB 3.0 host computer connection

• UltraBlock USB 3.0 IDE/SATA pre-configured for read/write operation. It's available in a yellow case so that you can easily distinguish a pre-configured read/write device from a read-only device. It offers forensic examiners the ease of use, reliability, and imaging speed necessary to image today's larger and faster hard-disk drives - in both lab or field environments.

Page 21

UB USB 3.0 IDE-SATA Read Write Kit – SKU: W2760, $349.00

Extra Power Supply – SKU: X1000, $25.00

PC Interface: One USB 3.0 Type B (9-pin, super/high/full/low speed)

Drive Interfaces: SATA Signal Connector, IDE signal Connector

User Configurable: Read-Only or Read-Write via DIP switch

Page 22

ULTRABLOCK eSATA IDE / SATA (Read Only): The Read-Only UltraBlock eSATA IDE/SATA is used to acquire data from an IDE or SATA hard drive in a forensically sound write-protected environment.

ULTRABLOCK eSATA IDE / SATA (Read Write): The Read Write UltraBlock eSATA IDE/SATA is used to write data to an IDE or SATA hard drive.

ULTRABLOCK SAS: The UltraBlock SAS is used to acquire data from a Serial Attached SCSI hard drive in a forensically sound write-protected environment.

ULTRABLOCK FIREWIRE WRITE BLOCKER: The UltraBlock Firewire Write Blocker brings secure, hardware-based write blocking to the world of Firewire devices.

ULTRABLOCK USB (V2) WRITE BLOCKER: The UltraBlock Forensic USB Write Blocker brings secure, hardware-based write blocking to the world of USB mass storage devices. Version 2 offers many improvements over the initial release.

ULTRABLOCK FORENSIC CARD READER: These units can be used for writing and the forensic acquisition of information found on multimedia and memory cards.

Page 23

STANDALONE FORENSIC DEVICES

• Standalone forensic devices address the specific needs of the computer forensics investigator.

GPU PowerStation: The GPU Power Station is the first commercially available SuperComputer expansion chassis designed and optimized for massive parallel processing and computation.

SUPERCHIEF USB3 IDE / SATA: The SuperChief (IDE/SATA) is a dual bay USB3 to IDE and SATA enclosure that is completely configurable for Read Only or Read Write operation.

3.5 INCH USB3 SATA HD ENCLOSURE: The 3.5" HD enclosure connects to a SATA drive and is read-write and read-only switchable. The enclosure operates at USB 3.0 speeds and includes a power supply and USB3 data cable.

Page 24

FORENSIC IMAGER 3: The Forensic Imager 3, with a color touchscreen interface, provides forensic write blocking for IDE, SATA, SAS, USB3 and Firewire devices.

FORENSIC DUPLICATOR 2U: The Forensic Duplicator 2U natively images USB 3.0, SATA, and IDE/PATA storage devices. Investigators can (optionally) image SAS drives by using the same TDP6 module used with Forensic Duplicator 1 and 2.

FORENSIC DUPLICATOR 2: Provides forensic (write-protected source drive) disk-to-file or disk-to-disk duplication for IDE to SATA and SATA to SATA hard disk drives. This version is 1:2, which allows you to copy from one IDE or SATA drive to two SATA destinations simultaneously.

FORENSIC DUPLICATOR: Provides forensic disk-to-file or disk-to-disk duplication for IDE to IDE, IDE to SATA, SATA to SATA and SATA to IDE hard disk drives.

HARDCOPY 3P: 1:2 Portable Forensic Hard Drive Duplicator. The HardCopy has been refined and redesigned to meet the ever-growing needs of progressive and committed forensic investigators.

SHADOW 3: This completely unique and patented forensic tool allows you to boot and run a suspect computer on the spot and in minutes without compromising evidence - no drive imaging required.

Page 25

ACCESSORIES

• Here you'll find adapters, power supplies, hard drive trays, cables and other hardware and accessories for our products.

PRECISION ELECTRONICS TOOL KIT

• The Precision Electronics Tool Kit is a complete comprehensive standard in precision screwdriver bit sets, featuring 30pcs of selected bits and 10pcs of essential repair devices. The devices are organized in a durable carrying case. This kit allows disassembly of most branded smart phones, video games, notebooks, electronic devices and more.

Page 26

Precision Electronics Tool Kit – SKU: X1250, $34.95

Page 27

MULTIDRIVE ADAPTER

• The MultiDrive Adapter allows 2.5 inch, 1.8 inch pin connector and 1.8 inch ZIF connector IDE hard drives to be connected to a write blocker or standard 40 pin IDE connector.

• This adapter will not connect to a MacBook Air SATA LIF Hard Drive.

MultiDrive Adapter – SKU: A4400, $69.95

Replacement ZIF to PIN Adapters (2) – SKU: A4405, $16.00

Page 28

BLADE TYPE SSD ADAPTER: Connect your Mac Air BLADE Type SSD (128 GB or 256 GB) to a SATA power and data cable. Pentalobe screwdrivers are also available to disassemble your iPhone or MacBook Air.

SATA LIF ADAPTER: Easily connect your 1.8 inch Mac Air SATA LIF hard drive to a SATA cable. Each adapter features a SATA LIF female drive interface, 2 interchangeable SATA LIF connector cables, and a convenient carrying case.

ADAPTER PACK: Includes 2" IDE Cable, 2.5" hard drive adapter, 1.8" pin Hard Drive Adapter, MicroSATA Adapter and ZIF Adapter in zippered case.

ZIF ADAPTER: This kit is offered by Digital Intelligence to meet the high duty cycle required for Forensic applications. Rugged pocket size enclosure with structurally mounted power connection. Easily connect your 1.8 inch notebook IDE hard drive to a 40-pin IDE cable. Each adapter features a ZIF female laptop drive interface, 4 interchangeable ZIF connector cables, and a convenient carrying case.

1.8 INCH ZIF or PIN HD ENCLOSURE: The 1.8" HD enclosure connects to either a ZIF or PIN drive. The enclosure operates at USB 2.0 speeds and requires no additional power supply. Available with or without a hard drive pre-installed.

2.5 INCH USB3 SATA HD ENCLOSURE: The 2.5" HD enclosure connects to a SATA drive. The enclosure operates at USB 3.0 speeds and requires no additional power supply.

3.5 INCH HARD DRIVE ENCLOSURE: This enclosure holds a single 3.5 inch SATA Hard Drive and uniquely supports all of the following interfaces: eSATA, FireWire 400 (1394a), FireWire 800 (1394b), and USB 2.0.

Page 29

USB PROTOCOL MODULE: Connect and copy USB devices on your Forensic Duplicator.

SAS PROTOCOL MODULE: Connect and copy SAS hard drives on your Forensic Duplicator.

PROTOCOL MODULE BUNDLE: Connect and copy USB and SAS hard drives on your Forensic Duplicator.

FAR - FORENSIC ARCHIVE AND RESTORE: Fernico FAR systems are specifically designed for Digital Forensic Investigators who need a complete solution for backup, restoration and acquisition of forensic data evidence. Backup Digital Evidence Automatically to DVD, HD-DVD or Blu-Ray Disc. Restore Disks to Rebuild or Review Cases. Acquire Evidence From a Variety of Media.

MICROSATA ADAPTER: The MicroSATA Adapter can be used to adapt a SATA interface to a Micro SATA drive. This is for the adapter only; the Micro SATA HD pictured is for graphic representation only and not included. RoHS compliant.

SD ADAPTERS: The SD Adapters are used to adapt a MicroSD and MiniSD card to an SD form factor.

Page 30

Conclusion

• These are a few popular digital forensics devices used by various law enforcement agencies in performing crime investigations. This paper covers all kinds of devices: premium, computer forensics, mobile forensics and others. If you are going to start learning digital forensics, you can download or buy these devices and start working on them. It will help you to better understand the whole process and the devices.

• These are not the only devices. There are various other free and premium devices available in the market, so you can do more research to learn more about them. The devices are listed in random order, so please don't consider this a ranking of the devices. I just tried to make a list of popular digital forensics devices.

• With the increasing use of digital data and mobile phones, digital forensics has become more important. Cyber crimes are also increasing day by day, so companies are trying to launch more powerful versions of these devices, and you need to keep up with the latest digital forensics news to know about recent releases.
