File000120

Module VII – Computer Forensics Lab

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: CSI Stick Grabs Data From
Cell Phones
Source: http://news.cnet.com/

EC-Council
Module Objective
• Computer Forensic Lab
• Planning for a Forensic Lab
• Budget Allocation for a Forensic Lab
• Physical Location and Structural Design Considerations
• Work Area Considerations
• Human Resource Considerations
• Technical Specification of the Laboratory-based Imaging System
• Auditing a Computer Forensic Lab
• Basic Hardware Requirements
• Paraben Forensics Hardware and Hard Drive Forensics
• Wiebetech, DeepSpar, InfinaDyne, and Logicube Forensic Hardware
• DIBS® Mobile Forensic Workstation
• Basic Software Requirements
• Paraben Hard Drive Forensics
• TEEL Technologies SIM Tools
This module will familiarize you with:

EC-Council
Module Flow
Auditing a Computer
Forensic Lab
Wiebetech, DeepSpar,
InfinaDyne, and
Logicube Forensic Hardware
Paraben Forensics
Hardware and
Hard Drive Forensics
Paraben
Hard Drive Forensics
Basic Software
Requirements
DIBS® Mobile Forensic
Workstation
Basic Hardware
Requirements
TEEL Technologies
SIM Tools
Planning for a
Forensics Lab
Computer Forensics Lab
Technical Specification of
the Laboratory-based
Imaging System
Budget Allocation
for a Forensics Lab
Human Resource
Considerations
Physical Location
and Structural Design
Considerations
Work Area
Considerations

EC-Council
Hardware Requirements
Setting a Computer Forensics Lab
Software Requirements

EC-Council
Computer Forensics Lab
• Planning
• Budgeting
• Physical location and structural design
considerations
• Work area considerations
• Physical security recommendations
• Human resource considerations
• Forensic lab licensing
Setting a forensic lab includes:
A Computer Forensic Lab (CFL) is a designated location for
conducting computer based investigation on the collected
evidence

EC-Council
Planning for a Forensics Lab
• Types of investigation being conducted
• Workstations, both forensic and non-forensic
• UPS as a preventive measure against power failure
• Necessary software and hardware
• Book racks for the library
• Reference materials
• Safe locker to store evidence
• LAN and Internet connectivity
• Storage shelves for unused equipment
• Numbers of investigators/examiners to be involved
A list of elements that should be planned before
building the computer forensics lab:

EC-Council
Budget Allocation for a Forensics
Lab
Budget for a forensic lab is allocated by calculating the
expected number of cases that would be examined
Crime statistics of the previous year and the expected trend
plays an important role in budgeting
Space occupied, equipments required, personnel, training,
software, and hardware requirements are taken into account
while allocating a specific amount for the forensics lab
The nature of the forensic lab is also a determining factor

EC-Council
Physical Location Needs of a
Forensic Lab
• Site of the lab
• Access to the emergency services
• Lighting at the lab
• Physical milieu of the lab
• Design of parking facility
Physical location requirements of a
forensics lab:

EC-Council
Structural Design Considerations
• It must be a secure place
• It must be constructed with heavy materials
• It must not have any openings in the walls,
ceilings, and floors
• It must not have windows in the lab’s
exterior
Structural design considerations for
a lab:

EC-Council
Environmental Conditions
The environmental conditions required for
proper lab functioning are as follows:
• Large dimensions of the room
• High exchange rate of air per minute(in the lab)
• Good cooling system to overcome excess heat
generated by the work station
• Allocation of workstations as per the room
dimensions
• Arrangement of computers as per the
architecture of the lab
• It must be able to handle RAID server’s heat
output

EC-Council
Electrical Needs
The lab must be
supplied with good
amperage
It must have easy
electrical outlets
There must be an
Uninterrupted Power
Supply (UPS)
installed on all the
computers

EC-Council
Communication Needs
• Broadband for network and voice
communications
• Fax communications
• Dial-up Internet access must also be
available
• A dedicated network is preferred for the
forensic computers
Ensure the following
communication factors:

EC-Council
Work Area of a Computer
Forensic Lab
An ideal lab consists of two forensic
workstations and one ordinary
workstation with Internet connectivity
Forensics workstations vary according to
the types of cases and processes handled
in the lab
The work area should have ample space
so that there is space for case discussions
among investigators

EC-Council
Ambience of a Forensic Lab
Investigators spend long hours in a forensic lab, so it
is important to keep the lab environment comfortable
The height of ceilings, walls, flooring, and so on
contribute to the ambience of a forensics lab
Ergonomics, lighting, room temperature, and
communications form an important factor while
considering the ambience of a computer forensics lab

EC-Council
Ambience of a Forensic Lab:
Ergonomics
• “Ergon” which means “work”
• “Nomoi” which means “natural laws”
Taken from Greek words
• “The study of conniving equipment to meet
the human requirements of comfort without
affecting the efficiency”
Ergonomics is defined as:

EC-Council
Physical Security Recommendations
There should be only one entrance to a forensics lab
Do not keep the windows of the forensics lab open
Maintain a log book at the entrance of the lab to log in the
timings and name of the person who visited the lab
Place an intrusion alarm system in the entrance
Place fire fighting equipments within and outside the lab

EC-Council
Fire-Suppression Systems
In fire suppression system,
ensure that you:
• Install a dry chemical fire-
suppression system
• Check the installation of
sprinklers
• Have access to chemical fire
extinguishers

EC-Council
Evidence Locker Recommendations
The locker must be located in a restricted area
that is only accessible to the lab personnel
Authorize few people to access the locker
All the lockers must be monitored properly and
they must be locked when they are not under
supervision

EC-Council
Computer Forensic Investigator
Computer forensic investigator must have knowledge of general computer skills
such as hardware, software, OS, applications, etc.
The investigator must perform a proper investigation to protect the digital
evidence
The investigator must be certified from the authorized organizations

EC-Council
Law Enforcement Officer
Law enforcement officer must be a lawyer with knowledge of general
computer skills
The officer must have knowledge of all the cyber crime laws
The officer must know how to write an appropriate warrant for
searching and seizing of the computer

EC-Council
Forensic Lab Licensing
Requisite
• ISO/IEC 17025:1999, General Requirements for the
Competence of Testing and Calibration Laboratories
• ASCLD/LAB-International Supplemental Requirements for the
Accreditation of Forensic Science Testing and Calibration
Laboratories
Forensics labs around the globe seeking
ASCLD/LAB certificate have to adhere to:
The American Society of Crime Laboratory Directors (ASCLD) is an
international body certifying forensics labs that investigate criminal
cases by analyzing evidence

EC-Council
Features of the Laboratory Imaging
System
Automatic write protection
Preview capability
Password cracking pod (optional)
Unlimited theoretical capacity
Choice of LTO Ultrium or DAT drives (optional)
Optional second tape drive
Hard drive connectivity
Other media
Convenience

EC-Council
Technical Specification of the
Laboratory-based Imaging System
High performance workstation PC
Remote preview and imaging pod
Password cracking pod (optional)
LTO Ultrium tape drives (optional)
DDS-4 DAT tape drives (optional)
LTO Ultrium-1 and 2 recording format
DDS-4 DAT recording format
Image capture rate
Anti-repudiation techniques

EC-Council
Forensics Lab

EC-Council
Auditing a Computer Forensic
Lab
Forensics lab should be under surveillance to
protect it from intrusions
Inspect the lab on a regular basis to check if the
policies and procedures implemented are
followed
Verify the log file at the entrance of the lab
Manually check the fire extinguishers to ensure
their function

EC-Council
Auditing a Computer Forensic
Lab (cont’d)
• Examine the ceiling, floor, roof, and exterior
walls
• Examine the doors and locks
• Check if the locks are working properly
• Check out the visitors’ log
• Examine the logs for evidence containers
• Acquire evidence that is not being processed
and store it at a secure place
Steps to audit the computer
forensic lab:

EC-Council
Recommendations to Avoid
Eyestrain
• Keep optimum distance from the monitor
• Use Zoom option to vary the font’s size
• Use screen filters to clear the glare
• Lab must have proper ventilation
• Purge direct light on the monitor
• Get an eye check-up done regular intervals
• Take breaks at frequent intervals
Recommendations to avoid eyestrain:

EC-Council
Computer Forensic Labs, Inc.
Source: http://www.computerforensiclabsinc.com/

EC-Council
(cont’d)
Computer Forensic Labs (CFL) is one of the leading providers of
investigative services in computer forensics, forensic data recovery,
and electronic evidence discovery
CFL can conduct the following types of computer forensic investigations:
• Child pornography and sexual exploitation
• Use of e-mail, instant messaging, and chat
• Computer hacking and network intrusion
• Copyright infringement
• Software piracy
• Intellectual property disputes
• Identity theft
• Online auction fraud
• Credit card fraud
• Other financial fraud and schemes

EC-Council
(cont’d)
CFL can conduct the following types of computer forensic
investigation:
• Telecommunications fraud
• Threats, harassment, and/or stalking
• Extortion and/or black mail
• Gambling
• Drug abuse and/or distribution
• Divorce
• Adult sexual assault
• Assault and battery
• Domestic violence
• Death investigation
• Employee or employer’s misconduct
• Theft, robbery, and/or burglary

EC-Council
Procedures at Computer Forensic
Labs (CFL), Inc.
CFL recommends that you do not attempt to search for the evidence yourself because this
can change the important date/ time stamps as well as user information, thus, possibly
obstructing the investigation
• CFL will create an exact replica of the hard disk drive or other storage device so the evidence can be
evaluated and processed from a forensic evidence file which guarantees the preservation of the best
evidence and eliminates any possible guess work by the computer investigator
• Identify leads and computer evidence contained in files and slack space, which can determine the
outcome of the case
• Document the findings and provide expert witness testimony to help clarify technical computer
issues in the litigation process
• Deleted data, hidden data, and password-protected data can be retrieved in many instances
• The forensic investigators at Computer Forensic Labs, Inc. can find data on a formatted hard drive,
deleted e-mail, intentionally altered data and in some cases media that has been physically damaged
• The recovered data is then carefully documented, analyzed, and recorded in reports which are
presented to the client and/or in litigation

EC-Council
Data Destruction Industry
Standards
American: DoD 5220.22-M
American: NAVSO P-5239-26 (RLL)
American: NAVSO P-5239-26 (MFM)
German: VSITR
Russian: Russian Standard, GOST P50739-95

EC-Council
Case Study: San Diego Regional
Computer Forensics Laboratory (RCFL)
Source: http://rcfl.org/

EC-Council
Hardware Requirements
Setting a Computer Forensic Lab
Software Requirements

EC-Council
Equipment Required in a
Forensics Lab
Equipment required for a forensics lab depends on the
nature of the forensics investigation carried out in the
lab
Below listed are the common equipments that are
necessary in a computer forensics lab:
• Computer Forensic towers
• Printers
• Cables
• Additional hard drives
• Storage networks

EC-Council
Forensic Workstations
• Includes S/W for imaging, processing, and
investigation
Mobile Forensic Workstation:
• Ideal for data capture only
Mobile Imaging Workstation:
• Includes the complete range of forensic
software
Lab-based Forensic Workstation:
• For in-house data capture
Lab-based imaging Workstation:

EC-Council
Basic Workstation Requirements
in a Forensic Lab
• Intel Dual Core Processor with high computing speed
• 2 GB RAM for satisfying minimum processing requirements
• DVD-ROM with read/write facility
• Motherboard which supports IDE, SCSI ,USB/2, FireWire;
slot for LAN/WAN card and a fan attached for cooling the
processor
• Tape drive, USB drive
• Removable drive bays
• Monitor , keyboard , and mouse according to comfort of the
investigator
• Minimum two hard drives for loading two different OS on
each
• For emergencies, keep spare RAM & hard disk
A basic forensics workstation should have the
following:

EC-Council
Stocking the Hardware Peripherals
The following hardware peripherals
must be stocked as back-up:
• 40-pin 18-inch and 36-inch IDE cables,
both ATA-33 and ATA-100 or faster
• Ribbon cables for floppy disks
• Extra SCSI cards
• Graphics cards, PSI, and AGP
• Extra power cords
• A variety of hard disk drives
• Laptop hard drive connectors
• Handheld devices

EC-Council
Paraben Forensics Hardware:
Handheld First Responder Kit
• Wireless StrongHold Bag
• Remote Charger
• First responder cards for handling PDAs and Cell
Phones
The Kit includes:
Figure: Handheld First Responder Kit
Handheld First Responder Kit secures the device
from unwanted wireless signals that could
contaminate or eliminate data and provides power
to the device to prevent loss of data

EC-Council
Wireless StrongHold Bag
• Unique design that prevents data cables from acting as
signal conduits
• Shielding Effectiveness: Average 85db
from 30 MHz to 10 GHz
Features:
Figure: Wireless StrongHold Bag
First responders can use this bag to ensure that proper
wireless procedures are kept and that the evidence is
protected from potential case killers - after seizure of wireless
communications
It is made of a nickel, copper, and silver-plated nylon plain
woven fabric. This fabric is the key in preventing unwanted
signals from your evidence
Figure: Tri-weave material

EC-Council
Remote Charger
Figure: Remote Charger
The battery powered remote charger uses multiple charging
tips to keep your device powered
It is perfect for the first responder to ensure that seized
devices remain powered and potential evidence is preserved
It is included in the Device Seizure Toolbox
The charger is manufactured by :
• Motorola
• Nokia
• Samsung
• Siemens
• Sony Ericsson

EC-Council
Device Seizure Toolbox
The Device Seizure Toolbox
includes:
• Remote Charger
• Power Adaptor
• USB Serial DB9 Adapter
• 1-Nylon Carrying Case
Figure: Device Seizure Toolbox
Paraben's Device Seizure Toolbox is designed as a collection of the
items that would be needed in different scenarios for device seizure
The items in this toolbox in combination with the appropriate
software, allow for acquisitions of hundreds of cell phones & PDAs

EC-Council
Wireless StrongHold Tent
Paraben's Wireless StrongHold Tent (Patent Pending)
was designed to allow for the safe acquisition of the
data from wireless devices by blocking wireless signals
from getting to the device
The tent is portable and can fit one person using a
laptop to perform the acquisition
Features:
• Portable and easy to set up and carry
• Lightweight and compact for excellent portability
• Includes durable, custom carrying case
Figure: Wireless StrongHold
Tent

EC-Council
Passport StrongHold Bag
Paraben’s Passport StrongHold Bag protects
your RFID Passport
It is a protective barrier wrapping your
information in a signal blocking fortress
These bags are perfect for storing anything
using RFID chips so no one can steal the
information from your chip
Figure: Passport StrongHold Bag

EC-Council
Project-a-Phone
• Software can simultaneously display multiple
screens
• Fits most major mobile phones and handheld
devices
• Delivers live video or still images
• Allows the user to record audio and video and
take screen captures
• Is lightweight and compact for excellent
portability
Features:
Figure: Project-a-Phone
Project-a-Phone securely clamps your handheld device in place and delivers a
clear video image of the screen to your computer, so you can show it on your
monitor, display it through your projector, or share it on the web
It provides an easy access to the controls, while stabilizing your device, so you
can run live demonstrations

EC-Council
Paraben Forensics Hardware: SATA Adaptor
Male/Data Cable for Nokia 7110/6210/6310/i
• SATA Adaptor Male adds Serial ATA support for
Paraben's LockDown as well as ICS's ImageMASSter
Solo-2
• It can be used in combination with these products to
prevent altering any of the Serial-ATA or P-ATA
drive’s data during a Forensic Data Seizure
SATA Adaptor Male
• Popular cable for Nokia phones in Europe
Serial DLR3 Compatible Data Cable for Nokia
7110/6210/6310/i
Figure: SATA Adaptor Male
Figure: Serial DLR3 Compatible Data Cable
for Nokia 7110/6210/6310/i

EC-Council
Lockdown
• Small size (4"W x 3"D x 1"H) allows for complete
portability and ease of use in the field
• IDE ports for both "desktop IDE" and "laptop IDE"
media, negating the need for a desktop-to-laptop
IDE adapter
• Acquires drives through Windows, which is
substantially faster than DOS-based acquisitions
Features:Figure: Paraben's LockDown
Paraben's Lockdown is an advanced Firewire or USB
to IDE write-blocker that combines speed and
portability to allow IDE media to be acquired quickly
and safely in Windows

EC-Council
Paraben Forensics Hardware: SIM Card
Reader/Sony Clie N & S Series Serial
Data Cable
SIM Card Reader
• SIM Card Reader has the ability to acquire and
analyze SIM card data
• It is compatible with both programs and when used
by either program, acts as a forensic SIM card
reader
Sony Clie N & S Series Serial Data Cable
• Sony Clie serial cable supports all N & S series Sony
Clie PDAs for use with Paraben's PDA Seizure or
normal HotSync operations are formerly included
in the PDA Seizure Toolbox
Figure: SIM Card Reader
Figure: Sony Clie N & S Series Serial
Data Cable

EC-Council
CSI Stick
Paraben's CSI Stick is a portable cell phone forensic and data gathering tool
It acquires data that can only be read and analyzed in Paraben's Device Seizure or
DS Lite
It currently supports certain Motorola and Samsung phone models
• One CSI Stick base unit
• Two Motorola tips
• One Samsung tip
• One remote charger
• Carrying case
The CSI Stick tool includes:

EC-Council
USB Serial DB9 Adapter
USB Serial DB9 Adapter
• Most adapters have different drivers making it nearly
impossible to support USB to serial adaptors for PDA
Seizure, Cell Seizure, & SIM Card Seizure
Specifications:
• Over 230kbps data transfer rate
• Supports remote wake-up and power management
• 96 byte buffer each for upstream and downstream
data flow
• Easy installation
• Works with cellular phones, PDA, digital cameras,
modems, and ISDN terminal adapters
Figure: USB Serial DB9 Adapter

EC-Council
Portable Forensic Systems and Towers:
Forensic Air-Lite VI MKII laptop
Forensic Air-Lite VI-MK II has been tested to meet the strict requirements of
conducting a proper forensic acquisition and analysis
The system is packaged with Ultimate Forensic Write Protection Kit and a
Maxtor 300GB external hard drive
It includes:
• LCD Panel
• Video Controller
• DVD Burner
• FireWire IEEE-1394
• Flash Media Reader
• Software
• Ultimate Forensic Write Protection Kit Figure: Air-Lite VI-MK II

EC-Council
Portable Forensic Systems and
Towers: Original Forensic Tower II
Figure: Forensic Solid Steel
Tower™
Figure: Original Forensic
Tower II
Original Forensic Tower II
• Original Forensic Tower II is the updated
initial version of the Forensic-Computer’s
forensic system
• It includes the Ultimate Forensic Write
Protection Kit
Forensic Solid Steel Tower™
• Forensic Solid Steel Tower™ case has ten
5.25-inch bays that gives flexibility in
configuring a lab system to meet the
differing needs of your clients
• It includes the Ultimate Forensic Write
Protection Kit

EC-Council
Portable Forensic Systems and Towers:
Portable Forensic Workhorse V
• External Drive Bay Configuration
• Bay 1: Tableau T335 Forensic Drive Bay
Controller00
It includes:
Portable Forensic Workhorse V is the latest model that sports an AMD Athlon
64 Processor to handle the most demanding keyword searches and graphics
examinations
It is compatible with all commercial forensic acquisition and analysis software
including EnCase®, Forensic Tool Kit®, SMART®, SafeBack®, all of the
Mares tools, and other older MS-DOS® based legacy tools
Figure: Portable Forensic Workhorse V

EC-Council
Portable Forensic Workhorse V: Tableau
335 Forensic Drive Bay Controller
Tableau's T335 Forensic Drive Bay Controller provides three independent bridges, two
SATA and one IDE, each of which can be configured for read-only or read-write operation
at system build time
It is designed to be mounted in a 5.25" half-height drive bay on the front of a forensic
workstation or tower
It is specifically designed to work in conjunction with SATA and IDE removable drive trays,
which should be mounted in close proximity to the T335 in the host computer
Figure: T335 Forensic Drive Bay Controller

EC-Council
Towers: Forensic Air-Lite IV MK II
The Forensic Air-Lite IV MK II is the Pentium 4
replacement of the legendary Forensic Air-Lite IV
It was initially designed to be an evidence acquisition
system
It is compatible with all commercial forensic acquisition
and analysis software including EnCase®, Forensic Tool
Kit®, SMART®, SafeBack®, all of the Mares tools, and
other older MS-DOS® based legacy tools
Figure: Forensic Air-Lite IV MK II
Figure: Forensic Air-Lite V

EC-Council
Towers: Forensic Tower II
Forensic Tower II is a powerful forensic workstation
It has been tested to meet the strict requirements of conducting a
proper forensic acquisition and analysis
It includes the Ultimate Forensic Write Protection Kit II
Figure: Forensic Tower II

EC-Council
Forensic Write Protection Devices and Kits:
Ultimate Forensic Write Protection Kit
Some of the tools include:
• Forensic Bridges
• Cables
• Adapters
• Power Assembly
• Media Reader
• Carrier Case
Ultimate Forensic Write Protection Kit is used for the
following media types: IDE, IDE Notebook, SATA, SCSI
(50-pin, 68-pin, and SCA-80) PLUS seven varieties of
flash media
Figure: Ultimate Forensic Write
Protection Kit

EC-Council
Tableau T3u Forensic SATA
Bridge Write Protection Kit
The T3u Forensic SATA Bridge is a write-blocker for use
with Serial ATA (SATA) hard disks
Unlike many other SATA write-blocking solutions, the T3u
has native support for SATA hard disks
The Tableau T3u includes FireWire800, FireWire400, and
USB 2.0 host interfaces, offering maximum flexibility when
connecting the T3u to the host’s computer
It is ideal for field and lab settings
Figure: T3u Forensic SATA
Bridge

EC-Council
Tableau T8 Forensic USB Bridge Kit/Addonics Mini
DigiDrive READ ONLY 12-in-1 Flash Media Reader
• Brings secure, hardware-based write blocking to the
world of USB mass storage devices
• T8 also incorporates a major new enhancement in
the realm of forensic bridges and write-blockers, a
built-in LCD user interface
Tableau's Forensic USB Bridge
• (12 different popular digital media types including -
CF-I, CF-II, Smart Media™, Memory Stick™,
Memory Stick Pro™, Micro Drive™, Multimedia
Card™ and Secure Digital Card™)
Addonics Mini DigiDrive READ ONLY 12-
in-1 Flash Media Reader
Figure: Tableau's Forensic USB
Bridge
Figure: READ ONLY 12-in-1 Flash Media
Reader

EC-Council
Tableau TACC 1441 Hardware
Accelerator
Tableau's TACC 1441 hardware acceleration sets a new standard in
the password recovery performance
It works in conjunction with AccessData company software and
delivers unprecedented password attack rates
Multiple TACC1441 units can be connected to a single host to boost
performance
Figure: Tableau's TACC 1441 hardware accelerator

EC-Council
Multiple TACC1441 Units
Tableau's unit has single CPUs with four TACC1441 accelerators running
in excess of 250,000 passwords per second

EC-Council
Digital Intelligence Forensic
Hardware: FRED SR (Dual Xeon)
FRED SR (Dual Xeon) is a member of the
FRED forensic workstations
It has all the functional capabilities of a FRED
system with the addition of components
optimized for the highest level of processor,
memory, and I/O performance
It is built on a dual-processor 64-bit Xeon
motherboard, with good flexibility, integrated
peripheral support, and performance
Figure: FRED SR (Dual Xeon)

EC-Council
Hardware: FRED-L
Forensic Recovery of Evidence Device – Laptop (FRED-L) is
a mobile field forensic acquisition kit
It comes with UltraKit and is used to quickly, efficiently, and
securely image IDE, SATA, and SCSI hard drives
It is built in Core 2 Duo Mobile Processor technology
FRED-L kit includes:
• 3GB RAM
• FireWire 1394a
• FireWire 1394b ExpressCard
• Four USB 2.0/1.X ports
• Wireless 802.11a/b/g
• Integrated 1.3 MP Video/Web Camera
• Gigabit (10/100/1000 Mb/s) Ethernet support
Figure: FRED-L

EC-Council
Digital Intelligence Forensic Hardware:
Forensic Recovery of Evidence Data
Center (FREDC)
FREDC provides fully integrated processing power and flexibility
It is capable of housing up to 8 completely independent forensic
processing systems
It is fully extensible to provide forensic network services and storage
to pre-existing forensic workstations in your network
The design of FREDC allows for customization to meet any forensic
requirement
Features of FREDC:
• Faster than a local hard drive
• Centralized file storage
• Centralized access control/security
• Centralized file sharing
• Centralized data backup
• Easy to maintain and use Figure: FREDC

EC-Council
Hardware: Rack-A-TACC
Rack-A-TACC is a rack mounted network appliance that leverages
multiple Tableau TACC1441 accelerators to recover passwords from:
• Encrypted files using dictionary and brute-force attack methods
• Individual stand alone system
Its units integrate four accelerators into a single 2U chassis controlled
by a quad core host computer with optimized I/O channels
Its units can be configured in a DNA cluster to increase decryption
capabilities
Figure: Rack-A-TACC

EC-Council
Rack-A-TACC Performance Data

EC-Council
Hardware: FREDDIE
Forensic Recovery of Evidence Device Diminutive
Interrogation Equipment (FREDDIE) is a portable
solution which meets both imaging and processing
requirements
It is used to acquire and analyze the computer forensics
evidence and is used in mobile forensic processing
It is designed to acquire data directly from
IDE/EIDE/ATA/SATA/ATAPI/ SCSI I/SCSI II/SCSI III
hard drives and storage devices
It is capable of handling 3½ inch floppies as well as CD-
ROM and DVD
Figure: FREDDIE

EC-Council
Hardware: UltraKit
• UltraBlock bridges
• Power supplies
• Drive interface cables
• Computer interface
Cables/Adapters
• UltraKit case
Contents of
UltraKit:
The UltraKit is a portable kit and is used to acquire a forensically
sound image of any hard drive
It is a complete arsenal of FireWire (A/B) / USB (1.x/2.0) Interface
Parallel IDE, Serial ATA, and SCSI Hardware Write Blockers
Figure: UltraKit

EC-Council
Hardware: UltraBay
The Digital Intelligence UltraBay is used
to acquire a forensically sound image of
IDE, SATA, and SCSI drives using your
choice of forensic imaging software
The IDE, SATA, and SCSI drives may be
connected and removed from the
UltraBay without having to shut down
the workstation or leaving the GUI
Figure: UltraBay

EC-Council
Hardware: UltraBlock
The UltraBlock SCSI is used to acquire
data from a SCSI hard drive in a
forensically sound write-protected
environment
It is a FireWire/USB to SCSI Bridge
Board with Forensic Write Protection
It can be connected to a laptop or
desktop using the FireWire-A (400
Mb/s), the FireWire-B (800 Mb/s), or
the USB 1.X/2.0 interface
Figure: UltraBlock

EC-Council
Digital Intelligence Forensic Hardware:
Micro Forensic Recovery of Evidence
Device (µFRED)
µFRED is an integrated, flexible, full-powered FRED
system, and includes DI's exclusive UltraBay Write
Protected Imaging Bay
It has all the processing power of a full size FRED system
It has an integrated Gigabit Ethernet (10/100/1000 Mb)
for network connectivity
It includes two hard drives:
• Internal hard drive to support the operating systems and
application software
• Second hard drive in a shock-mounted Hot Swap bay used for
the storage and processing of case work and digital evidence
Figure: µFRED

EC-Council
Wiebetech: Forensics DriveDock v4
• Unique design allows direct access to hard drive by directly connecting to
the Dock
• Dual Write-Blocked FireWire 400 Ports
• USB 2.0 Read/Write Port
• Multiple powering options such as Disk Drive Power In and Disk Drive
Power In LED
• High-speed transfer rates
Forensics DriveDock v4 Features:
Forensic DriveDock v4 is a write-block forensic solution to
access bare hard drives such as SATA or IDE drives
It quickly attaches drives via FireWire 400 compatible (for
write-block mode) and USB (for read and write mode)
Figure: Forensics DriveDock v4

EC-Council
Wiebetech: Forensics UltraDock v4
• Write-blocked
• HPA/DCO detection
• eSATA port
• DC Power in
• Disk drive power In
• DC Power input LED
• Disk drive power in LED
• Write-block LED
• FireWire host detection LED
• USB host detection LED
Features of Forensics UltraDock v4:
Forensic UltraDock v4 is a hard drive forensics field imager
Its write-blocked technology offers easy read-only access to suspect hard drives through
eSATA ,USB, and FireWire 800/400 for maximum versatility
Figure: Forensics UltraDock v4

EC-Council
Wiebetech: Drive eRazer
• Power status LED verifies that the unit is switched on (or
off)
• Status LED shows how much time remains in the erasing
process
• Portability
• Comes in Professional (Secure Erase) or Standard
(Single-Pass) varieties DRZR-3 DRZR-1 & DRZR-2
Drive eRazer Features:
Drive eRazer is a Wiebetech's hardware solution that completely erases all
data from a hard drive quickly
It is faster than software programs and does not require a computer
Figure: Drive eRazer

EC-Council
Wiebetech: v4 Combo Adapters
Wiebetech v4 Combo Adapter is a device to transfer write-
protected data to the standard devices
It works on Mac OS, Window, and forensics imaging
software
v4 Combo Adapter Features:
• Shrouded IDE interface connector helps to protect the delicate
IDE pins while connecting the adapter to the dock
• IDE interface faces upward for better accessibility
• Adapters share a smaller and more consistent size
• SATA adapter has been streamlined to 25% of its former size
Figure: v4 Combo Adapters

EC-Council
Wiebetech: ProSATA SS8
Wiebetech’s ProSATA SS8 is a portable and high
capacity SCSI RAID with SATA drives
It combines up to 8TB of storage in a compact,
transportable enclosure
It has built in RAID controller which supports
every kind of RAID, including JBOD, 0, 1, 0+1, 3,
5, and 6
It is ideal for applications requiring mobile
transport of up to 8TB of data
Figure: ProSATA SS8

EC-Council
Wiebetech: HotPlug
Wiebetech's HotPlug is used to transport a live computer
without shutting it down
It allows hot seizure and removal of computers from the field
to the forensics lab
It keeps the power flowing to the computer while transferring
the computer's power input from one A/C source to another
(a portable UPS) and back again
HotPlug Features:
• It moves a computer without shutting it down
• It instantly reroutes power of a target device to a UPS for transport
Figure: HotPlug

EC-Council
CelleBrite: UFED System
• It is portable and easy to use
• It is a standalone kit, with no computer required for extraction
• It generates complete MD5 verified evidence reports
• It supports over 1,400 handset models, with automatic software
updates for newly released devices
UFED System features:
The Cellebrite Universal Forensic Extraction Device (UFED) forensics system extracts vital
data from most of all cell phones or PDAs
It extracts data such as phonebook, pictures, videos, text messages, call logs, ESN, and IMEI
information from 1400+ models of handsets sold worldwide
It supports CDMA, GSM, IDEN, and TDMA technologies and is compatible with any
wireless carrier
Figure: UFED System

EC-Council
DeepSpar: Disk Imager Forensic
Edition
• Reading the status of each retrieved sector
• Data being imaged
• Type of imaging files
You can visualize the imaging process by:
DeepSpar Disk Imager Forensic Edition is a portable version of
DeepSpar Disk Imager Data Recovery Edition with addition of forensic-
specific functionality and is used to handle disk-level problems
Figure: Disk Imager Forensic Edition

EC-Council
DeepSpar: 3D Data Recovery
• This phase deals with drives that are not responding and drives that appear functional and can be
imaged, but produce useless data
• Recommended tool: PC-3000 Drive Restoration System
Phase 1: Drive Restoration
• This phase deals with creating a clean duplicate of the disk contents on a new disk that can be used as
a stable platform for phase 3
• Recommended tool: DeepSpar Disk Imager
Phase 2: Disk Imaging
• This phase involves rebuilding the file system, extracting the user’s data, and verifying the integrity of
files
• Recommended tool: PC-3000 Data Extractor
Phase 3: Data Retrieval
DeepSpar data recovery systems pioneered the 3D Data Recovery process - a professional
approach to data recovery centered on the following three phases:

EC-Council
Phase 1 Tool: PC-3000 Drive
Restoration System
• Designed for the data recovery of businesses
• Universal utilities give faster drive diagnostics
• Repairs the drive and secures all user data
• Software that comes with PC-3000 features a user-friendly
Microsoft Windows XP/2000 interface
• PC-3000 has built-in features to treat particular drives for
their most common failures
Features of PC-3000 Drive Restoration
System:
PC-3000 Drive Restoration System tool deals with drive restoration
It fixes firmware issues for all hard disk drive manufacturers and virtually all drive
families
Figure:
PC-3000 Drive Restoration System

EC-Council
Phase 2 Tool: DeepSpar Disk
Imager
The disk imaging device is built to recover bad
sectors on a hard drive
DeepSpar Disk Imager features:
• Retrieves up to 90 percent of bad sectors
• Special vendor-specific ATA commands are used
that pre-configure the hard drive for imaging
• Reduces the time it takes to image a disk with
bad sectors
• Failing hard drives are imaged with care and
intelligence
• Real-time reporting with the type and quality of
data imaging
Figure: DeepSpar Disk Imager

EC-Council
Phase 3 Tool: PC-3000 Data
Extractor
• Retrieves the user’s data from drives with damaged logical
structures
• Allows to analyze the logical structure of a damaged drive and
depending on the severity of damage, selects specific files that the
user wants to recover
• If the drive's translator module is damaged, it creates a virtual
translator to create a map of offsets and copies the necessary data
PC-3000 Data Extractor features:
PC-3000 Data Extractor is a software add-on to PC-3000 that diagnoses
and fixes file system issues
It works in tandem with PC-3000 hardware to recover data from any
media (IDE HDD, SCSI HDD, and flash memory readers)

EC-Council
InfinaDyne Forensic Products: Robotic
Loader Extension for CD/DVD Inspector
The robotic loader extension allows CD/DVD Inspector to control a robotic
CD/DVD loader device
This system processes up to 100 discs at a time
Robotic Loader system that is equipped with a camera, will be capable of
capturing individual photographs of each disc processed
• These will be stored in JPEG format with the content and reports about the disc
Figure: Robotic Loader

EC-Council
InfinaDyne Forensic Products:
Rimage Evidence Disc System
Rimage Evidence Disc System is a hardware device which
collects optical media evidence and archives case files to a
long life media
It is fully integrated with CD/DVD Inspector for 24x7
unattended collection of disc evidence
Types of Rimage Evidence Disc System are:
• Rimage 5100N
• Rimage 5300N
• Rimage 7100N
These systems are self-contained and requires power and a
network connection to your lab network to begin operation,
it does not require any external computer
Figure: Rimage 5100N

EC-Council
CD DVD Forensic Disc Analyzer
with Robotic Disc Loader
Features:
• Reads and analyzes CD/DVD discs
• Stores disc data to hard drive or network
• Creates MD5 hash codes
• Examines CD/DVDs to locate the hidden files
• Automated system saves time for forensic
examiners
CD/DVD Forensic Disc Analyzer with Robotic Disc Loader is a professional
tool for intensive analysis and extraction of data from CD and DVD media
It saves time for forensic examiners, data recovery technicians, and law
enforcement professionals involved in computer forensic investigations
Figure: CD DVD Forensic Disc Analyzer

EC-Council
Image MASSter: RoadMASSter- 3
RoadMASSter- 3 features:
• High speed forensic tool with drive interfaces
• High speed operation
• Multiple capture methods
• Multi drive copy
• Previews and analyzes
The RoadMASSter 3 Forensics data acquisition and analysis tool is designed to
perform both as a fast and reliable hard drive imaging and data analysis unit
It is an advanced computer forensics tool used by the law enforcement agencies
as well as corporate security to acquire and analyze data
It can image hard drives of any kind as well as capture data from other media
and unopened computers, and support different copy formats and hashing
methods
Figure: RoadMASSter- 3

EC-Council
Image MASSter: Solo-3 Forensic
• MD5/SHA-1/SHA-2 and CRC32 hashing
• Touch screen user interface
• High speed operation
• Built in write protection
• Built in FireWire 1394B and USB 2.0 interface
• Multiple media support
Features of Solo-3 Forensic:
Image MASSter Solo-3 Forensic data imaging tool is a portable hand-held
device that can acquire data from one or two evidence drives at speeds
exceeding 3GB/min
It is capable of capturing data from IDE and laptop drives, Serial ATA and SCSI
drives, as well as Flash Cards
Figure: Solo-3 Forensic

EC-Council
Image MASSter: WipeMASSter
• High speed wipe operation
• Sanitize multiple drives simultaneously
• Multiple media support
• Multiple sanitizing modes
• Partitions and formats drives
• Sanitize different drive models and sizes
Features of WipeMASSter:
WipeMASSter product is designed to erase data and sanitize up to nine hard
drives simultaneously at speeds exceeding 3GB/min
It can erase data and sanitize hard drives of different sizes and models in the
same operation
It has an add-on option for formatting the sanitized drives
Figure: WipeMASSter

EC-Council
Image MASSter: DriveLock
Image MASSter DriveLock device is a hardware write protect solution which
prevents data writes
Serial-ATA DriveLock Kit USB/1394B
DriveLock Firewire/USB DriveLock IDE
DriveLock In Bay
• Serial-ATA DriveLock Kit USB/1394B
• DriveLock Firewire/USB
• DriveLock IDE
• DriveLock In Bay
It is available in four versions:

EC-Council
Logicube: Forensic MD5
Forensic MD5 is a forensic hard disk data recovery system for law
enforcement, corporate security, and cybercrime investigation
It’s in-built MD-5 engine allows for imaging speed up to 3.3 GB/min
It ensures bit-for-bit accuracy, guaranteeing zero chance of
alteration of the suspect and evidence drives
Forensic MD5 features:
• Number of connectivity options
• MD5 verification
• Creates DD images
• Field-tested ruggedized case
• On-site reporting
• It is portable
• Unidirectional data transfer
Figure: Forensic MD5

EC-Council
Logicube: Forensic Talon®
Forensic Talon® features:
• Advanced keyword search
• MD5 or SHA-256 Authentication
• Unidirectional data transfer
• Creates DD images on-the-fly
• HPA and DCO capture
• Portable and high-speed data capturing
Forensic Talon® is a forensic data capture system , specifically designed
for the requirements of law enforcement, military, corporate security,
and investigators
It simultaneously images and verifies data up to 4 GB/min
It captures IDE/UDMA/SATA drives, and can capture SCSI drives via
USB cable
Figure: Forensic Talon®

EC-Council
Logicube: RAID I/O Adapter™
RAID I/O Adapter™ enables the Forensic Talon®
to capture a suspect RAID drive pair directly to 1
destination drive, and 1 suspect drive to 2
destination drives
Features of RAID I/O Adapter™
• Captures RAID-0, RAID-1, and JBOD configurations
• Supports MD5/SHA-256 scan and keyword search
mode during any 1-to-2 capture
• Supports both native and DD image operation modes
during 1-to-2 and 2-to-1 capturing
• Supports drive defect scan and WipeClean modes
during 1-to-2
Figure: RAID I/O Adapter™

EC-Council
Logicube: GPStamp™
• Computes the exact location of capture in
3D space; accurate within 50 meters
• Adds accurate latitude, longitude, and time
to the capture report and log
• It is capable of acquiring satellites and fixes
within most buildings
GPStamp™ features:
Logicube GPStamp™ is a device that produces a verified fix on the
location, time, and date of the data captured
Investigators can bolster their credibility by specifying when and where
data captures are performed
Figure: GPStamp™

EC-Council
Logicube: Portable Forensic Lab™
The Portable Forensic Lab™ (PFL) is a portable
computer forensic field lab housed in a special
ruggedized carrying case
This tool gives the investigator a head start, often
cutting the time to acquire the critical data
The PFL includes all that a computer forensic
examiner needs to:
• Data capture evidence at high speed from multiple sources
• Browse data from multiple types of digital media
• Analyze the data capture material using the computer
forensic analysis software such as FTK™ from AccessData
Figure:
Portable Forensic Lab™

EC-Council
Logicube: CellDEK®
Logicube CellDEK® is a cell phone data extraction
device which identifies devices by brand, model
number, dimensions, and photographs
It is portable and compatible with over 1100 of the
most popular cell phones and PDAs
It captures the data within 5 minutes and displays on
screen, and prompts for downloading to a portable
USB device
Investigators can immediately gain access to vital
information, saving days of waiting for a report from
a crime lab
Figure: CellDEK®

EC-Council
Logicube: OmniPort
Forensic OmniPort device allows immediate access to the
majority of the current USB Flash devices
It captures and deploys data to or from most USB Flash
drives
It is compatible with Thumb Drives, Pen Drive type devices,
Flash Memory Cards using USB Card readers, and 2.5” and
3.5” external USB drives
It can be connected directly to a PC’s motherboard and
booted as an IDE device
It allows data cloning to or from the attached USB drive by
the Logicube Echo Plus®, Sonix®, OmniClone®
10Xi/5Xi/2Xi, and Forensic Talon®
Figure: OmniPort

EC-Council
Logicube: Desktop
WritePROtects
Logicube Desktop WritePROtects is a data recovery adapter used
to protect the hard drives
It comes in two versions:
• IDE Desktop WritePROtect
• SATA Desktop WritePROtect
It allows only a small subset of the ATA specification commands
to flow to the protected drive and blocks all other commands
It connects via IDE or SATA cable to the HDD forensic tools for
data capture
It guarantees read-only access when analyzing the captured or
cloned drive under Windows
Figure: Desktop WritePROtects

EC-Council
Logicube: USB Adapter
• Store/restore images to a network server
• Modify a drive's contents
• Defragment the master drive
• Reformat the master drive
• Manage partitions using the third party
software
It allows the investigator to:
USB Adapter allows for cloning and drive management directly through
the USB (1.1 or 2.0) port on a PC or laptop
It is capable of cloning at speeds up to 750 MB/min
Figure: USB Adapter

EC-Council
OmniClone IDE Laptop Adapters

EC-Council
Logicube: Cables
• F-CABLE-30A
• F-CABLE-5
• F-CABLE-9
• F-CABLE-RP10
• F-CABLE-RP15
• F-CABLE-RP2
• F-CABLE-RP5
• F-CABLE-SOL
OmniClone IDE Cables
• F-CABLE-SAS5
• F-CABLE-SATA
• F-CABLE-SATA18
• F-CABLE-SATAEP
• F-CABLE-SATAXI
OmniClone SATA Cables
• F-CABLE-RP2U
• F-CABLE-RP5U
• F-CABLE-RP10U
• F-CABLE-RP15U
• F-CABLE-SOLU
• F-CABLE-5U
• F-CABLE-9U
• F-CABLE-30U
• F-CABLE-XI, F-CABLE-2XI
• F-CABLE-5XI, F-CABLE-10XI
OmniClone UDMA IDE Cables
• F-CABLE-SCSI
• F-CABLE-SCSI2
• F-CABLE-SCSI4
OmniClone SCSI Cables

EC-Council
Power Supplies and Switches
Tableau products share common power supply
requirements
Tableau T2 Drive Power Switch:
• Using the T2, you can safely connect and disconnect a device
from a power supply without having to turn off the power
supply
• No forensic kit bag should be without a T2
Tableau TP1 Power Supply:
• Ensures that a single power supply would work across full
lines of Tableau products
• Tableau sells the TP1 under two part numbers:
• Part number "TP1" includes the power supply and a 6' US-style
IEC line cord
• Part number "TP1-NC" includes only the power supply itself
Figure: T2 Drive Power Switch
Figure: TP1 Power Supply

EC-Council
DIBS Mobile Forensic
Workstation
• Full size laptop with Intel Pentium M Centrino
1.7 GHz processor
• 1GB DDR2 SDRAM 533MHZ
• 80GB ATA-100 forensic hard drive running
Windows XP
• Forensic software and operating systems are
fully installed and configured on the hard drive
Major Specifications:
DIBS® computer forensic equipment is designed
for easy operation under standard operating
conditions
Figure:
DIBS Mobile Forensic Workstation

EC-Council
DIBS Advanced Forensic
Workstation
DIBS® Advanced Forensic Workstation is a highly
developed and versatile item of the forensic equipment
and yet it is easy and intuitive to learn and use
It provides copying and analysis of drives using the
Windows XP operating system
The custom designed unit uses standard components and
sub-assemblies of the highest quality, configured in such a
way so as to maintain maximum evidential integrity
Hardware and software modifications are tailored
according to the needs of the forensic investigation,
enabling the investigator to accurately and efficiently
perform computer forensic analysis
Figure: DIBS Advanced Forensic
Workstation

EC-Council
DIBS® RAID: Rapid Action
Imaging Device
DIBS® RAID is a tough yet lightweight unit
designed to enable copying of a suspect computer
hard disk onto another clean hard disk
The average copying speed can be as fast as 2.4GB
per minute and depending on the specifications of
the hard drives, up to 4GB per minute
Two complete copying units are included together
with a selection of hard disks to which copies can
be madeFigure: Rapid Action Imaging
Device

EC-Council
Forensic Archive and Restore Robotic Devices:
Forensic Archive and Restore (FAR Pro)
The system includes an all in one Robotic Duplicator,
with a 100 disk capacity and customized software
Achieves forensic investigative data
The software performs MD5 and SHA1 hashes to
validate the archive
The unit will also print labels
Figure: FAR Pro

EC-Council
Basic Software Requirements in
a Forensic Lab
• To make an exact copy of the target hard disk data without
altering data
Imaging software:
• To convert one type of file into another typeConversion software:
• To compare different files and convert documentsAnalysis software:
• To view the different types of image and graphic filesViewing software:
• To gather and examine data on a real-time basisMonitoring software:
• To get the information from the encrypted files, hash sets, and
erase utilities
Security utility software:
Computer forensics lab should have the following basic software:

EC-Council
Maintain Operating System and
Application Inventories
The following are the application inventories and
operating systems that must be maintained:
• Windows XP, 2003, and Windows 2000 operating system
• Linux / Unix / Mac OS X / iMac operating system
• EnCase, FTK, and other forensic software
• Imaging tools like R-drive, SafeBack etc.
• Programming language applications such as Visual Studio
Suite
• Graphics tools such as Adobe Photoshop, CorelDraw etc.
• Specialized viewers such as QuickView and ACDC
• MS Office Corel Office Suite / StarOffice/OpenOffice

EC-Council
Paraben Forensics Software:
Device Seizure
Device Seizure v2.1 is a software that acquires and analyzes data from over
1,950 mobile phones, PDAs, and GPS devices including iPhones
It was designed from a forensic grade tool that has been upheld in countless
court cases
Device Seizure can acquire the following data:
• SMS history (Text Messages)
• Deleted SMS (Text Messages)
• Phonebook
• Call history
• File system (physical memory dumps)
• GPS waypoints, tracks, routes, etc.
• PDA databases
• Registry (Windows Mobile Devices)

EC-Council
Device Seizure: Screenshot 1

EC-Council
Device Seizure: Screenshot 2

EC-Council
Paraben Hard Drive Forensics:
P2 Commander
• Back end Firebird database for supporting massive amounts of data
• Multi-threading and task scheduling capabilities to process more data in less time
• Examines logical and physical disks as well as individual files and folders with
FAT12, FAT16, FAT32, and NTFS file systems
• Chat database plug-in supports many chat clients for viewing chat database contents
• Forensic Sorter plugs-in sorts data into relevant categories
P2 Commander Features:
Paraben's P2 Commander is a comprehensive digital forensic tool
designed to handle more data efficiently during the entire forensic
process
It utilizes Paraben's advanced plug-in architecture to create
specialized engines that focus on things such as e-mail, network e-
mail, chat logs, and file sorting

EC-Council
P2 Commander Screenshot

EC-Council
Paraben Hard Drive Forensics:
P2 eXplorer
Paraben's P2 eXplorer mounts the forensic image on the machine
while preserving the forensic nature of the evidence
The image is mounted as the actual bitstream image, preserving
unallocated, slack, and deleted data
Features:
• Mounts Paraben's Forensic Replicator images (PFR)
• Mounts compressed & encrypted PFR images
• Mounts WinImage non-compressed images
• Mounts EnCase images (up to v4.02a)
• Mounts RAW images from Linux DD & other tools

EC-Council
P2eXplorer Screenshot

EC-Council
Crucial Vision
http://crucialsecurity.com/
Crucial Vision is a digital forensics bulk-process preview and
holistic examination tool
It performs faster searching and processing by implementing the
patent-pending algorithm to find more files in the FAT file system
It employs unique file recovery technology
Forensics analysts can encounter large volumes of data by
providing a holistic view of all their data

EC-Council
Crucial Vision: Screenshot 1
Source: http://crucialsecurity.com/

EC-Council
Crucial Vision: Screenshot 2
Source: http://crucialsecurity.com/

EC-Council
CD/DVD Inspector
CD/DVD Inspector Features:
• Complete CD imaging
• Supports creation of ZIP images from media
• Supports DVD media recovery
• File scanning
• Built-in image viewer
• Low-level sector examination and scanning
• CD Text, ISRC, and RID audio disc display
CD/DVD Inspector is a software for intensive analysis and extraction of data
from CD-R, CD-RW, and DVD media
It reads all major CD and DVD file system formats including ISO-9660, Joliet,
UDF, HFS, and HFS+

EC-Council
AccuBurn-R for CD/DVD Inspector
AccuBurn-R produces exact copies of discs that
have been imaged using CD/DVD Inspector
It supports all type of discs, such as:
• VCD / SVCD / XVCD video discs
• Karaoke discs
• Unfinalized drag-and-drop discs (write-once
media)
• Discs with read errors
• DVD Video

EC-Council
Flash Retriever Forensic Edition
• Complete imaging of flash devices in raw format
• Use with EnCase E01 image files
• Multiple-media support
• Thumbnail display for photos
• Report generator
• Supports row camera files
Flash Retriever Forensic Edition features:
Flash Retriever Forensic Edition is a professional tool for examining,
recovering, and documenting flash-based media
It recovers pictures and files from all types of flash media and creates
hashed image file and restores image file to media

EC-Council
Screenshot 1

EC-Council
Screenshot 2

EC-Council
ThumbsDisplay
• Shows all thumbnail file: thumbs.db,
thumbcache_idx.db, thumbcache_32.db etc.
• Displays all thumbnail images with original file name
and timestamp
• Prints individual image and copies to the clipboard for
inclusion in a document
• Displays thumbnail in three sizes: 96x96 (original)
150x150 or 200x200
ThumbsDisplay features:
ThumbsDisplay is a tool for examining and reporting on the
contents of Thumbs.db files used by Windows

EC-Council
TEEL Technologies SIM Tools:
SIMIS
SIMIS mobile handheld reader enables the investigator to
collect data from multiple SIM cards for on-site analysis and
later to review by using SIMIS PC software
Its independent testing and wide range of support of SIMs
enables examiners to get maximum data from the SIM
Features of SIMIS:
• Complete analysis and data dump of SIM cards
• Easy interfacing and reporting
• Unicode supported to display native language characters
• MD5 and SHA-256 hashing of data
• Nextel, Thuraya, Irridium, and Inmarsat SIM supported
• "Hot Number" enables identification of special interest numbers
during reads
Figure: SIMIS mobile handheld
reader

EC-Council
SIMulate
SIMulate features:
• Recovers and duplicates all available data from a
SIM card
• Produces a working duplicate or many duplicates
for evidence recovery and analysis
• Generates report with encrypted security hashes
• Generates any number of cards
SIMulate - Forensic SIM duplication tool recovers all available data from a SIM
Card under forensics examination and produces a working duplicate for
evidence recovery and analysis
Cards produced with SIMulate can be reused - It irretrievably erases data on
the SIMulate duplicate before writing new data to the card

EC-Council
SIMgen
SIMgen is a SIM card creation tool for handset interrogation and
is used to unlock data on phones with missing SIM cards
It allows the creation of a generic SIM card with user-
configurable IMSI, ICCID, and MSISDN
It allows the card details obtained from the handset’s physical
memory (typically) to be generated on a generic SIM
SIMgen features:
• Used for interrogating phones with SIM cards missing
• Enables examiners to program a blank SIM card with IMSI, ICCID,
and MSISDN
• No network connection
• Generates any number of cards
• SIMGen cards can be reused

EC-Council
LiveDiscover™ Forensic Edition
• Live forensic network mapping
• Live forensic vulnerability assessment
• Recognizes Windows, Unix, Linux, Macintosh,
VMS, Novell, OS/2, and Sun operating
systems
• Modifies or adds custom vulnerability scripts
• Generates the detailed forensic report
Features of LiveDiscover™ FE:
LiveDiscover™ scans a range of the selected IP addresses and
generates comprehensive forensic reports
It allows for the creation of customized vulnerability scripts and
provides a comprehensive view of the enterprise under investigation

EC-Council
Tools: LiveWire Investigator
• Examines a running computer while it continues to operate
• Conducts investigations without disrupting operations
• Maintains functionality of the critical systems
• Captures and records running state (Volatile Memory Snapshot, Live
Registry Examination, System Log)
• Collects key information on running programs, network connections,
and data transmissions (IP, NetBIOS, Routing table acquisition)
• Obtains information that would be lost if the system was shut down
(Running processes)
• Investigates and documents suspicious activity as it is occurs
Features of LiveWire Investigator:
LiveWire Investigator examines computer systems quickly and inconspicuously, capturing
relevant data, including running state, while the system being investigated continues to
operate
It is simple to operate; it adheres to digitals forensics best practices, and provides an
extensive array of data acquisition options and analytical tools

EC-Council
Summary
A Computer Forensics Lab (CFL) is a designated location for conducting computer
based investigation on the collected evidence
Budget for a forensic lab is allocated by estimating the number of cases that would
be examined
An ideal lab consists of two forensic workstations and one ordinary workstation with
Internet connectivity
The lab should be inspected on a regular basis to check if the policies and procedures
implemented are followed
Forensics lab should be under surveillance to protect it from intrusions
The American Society of Crime Laboratory Directors (ASCLD) is an international
body certifying forensics labs that investigate criminal cases by analyzing evidence

EC-Council

File000120

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à File000120

Similaire à File000120 (20)

Plus de Desmond Devendran

Plus de Desmond Devendran (20)

Dernier

Dernier (20)

File000120