Building a Forensic Workstation - Digital Archaeology (2014)

Digital Archaeology (2014)

19. Building a Forensic Workstation

The civilizations of ancient times did not have huge factories churning out products at the rate of a few hundred thousand per day. If a particular tool was needed, the appropriate craftsman was called upon to make it. While it is true that there are several different commercially available models from which a forensic department can select its systems, it is also quite possible—and far more economical—for an organization with some moderately skilled hardware technicians to build the systems on their own. In this chapter, I will define what makes up a forensic workstation. From there, I will describe some of the most popular commercially available products, and then go on to discuss the components that go into making a system from scratch, and what to think about when selecting each part.

A cautionary note is in order here. This chapter is targeted for PC hardware technicians and presupposes that the reader has a working knowledge of computer hardware. There is neither time nor space in this volume to explain every term used in this chapter. Several good volumes on computer hardware exist, including two by this author. Among these are The A+ Guide to PC Hardware Maintenance and Repair (Graves 2006) and Scott Mueller’s (2012) Upgrading and Repairing PCs, which receives annual updates.

Which brings up the next thorn in the side of any PC designer. This chapter will speak of processor speeds, memory capacity, rotational speed, and the like. By the time this book sees print, what was state of the art at the time I wrote these words is trailing technology when you read it. Keep that in mind, and recognize that it is the concepts that matter and not the specifications.

What Is a Forensic Workstation?

At the heart, a forensic workstation is just a more powerful computer. There are a few other differences that set this machine apart from the glorified word processor that sits on most people’s desks. There are three major factors to address when setting up any machine to perform digital investigations—power, security, and the accessibility and authenticity of data. It isn’t just the hardware that dictates how well these factors will be addressed either. Your choice of an operating system has a significant impact on all of the above.

Computer Power

Systems that are dedicated to forensic investigations need to be significantly more powerful than those used for conventional office applications. The tasks performed by this system involve extremely complex searches of very large data sets. Trying to crack an encryption password can involve billions of trial and error attempts. A lot of CPU power and vast amounts of memory will dramatically speed up the effort.

Significant amounts of hard disk space are required for image files, temporary files, and the more complex applications run by the digital detective. A typical forensic workstation does not have a single hard disk, but will likely contain an array of several. Details about the individual components that go into the making of a workstation are covered in the second half of this chapter.

Computer Security

A lot of the work that is done by the forensics team is of a nature that its findings are likely to get somebody in trouble—perhaps significant amounts of trouble. Therefore, it stands to reason that if that someone can find out who is looking into their activities, they might try to put a stop to it. Forensics labs are typically in secure environments to start with. Gaining physical access to the machines should be as difficult as possible without making it inaccessible to the forensics team.

Network security is another issue. It is a good policy for the forensic stations to be on their own subnet, isolated from the rest of the corporate network. There should be no Internet access directly to these computers. If Internet access is deemed necessary for the forensic network, it should be through a secure firewall.

Operating system security is similar to any other system. A good antivirus product needs to be updated regularly. Additional precautions should be regularly taken. Scan each system regularly to see if a rootkit has made its way into the system.

Accessibility and Authenticity of Data

Accessibility and authenticity is an arena where the forensic workstation differs greatly from most other desktop computers. Due to the wide variety of data sources the system must be able to access, the I/O subsystem must be substantially beefed up. Additionally, it is necessary to assure that original evidence is not overwritten by processes in the investigative procedure. To do this, there must be some mechanism in place that write-protects the device being copied.

On many systems, the BIOS can be configured to write-protect certain ports. Since BIOS is a function of the system board, your selection of this component should factor in this capability. Another method of write-protecting specific types of components is to use a third-party controller board instead of an on-board controller built into the system board. This is something that will be discussed in greater detail later in the chapter.

Commercially Available Forensic Workstations

While this book is not intended to be a promotional guide for specific products, this is an area in which there are relatively few options. Therefore, I will try to describe the features available in each one without intending or inferring any preference of one brand over the other. I do not have extensive hands-on experience with every brand. Some brands that will be discussed in this section include Digital Intelligence, Forensic Computers, and Tritech Forensics.

Each of these manufacturers features a line of products, and it is outside of the scope of this book to attempt a complete review. The following represents only a sampling of products available at the time of this writing. This is a very volatile industry, and by the time you are reading this, it is likely that the offerings will be different.

Digital Intelligence

Digital Intelligence is the home of FRED and FREDDIE. FRED is an acronym of Forensic Recovery of Evidence Device, while FREDDIE is Forensic Recovery of Evidence Device Diminutive Interrogation Equipment. FRED is available as FRED, FRED DX, FRED SR, and FRED-L. Each of these models is available in multiple configurations. FREDDIE is a portable field machine designed for a first responder or field investigator.


FRED can be had as a basic model or two DX models, one with a single RAID array and one with dual RAID arrays. RAID stands for Redundant Array of Independent Disks and can contain anywhere from two to dozens of hard disks. In FRED’s case, each array contains five individual disk drives. All configurations include write-protected ports for IDE drives, SATA, and SCSI drives.

A device unique to FRED is the UltraBay. This device occupies the top 20% of the tower and provides external connections for a wide variety of devices. Write-protected ports can be switched between conventional read/write to write-protect mode by way of keypad controls. Additional ports allow USB, FireWire, and eSATA devices to connect to the system in either mode.

A built-in imaging shelf allows bare hard disks to be installed in hot-swappable bays. A push of a button opens the tray, and a hard disk is easily inserted. Both power and data buses are configured in such a way that the drive (regardless of form factor) plugs right in without fighting with a lot of cables. The system has two shock-mounted SATA bays that also support IDE drives, and an additional four hot-swap bays that support IDE or SATA drives.

For reading digital media, a forensic media card reader provides write-protected access to virtually every type of memory card currently manufactured. As with the drive connectors, any of these ports can be switched between read/write and write-protect with a few keystrokes.

USB support includes all versions from 3.0 down. There are six 3.0/2.0 ports and eleven 2.0/1.x ports. Of these, one each is write-protect only. One 400Mb/s FireWire port connects from the back of the system. Three 800Mb/s FireWire ports are also available, two from the back and one out of the UltraBay.

On the standard FRED, there are two hard disks included. A 300GB hard disk hosts the OS and the forensic software, while a 1.5TB disk holds the data. The RAID-equipped models feature a 150GB OS/Application disk and a 1.5TB data disk. As configured, the array is not populated. It can be configured with between two and five SATA or SAS drives connected to an Adaptec 8-port RAID controller in RAID 0 (a striped array for fastest performance). Since the controller supports 2TB drives, this allows up to 10TB of storage for large forensic images. The dual-raid offers another drive set up to 10TB.

The buyer has two different processor options for any of these systems. The lowest priced option includes an Intel i7 quad-core processor and 6GB of triple channel DDR. It can be upgraded to 24GB. The dual-Xeon option boasts two quad-core Xeon processors and ships with 12GB of RAM. This option allows the user to install as much as 144GB of RAM for extremely memory hungry operations.

All FRED models ship with Windows 7 and Windows 98SE configured as a dual-boot system. A full forensic distribution package of SuSE Linux is included on DVD. Additional software that ships with the system includes

• DriveSpy (a DOS shell for forensic applications)

• Image (a DOS shell for creating forensic images)

• PDWipe (a disk wiping utility that exceeded DoD specifications for data security)

• PDBlock (a DOS utility for write-protecting hard disk drives) and PART (a DOS partitioning utility)

The SR model of FRED adds enhanced processing and I/O as well as more robust networking capabilities. It is the equivalent of the dual-Xeon DX with dual gigabit Ethernet controllers. Expansion slots are all PCIe, and each of the processors is equipped with a dedicated memory bank. This is the equivalent of having six memory channels.


FREDDIE is an integrated device that has some of the aspects of a portable computer (without the sleek form factor of a laptop) and some of the aspects of a full-sized workstation. It isn’t exactly a lightweight—the base model comes in at around 55 pounds. However, the investigator will not feel like a lot of shortcuts were taken in the design.

The unit is equipped with the same UltraBay as is featured in the lab machines. The computer is powered with a 3.2GHz quad-core processor and ships with 12GB of triple-channel memory. A 300GB 10,000 rpm SATA drive hosts the OS and applications, while a 1.5TB 7,200 rpm drive acts as a repository for data. It has two shock-mounted SATA drive bays for attaching additional drives. Seven SATA connections on the rear of the computer allow for connecting a large number of externally mounted drives. Eleven USB and two FireWire ports provide connectivity to external peripheral devices. The Digital Intelligence Forensic Media Card Reader ships as an accessory device for connecting virtually every form of flash memory device currently (or historically) in production. Write-protection exists for every form of media.

As with the full sized models, FREDDIE is configured to dual-boot from either Windows 7 Ultimate 64-bit or Windows 98SE. Optionally, a SuSE Linux DVD allows for a Linux configuration to be built. All of the same software that ships with FRED also ships with FREDDIE.

Forensic Computers

Forensic Computers offers a line of 11 lab systems and 6 portable field systems. Their base model lab system is a full tower with a heavy compliment of WiebeTech components. Bay one is occupied with a WiebeTech Forensic Labdock. This is a write-protected I/O interface that allows USB, IDE, and SATA devices to be connected over an external interface. Beneath it is a Wiebetech RTX100H-INT trayless SATA dock for hot-swapping SATA devices. The third bay is occupied by a hardware-based encryption device by Dataport. The fourth bay hosts a Blu-ray DVD-ROM burner. Two hard disks compliment the system. A 300GB drive acts as the OS/Application drive. A 1TB internal SATA drive functions as data storage. The OS that ships with the unit is Windows 7 Ultimate, 64-bit.

Each model of the line gets progressively more powerful and feature laden until you reach the Forensic IV. This is a dual-Xeon machine with 24GB of RAM and a pair of 2.4GHz quad-core Xeon processors. A Tableau Forensic Bridge is built into the top bay and is designed to interface with virtually every type of hard disk made over the past several years. Everything from 1.8” IDE drives to solid-state SATA drives and even SCSI can hook up to this device.

As of this writing, a complete listing for Forensic Computers’ offerings includes

• Forensic Tower

• Forensic Tower 6-core

• Forensic Tower IISE

• Forensic Tower III Core i7

• Forensic Tower III Dual Xeon

• Forensic Tower IV Core i7

• Forensic Tower IV Dual Xeon

• Forensic Analysis Workstation I

• Forensic Analysis Workstation II

• The Ultimate Forensic Machine

• Forensic Analysis SE—Rackmount

In addition to the lab machines, the company also manufactures a line of portable field machines. Their Airlite series differ from other companies’ portable offerings in that the basic machine possesses a form factor of a standard laptop computer, as opposed to the “lunch box with drive bays” approach seen elsewhere. The rest of the kit is an extensive accessory package that connects to the laptop via USB or FireWire ports. The forensic accessories are all part of the Tableau line distributed by Access Data.

Tritech Forensics

Tritech Forensics does not offer a wide or versatile line of workstations, but the one it offers is a viable option with somewhat lower cost than its competition. It is available with a choice of processors. The Intel 3.2GHz processor is listed as a six core. The AMD offering is an eight-core processor. Either way, the machine ships with 16GB of RAM.

Its storage is configured with three physical drives. The first is a high-speed 128GB solid-state drive. The OS/Application drive is a 450GB 10,000 rpm SATA drive. Data is stored on a 3TB 7,200 rpm drive. Forensic connections are made through a Tableau bridge similar to the one offered by Forensic Computers. It ships with Windows 7 Ultimate, 64-bit.

Building a Forensic Workstation From Scratch

An organization that maintains a computer support staff may be equipped to build its own forensic workstations at a substantial savings in cost. Two approaches can be taken in tackling this challenge. One way is to purchase a base computer model that has the power specifications desired and build it up by adding components specific to the task. The other way is to start from scratch, building from raw components. Either way, careful selection of products can save a lot of time and reduce headaches later on down the road.

The Hardware of a Forensic Workstation

As mentioned earlier, a key difference between the machine we’re building and a standard desktop computer is power. Power is such a relative term, isn’t it? Not so much so when discussing the machine that is going to look for invisible needles in 2TB haystacks. Most of the processes that forensic applications perform are processor intensive to the extreme and will eat up as much memory as you can possibly throw at them.

Operating systems that support large memory addresses (i.e., 64-bit vs. 32-bit) and that support more than one multicore processor are possible base candidates for a forensic workstation. In the case of the forensic workstation, power is also meant in a quite literal sense. Insomuch as the system is likely to be operating a larger number of components simultaneously, a hefty power supply is essential.

A Suitable Enclosure

The enclosure requirements for the workstation are based on a number of factors. There are two questions to ask before selecting this component: Is it desirable to connect many peripherals and source drives directly to the system? Does the IT infrastructure require rack-mounted devices or blade servers? If a lot of peripherals are going to be connected directly to the system, the enclosure needs to feature sufficient drives bays—both internal and external—to fill the needs, and it (along with the system board) must allow for sufficient expansion slots.

The power supply is frequently an integral part of the enclosure, although there are some manufacturers that sell the two components separately. If the power supply ships with the enclosure, make sure that it is the right type to work with the intended system board and that it has sufficient power connectors and can provide enough power to light up all the devices that will eventually become a part of the system. A computer that will be powering several PCIe expansion cards, a dozen disk drives, and several other devices is not going to last very long with a small power supply. For the purposes of this project, 650 W is a minimum, and 850 W is a good starting point.

In the first paragraph of this section, I mentioned that there would be both internal and external bays for disk drives. Due to the nature of the forensic investigation, hard disks are going to be added and removed on a regular basis, unless the organization intends to invest in a dedicated forensic disk imaging device (which is the best approach to take, by the way.) Therefore, external bays are more critical than internal bays. An enclosure that features hot-swappable drive bays in abundance is the best approach to take. There is still a need for internal bays. At the minimum, two internal bays are necessary, and for reasons I will discuss later, three or even four are better.

A lab that does not own a dedicated imaging system will have a particular need for hot-swap bays. At least two drive bays should be configured to be able to hot-swap both IDE and SATA drives. While current models of desktop computers all ship with SATA drives, there are still many millions of computers in the real world that operate from IDE drives.

Processor Power

It isn’t necessarily raw speed that makes a good CPU, although it is certainly true that you can’t really have one that is too fast! The ability to process several threads of code and work on multiple tasks simultaneously is a more critical talent for the CPU to possess. Additionally, a faster front side bus makes a better performer as well. The front side bus is the electronic communications path between the CPU and the rest of the components in the system. Therefore, while a 3.02GHz processor sounds much faster than a 2.5GHz processor, a larger view might be in order. The 2.5GHz quad-core processor with the 1,033Mhz front side bus may do many things faster than the 3.02GHz dual-core processor with an 800MHz front side bus.

The logic behind that reasoning is actually quite simple. A machine that can work on 4 questions at a time will answer 16 questions in four cycles. The machine that only addresses 2 at a time requires eight cycles. Assuming that speed was the only factor considered (which you cannot really do), then the quad-core finished the task in 0.0000000016 second, while the 3.02GHz required 0.0000000026 ticks. In those terms, that doesn’t sound like much. But realize that the 2.5GHz was 1.6 times faster than the 3.02GHz for this task.

How does the front-side bus come into play? It determines how many times per second the results of calculation by the CPU can be sent to RAM or other parts of the system. When the CPU can’t dump its results, it stays idle until it can. Think of it as a conveyor belt. If the bottling machine is putting out 200 bottles per minute, but the packager only gets 100 out, what happens? Either the bottles get dumped, or hopefully, the bottling machine waits for the queue to empty.

Most of today’s modern processors are multicore. What this basically means is that the designers built them to be the equivalent of two or more CPUs on the same chip. Each core can run processes separately from its counterparts as long as the operating system supports such a trick. Linux distributions since the release of the 2.0 kernel have all supported multiple processors. Windows has supported multiprocessor systems since the release of Windows 2000. Anything new you purchase is going to support multiple processors.

Currently there are two major players in the CPU field. Intel and Advanced Micro Devices (AMD) have been competing heavily on this playing field for several decades. As much as either company will disagree with this statement, neither company makes a “better” processor than the other. Each one may do certain things better than the other, but that’s about it.

As of this writing, the Intel line of processors offers up to four cores per processor, each core capable of processing two threads simultaneously. AMD recently released a CPU boasting eight cores. It is questionable whether or not it will actually be faster than the Intel quad cores, because with the AMD CPU, each core only processes a single thread.

Computer Memory

When looking at memory specifications, it isn’t hard to become a little dazed by all the terminology. There is DDR, DDR2, DDR3, and then the vendor throws out the term RDRAM to mix things up a little more. DDR simply means dual data rate, and the numbers that follow indicate the generation. The technical details could take up several pages, but it boils down to the fact that each generation is capable of processing more instructions on every clock cycle. RDRAM stands for Rambus Dynamic Random Access Memory and is a completely different technology. If your system board requires Rambus memory, it will say so in the technical specifications.

Memory and CPU go hand in hand. The later generations of CPU take the later generation of memory. Each CPU has a front-side bus speed, as discussed in the previous section. The memory must have the same bus speed to communicate with the CPU efficiently. It only makes sense. Among the various versions of DDR, there is a degree of backward compatibility. But going backwards slows down the rest of the system to keep up with the older memory. This sort of defeats the purpose of building a super-powered machine to solve our cases more rapidly. When building a machine, use the latest proven technology.

How much memory do you need? Ideally, you will populate the system with as much memory as it will support. This is dependent on both the system board used to build the workstation and the operating system used to run it. There will be a discussion of OS considerations later in the chapter, but in general, a 32-bit OS will support up to 4GB of RAM, while the newer 64-bit versions support much more. Build a 64-bit system, and dual-boot to a 32-bit OS if necessary. Forensic suites are memory hogs, and you need as much as you can get. For example, Access Data recommends 2GB of RAM per processor core. So a quad-core machine needs 8GB. A dual-processor quad-core needs 16GB.

Most of the multicore processors support dual-channel memory. Quad-core processors support four-channel memory. This means that if there are two threads running on a dual-core or four threads on a quad-core, each thread can have its own dedicated memory channel. (Quad-core processors also use dual channel memory, but will either require two pairs of memory chips or will “time-share” a single pair of chips. Obviously, the latter option will impair performance slightly.) This greatly reduces the number of processor cycles required to process each command. So essentially, you can speed up the system by correctly configuring your RAM in BIOS.

Memory should be purchased and installed in identical configurations. Mismatched memory sticks are a common source of memory errors and blue-screened operating systems. At the very least, each chip populating a single channel must be identical. Ideally, all memory modules in the system should match.

System Boards

The system board (or motherboard, as it is often called) is the most critical element in the mix. This component determines what kind of CPU you can use, what types and how much memory you can install, how many peripherals can be connected, and what type of peripheral support is provided. Some of this is a function of the BIOS, and some is a function of the physical form factor.

The system board and the enclosure are going to be married for life, so they must be a compatible mix. The form factor needs to match for both systems. A Micro ATX board is not going to be suitable for a full-sized tower case. The reverse won’t even be possible. Additionally, the power connector must be able to mate with the power supply. As long as the enclosure and system board match, there should be no problem here.

Choice of processor is critical here as well. There will be one crop of boards to choose from that will support Intel processors and another selection for AMD processors. There is no intercompatibility. If you purchase an AMD processor and a board that supports Intel chips, one or the other is going back to the vendor. So decide on your CPU and system board at the same time. If it has been decided to use multiple processors, then the playing field will be significantly reduced. There are far fewer dual-processor options in the build-your-own market.

This early in the game, you might not have a solid idea of how much memory you want to install. But it’s time to start thinking about it. While there will likely be a healthy supply of motherboards long into the foreseeable future, getting a board with all the features you will need for a forensic workstation can be more challenging. A quick review of a popular hardware vendor disclosed 88 Intel-based boards that supported only two DIMM modules and only two that allowed up to 12 modules. Manufacturers clearly are targeting the hobbyist and the mass-production users. That’s where the majority of their income lies. Far fewer computers are built that require substantial amounts of memory.

The amount of memory on a single module is known as its density. DDR3 is currently available in up to 16GB packages. So in theory, one could assume that a board with eight slots could support 128GB of RAM. Unfortunately, in that regard one could easily assume wrong. Not all chipsets support the 16GB memory module. In some cases, the 16GB module will work, but will be recognized as an 8GB module. In other case, the system will refuse to boot. So it is imperative to make sure that your selection of system board not only supports the number of memory modules you plan on installing, but also the density of those modules.

The number and types of expansion slots must be considered as well. PCI Express (PCIe) is the current standard of slot architecture. There are several incarnations of this slot. PCIe 3.0 is the fastest form and is backwardly compatible with earlier versions, so purchasing a board that only supports this version won’t hurt. (As of this writing, PCIe 4.0 is in development, but not yet released.)

There are also three different slot types. PCIe x1 is a very short slot that is used for devices that require low voltage and minimal data transfer rates. Sound cards and network interface cards frequently find their homes here. PCIe x4 is a longer slot. It will accept PCIe x1 devices as well. Some disk controller cards are designed to this standard. The PCIe x16 is the most commonly seen slot. It accepts both of the other standards as well and allows the highest data transfer rates and the highest voltages.

The vast majority of boards listed by the vendor reviewed supported three or fewer PCIe slots. Five products listed offered five or more PCIe 3.0 slots, while 14 products offered five or more PCIe 2.0 slots.

Permanent Hard Disks

The amount of long-term fixed storage is also a critical factor to consider. In the next section, I will discuss adding capabilities for hot-swapping or direct-connecting hard disks that are the subject of investigation. For maximum performance, adequate permanent storage is required as well. If you recall from the earlier section on commercially available forensic workstations, every single model offered featured a separate OS/Application drive and data drive. There are two reasons for this.

Reason number one is performance related. When hard disks are operational, they have several read/write heads mounted on arms that flick back and forth across the surface of the drive, looking for commands and data. All the arms are attached, so they have to move together. If the same disk is used for both data and applications, those arms are going to be jumping around faster than eighth-graders at a prom. To exacerbate matters, the OS is the first thing to go onto the hard disk, so it occupies all the space near the spindle of the drive. Data goes on last, so it would be along the center or outer tracks. The arm would move inward to get a command, outward to execute it, and so on and so forth. Reason number two is security. You can’t write-protect the OS.

Therefore, it is good to have a hard disk large enough to support the OS. Many investigators like to have a dual-boot system that allows them the boot to either Windows or Linux, or perhaps to an older version of Windows. Additionally, this drive will host all of the forensic applications that get installed to disk. Typically, smaller disks perform better than larger ones, so it’s a good idea to get the smallest disk that will adequately host the suite of forensic software and other utilities that are required. Always assume that several new applications are going to surface that will be needed.

A full forensic distribution of Red Hat Fedora is slightly under 3GB. A full installation of Windows 7 Ultimate, 64-bit is around a gigabyte. Forensic suites vary greatly, from just a few megabytes for The Sleuth Kit, which is primarily command-line drive, to over 3GB. Still, any way you look at it, 250GB is ample space for the OS drive. A fast drive is in order. A 10,000 rpm SATA or SAS is recommended. Several manufacturers now make 15,000 rpm drives.

The data drive must be much larger. Keep in mind that it is likely to be wiped and reformatted frequently, so brands with a good reputation for durability are the theme to follow. For the most part, some form of network attached storage or other external storage will likely be used as image libraries for evidence material. However, while an image is being processed, a copy will most likely be moved to the data drive of the forensic machine. Make it a big drive. As it was with the OS drive, speed is a virtue—although it is not quite as critical. A 7,200 rpm drive will suffice, although if the budget allows, the 10,000 rpm drive is better. The problem you may encounter here is that, as of this writing, the largest drive boasting this speed was 600GB. Most investigators do not consider this to be sufficiently large to serve as a data drive.

For ultimate speed and durability, there is no match for the solid-state drive. These devices have no moving parts, and access times for commands and data are significantly faster than conventional magnetic drives. Also, data deleted from solid-state drives is much more difficult to recover. However, as with the drives featuring higher rpms, there is a significant size limitation for solid-state drives. Pure solid-state drives peak out at around 256GB. Hybrid drives are available that integrate a solid-state drive with a magnetic disk drive. They allow for more space than pure solid state, but at a sacrifice in performance. Still, they are somewhat faster than purely magnetic drives.

Hot-Swap Bays

In the section on enclosures, the importance of having one or more hot-swap bays was discussed. Now is the time to explore that concept a little further. The hot-swap bay allows drives to be added to a computer system on the fly, without shutting down and restarting the system. They act somewhat like other removable media, except that they allow the investigator to take a suspect drive from a computer and add it to the forensic workstation without an exhaustive installation procedure.

In order to make forensically sound copies from target images, it is necessary to assure that the evidence device be fully protected from any write commands sent its way. Commercially available hot swap bays offer no write protection. They rely on a drive controller built into the system board or installed in one of the expansion slots on the system board. Such interfaces are designed with the idea that users generally want to copy data to their hard disks, and write-protection is not a standard feature.

There are a select few companies who offer solutions for this dilemma. Tableau (from Guidance Software) offers a line of controllers that install in one or more 5.25” drive bays and provide a write-protected interface to which hot-swap bays can connect. Some of the models also support external USB and FireWire interfaces. Table 19.1 lists four of the options available for building forensically sound solutions, along with the interfaces provided by each model.


Table 19.1 Tableau Write Protection Devices

To install these devices, Tableau connects to the drive controller in the system, and the data cable from the hot-swap bays connects to Tableau. Drives that are inserted into hot-swap bays controlled by Tableau are automatically detected, and the user is prompted to specify whether the device should be write-protected or mounted in read/write mode.

The two top of the line systems also feature connections for standard cables used by IDE, SCSI, and SATA drives. A 4-prong Molex power connector provides electrical current. This allows drives to be connected to the units even if there are no hot-swap bays available on the system. These devices can be part of a build-your-own configuration or can be installed into any commercially available computer system.

Write-Protected I/O

Hard disks are not the only media types to be examined during an investigation. Memory cards are becoming more common, and there is a wide variety of types. In the previous section, a Tableau device listed provides FireWire and USB ports that can be set to write protect. An external memory card reader can be attached to one of these ports for making forensically sound copies of memory cards. There is a good selection of external readers that are rated “forensically sound.” To save space, it might be preferable to have a bay-mounted reader.

There are fewer companies who make such a product. Atech Flash Technology makes a 15-in-1 media card that reads all current varieties of CompactFlash, Secure Digital, Memory Stick, and xD Picture Card formats. It is a read-only device that fits into a standard drive bay and is powered from the PC’s power supply. It hooks up to an internal USB 2.0 connection. In order to facilitate installing the device into a system with only a single internal USB connector, it ships with a Y-connector. Another convenient feature is that it has an external USB 2.0 connection for adding external devices.

Addonics makes a similar model that also reads MicroDrive devices. While the Atech only supports Windows systems, the Addonics device can also be installed on a Linux box (kernel 2.4 or higher). This makes it a better solution for building dual-boot systems.

Note that neither of the internal devices described above have been tested by NIST. Their usefulness is implied only by the fact that they can be switched from Read/Write to Read Only mode. Before using these devices in an actual investigation, it is important that you perform rigorous tests in your own environment.


Another obstacle that the forensic workstation must overcome is that of allowing easy access to I/O ports, such as USB and FireWire. Most computers have one or two front-mounted USB ports. Only a few models have FireWire at all, and those that do have the connections on the rear (except certain Macintosh models, which have front-panel FireWire).

Having a good selection of I/O ports conveniently mounted on the front of the enclosure, where they are easily accessible, is a very desirable feature. Fortunately, several companies manufacture I/O front panels that mount in an external drive bay. Two options to consider are by Vantec and Syba. Both occupy a 5.25” drive bay.

The Vantec features four USB 2.0 connectors and four FireWire 400 connectors (two are 4-pin and two are 6-pin). Additionally, an eSATA connector allows SATA devices to be connected on the fly. In order to utilize the FireWire capability, the system board must have that feature built in, or an expansion card must be installed that supports FireWire. Syba’s unit is similar, but only has one each of the different FireWire connectors.

These devices are not intended to be write-protected devices. They are only designed to connect external peripherals. Therefore, if a forensically sound image is the reason for connecting a device, it is important to use one of the write-blocking accessories discussed in Chapter 18.

The Software of a Forensics Workstation

Investigations cannot be run on hardware alone. There needs to be an operating system (OS), and there needs to be several applications installed. Since the dedicated forensics software is covered in Chapter 18, “Tools of the Digital Investigator,” I will not go over it in detail here. However, it is important that you know the minimum requirements of the software you intend to use before building a workstation. It could be a little frustrating to build a single-CPU computer with 4GB of RAM only to find that you need dual CPUs and 8GB. In addition to forensics software, there are some productivity suites and other applications that will be needed.

Operating Systems

Just because the investigative team will be looking at systems with multiple operating systems, that does not mean they need machines running them all. Most forensic tools can capture data regardless of the target OS. But they will only run on a specific host OS. The majority of systems will run on Windows operating systems. A network server will be running one of the various Windows Server applications. The forensic workstation will run Windows 7 (Windows 8 was released toward the conclusion of writing this book, but too soon to be available for any significant testing.).

Windows 7 is available in several different builds (versions of a version, if you will). The least expensive of these is Windows 7 Home, which is inadequate for our purposes. Window 7 Professional will do anything the forensics professional truly needs. If there is some reason to need extended multimedia features, Windows 7 Ultimate is only a few dollars more. Either of these versions is available in both 32-bit and 64-bit versions. This is based on your selection of a CPU in the previous section. The 32-bit OS will run on a 64-bit CPU, but not vice versa. It is highly recommended that you plan for 64-bit operation across the board.

The other viable alternative for a forensic workstation is Linux. In fact, I highly recommend that at least one of the forensic workstations in your lab be a Linux box. There are several utilities unique to Linux that have been mentioned in the course of this book that are valuable additions to the forensic arsenal.

Linux comes in a variety of distributions. All of them essentially run on the same core. This means that it doesn’t really matter if you choose Fedora, SuSE, or any of the other popular distribution packages. In fact, most of the major Linux distributors offer either a Security distribution or a Forensic distribution. Either would make a good start toward building your lab machine.

Application Software

Report writing, generating illustrations, and communications are all critical elements of everyone’s work. With the right software, all of these tasks are greatly facilitated. We are all familiar with Microsoft Office and how valuable it is to professional productivity. If the budget allows, Office is a great product. However, there are alternatives that work just as well.

OpenOffice is a suite of applications that is freely available from Apache Systems, available in versions to run on Windows, Linux, or OSX. It includes a word processor that contains most (if not all) of the features found in the Microsoft product. Its word processing application is fully compatible with other word processors on the market and has a full range of formatting, template, and automation functions. A spreadsheet application is included that exceeds Microsoft’s in many respects. Formulae can be entered in human language without knowing a lot of programming functionality or code. Hundreds of templates make creating individualized spreadsheets such as invoices or payroll statements easy. A relational database is included that allows you to build standalone data processing applications, including inventory, case logging, and so forth. For users who need a presentation program similar to PowerPoint, the OpenOffice Impress should impress. It does everything PowerPoint does and is completely compatible. While not as user friendly as the other applications in the suite, OpenOffice Draw is still a powerful illustration too. A leaner and less resource-intensive version of OpenOffice—OpenOffice Portable—might be a good choice for laptop computers. It can run from a USB removable drive.

In the Linux environment, KOffice is very similar to OpenOffice in every regard. It even adds a utility for generating mathematical formulae (something I’m sure every forensic investigator is bound to need). Macintosh users might find the NeoOffice a good choice. However, since this product is based on OpenOffice, there is little reason not to go with OpenOffice to start with.

Processing digital images requires a specialized application of its own. For years the industry standard for digital imaging has been Adobe Photoshop (current version as of this writing is CS6). Versions are available for Macintosh and Windows users. It remains the standard-bearer, and for serious photographers, there is little that competes with it. One serious competitor is Optics Pro (its current version is 7.0). It is also available for Macintosh and Windows platforms and has many similar features as Photoshop. A freeware program that is very powerful and available for Macintosh, Windows, and Linux is GIMP (an acronym for Graphics Image Manipulator Program). While the program does have a fairly steep learning curve, it is every bit as powerful as either of the other options mentioned.

Chapter Review

1. Summarize the minimal collection of components one will need to build a basic computer system. What additional (or different) components might be needed to turn that basic system into a viable forensic workstation?

2. Aside from raw speed, what other features of a microprocessor have an impact on the chip’s overall performance?

3. List the different factors a designer must consider when selecting what type of memory to use when building a system. Assume that the system board has been predetermined and cannot be changed by the designer.

4. What is the advantage of using hot-swap bays in building a system? Why is this component of particular interest to the digital investigator?

5. Explain the difference between 32-bit and 64-bit operating systems. What are some things to consider when settling on an OS for your workstation? What is one way of avoiding having to decide?

Chapter Exercises

1. Find an online computer parts supplier (Newegg, Tiger Direct, and Directron are some good examples), and put together a shopping list for your forensic workstation. Make two lists. One will be your dream station where cost is no object, and the other will be the one your boss will actually approve—based on cost/performance/capability comparisons.

2. Find a PC that you can use for this project. It need not be anything more than a desktop PC bought from a surplus store or a retired office computer. A 1.2GHz processor and a gigabyte of RAM are all that you will need. Download a copy of Fedora Linux (the latest version). Now install the basic forensic tools. At a minimum, install The Sleuth Kit, Autopsy, and OpenOffice.


Graves, M. 2006. The A+ Guide to PC hardware maintenance and repair. Clifton Park: Thomson/Delmar Publishing.

Mueller, S. 2012. Upgrading and repairing PCs. Indianapolis: Que Publishing.