How to make a simple forensic/investigation framework

From Forensics Wiki
Revision as of 15:13, 28 August 2009 by Atilaromero


Often, forensic labs are overloaded and investigators complain about the long waiting time. The solution for both sides is to reduce the amount of seized material that has to be examined.

But how do you know whether a computer is relevant without looking into it? And how can it be examined quickly and in a forensically acceptable way?

Many procedures are emerging around the world that allow the investigator to access seized computer data remotely, in an environment configured and maintained by the forensic professional. The investigator can perform an initial analysis and quickly point out the most important computers among all those seized. This speeds up the subsequent forensic exam, which is far more time consuming, and reduces the number of computers on which that exam has to be performed.

Hardware

  • Server with large storage capacity - to keep the seized disk images.
  • Samba server - to be accessed by the investigators.

Software

  • GNU/Linux
  • Samba
  • SquashFS
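The following shell script is an added example and is not part of the original wiki page; it sketches how the three software components above can be glued together on the storage server. It assumes a layout of its own (image, archive and mount directories under /srv/forensics, an "investigators" group, a case id as the share name) and assumes that SquashFS is used as the compression and read-only layer: each case's images are hashed into a manifest, packed into a SquashFS archive, and exposed through a Samba share that is read-only, denies guest access and is limited to named investigator accounts. Mounting the archive needs root and is therefore only printed, not executed.

```shell
#!/usr/bin/env bash
# Added example (not from the Forensics Wiki page): glue for a minimal
# investigation server built from GNU/Linux, SquashFS and Samba.
# Assumed layout: raw images arrive in $IMAGE_DIR/<case>/, SquashFS archives
# are written to $SQUASH_DIR and mounted read-only under $MOUNT_ROOT.
set -eu

IMAGE_DIR="${IMAGE_DIR:-/srv/forensics/images}"     # assumed path
SQUASH_DIR="${SQUASH_DIR:-/srv/forensics/squash}"   # assumed path
MOUNT_ROOT="${MOUNT_ROOT:-/srv/forensics/mnt}"      # assumed path

# Print the SHA-256 of a file; falls back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Record the hash of every image in a case directory, so that what is later
# served to investigators can be shown to be unchanged since acquisition.
# Prints the number of files recorded.
write_manifest() {
    case_dir="$1"; manifest="$2"
    : > "$manifest"
    for f in "$case_dir"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")" >> "$manifest"
    done
    wc -l < "$manifest" | tr -d ' '
}

# Pack a case directory into a compressed, inherently read-only SquashFS
# archive. Needs squashfs-tools; returns 1 instead of aborting if it is absent.
build_squashfs() {
    command -v mksquashfs >/dev/null 2>&1 || return 1
    mksquashfs "$1" "$2" -comp xz -noappend >/dev/null
}

# Emit a Samba share stanza for one case: read-only, no guest access,
# restricted to members of the investigator group (group name is assumed).
smb_share_stanza() {
    case_id="$1"; mount_point="$2"; group="${3:-investigators}"
    cat <<EOF
[$case_id]
    path = $mount_point
    comment = Seized images for $case_id (read-only)
    browseable = yes
    read only = yes
    guest ok = no
    valid users = @$group
EOF
}

# Sanity-check a stanza before it is appended to smb.conf: a writable or guest
# share would let evidence be altered or read anonymously.
check_stanza() {
    printf '%s\n' "$1" | grep -Fxq '    read only = yes' || return 1
    printf '%s\n' "$1" | grep -Fxq '    guest ok = no'   || return 1
    printf '%s\n' "$1" | grep -Eq  '^    valid users = @' || return 1
}

# Demonstration on a constructed case with a dummy image file.
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/case-0001"
printf 'constructed dummy image, not real evidence\n' > "$demo_dir/case-0001/disk0.dd"

write_manifest "$demo_dir/case-0001" "$demo_dir/case-0001.sha256" >/dev/null
echo "manifest:"; cat "$demo_dir/case-0001.sha256"

if build_squashfs "$demo_dir/case-0001" "$demo_dir/case-0001.sqsh"; then
    echo "archive: $demo_dir/case-0001.sqsh"
else
    echo "mksquashfs not installed; archive step skipped"
fi
# To be run as root on the server (not executed here):
echo "mount -t squashfs -o ro,loop $SQUASH_DIR/case-0001.sqsh $MOUNT_ROOT/case-0001"

stanza="$(smb_share_stanza case-0001 "$MOUNT_ROOT/case-0001")"
check_stanza "$stanza" && printf '%s\n' "$stanza"
rm -rf "$demo_dir"
```

The stanza is appended to /etc/samba/smb.conf only after check_stanza passes; the manifest is kept with the archive so an investigator's copy of an image can be compared against the acquisition hash at any time.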