Creating a digital forensic laboratory is a responsible step. The effectiveness of the laboratory depends on what software, hardware and equipment will be purchased.
DFC specialists took part in the creation and upgrade of several digital forensic laboratories owned by state organizations and private entities and today they will share their tips and tricks.
Choosing a workstation configuration is an important step. The effectiveness of digital examiners depends on the way the workstation is configured.
However, we want to pay special attention to one point: the workstation should work as quietly as possible. Imagine an open space where several powerful computers are installed, each of which makes a noise like a server. The employees’ headache and poor health are guaranteed. Silent workstation performance is achieved by using low-noise fans and passive cooling systems.
Do not use top-end hardware. Buying the most expensive processor, memory and motherboard for your new workstation is not the best idea. We had many problems with a workstation in which such components were used.
In our opinion, this configuration is optimal today:
OS: Windows 10 Pro 64-bit
CPU (2): E5-2660 v4 (14 core)
RAM: 64 GB DDR4-2133 ECC
OS Drive: 1 TB SSD
Temp/Cache/DB Drive: 256 GB SSD
Data Drive: 8 TB 7200rpm
RAID Drives: 5×4 TB 7200rpm
Video Card: GeForce GTX 1080
We recommend using two or more monitors for each workstation.
The most effective work is achieved when a digital examiner uses two workstations in their work.
Use network storage to store cases, forensic images, etc. Network storage with a capacity of 100-150 TB proved to be quite effective.
Use 10 Gbit network cards. They will allow you to transfer data from the workstation to network storage quickly.
A Tableau Write Blockers Kit
It’s a good idea to have as many different forensic tools as possible in the digital laboratory. This will allow a forensic examiner to work cases as quickly and efficiently as possible. It also makes it possible to recheck the results of an examination effectively.
However, if you have a limited budget, we recommend buying this software:
Windows 10 Pro
AXIOM (Magnet Forensics)
The rest of the tools can be purchased as the laboratory develops.
Also, a lot of research can be done using freeware tools. Sometimes these tools outperform commercial tools in functionality.
If you create a digital forensic laboratory in a government organization, for example in a police department, it most likely already has its own case management software, and your task is just to add the new laboratory to the network of existing ones.
In other cases, you can use free or paid CRM systems. Some CRM systems can also be adapted to your management needs.
Of the specialized tools, we recommend Kirjuri (a web application for managing cases and physical forensic evidence items) and Lima Forensic Case Management.
We recommend using a separate workstation for the production of video forensics cases. We recommend using the following forensic tools:
Very good results in recovering deleted videos can be obtained using X-Ways Forensics. We have written about this tool above.
We recommend using a separate workstation to carry out mobile forensics research.
There are a lot of tools for mobile forensics. That is why it is difficult for a beginner to understand what they need to carry out this research effectively. We recommend using the following mobile forensic tools:
UFED 4PC (with CHINEX, UFED Camera Kit)
Cellebrite UFED Touch
Cellebrite cables and adapters
Oxygen Forensics DETECTIVE
Elcomsoft Mobile Forensic Bundle
We recommend using SP Flash Tool to retrieve data from MTK-based phones.
A Faraday Box (Ramsey)
We recommend using the following tools for Cloud forensics:
UFED Cloud Analyzer
Elcomsoft Cloud eXplorer
We recommend using flashers for JTAG research:
Easy Z3x JTAG BOX
Samsung anyway S101
For Chip-off we recommend using:
VISUAL NAND RECONSTRUCTOR (STARTER KIT, Rusolut)
SMARTPHONE KIT (Rusolut)
CHINESE SMARTPHONE KIT (Rusolut)
NuProg-E UFS/EMMC Programmer
IN-UFS-Socket BGA Opentop
N-UFS-065-BGA095-115130-02O BGA Opentop
N-UFS-050-FBGA153-115130-02O BGA Opentop
We recommend using the Weller WHA 300 Hot Air Reworking Station or the Ersa HR100 Hybrid Rework system for desoldering chips.
We recommend using a separate workstation for data recovery work. You will need special hardware and tools for data recovery:
PC-3000 Express Professional System (Acelab)
Data Extractor Express (Acelab)
PC-3000 Flash (Acelab)
Many people believe that it is enough to buy ordinary office desks and chairs to equip a digital forensic lab. However, it is not so. Tables must have abrasion resistant coatings. We recommend the use of special laboratory tables.
Office chairs should be as convenient as possible. We recommend using not ordinary office chairs but gaming chairs.
The table where the electronic equipment is assembled and disassembled should be equipped with an antistatic mat and an antistatic bracelet.
About the authors
Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.
Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.