Digital Forensics: Workstations and Servers

At AVADirect, some of the most powerful computers we build are workstations that provide solutions for digital forensics. You’ve probably seen such workstations used on TV shows like CSI. The powerful capabilities of these digital forensics workstation computers comes from a combination of high-performance hardware and specialized software. There are many areas of digital forensics that include computer forensics, mobile device forensics, network forensics, database forensics, and forensic data analysis. Each area may require specialized hardware and specialized software. Mobile device forensics workstations, for example, need hardware to be able to connect to a wide variety of cell phones and software to read the data, such as communications or location data. Network forensics workstations need to be able to connect to a network and find vulnerabilities, evidence of intrusion, or capture and analyze packets of information from the network.

Forensic Data Analysis

Forensic data analysis plays a part in many of the other areas of digital forensics. An investigator must clone the suspect hard drive and then ingest, index and analyze the data, all while preserving the digital chain of custody. Specialized hardware is required to allow the workstation to connect to the hard drive via IDE, SATA, SCSI, USB, FireWire or other connection. A specialized device called a write blocker supplies the interface but limits the connection to read only so that the original suspect hard drive and it’s data is protected and cannot be altered.

Digital Forensics Servers

Specialized forensic servers may be used to store the data in arrays, or contain distributed processing units for data analysis. Specialized software is required to allow the workstation to read date from many different operating systems and identify information such as when a specific file was modified, accessed or changed or which files were removed from the operating system’s file structure. Data recovery can play a huge role in restoring files that have been deleted.

Chain of Custody

Most importantly, the evidence collected by a digital forensic investigator must be admissible in a court of law. Among other things, this means that the digital chain of custody must be preserved. The term "chain of custody" refers to documentation that identifies all changes in the control, handling, possession, ownership, or custody of a piece of evidence. Digital evidence is different from physical evidence, in that a carefully protected image of a hard drive is as good as the original hard drive in the eyes of a court. The first image of a hard drive that investigators take is known as the "best evidence," because it's closest to the original source.