From the course: CompTIA Security+ (SY0-601) Cert Prep: 9 Operations and Incident Response

Digital forensics toolkit

- [Instructor] Forensics work is computationally intense and it requires access to a robust digital forensics toolkit. You'll need to begin with a digital forensics workstation. When you're selecting the hardware that you're going to use for forensics, be sure to choose a system that has quite a bit of RAM and a powerful CPU. Both of those will be invaluable when performing the computationally intensive process of processing evidence and calculating hash values. You'll also want a system with plenty of onboard hard disk space for storing intermediate analyses.

Your forensics workstation should be loaded with the forensic software of your choice. You'll need a forensic analysis tool such as EnCase, FTK, or Autopsy. These are robust suites of forensic tools that dramatically speed up the analysis process. They can consume images and other forensic artifacts and quickly process them, pulling out relevant information for your analysis. You'll also need a set of cryptographic tools. These include hashing utilities such as md5sum and shasum, as well as encryption tools that you can use to protect sensitive evidence or communicate with other incident response team members in a secure fashion. And you'll need log viewers capable of processing the log files from all the various components of your enterprise infrastructure.

In addition to storage on your forensics workstation, you'll need access to a good supply of large removable media drives for the storage of drive images and other forensic evidence. Make sure that those drives are wiped clean before each time that you use them to store evidence. And don't forget to include write blockers to prevent the accidental corruption of evidence while you process it, as well as a collection of drive adapters, connectors, and cables of various types to process devices that you bring into evidence.

You should also have access to the documentation that is part of your forensic and incident response process. This includes a copy of your incident response plan, chain of custody forms, incident forms, and a call list and escalation list for other team members that you might need to contact. And finally, you'll want to have some miscellaneous other items available to you as you collect evidence. These include standard office supplies, cameras to collect photographic and video evidence, crime scene tape, evidence bags, and tamper-proof seals.

Now, that's a lot of items to collect in advance of a forensic task, but you'll be happy that you've done those when the time comes to use your toolkit. You don't want to be hunting around for a connector or driving to the store to purchase drives when an incident is underway.
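The hashing utilities the instructor lists (md5sum, shasum) earn their place in the toolkit because the digests they produce are what lets you prove later that an image has not changed since acquisition. The script below is an added example, not part of the course or its transcript: it does with Python's hashlib what md5sum and shasum do at the command line, hashing the image once in chunks so a multi-gigabyte file never has to fit in RAM, records the digests in a small JSON manifest alongside chain-of-custody fields, and then re-verifies the image. The file names, case identifier, examiner name and the sample "image" bytes are all constructed for the demonstration; no real evidence format is parsed.

```python
"""
Evidence integrity manifest: hash an acquired image at acquisition time,
record the digests, and re-verify on every later handling.
Added example (not the course's own material); all names and data are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so large images stream through the hashers


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, computing every digest in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(evidence_path, manifest_path, examiner, case_id):
    """Record acquisition hashes together with basic chain-of-custody metadata."""
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "file": os.path.basename(evidence_path),
        "size_bytes": os.path.getsize(evidence_path),
        "hashes": hash_file(evidence_path),
    }
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_against_manifest(evidence_path, manifest_path):
    """Recompute the recorded digests; return (ok, list of algorithms that disagree)."""
    with open(manifest_path, "r", encoding="utf-8") as fh:
        record = json.load(fh)
    current = hash_file(evidence_path, tuple(record["hashes"]))
    mismatched = [alg for alg, digest in record["hashes"].items() if current[alg] != digest]
    size_ok = os.path.getsize(evidence_path) == record["size_bytes"]
    return (not mismatched and size_ok), mismatched


def demo():
    """Acquire -> verify (clean) -> alter one byte -> verify (must fail).

    Returns (clean_ok, tampered_ok); expected (True, False).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop_disk.img")            # constructed file name
        manifest = os.path.join(workdir, "laptop_disk.manifest.json")
        with open(image, "wb") as fh:
            fh.write(b"CONSTRUCTED SAMPLE IMAGE " * 4096)          # stand-in for a disk image
        write_manifest(image, manifest, examiner="J. Doe", case_id="CASE-0001")  # constructed
        clean_ok, _ = verify_against_manifest(image, manifest)
        # Change a single byte: every digest in the manifest must now disagree.
        with open(image, "r+b") as fh:
            fh.seek(100)
            fh.write(b"X")
        tampered_ok, _ = verify_against_manifest(image, manifest)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Two digests are recorded rather than one so that a manifest written today remains checkable against whichever algorithm a court or a peer lab expects; the verifier trusts only the algorithms named in the manifest, and a size check catches a truncated copy even before the hashes are compared.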
