From the course: CompTIA CySA+ (CS0-002) Cert Prep: 6 Incident Response

Digital forensics toolkit


- [Instructor] Forensics work is complex and requires access to a robust digital forensics toolkit. You'll need to begin with a digital forensic workstation. When you're selecting hardware to use for forensics, be sure to choose a system that has quite a bit of RAM and a powerful CPU. Both of these will be invaluable when performing the computationally intensive process of processing evidence and calculating hash values. You'll also want a system with plenty of onboard hard disk space for storing intermediate analyses.

Your forensic workstation should be loaded with the forensic software of your choice. You'll need a forensic analysis tool, such as EnCase, FTK, or Helix. These are robust suites of forensic tools that dramatically speed up the analysis process. They can consume images and other forensic artifacts and quickly process them, pulling out relevant information for your analysis. You'll also want to have access to cryptographic tools. These include hashing utilities, such as md5sum and shasum, as well as encryption tools that you can use to protect sensitive evidence or communicate with other incident response team members in a secure fashion. You'll also need log viewers capable of processing the log files from all the various components of your enterprise infrastructure.

When you take the exam, you'll need to be familiar with these tools. Know that EnCase, FTK, and Helix are all forensic suites. Fortunately, you don't need to know the detailed functioning of each of these tools. The CySA+ exam objectives specifically state that the intent of the objective is to be able to compare and contrast the general purpose and reasons for using these tools, but that you will not be tested on vendor-specific feature sets.

In addition to having storage available on your forensic workstation, you'll need access to a good supply of large, removable media drives for the storage of drive images and other forensic evidence. Make sure that those drives are wiped clean before each time that you use them to store evidence. Don't forget to include write blockers to prevent accidental corruption of evidence while you process it, and a collection of drive adapters, connectors, and cables of various types to process devices that you bring into evidence.

You should also have access to the documentation that is part of your forensic and incident response process. This includes a copy of your incident response plan, chain of custody forms, incident forms, and a call list and escalation list for other team members that you might need to contact during an investigation. And finally, you'll want to have some miscellaneous other items available to you as you collect evidence. These include standard office supplies, cameras to collect photographic and video evidence, crime scene tape, evidence bags, and tamper-proof seals. That is a lot of items to collect in advance of a forensic task, but you'll be happy that you've collected it in advance when the time comes to use your toolkit. You don't want to be hunting around for a connector or driving to the store to purchase drives when an incident is underway.
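As an added example that is not part of the course, the following POSIX shell helpers show the integrity check the hashing utilities mentioned above are used for: record the SHA-256 digest of each evidence file in a manifest at acquisition time, then re-verify it after processing so any change is detected. It assumes `sha256sum` (coreutils) or `shasum` (Perl) is installed and that evidence paths contain no tab characters; the sample evidence file is constructed inline.

```shell
#!/bin/sh
# Added example (not course material): hash-based evidence integrity check.
# Manifest format (tab-separated): <sha256>  <path>  <UTC timestamp>

hash_file() {
    # Print the SHA-256 digest of "$1", using sha256sum or falling back to shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

record_evidence() {
    # Append the digest, path and acquisition time of file "$1" to manifest "$2".
    printf '%s\t%s\t%s\n' "$(hash_file "$1")" "$1" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$2"
}

verify_evidence() {
    # Re-hash file "$1" and compare with the digest recorded in manifest "$2".
    # Exit status: 0 = unchanged, 1 = digest differs (tampered/corrupted),
    # 2 = file not present in the manifest.
    recorded=$(awk -F '\t' -v f="$1" '$2 == f { print $1; exit }' "$2")
    [ -n "$recorded" ] || return 2
    [ "$(hash_file "$1")" = "$recorded" ] && return 0 || return 1
}

# Demonstration on a constructed evidence file in a temporary directory.
demo_dir=$(mktemp -d)
printf 'constructed sample disk image contents\n' > "$demo_dir/disk01.dd"
record_evidence "$demo_dir/disk01.dd" "$demo_dir/manifest.tsv"
if verify_evidence "$demo_dir/disk01.dd" "$demo_dir/manifest.tsv"; then
    echo "disk01.dd: digest matches manifest"
fi
# Simulate accidental modification (what a write blocker is meant to prevent).
printf 'x' >> "$demo_dir/disk01.dd"
if ! verify_evidence "$demo_dir/disk01.dd" "$demo_dir/manifest.tsv"; then
    echo "disk01.dd: digest MISMATCH, evidence changed after acquisition"
fi
```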
