Arresting cybercrime with digital forensic workstations

In digital forensics, as with most things, it's important to have the right tools for the job. Of primary importance is having a workstation that will perform the highly intensive processing required by digital forensics operations. John Samborski, CEO of Ace Computers, discusses design considerations for this technology.

Digital forensics is the acquisition, scientific examination, and analysis of data - usually evidence - extracted from electronically stored information (ESI) sources such as computers, tablets, mobile phones, external memory devices and even game consoles. It's not enough to be able to retrieve that evidence; it also needs to be tracked and preserved so that it can be used in court or for other exacting purposes. To that end, digital forensics requires purpose-built workstations.

To design forensic workstations, we first determine what types of media need to be forensically read, with the data retrieved from them included in the chain of custody - from the scene of the crime, to the investigator, and ultimately to the court. In other words, the workstation needs to demonstrate who has had access to the digital information being used as evidence. Another consideration is the type of media the system needs to acquire data from.

Then we look at the workstation's purpose: data acquisition, processing, or both. Many systems we build are multipurpose and can perform forensic data acquisition and processing equally well.

We also look at the required processing speed and the number of processors, processor cores, and amount of memory required for processing. The number of processors and cores per processor are determined by the software's system requirements.

Once this is established, the next step is to plan and include write-protected data acquisition methods. The most basic is a write-blocked forensic bridge for hard drives. A write-blocked flash media card reader is also useful for forensically reading media cards such as SD cards, CompactFlash, and others; this prevents the addition of anything to the source data. A read-only media card reader will prevent accidental corruption of the data.

Once the data can be read in a forensically safe manner, the data needs to be stored on either a target drive, a RAID array, or both. With the storage system defined, the design of the RAID system or the allowance for destination drive bays needs to be specified.
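The acquisition and custody-tracking steps described above can be checked in software. The following is an added example, not code from Ace Computers or any forensic product: it assumes the source media is already attached through a hardware write blocker, and the file names, examiner names and log format are constructed for illustration.

```python
import hashlib, json, os, tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, target, chunk=1 << 20):
    """Copy source to target; return (hash of bytes read, hash of image re-read)."""
    h = hashlib.sha256()
    # "rb" opens the source read-only; "xb" refuses to overwrite an existing image.
    with open(source, "rb") as src, open(target, "xb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest(), sha256_file(target)

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, actor, action, image_sha256):
    """Append a custody entry chained to the previous entry's hash."""
    body = {"seq": len(log), "actor": actor, "action": action, "image_sha256": image_sha256,
            "prev": log[-1]["entry_hash"] if log else "0" * 64}
    log.append({**body, "entry_hash": _digest(body)})

def verify_log(log):
    """Return the index of the first altered entry, or None if the chain is intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev"] != prev or entry["entry_hash"] != _digest(body):
            return i
        prev = entry["entry_hash"]
    return None

def demo():
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "source.bin"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(b"constructed sample media " * 4096)  # stand-in for a device
        read_hash, image_hash = acquire(src, img)
        log = []
        append_entry(log, "examiner-a", "acquired", image_hash)  # constructed names
        append_entry(log, "examiner-b", "received", sha256_file(img))
        intact = verify_log(log)
        log[0]["actor"] = "someone-else"  # simulate an edited record
        return read_hash == image_hash, intact, verify_log(log)
```

Timestamps are left out of the entries so the result is deterministic; a real custody record would carry them and would be kept on storage the examiners cannot rewrite.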

Another decision is whether graphics processing units (GPUs) - for assistance in breaking passwords - need to be included. Normally, systems are shipped with a single graphics card used for display purposes, but users can also leverage the intense processing power of the GPU for assistance in brute-force password cracking. By using a higher-end graphics card or multiple graphics cards, the forensic system can also be used to shorten the time needed to break a password set on a system or to open files that have been encrypted.

We also build specialized password/decryption servers and clusters with multiple GPU-optimized systems designed for 24/7 operation. These are frequently used in the federal market by government and law enforcement agencies. We have benchmarked numerous platforms and found the optimal design and configuration for password cracking, and it is one of our strongest areas of expertise.

Since the system components change often, it is best to work with a systems integrator that is actively involved in the market and will know how to optimize the design based on the latest software, hardware and thermal techniques.

• John Samborski, P.E., is founder and president of Ace Computers in Elk Grove Village.
