Home » Physical Security » Investigations/Forensics

What to Bring on a Computer Forensics Investigation

A complete checklist for a computer forensics expedition

Kris Haworth has learned through years of trial and error all the things she needs to have on hand for a middle-of-the-night computer forensics investigation. Haworth, a managing director of the consultancy LECG, which provides electronic discovery services, packs a big black suitcase stuffed with the tricks of her tradeâ¬from a flashlight for reading serial numbers off the backs of computers, to about 30 different pieces of software, to an extra power strip. She packs them in a wheeled hard-side suitcases that she lugs all over the world. Recently, Haworth walked CSO through her checklist for a forensics expedition.

Forensics system: A cross between a laptop and a desktop computer, this device is used to boot up one hard drive and send its image to another. The device has a pop-up screen and a roll-up keyboard.

10 to 15 IDE hard drives for making images.

Antistatic bags for storing hard drives.

A handful of 100GB USB drives or thumb drives, in case Haworth can't get the forensics system to recognize an IDE hard drive. Bonus: "They don't need a power source."

An extra keyboard, in case the one that comes with the forensics system is damaged, as once happened when it was slammed into the lid of the suitcase. During an investigation, she says, "going to buy a keyboard is more difficult than it sounds."

An external DVD/CD drive: Haworth learned this while doing work at a company with lots of Sony Vaio laptops, which have a small hard drive that's hard to remove without damaging. Rather than pulling the hard drives, she and her team booted up each laptop from a CD-ROM, then used a network cable to pull all the information onto the new hard drive.

Network cables, various (USB, FireWire, IDE).

Write blocker: Attached between a hard drive and the disk it's being copied to, this device ensures that data is not changed during the imaging process.

Power strips: "Every now and again, something ridiculous happens, like there aren't enough power outlets."

Forensics tools on CDs and floppy disks: Haworth uses Guidance Software's EnCase, Norton Ghost and New Technologies' SafeBack. EnCase, she says, is the best one, the "granddaddy of all imaging tools," but she also relies on the other two as backups because some systems don't work with EnCase.

License keys: Forensics software often needs a USB token, intended to prevent unlicensed copies from being used.

Digital camera: Haworth takes pictures of the workstation, even if there's nothing left to work on. One time, she photographed evidence that someone had pulled all the hardware prior to the investigation; another time she photographed carpet markings indicating that each computer had recently been moved or replaced.