DFIR Lab - Tools and Tips

    My Digital Forensics lab setup is nothing spectacular, but still perhaps better than many are able to accommodate. There are many commercial products for acquiring and analyzing images from multiple devices and manufacturers. Also, there are a multitude of free programs offered by the community for agencies that are more budget limited. Some commercial products also offer advanced services for those that are unable to obtain images, or without a forensics capability. 

    In my case, the department gave me a custom built Dell Precision 5820 with a Core i9-9820x processor, a Radeon Pro WX 5100 GPU, and 128 GB of RAM. Using an SSD drive for my operating system and 2 4TB Hard Drives to store data. This setup allows me to use Magnet Axiom on multiple devices at once at high speed, thanks to the multiple cores and threads in my CPU and the 8GB graphics card for sorting images. The graphics card is an absolute must, by the way. Before I installed it, it took days to process some phones. 

    There are other commercial vendors offering forensic software as well. I am eager to add Cellebrite to my arsenal soon. Some others are:
    However, there are many tools out there that are so amazing, you wouldn't believe that they're free! Some of these include:
  • KAPE       (Thank you Eric Zimmerman)
  • iLEAPP    (Thank you Alexis Brignoni)
  • APOLLO  (Thank you Sarah Edwards)
  • MEAT       (Thank you Jack Farley)
  • Autopsy
    And so many more! Some of the Commercial vendors, like Magnet, even offer multiple free tools alongside of their paid software. You can find most of them at AboutDFIR.com by clicking on the Tools tab. 

    There also may (or may not) exist a tiny little grey box that allows for extractions of iPhones that works like something from the world of witchcraft and wizardry, called a GrayKey. I may (or may not) be able to say more, as the first rule of GrayKey is "Don't talk about GrayKey."

    If your agency is only looking at mobile devices, you will need to also purchase a multitude of charging cables. I prefer Anker cables, but you can choose any manufacturer you want. 

    Faraday bags are also a must. They protect your devices from being able to access the mobile network, which can allow the owner to remote access and erase all of their data while it is still in your possession. There are probably more, but these are the two I currently use. 
    Whatever your budget, you can get started for very little and add to your toolkit as you go. Where I would recommend spending the most money at first is training. While there is a lot of free training out there, you just can't touch the knowledge and experience gained by investing in vendor-specific and non-vendor specific (aka SANS) courses. They go far more in depth than you will ever get with free "awareness" level classes, and they allow for certification that you can use to bolster your credentials in court. 

    So, go check out these links and download some free tools. Start learning, practicing, and forensicating today! And, if you come across new tools or have suggestions for setting up a lab, leave a comment below. 



  1. It is truly a well-researched content and excellent wording. I got so engaged in this material that I couldn’t wait to read. I am impressed with your work and skill. Thanks.
    Computer Forensics Investigation service San Diego

  2. This information is very interesting. I like your blog because the content was really impressive. Thank you for giving much of information.
    digital forensic investigator in london

  3. The article you've shared here is fantastic because it provides a wealth of information that will be incredibly beneficial to me. Thank you for sharing that. Continue to post. Cyber Security Training Courses In Canada

  4. People working on cyberattacks are more knowledgeable as compared to an average IT professional. Gone are the days where amateur hackers were attacking our systems. Women In Cybersecurity Field


Post a Comment

Popular Posts