Thursday, June 16, 2011

Forensicating with Interconnected VMs Part 2 - Division of Labor

Unlike most forensicators, my professional background is neither in Law Enforcement nor in Information Technology.  My adult life has been spent working in the Railroad industry.  I'll write more on that some other time, but it suffices to say that my background causes me to approach problems differently than most.

One concept that is common on the railroad is Division of Labor.  Certain people are assigned a specific job.  That's what they do.  That's all they do.

On freight trains, the Engineer operates and is responsible for the engines, and the Conductor is responsible for the body of the train.  If you're in the rail yard and have a problem with your train, a Carman helps with car problems and an Electrician diagnoses the locomotive, a Clerk brings you your paperwork, and a Switchman or Utility Man generally lines those pesky switches for you.

Up in the control tower, the Yardmaster plans and directs the various aspects of the operation, but only a Control Operator is allowed to request signals and provide on-track protection.  Once your train leaves the yard, the Train Dispatcher (who is also a Control Operator and a Clerk) is charged with safely and efficiently moving you to your destination.

This division of labor may seem antiquated to many, but the railroad is an old industry with old habits.  "We've done it this way for 150 years," an old bastard of a manager once told a certain idealistic young Train Dispatcher who was trying to computerize a process, "...and we're not going to change it now."  Although it seems outdated, there is some beauty in the division of responsibilities.  One person simply cannot do everything, and a person with too many tasks can never master them all.  It is this concept that I've carried into my forensics work - at least into the design of my system.


Computer 1 - The Evidence Machine

I don't trust that Windows will keep its hands off my media.  None of us do.  But thanks to great marketing by the "big boy" software vendors, most of us operate with a blind devotion to using only Windows-based tools, miring ourselves in the consequential (and reasonable) FUD that Windows is going to reach out and touch our disks every time we plug them in.  Hardware write-blockers, like lubricating cream specifically developed to keep our big fat legs from chafing each other while we walk, represent a gazillion-dollar industry that sprang up to solve a problem that shouldn't have existed in the first place.

Because I don't trust Windows, I don't let it anywhere near my evidence media.  I have a computer that, for forensic work flow purposes, only does acquisition. Like the railroad workers described above, that's what it does.  That's all it does.  This workstation runs a forensically-sound OS (Andy Rosen's SMART Linux, which is built atop a stripped down Ubuntu) - that is, one that never auto-mounts attached media and touches nothing on it until told to.  This workstation can't play videos.  It doesn't analyze data.  It can't even access the Internet.  All it does is run SMART and save the disk images to a RAID which is directly attached via eSATA.

As far as specifications are concerned, there's nothing fancy here.  This is actually a slightly outdated computer workstation that I picked up for $140 at my local used computer shop.  (Here in Austin the shops are full of used Dells that the Dell Corporation originally donated to schools.)  I added an eSATA card and was good to go.  I have found that the acquisition computer doesn't need to be speedy.  And since SMART is a slick, scaled-down distro, it doesn't need much memory either.
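As an added example (not from the original post, and not SMART Linux's own code), here is what the acquisition box's one job looks like as a POSIX shell script: pin the source read-only at the kernel level behind the hardware write-blocker, image it with dd, and hash source and image so the job only reports success when they agree.  Device names, paths and the demo_acquire helper are hypothetical; the demo images a constructed file in place of a real disk so it can run anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post or from SMART Linux.
# Minimal acquisition step for a dedicated imaging box: pin the source
# read-only, image it, hash both sides, and refuse to call it done unless
# the hashes agree.  Device and path names are hypothetical.
set -eu

# acquire_image SOURCE IMAGE
# Prints the SHA-256 of the verified image and writes it to IMAGE.sha256.
acquire_image() {
    src="$1"
    img="$2"

    # Belt and braces behind the hardware write-blocker: if the source is
    # a block device, have the kernel reject writes to it, then check.
    if [ -b "$src" ]; then
        blockdev --setro "$src"
        [ "$(blockdev --getro "$src")" = "1" ] || {
            echo "refusing to image $src: could not set read-only" >&2
            return 1
        }
    fi

    # bs=512 matches the sector size, so conv=sync only zero-fills
    # unreadable sectors and never pads the tail of the image; noerror
    # keeps dd going past a bad sector instead of aborting.  (A larger bs
    # is faster but would pad the last partial block and break the hash.)
    dd if="$src" of="$img" bs=512 conv=noerror,sync

    src_hash=$(sha256sum "$src" | cut -d ' ' -f 1)
    img_hash=$(sha256sum "$img" | cut -d ' ' -f 1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source $src_hash, image $img_hash" >&2
        return 1
    fi
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    echo "$img_hash"
}

# demo_acquire: constructed "evidence" (1 MiB of random bytes, a whole
# number of 512-byte sectors) standing in for something like /dev/sdb.
# Prints the verified hash; exit status is non-zero on any failure.
demo_acquire() {
    work=$(mktemp -d)
    head -c 1048576 /dev/urandom > "$work/evidence.bin"
    expected=$(sha256sum "$work/evidence.bin" | cut -d ' ' -f 1)
    got=$(acquire_image "$work/evidence.bin" "$work/evidence.dd" 2>/dev/null)
    rm -rf "$work"
    [ "$got" = "$expected" ] && echo "$got"
}
```

In practice you would point acquire_image at the evidence device (for example `acquire_image /dev/sdb /mnt/raid/case42/sdb.dd`) and keep the .sha256 sidecar with the image.  The bs=512 choice trades speed for a hash that cannot be thrown off by tail padding, which is one reason dedicated imagers such as dc3dd and dcfldd exist; they handle large block sizes, bad sectors and on-the-fly hashing properly.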

Computer 2(a)(b)(c)(d) - The Analysis Machine

For analysis, I use VMware Workstation on a Windows 7 Host.  This computer is fancier - it boasts a hex-core processor and 16 GB of RAM - but I didn't take out a second mortgage to get it.  With the monitor and a few 2TB hard drives I picked up on Black Friday, this workstation cost me about $1200 to build.

It's important to note that the host system itself does no forensic analysis.  All work is performed via VMs.  This helps keep my host system uncluttered and free to do important things - like making invoices.  :-)

At any one time, I have the following VMware virtual machines running or paused:

  • SMART by ASR Data
  • BackTrack
  • Windows XP Professional (for surfing the Internet - more on that in Part 3)
  • SANS SIFT Workstation (Linux)
  • SANS FOR-408 Workstation (Windows XP)
  • SANS FOR-408 Workstation (Windows 7)
Each operating system has distinct strengths and weaknesses.  For example, one method I use for extracting binary data from pcap files only works in Windows XP.  Also, tools like NetworkMiner work best in XP, while fls, mmls, and the rest of The Sleuth Kit are most at home on Linux.

Each of these workstations is networked so that they can all attack the evidence at once.  That's for Part 3.  Stay tuned!