D2.5 Forensic computing lab specifications

Deliverable D2.5: Forensic computing lab specifications
Author(s): Sukhvinder Hara, Igino Corona
Editor(s): Giorgio Giacinto
Responsible Organisation: University of Cagliari, Italy
Version-Status: V2.0
Submission date:
Dissemination level: Internal

This project has been funded with the support of the Erasmus+ programme of the European Union. © Copyright by the HEAL+ Consortium.


Deliverable factsheet

Project Number: 574063-EPP-1-2016-1-IT-EPPKA2-CBHE-JP
Project Acronym: FORC
Project Title: Pathway in Forensic Computing

Title of Deliverable: Forensic Computing Lab Specification

Work package: WP2 - Establish forensic computing pathway

Due date according to contract: 15.08.2018

Editor(s): Giorgio Giacinto, University of Cagliari, Italy

Contributor(s): Igino Corona, University of Cagliari, Italy; Sukhvinder Hara, Middlesex University, UK

Reviewer(s):

Approved by:

Abstract:

Keyword List: Lab Requirements; Software; Hardware;

Consortium

Role | Name | Short Name | Country
1. Coordinator, academic partner | The University of Cagliari | UniCA | Italy
2. Forensic Computing Education expert, academic partner | Middlesex University | MDX | United Kingdom
3. Education expert, academic partner | Dublin City University | DCU | Ireland
4. Academic partner to establish a pathway program in forensic computing | Al-Quds University | AQU | Palestine
5. Academic partner to establish a pathway program in forensic computing | Palestine Technical University Kadoorie | PTUK | Palestine
6. IT and forensic software developer partner | Al-Andalus Software Development | ASD | Palestine
7. Academic partner to establish a pathway program in forensic computing | Princess Sumaya University for Technology | PSUT | Jordan
8. Academic partner to establish a pathway program in forensic computing | The University of Jordan | JU | Jordan

Revision History

Version | Date | Revised by | Reason
V1.0 | September 27, 2017 | Sukhvinder Hara, MDX | Initial proposal by MDX
V1.1 | September 28, 2017 | Igino Corona, UniCA | Improved document with open-source alternatives, document refactoring
V1.2 | September 29, 2017 | Igino Corona, UniCA | Integrated more information about write-blocker kits thanks to feedback provided by Sukhvinder Hara, MDX
V1.3 | October 24, 2017 | Igino Corona, UniCA | Updated and improved document with Lab requirements clearly mapped to course objectives, a more complete evaluation of costs and budget constraints, and considering the feedback gathered from the Amman Meeting held on October 12, 2017.
V1.4 | November 15, 2017 | Igino Corona, UniCA | Updated and improved document with feedback provided by Edward Jaser and Ali Hadi (PSUT), David Neilson and Sukhvinder Hara (MDX)
V1.5 | November 30, 2017 | Darragh O’Brien, DCU | Fixed English typos and provided some suggestions for hardware/software equipment
V1.6 | December 1, 2017 | Igino Corona, UniCA | Added hardware equipment warranty requirements and considered dual boot setup for workstations
V1.7 | December 4, 2017 | Igino Corona, UniCA | Updated and improved document with feedback provided by Ali Hadi (PSUT) and Sukhvinder Hara (MDX)
V1.8 | January 10, 2018 | Igino Corona, UniCA | Included initial budget and issues to be discussed in the London Meeting to finalize the budget
V2.0 | February 19, 2018 | Giorgio Giacinto, UniCA | Update after the meeting in London, February 12-16, 2018

Statement of originality: This deliverable contains original unpublished work except where clearly indicated otherwise. Acknowledgement of previously published material and of the work of others has been made through appropriate citation, quotation or both.

Disclaimer: This project has been funded with support from the European Commission. This publication reflects the views only of the author, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

Table of Contents

Deliverable factsheet 2
Consortium 3
Revision History 4
Table of Contents 5
List of Figures 6
List of Tables 7
List of Abbreviations 8
Executive Summary 9
1. Introduction 10

List of Figures

Figure 1: Biomedical & health informatics landscape (Mantas, 2010, p7) 11

List of Tables

Table 1: Framework of current master programmes at partner countries 20

List of Abbreviations

The following table presents the acronyms used in the deliverable in alphabetical order.

Abbreviation | Description

WP Work Package

WPL Work Package Leader

FORC Pathway in Forensic Computing

IT Information Technology

PS Palestine

JO Jordan

SE Sweden

ES Spain

NL The Netherlands

DF Digital Forensics

Executive Summary

1. Introduction

This deliverable is aimed at defining hardware and software specifications for FORC laboratories on digital forensics. To this end, for each course, a detailed analysis of lab requirements has been performed, considering the feedback from all project partners. The output of this analysis follows.

All courses will use the training material produced by this project, in the form of a Book which may also be made available in electronic form within the labs.

Courses that focus on digital forensics foundations (A1), procedures (B1), and legal, business and ethical aspects (C1) do not require special instrumentation.

Courses that focus on digital forensics techniques and tools (D1), network forensics (D2), mobile forensics (D3) and emerging trends (D4) require special instrumentation in terms of hardware and software tools. In the following sections, we first describe the high-level infrastructure for Digital Forensics Labs, agreed among all partners and justified by the expected number of students per class. Subsequently, more specific requirements regarding digital evidence acquisition, storage and analysis are provided and summarized in Table 1.

High-level Laboratory Infrastructure

One of the key commitments of the FORC project is to plan for high-quality lab activities, characterized by many, continuous face-to-face interactions between instructor and students. Towards this goal, all partners agree that the number of students per class should be kept relatively low (maximum 20 students per class).

In fact, at MDX, labs are composed of a maximum of 21 students, whereas at PSUT student numbers do not exceed 18 per class. Given these numbers, the simplest solution for the laboratory is to provide a dedicated workstation for each student and instructor. Instructors can employ their workstation for training purposes, e.g., by sharing their screen with a projector during an investigation, while each student can learn and experiment independently on his/her own workstation. This solution is already in place at MDX and has been used there with success over recent years.

Digital Evidence Collection

[Comment by Igino Corona, 11/14/17: We should explicitly reference the work package where courses have been defined.]

D1-4 courses may require the acquisition of digital evidence, following the best practices described in courses B1 and C1. All partners recognize that it is important to identify solutions that ensure compatibility with as wide a range of devices as possible, in order to closely reflect real-world cases. At the same time, data collection tools must preserve data integrity and ensure repeatability of the investigation process. To this end, there is a requirement for lab equipment permitting read-only mounting of the devices under investigation, and suitable storage solutions to save collected data. Read-only mounting can be guaranteed through either hardware (write-blocker kits) or software solutions (e.g., operating systems that force read-only mounting by default, e.g., ). However, write-blocker kits are the preferred choice for both compatibility and data integrity guarantees, and are widely accepted in court proceedings, since they may be specifically developed and thoroughly tested for digital evidence acquisition from many different real-world devices. For example, write blockers allow students to handle physical drives securely by providing adaptors and cables for:

- PATA/IDE 2.5" drives (with PATA Adapter 25)
- PATA/IDE 3.5" drives
- SATA 2.5" drives
- SATA 3.5" drives
- iSCSI (network attached SCSI)
- SATA SSD (solid state drives)
- SAS 2.5" drives (with SAS Expansion Module)
- SAS 3.5" drives (with SAS Expansion Module)
- Hitachi 1.8" drives (with PATA Adapter 25)
- Toshiba 1.8" drives (with PATA Adapter 18-TOSH)
- MacBook Air 2010 (with SATA Adapter)
- mSATA (with SATA Adapter)
- Mini PCIe PATA (with PATA Adapter mPCIe)
- Mini PCIe SATA (with PATA Adapter mPCIe)
- Mini PCIe USB (with PATA Adapter mPCIe)
- PCIe/NVMe (with adapter)
- USB Thumb Drives (USB 3.0/2.0/1.1)
- USB drives via USB cable (USB 3.0/2.0/1.1)
- FireWire drives via FireWire cable (with FireWire Expansion Module)

This is also the way in which real-world practitioners work and mirroring this approach is thus important for enhancing students’ future employability.
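The integrity and repeatability requirement described above is enforced in two layers in practice: the write blocker stops any write reaching the source device, and the examiner records cryptographic hashes so that any later change to the acquired image is detectable and a second acquisition can be shown to be identical. The following shell script is an added example and is not part of the FORC deliverable nor of any vendor's tool: it images a constructed sample "drive" (a file of random bytes) with dd, records SHA-256 digests of source and image in an acquisition log, and re-verifies the image later. File names, the log format and the demo routine are assumptions of the example; the read-only loop mount shown in a comment needs root and is not executed here.

```shell
#!/bin/sh
# Added example (not from the FORC deliverable): software-side integrity record for an
# acquisition, complementing a hardware write blocker. All file names are hypothetical.
set -eu

# Print the SHA-256 digest of a file (GNU coreutils sha256sum or BSD/macOS shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire SRC DST LOG
# Hash the source, image it block by block with dd, hash the image, and append both
# digests to LOG. Returns 0 only if the image digest equals the source digest.
acquire() {
    src=$1; dst=$2; log=$3
    src_hash=$(hash_file "$src")
    # noerror: keep going past unreadable blocks; sync: pad such blocks with zeros so
    # offsets stay aligned (the pad only matters for a partial final block).
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
    dst_hash=$(hash_file "$dst")
    printf 'source=%s sha256=%s\n' "$src" "$src_hash" >> "$log"
    printf 'image=%s sha256=%s\n' "$dst" "$dst_hash" >> "$log"
    [ "$src_hash" = "$dst_hash" ]
}

# verify IMG LOG
# Recompute the image digest and compare it with the digest recorded at acquisition.
# Returns 0 if unchanged, 1 if the image no longer matches (tampered or damaged).
verify() {
    img=$1; log=$2
    recorded=$(grep -F -- "image=$img sha256=" "$log" | tail -n 1 | sed 's/.*sha256=//')
    current=$(hash_file "$img")
    [ "$recorded" = "$current" ]
}

# Analysis of the verified image happens on a read-only mount, so the image itself
# is never written to (Linux, requires root; 'noload' skips ext3/4 journal replay):
#   mount -o ro,noload,loop evidence.dd /mnt/evidence

# Stand-alone demo on a constructed 64 KiB "drive" of random bytes (not real evidence).
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/suspect.raw" bs=4096 count=16 2>/dev/null
    acquire "$work/suspect.raw" "$work/evidence.dd" "$work/acquisition.log"
    verify "$work/evidence.dd" "$work/acquisition.log" && echo "evidence.dd: unchanged"
    printf 'x' >> "$work/evidence.dd"        # simulate an accidental write to the image
    verify "$work/evidence.dd" "$work/acquisition.log" || echo "evidence.dd: MISMATCH"
    cat "$work/acquisition.log"
    rm -rf "$work"
}
demo
```

The log is append-only by design: every acquisition adds a pair of lines, and verify compares against the last recorded digest for that image, so a re-acquisition of the same device can be checked for repeatability simply by comparing the two "source=" lines.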

Digital Evidence Storage

Workstations will have dedicated storage for running the host operating system and virtual machines for analysis purposes. Further storage is required to independently preserve digital evidence or the outputs of an independent investigation by each student/instructor.

However, all partners recognize that lab equipment should also provide for shared storage, so that instructors can easily share digital evidence among multiple students for common exercises. Shared storage is a convenient and cost-effective solution, since digital evidence may require a large volume of disk space. The simplest way to implement shared storage within each laboratory is to create a Storage Area Network (SAN). Finally, in order to facilitate the exchange of digital evidence and analysis results between laboratories and the rest of the world, portable storage devices may also be employed.

Analysis Tools

D1-4 courses may require analysis of digital evidence, following the best practices described in courses B1 and C1. To this end, a common choice would be to resort to general-purpose tools, i.e., software whose aim is to support digital forensic analysis of data stored by a wide range of (popular) operating systems, file systems, networks and applications.

More specific tools may be required by course D3, which focuses on mobile forensics. Such tools may work only on specific mobile devices, processors, operating systems (e.g., Android, iOS, Windows Mobile) and related applications.

Finally, ad-hoc/new tools may be required by course D4, which focuses on emerging trends, since it may focus on specific (new) applications and protocols that are not covered by general-purpose and mobile analysis tools.

Table 1: High-level laboratory requirements for FORC Digital Forensics Courses

Course | Training Material | Digital Evidence Collection | Digital Evidence Storage | Analysis Tools
Foundations of digital forensics (A1) | Book produced by the FORC project | - | - | -
Digital Forensic procedures (B1) | Book produced by the FORC project | - | - | -
Legal aspects of digital forensics (C1) | Book produced by the FORC project | - | - | -
Business aspects of digital forensics and ethics (C1) | Book produced by the FORC project | - | - | -
Digital investigation techniques and tools (D1) | Book produced by the FORC project | Write blockers (hardware kits); Portable storage | Workstation’s Storage; Storage Area Network (SAN) | General-purpose forensics software
Network forensics (D2) | Book produced by the FORC project | Write blockers (hardware kits); Portable storage | Workstation’s Storage; Storage Area Network (SAN) | General-purpose forensics software
Mobile forensics (D3) | Book produced by the FORC project | Write blockers (hardware kits); Portable storage | Workstation’s Storage; Storage Area Network (SAN) | Mobile forensics software
Emerging trends in digital forensics (D4) | Book produced by the FORC project | Write blockers (hardware kits); Portable storage | Workstation’s Storage; Storage Area Network (SAN) | Ad-hoc/New forensics software

Allocated Budget

According to the project proposal, the overall budget for laboratory equipment amounts to 252,776 EURO, to be equally distributed among four Universities: PTUK, AQU, PSUT, JU. This budget has been obtained by estimating the costs (VAT excluded) to purchase the following items:

- Personal Computers for development of course material
- Server for hosting Learning Management System with Course and Training Modules Content and Activities
- Interactive LCD for class rooms
- Textbooks & access for Electronic resources for instructors and university library use
- Computer Forensic Lab (HW): Computers, card-readers, servers, Tableau forensic kits, Screw driver kits, Faraday bags, IDE hard disks, computers, servers, Solid state disks
- Computer Forensic Lab (SW): Access Data Forensic Toolkit V4, Access Data Imager (free), Access Data Password Recovery Toolkit, EnCase, XRY Mobile forensic complete kit, DVD Inspector, Paraben forensic software
- Heavy duty network printer for FORC pathway lab

With respect to the above list, the following amendments are made:

- All partner Universities are willing to use their own computers to perform such activity, so that the allocated budget can be used for the lab necessities;

- All partner Universities will use their existing server to store course and training modules content and activities;

- Each partner University will check if the Lab needs an interactive LCD display or a projector;

- Partners will mainly use their own resources for providing students and instructors access to textbooks & other electronic resources;

- Each partner University will check if a heavy-duty network printer is needed for the Lab.

Proposal Implementation

The key points of the proposal implementation agreed by all partners are:

- Easy installation/setup
- The laboratory should support all Digital Forensic activities with open-source software
- The laboratory should support the use of commercial software widely employed by practitioners in court cases

Open-source tools support digital forensics activities without license costs for the institution, but also allow students to approach analysis activities that are not handled effectively by commercial tools (e.g., designing an ad-hoc data parser to extract the information requested by a judge). So, expertise in their use not only enables students to propose an alternative when commercial solutions are not available, but also enables them to address new challenges and build custom solutions, having access to basic forensics modules. In other words, open-source software can be used to write the ad-hoc/new forensics software that may be required by the “Emerging trends in digital forensics (D4)” course.

On the other hand, commercial software is typically used by practitioners and widely accepted/trusted in court cases, and therefore familiarity with such software is important in terms of students’ future employability. Moreover, such software may be accompanied by a large set of cables and adapters for digital acquisition, provide a more intuitive/user-friendly interface (thus speeding up the analysis process) and provide greater functionality than open-source solutions. Since commercial tools are characterized by license costs, in the following, whenever necessary, we will make cost-effective choices, in accordance with the allocated budget.

Physical data/equipment protection

In order to protect data and portable instrumentation devices against theft or unauthorized use, a simple lockable cupboard can be bought for each laboratory.

Licensing Server

Whenever commercial software is used, a dedicated licensing server is necessary to centralize license management. Any reasonably provisioned (4GB RAM) computer running Windows Server OS will suffice for this purpose. Note that the licensing server can allocate licenses related to both lab workstations and virtual machines pre-loaded with digital forensic tools, as is done at MDX. Virtual machines can be made available to students for use on their personal laptops, to work off-site.

Each partner University will check the availability of existing servers in their IT department to act as a licensing server for the Forensic Computing Lab.

Workstation

Workstations should be characterized by powerful computation and memory specifications, high quality displays (at least two displays per workstation), together with a reasonable amount of (and capability to extend) storage for running Virtual Machines and independent digital acquisition/analysis. To this end, all partners agreed on these key features (considering the specs of the Forensic Computing Lab at MDX, which is equipped with DELL Precision Workstations 5000 series All-in-one):

- Memory: Minimum 16GB, Suggested 32GB RAM
- OS: Windows 10
- Network card: Ethernet/Wifi
- Storage: 2 disk slots (suggested: 4 slots): 1 SSD 250GB (Suggested 500GB) + 1 HDD 2TB
- Graphics Card: with good support for 4K@60Hz resolution (at least 2 outputs) – suggested NVIDIA
- Display: IPS 4K, 27inch

Write Blocker Kit

A very popular, widely employed/tested write blocker kit is Tableau, also used at MDX Labs. Tableau is the most recognized and respected write blocker, with a long history of use, developed by Guidance Software which also created the well-known . Tableau is well maintained and regularly releases firmware updates, provides compatibility with a wide range of hard drives, and supports detection of Host Protected Areas (HPA) of the disk being acquired.

Storage Area Network

There are many solutions for a SAN. A key feature is to provide a way to share files among multiple hosts (workstations). To this end, a Network Attached Storage can be used. A good, cost-effective solution may be characterized by a storage of at least 16TB.

Portable Storage

A good, cost-effective solution may be characterized by a storage of at least 4TB, with USB 3.0 connections.

General-purpose forensics software

Commercial. As discussed in deliverable D2-1.1 “State of the art report on EU FC programmes”, both EnCase (Guidance Software) and Forensic Toolkit (FTK, by AccessData) can be viewed as the industry standards. However, the academic package of EnCase includes a limited number of licenses (10) and costs about 3,000 Euro/year. As the project would require at least 20 licenses, the overall cost would be 6,000 Euro/year, which appears to be uneconomical for the project.

Academic licenses for FTK are typically less expensive (30 licenses per year can be purchased for about 2,000 Euro) and are affordable given the allocated budget. The AccessData Academic Program contains:

- FTK Imager
- FTK Toolkit
- FTK Registry Viewer
- FTK Password decryption

Academic licenses are provided by a regional supplier. Training can be booked online from global providers.

Commercial. Hex editor WinHex by X-Ways Software Technology – lab edition.

Open-source. SANS SIFT (*) is a popular Linux distribution supported by the reputable SANS Institute. SIFT makes readily available, and regularly updates, the best/most widely-known open-source tools and frameworks for digital forensics, such as Autopsy (), foremost/bulk_extractor/scalpel, Volatility (), etc. Using these tools one can perform digital forensics activities at no cost. It may also include many open-source hex editors, such as:

- Bless
- WxHexEditor
- DHEX

Mobile forensics software

Commercial. Cellebrite is a well-known, reputable company that produces Digital Forensic tools for mobile devices’ analysis. The cost of 20 licenses is around 3,000 Euro per year and includes Physical Analyzer, UFED for PC and the mobile imaging unit. It is thus affordable according to the allocated budget. Student kits are an extra 110 Euro per student and include teaching material and practical exercises. The student kit enables students to gain an Industrial Qualification and, in particular, two certificates:

- CCPA – Physical Analyzer
- CCO – Logical Operator

Training must be booked through Cellebrite when the purchase is made. Please note that, to have access to any of their material, the instructor needs to complete the training and pass the instructors’ course with a score of 80% or higher.

Open-source. Santoku (*) is a Linux distribution specifically crafted for mobile device investigation.

(*) Suggested Open-Source Distributions to be installed as virtual machines (Guests).

Further details:

- A three (or more)-year warranty for all hardware equipment is an optional, desired feature, in order to cover the whole FORC project duration.
- Commercial tools can be installed into the main (host) OS: Microsoft Windows 10.
- Suggested virtualization software (open-source): Oracle VirtualBox.
  - Device images can be easily shared between host and guest OS (shared folder), so that one can analyze the same image using both commercial and open-source tools.
  - A shared folder might also be remote, e.g., a folder on the instructor’s workstation, shared between all (students’) workstations using NFS (network file system). This way, the instructor can easily update/add images for different lessons.