Digital Forensics Computer Question

So let me premise this by saying I do not have a hard CS/IS background. I am a law student working in cybersecurity law but I am getting more into the IT side of things by working for a major research university’s CISO/Associate Legal Counsel (tech guy who got his JD) in the school’s IT dept.

One area that has always interested me is digital forensics and I have been talking to our resident tech who does it for the school. He mainly uses Cellebrite which I obviously cannot get, but he gave me the names of several free tools such as hashcat and DeSleuth kit. I am currently playing with DeSleuth kit and noticed that it just eats resources (go figure huh?).

I will probably be upgrading my cpu/mobo/ram this generation (current specs are a 11700k, strix z590-e, 32gb 3600 cl16 gskill ram, and a 3090 ftw3 ultra) so I can play with the new hardware.

For anybody with some insight into how the above mentioned programs work, what should I be looking at in terms of the new generation of hardware? My initial thoughts were to go with the 13700k, but I am not sure on how the e-cores would play with processing the information from DeSleuth kit. I’m also open to building on AM5 when it comes out. My end goal for this hobby would be the fastest processing (relative I know, but hopefully there is a sweet spot) speed without delving into enterprise hardware. I’ve got enough problems learning basic consumer products.

If you’ve made it this far, thank you! But I do have another request, if you could explain your answers so that a 12 year old would understand, that would be helpful. I.e. more cpu power because of l2 cache would reduce processing time etc. Thanks for any and all help!!!

Edit: I should add that DeSleuth took forever to process a 64gb thumbdrive that I’ve been using for a few years. It did pull files/pics/vids off of it that were crazy old (I think I used it as a windows backup at one time) but it took about 2/3 hours to do. I’m hoping more of something would decrease that time.

unfortunately, the weakest link in computer forensics is usually the drive you are connecting to. a good example is that 64gb thumbdrive you are talking about. pretty much any even vaguely recent PC will max out the read speed on that and no matter how fast the PC doing the recovery is, you have a hard cap on what that drive will do.

when someone brings you a 20 year old IDE drive for recovery or forensics purposes, it may only be 4gb, but be prepared to spend 1 or 2 days trying to pull data from it.

you still want a nice, reliable machine with lots of RAM to do your work on, but don't overthink this build. a 5800x with 64gb ram and a mediocre GPU would handle MOST forensics tasks very well.

if you are looking into armitage stuff or crypto/cyber cracking, then the tools and build are different. but that does not sound like the use case here.

even hashcat will be limited by something other than the CPU before you get to what you are looking for.

So if in this mythical new build, I put a pcie4 drive like a Firecuda 530 as either the primary os or a storage/work drive, and create an image of that old thumb drive to copy over, that would conceivably speed up the processing?

So the answer to that really depends on what forensic suite or tool you’re running. Commercial applications such as FTK and EnCase are designed to run multi-threaded jobs and keep all cores at 100% during discovery… so the more cores the better. But a lot of the open-source freeware tools only run single-threaded, so they will benefit more from higher clock speed. Either way I think a 11700k or 5900X would be excellent choices for a homelab forensics PC. The GPU is a bit overkill IMO as there is very little password or encryption cracking performed in the real world. Most of the time you’ll be using a dictionary or taking a known password from your suspect and trying variants of it using regex patterns. Personally I’d opt for a 3070 or 3080 and put the savings toward some fast scratch storage… which brings me to my last point. When working investigations you’ll always capture a forensic image and then process it using a tool. The read speed is going to be more important on the drive you capture the image to. And write speed on your case DB or drive you export artifacts to. Also I recommend having either an eSATA HDD dock or hot-swappable bay for archival storage of images you want to keep long-term on spinning rust.

This is where fast storage really helps. Were you running analysis directly on the drive? Or did you create a forensic image first?

Here are a few free programs that I would recommend in addition to DeSleuth (is that SleuthKit or something else? I’ve never heard of it).

FTK Imager - Create images in EnCase format (E01) or RAW (dd). Supports hashing of both image and target file system. You can also mount the image as a read-only virtual disk to explore without altering it. Very handy tool.

Autopsy - Front end GUI to The Sleuth Kit. Maybe you’re already using this?

AccessData FTK demo - I can’t seem to find a download link for this anymore. I think it was version 3.0 or older but still had great eDiscovery capabilities when running against small capacity devices. I’ll dig through my archives a little later and update this post with a link if I find it.

While I’m obviously just a pleb without any forensics background it’s just common sense to NEVER DO ANYTHING that could write to a storage device you are inspecting. ALWAYS make a complete image of it, make a backup of that and only then proceed to work with these images, NOT the original storage medium to not “tamper with evidence”.

There are SATA and USB (?) adapters you can plug between a storage device and the host to make it read-only, I’d consider these essential tools for that job.

I’d also only use a CPU/motherboard and maybe even a GPU with ECC support to be as safe as possible regarding data integrity.

for real world 100% tracking what you’re saying. but this is just me messing around learning the ins and outs of software/process right now and testing on my own equipment (the thumb drive was mine). but FWIW I should probably start with following best practice in order to ingrain it. thanks for the tips on the read-only equipment. i didn’t know about those but will look into them

thanks for the info…yes DeSleuth is Sleuth kit (why I was calling it that…don’t ask me, it’s been a long week already).

So I was originally doing the work on my main machine which has a Seagate 530. I ran the program directly on the main drive and I conducted the analysis with the thumbdrive plugged in. Not off an image.

Yeah, live analysis over USB is always deathly slow. You should create a raw image using FTK Imager onto the Seagate and then run the analysis from there.

As @aBav.Normie-Pleb suggested you should at least get a cheap read-only adapter to go along with your lab. It will be handy if you’re attempting recovery of deleted data on a friend/customer’s drive. For criminal investigations we use hardware-based write blockers that are NIST certified but honestly they do the same things as the cheap adapters minus the certificate. Another low tech option you can use in the interim is toggling automount off/on in Windows. This won’t protect the physical volume from being modified but it will preserve timestamps and prevent other metadata from being modified.

Also take a look at NIST’s forensics tools testing program. It has links to quite a few free forensic tools/suites that are regularly used during criminal investigations.

oh goodie…new things to play with. Going to go play with this stuff and see where things go. I’m sure I’ll be back but til then, thanks for all the help!

And once you have done that, and want to try to make it more secure, you can start playing with a NAS/storage server for backing up the data.
Although this would make sense once you have terabytes of data and you need access to them.

This is just an idea for the future; from what I picked up, you are just figuring out the stuff currently.
In more realistic deployments, it would be worth it to set up a backup mechanism, made write-only, with snapshots of your capturing devices.
So, once you want to try something new, this might be worth giving a try.

I will probably be upgrading my cpu/mobo/ram this generation (current specs are a 11700k, strix z590-e, 32gb 3600 cl16 gskill ram, and a 3090 ftw3 ultra) so I can play with the new hardware.

actually overkill already…
forensics is basically looking at data. you don't need a huge machine in general to do that.
tshark for instance is a few hundred MB total to run. while its data files can run anywhere from 2-3 MB to over a gig. but even at the larger end a basic pc with enough ram will handle it fine.

the only real benefit is that you have lots of gpu grunt for cracking hashed passwords.
but you ain't gonna be doing much of that.
more likely you will be looking at text strings in files, creation dates, and metadata to compare one file to another.
rather than being leet haxor and cracking the password databases to pwn a server.

as for what tools you're gonna use. it will depend on the files you're wanting to look at.
pictures, log files, data files all have their own software applications to extract the data.
as I mentioned earlier.

tshark and its parent app wireshark are for looking at pcap files.
a pcap is a log file for net traffic.
https://tryhackme.com/room/tshark

other apps like volatility, allow you to perform memory forensics on windows.
if you want to learn how volatility works and get an idea of its resource usage.

https://tryhackme.com/room/bpvolatility

is a beginner room with a basic look at this and a find-the-info task.
but should give you an idea of whether your current build is up to the task.

I never used a hardware blocker on drive imaging. a linux pc with dd will make a non-watermarked clone of basically anything and it will do it without any writeback on the original drive. (provided you do not have any auto-mount scripts or anything to handle new drives) a lot of the tools are open source at the base level, and actually one of the best drive cloning utilities was dd with a wrapper over it, or it was 5+ years ago anyway.

it can be fun, but as a job, it is high stress.
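The workflow several replies above describe (image the drive first, hash both the source and the image as FTK Imager does, keep the original untouched as the dd reply says, and run analysis only from a copy) can be written down as a small POSIX shell script. This is an added example, not code from the thread or from any of the tools named in it. It assumes GNU coreutils (`dd`, `sha256sum`, `mktemp`); the "evidence drive" is a constructed 32 KiB random file so the script runs anywhere, whereas on real hardware the source would be a block device behind a write blocker.

```shell
#!/bin/sh
# Added example (not from the thread): acquire a raw dd image of a source
# device, verify it by hash, and work only from a copy of that image.

# Build a constructed 32 KiB source standing in for the evidence drive and
# make it read-only. Its size is an exact multiple of bs, so conv=sync below
# adds no padding and the source and image hashes can be compared directly.
make_sample_source() {
  dd if=/dev/urandom of="$1" bs=512 count=64 2>/dev/null
  chmod 0444 "$1"
}

# Hash a file (or block device) and print only the digest.
hash_file() {
  sha256sum "$1" | awk '{ print $1 }'
}

# Acquire the image. dd only reads from if= and only writes to of=;
# conv=noerror,sync carries on past unreadable sectors and zero-fills them,
# so later offsets in the image still line up with the source.
acquire_image() {
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
  chmod 0444 "$2"   # the master image is evidence too: keep it read-only
}

# An image is only usable as evidence if its hash matches the source's.
verify_image() {
  [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Analysis runs on a working copy, never on the master image or the drive.
make_working_copy() {
  cp "$1" "$2"
  chmod 0644 "$2"
  verify_image "$1" "$2"
}

# Full workflow: returns 0 only when every integrity check passes.
acquire_and_verify() {
  src=$1; img=$2; work=$3
  before=$(hash_file "$src")
  acquire_image "$src" "$img"
  after=$(hash_file "$src")
  [ "$before" = "$after" ] || return 1     # imaging left the source untouched
  verify_image "$src" "$img" || return 1   # image matches the source
  make_working_copy "$img" "$work"         # working copy matches the image
}

# Stand-alone demonstration in a temporary directory.
demo() {
  d=$(mktemp -d)
  make_sample_source "$d/evidence.bin"
  if acquire_and_verify "$d/evidence.bin" "$d/evidence.dd" "$d/work.dd"; then
    echo "image verified: $(hash_file "$d/evidence.dd")"
  else
    echo "verification failed" >&2
  fi
  rm -rf "$d"
}

demo
```

Hashing the source a second time after `dd` finishes is the cheap check that the acquisition really was read-only; on a real drive the hash is what a hardware write blocker's certificate vouches for, and recording it alongside the image is what lets anyone later prove the copy is faithful.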

likely a limit of the thumb drive.
if it's an OLD USB 2 drive, you're probably looking at 30-60 Mbps max.
which will drop for smaller files, as low as 0.1 Mbps.
there’s literally nothing you can do to speed up the transfer.

link removed… final image I made was corrupt.
tried usbimage to speed up the file transfers and make a bootable image of the drive. it failed :(

… and then there’s FileVault, BitLocker, and LUKS… and then there’s “key disclosure” laws which I’m very much not in favor of (IMO, data should be treated the same as individual testimony, not as physical evidence; imagine treating your brain as physical evidence… not good).
