Digital Forensics
Building the Perfect Forensic Workstation
By Justin Tolman, Forensic Subject Matter Expert and Evangelist | June 20, 2024
When working cases in digital forensics, having the right hardware significantly impacts the efficiency and effectiveness of investigations. In a recent podcast, Manny Kressel, CEO and Founder of Bitmindz Forensic Solutions, described the critical aspects of designing and building computers tailored for forensic examiners. Manny highlighted the importance of understanding the examiner's needs, key hardware considerations, and overcoming challenges with IT departments.
Understanding the Examiner's Needs
When designing and building a computer for digital forensics, it's crucial to understand the specific needs of the examiners. As Manny emphasizes, every examiner's requirements can vary widely depending on the nature of their caseload. Some may require high-end workstations for processing large volumes of data, while others might need specialized systems for specific tasks like cell phone extraction.
Forensic examiners often deal with a variety of cases that demand different hardware configurations. For instance, an examiner focusing on cell phone data might need a system with fast processing capabilities but not necessarily a lot of storage. On the other hand, an examiner handling extensive datasets might prioritize storage and data transfer speeds.
In addition to the types of cases primarily worked, digital forensic examiners need to consider the specific needs of the software used. Each forensic software suite has different requirements and will utilize the hardware in different ways. For example, Forensic Toolkit (FTK) can process large amounts of evidence very quickly, but to get the most out of FTK a forensic workstation should have at least four SSD drives.
Key Hardware Considerations
When purchasing a forensic workstation, the utilitarian approach of “big box” computer manufacturers may not provide the best “bang for your buck.” However, when building (ordering) a custom purpose-built workstation, those less experienced with computer hardware may find it difficult to know which components should get spending priority. During the podcast, Manny provided some guidelines for how to prioritize the purchase of a workstation.
1. Processor and Motherboard: The processor and motherboard form the backbone of any forensic workstation. A fast processor is essential for running complex forensic processing efficiently. High-end processors and motherboards with PCIe Gen 4 or 5 NVMe slots will ensure optimal performance.
2. Storage: Both speed and capacity are vital when it comes to storage. NVMe SSDs are preferred for their high read/write speeds, which are crucial for processing large datasets quickly. For storage-intensive tasks, incorporating multiple SSDs or RAID configurations can provide the necessary capacity and speed. It is important to choose the right type of storage for the specific use case, whether that is real-time processing or long-term data storage.
3. Cooling Systems: Efficient cooling systems are necessary to prevent overheating, especially in high-performance workstations. Proper cooling will extend the life of the hardware, which will minimize cost in the long run. Use liquid cooling for processors, as well as high-quality fans, to maintain optimal operating temperatures and ensure system stability.
4. Graphics Cards: Depending on the specific needs, such as AI graphics processing or password cracking, high-end GPUs significantly accelerate certain forensic tasks, making them an important consideration for some examiners. However, if examinations do not require high GPU load, costs may be reduced here and the savings put toward other components.
Working with experts such as Manny allows forensic labs to get the most powerful machines at the lowest cost. Manny illustrates this point by saying, “[It's] important because you know, you could spend $5,000 on a Dell, but then you end up with like a 4060 when you're trying to do graphics rendering. Like no, it's not going to [work as well as you want.] You need to know how to cut corners efficiently to get people what they need.”
To use the password cracking example: a forensics lab may invest in a workstation that has very little storage and only decent processing, and instead put its budget into high-end graphics cards and cooling for breaking passwords and file encryption quickly.
Challenges and Solutions with IT Departments
One of the common challenges in acquiring the right hardware for digital forensics is dealing with IT departments that may not fully understand the unique requirements of forensic work.
To overcome this challenge, clear communication and detailed justification are essential. Providing a comprehensive explanation of how specific hardware components enhance forensic investigations can help IT departments understand the necessity. Manny suggests creating a justification letter outlining the benefits and requirements of the hardware, which can then be presented to IT decision-makers.
Another approach is to involve IT departments early in the planning process. By collaborating with IT staff and educating them on the specific demands of forensic software and workflows, forensic teams can ensure that their hardware needs are met more effectively.
Consider existing IT policies and work with the IT department early to integrate them with forensic workstation and workflow requirements. This is especially important if your organization is compliant with Zero Trust, HITRUST, SOC 2, or other cybersecurity policies. Administrator access, removable drive permissions, BIOS access, and more are capabilities that IT departments typically don’t like users to have, but that a forensic examiner requires.
Also consider components outside of the workstation chassis. For example, there may be policies on the size or number of monitors that certain positions within a company, agency, or government office may have. No one wants to conduct digital forensic examinations on one 19-inch monitor!
Conclusion
By understanding the unique needs of forensic examiners, prioritizing key hardware components, and effectively communicating with IT departments, organizations can equip their forensic teams with the workstations they need to perform their work efficiently.
Utilizing the correct hardware ensures, as Manny says, “the examiner gets out of the chair.” Digital forensics can be stressful in many ways, and proper hardware can help minimize some of that stress by allowing cases to be closed more quickly. As the field of digital forensics continues to evolve, staying ahead with the appropriate hardware solutions will remain essential for solving complex cases fast without sacrificing quality.
Justin Tolman has been working in digital forensics for 12 years. He has a bachelor’s degree in Computer Information Technology from BYU-Idaho and a master’s degree in Cyber Forensics from Purdue University. After graduating he worked as a Computer Forensic Specialist with the Ohio Bureau of Criminal Investigation and currently works as the Forensic Subject Matter Expert and Evangelist at Exterro. Justin has written training manuals on computer and mobile device forensics, as well as (his personal favorite) SQLite database analysis. He frequently presents at conferences, on webinars, produces YouTube content, and hosts the FTK Over the Air podcast.