It seems that I have been analyzing hard drives for a long time; well at least ten years now. Depending on the case I have two major tools that I use. Experienced Analysts can probably guess what they are. Lately I have taken some courses using Linux software tools for Acquisition and Analysis. I like the Acquisition capabilities, but the Analysis part seems to put me off. It just isn’t as easy and all-encompassing as the Windows-based tools. The reporting seems lacking as well.
I was talking to a colleague the other day who told me that a Linux product let him boot up a suspect machine just as the user would see it without making writes to the evidence drive. That is something I need to research, because I was thinking the only way to do that would be a $1200.00 Shadow device. I don’t like to spend money on software or tools that I may not need or would seldom need, so I was waiting for the time to come when I would need this type of tool and then I would buy it. The same goes for cell phone forensics. I might get 2 calls a month for this service and I always refer it to someone else. Why? Because the ROI isn’t worth it at that pace.
Hardware, especially computer Analyst Stations, is the same story. I make my own out of off-the-shelf computers. Add the necessary write blockers, memory, specialty cards, bridges and such, and there we go! Spending 7 or 8 thousand on a “do it all” machine just isn’t worth it to me. It’s the reliability of the forensic software and the expertise of the Analyst that, in my opinion, really count. I refuse to take cases I know I can’t handle or to use software, hardware or other tools that I have not thoroughly tested in my lab.