Educause Security Discussion mailing list archives

Re: Forensic Equipment Recommendations


From: Steven Alexander <steven.alexander () KCCD EDU>
Date: Wed, 26 Sep 2018 21:22:01 +0000

I assumed you meant workstations.  If your concern is just duplication and write blocking, then what you have is 
probably fine.  What's the specific desire for the TX1 over the TD3? I use a computer and a write blocker (e.g. TK8u) 
rather than a duplicator.  For imaging software, I use EnCase Imager.  For mobile, the write blocker is not necessary 
and you can create an image/backup with Magnet Acquire.  Mac can be tricky.  In the past, I've imaged them three ways: 
by pulling the drive (when they were removable), using target disk mode, or live using dd.  I'd like to try BlackBag's 
Macquisition and Sumuri's Recon Imager but I haven't had the need for either recently.

Regards,

Steven Alexander
Director of IT Security
Kern Community College District
(661) 336-5111

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Franzi 
Willenbuecher
Sent: Tuesday, September 25, 2018 9:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Forensic Equipment Recommendations

Thank you all for your suggestions!

We currently have the Tableau TD3 Imager but I would need to replace it with the new TX1 for Mac capabilities, so I was 
wondering about alternatives.

Thanks,
Franzi

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Steven Alexander
Sent: Monday, September 24, 2018 11:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Forensic Equipment Recommendations

Franzi,

What are you using currently and what limitations are you facing that make you want to upgrade?

Silicon Forensics has solid workstations with a variety of RAID and SSD options, but they are fairly pricey. For 
consulting, I use an Alienware laptop with three SSDs and it works great.  It all depends on your needs.  The higher 
they are, the more it makes sense to work with a vendor that understands your workloads.

If your workload is light, not more than a few cases a month, any fast workstation with a couple of SSDs and 32 GB of 
RAM should be fine, but check the system requirements on the software you're using or plan to use.  You will generally 
get better performance if you can separate the location of the drive/device images from case and temporary files (may 
be less of an issue with SSD), and I prefer to keep those separate from the OS volume, so plan on using at least three 
drives.  If you're handling a heavier case load, you may run into storage issues with individual SSDs (requiring you to 
offload active cases to external storage) so an SSD RAID would be helpful.

Did you mean Apple mobile devices, i.e. iPhones and iPads, or did you mean Macs and (Apple/Android/whatever) mobile 
devices?  I use Magnet AXIOM as my go-to forensic software and it's worked fine with Android and Apple mobile devices.  
I don't think Magnet has added APFS support yet so if you're going to be working on a lot of Macs, I would look into 
that or check out BlackLight/Macquisition.

Regards,

Steven Alexander
Director of IT Security
Kern Community College District
steven.alexander () kccd edu


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Franzi Willenbuecher
Sent: Friday, September 21, 2018 11:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Forensic Equipment Recommendations

Hello,

We are looking at upgrading our current forensic equipment - does anyone have a specific vendor or solution they 
recommend, especially relating to Apple and mobile devices?

Thanks,
Franzi

Franzi Willenbuecher
Information Security Training Analyst
Information Technology
Emporia State University
620-341-6704
fwillenb () emporia edu
hornet.emporia.edu

