Hardware/Software

06:00 - Thursday 22 July 2004 by Humphrey Cheung
Source: Tom's Hardware – Keywords: forensic, software, maker, gets, tough, on, computer, crime


What kind of cool gear does a computer forensic investigator carry around? Mr. Colbert showed us some of the goodies. A digital camera is a must for taking pictures of the outside and inside of the computers and the surrounding crime scene. Pictures of the connections on the back of the PC are taken to help prove that the PC had network or printing capability. The bulk of the kit consists of cables and screwdrivers. Odd-sized screwdrivers are often needed, especially for opening Apples and laptops.

We were shown the Guidance Software FastBloc device, which allows an investigator to safely transfer the contents of a hard drive to a PC. This is a bit-for-bit transfer that ensures that an exact image is taken. In addition, FastBloc prevents any writes to the hard drive by tricking the operating system into thinking that any writes are successful. Mr. Colbert explained that it is important to block writes, as 400-1000 files are changed on a typical Windows bootup.

The investigator simply attaches the hard drive to the FastBloc device and then attaches the FastBloc to the PC via USB or FireWire ports. This makes the FastBloc very laptop friendly. Since modern laptops have excellent CPUs and storage space, they are quickly replacing the "luggable" computers that have traditionally been used in computer investigations.
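The write-blocked, bit-for-bit acquisition described above can be modelled in a few lines. This is an added example, not code from the article or from Guidance Software: the `WriteBlockedDevice` class, the in-memory "disk" and the SHA-256 verification step are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib
import io

class WriteBlockedDevice:
    """Model of a write blocker: reads pass through, writes are
    reported as successful but never reach the underlying media."""
    def __init__(self, raw):
        self._raw = raw
        self.dropped_writes = 0

    def read(self, n=-1):
        return self._raw.read(n)

    def seek(self, offset, whence=0):
        return self._raw.seek(offset, whence)

    def write(self, data):
        self.dropped_writes += 1
        return len(data)  # the caller believes the write succeeded

def sha256_of(stream, chunk=4096):
    """Hash a stream from offset 0 to the end, one chunk at a time."""
    stream.seek(0)
    digest = hashlib.sha256()
    while block := stream.read(chunk):
        digest.update(block)
    return digest.hexdigest()

def acquire(source, image, chunk=4096):
    """Copy every byte of source into image and return the hashes
    (source before, image, source after) so the copy can be verified."""
    before = sha256_of(source, chunk)
    source.seek(0)
    while block := source.read(chunk):
        image.write(block)
    return before, sha256_of(image, chunk), sha256_of(source, chunk)

def demo():
    # Constructed sample disk: three 512-byte sectors, unused space included.
    disk = io.BytesIO(b"BOOT" + bytes(508) + b"secret.doc" + bytes(502) + b"\xff" * 512)
    device = WriteBlockedDevice(disk)
    device.seek(0)
    device.write(b"boot-time timestamp update")  # simulated OS write, discarded
    image = io.BytesIO()
    before, image_hash, after = acquire(device, image)
    exact_copy = image.getvalue() == disk.getvalue()
    return device.dropped_writes, before == image_hash == after, exact_copy

if __name__ == "__main__":
    print(demo())
```

Matching hashes before and after acquisition show that the source was not altered, and the matching image hash shows that the copy is exact, unused sectors included.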

Forensic software is used to examine the data after it has been transferred to the PC. Guidance sells two versions of its EnCase software: the Enterprise edition and the Forensic edition. The Forensic edition is the stand-alone version that most investigators would use. It works well for examining one computer at a time. The Enterprise edition does the same thing, but works over the network, so a computer can be examined in real time over the corporate network or even over the Internet.

