EnCase® basically performs two different functions--acquisition and analysis. You must plan your forensic system(s) around those. You might even want to consider getting two different computers.

Field Acquisitions
The most important feature to keep in mind for field acquisitions is connectivity. Going out into the field, you never know what kind of hardware you are going to come up against. And if you cannot bring the suspect's computer or hard drive back to the forensic lab with you, it is of the utmost importance that you have something that will allow you to successfully and reliably image the suspect media. To that end, you need either a media device or a field computer that will attach to all types of hardware out there.

A luggable computer is one option, a small desktop designed for field acquisitions. A list of companies that market such devices is below. The advantage of these computers is that most, if not all, connectivity is on the outside of the case, so that, for example, attaching an internal hard drive to the luggable without even opening the forensic computer cover is possible. Many also come with drive drawers, where you place the suspect hard drive in it to acquire its image.

Of course, options like that can get expensive. Cheaper alternatives are to simply bring an external USB or Firewire hard drive with you out into the field (as well as the latest EnCase boot disk with the appropriate DOS drivers) and attach that to the perpetrator's PC. This could also include external removable media such as external Jaz drives, external Zip drives, or what have you. With removable media, however, keep in mind that you will need to bring along as much media as necessary. For a 100-gig Subject hard drive, that would be at least a 100- gig Storage hard drive! Keep in mind, Jaz drives and other forms of removable media are never as reliable as a hard drive. We at Guidance Software always recommend acquiring media to a hard drive.)

Or simply buy a small desktop computer and stock it with PCI and SCSI (at least the Adaptec 29160)cards that may be needed, a large hard drive, and at least 512 Megs of RAM. Bring that out into the field with you along with a monitor and keyboard to go too.

Many investigators use laptop computers in the field for their portability, this is a good solution but you will want to ensure that you have all of the possible acquisition methods covered. The items you will want to make sure are available on your laptop are: a working onboard or PCMCIA NIC, multiple Firewire and USB ports, a parallel port, a floppy or CD-Rom that can be booted from, and the FastBloc FE.

Lab Analysis
The lab analysis machine (the Forensic PC) should be your work-horse. It totally depends on your budget, of course, but you should get as much machine as you can afford. Important features to keep in mind for the analysis machine are speed and hard drive real-estate. A Pentium-4 or equivalent running at 2.5 MHz or higher with 2- gigs of RAM is a good start. You should have one hard drive for your OS and applications (40 gigs would be fine) and a second hard drive for evidence file storage (120 gigs is a good beginning). A good lab analysis machine should also have a "computer forensic friendly" BIOS along with additional room to grow.
Do we recommend any particular model or brand of computer? No. We feel that you should build or purchase a machine that meets our recommendations along with meeting your budget and forensic needs. Remember, your computer forensic needs DIFFER GREATLY from those of the home and business user.

Need more?
If you have any more questions about forensic computer or acquisition computer hardware configurations, feel free to e-mail Technical Support at support@guidancesoftware.com.

Here is a list of forensic computer suppliers that EnCase users have recommended in the past:

CyberForensic Associates
12882 Valley View St. Suite 6
Garden Grove, Ca. 92845
Voice (714) 895-6775
Fax (714) 895-0011
http://www.cyberforensic.com

Forensic-Computers.com
203 South Jefferson St., Suite B
Lewisburg, WV 24901
Call: 304-647-5421
Fax: 304-647-5452
Toll Free: 877-877-4224
http://www.forensic-computers.com

• Forensic-Computers.com offers a 5% discount on all forensic hardware for EnCase users/buyers!
• One stop shopping! Order forensic hardware, EnCase and EnCase training and place on ONE purchase order!