Preparing labs
Have labs ready for in-depth analysis before you need them. This text deliberately uses older, hand-me-down hardware rather than the latest and greatest, because that is usually the reality in practice.
Forensic lab
A forensic lab needs its own machine, because analysing and indexing evidence is heavy work. Three things constrain it: disk read/write speed, RAM and CPU.
- RAM: 16 GB minimum. Forensic tools build an index or database of artifacts and hold a large part of it in memory.
- CPU: analysis runs the CPU at 80 to 100 %; more cores help considerably because parsing, carving and hashing parallelise well.
- Disk: the single most important factor. A PCIe NVMe drive reads sequentially at roughly 20× the speed of an old 7200 RPM SATA disk, which over a multi-terabyte image saves many hours. Keep the evidence image and the tool's index on the fast drives and use the slow bulk disk only for storage and temp.
Example hardware
| Component | Spec |
|---|---|
| RAM | 128 GB |
| Disks | 1× 1 TB NVMe (OS) · 2× 2 TB (image analysis + index) · 1× 8 TB (storage/temp) |
| CPU | Intel i9 Extreme or Ryzen Threadripper |
| GPU | RTX 3080 (CUDA) or AMD 6900 XT (OpenCL/ROCm); CUDA is NVIDIA-only, so check which backend your GPU-accelerated tooling needs before choosing |
Can less do it? Yes. An older i7, 16 GB of RAM and a SATA SSD will still let you investigate; it just takes longer. Start there for the first year or two and build knowledge before spending on hardware.
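A quick way to find out whether a candidate machine clears the minimums above is to measure the three constraints and compare them with the thresholds. The script below is an added example, not code from the original page: the 16 GB RAM and core-count floors follow the text, while the 300 MB/s disk floor (roughly a SATA SSD) and the `nvme_like`/rotational heuristic are this example's own assumptions.

```python
"""Readiness check for a forensic workstation (added example, not the page's own code)."""
from __future__ import annotations

import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class LabSpecs:
    ram_gb: float
    cores: int
    disk_write_mb_s: float
    disk_read_mb_s: float


# RAM and cores follow the section's minimums; the disk floor is an assumption
# (about a SATA SSD). An old 7200 RPM disk will land well below it.
MINIMUMS = {"ram_gb": 16, "cores": 4, "disk_mb_s": 300}


def physical_ram_gb() -> float:
    """Total physical RAM via sysconf (Linux/macOS); 0.0 where unavailable."""
    try:
        pages = os.sysconf("SC_PHYS_PAGES")
        page_size = os.sysconf("SC_PAGE_SIZE")
    except (ValueError, OSError, AttributeError):
        return 0.0
    return pages * page_size / 1024 ** 3


def is_rotational(path: str) -> bool | None:
    """Linux only: True for a spinning disk, False for SSD/NVMe, None if unknown."""
    try:
        st = os.stat(path)
        major, minor = os.major(st.st_dev), os.minor(st.st_dev)
    except (OSError, AttributeError):
        return None
    # Whole disks expose queue/rotational directly; partitions one level up.
    for candidate in (f"/sys/dev/block/{major}:{minor}/queue/rotational",
                      f"/sys/dev/block/{major}:{minor}/../queue/rotational"):
        try:
            with open(candidate) as f:
                return f.read().strip() == "1"
        except OSError:
            continue
    return None


def measure_disk_mb_s(directory: str, size_mb: int = 256) -> tuple[float, float]:
    """Sequential write then read of a temp file; returns (write, read) in MB/s.

    The write is fsync'd so it reflects the device rather than the page cache.
    The read may still be cache-assisted for small sizes, so for a real
    measurement use a size larger than the machine's RAM.
    """
    chunk = os.urandom(1024 * 1024)  # 1 MiB of incompressible data
    fd, path = tempfile.mkstemp(dir=directory, prefix="labcheck-")
    try:
        start = time.perf_counter()
        with os.fdopen(fd, "wb") as f:
            for _ in range(size_mb):
                f.write(chunk)
            f.flush()
            os.fsync(f.fileno())
        write_s = max(time.perf_counter() - start, 1e-9)

        start = time.perf_counter()
        with open(path, "rb") as f:
            while f.read(1024 * 1024):
                pass
        read_s = max(time.perf_counter() - start, 1e-9)
    finally:
        os.unlink(path)
    return size_mb / write_s, size_mb / read_s


def evaluate(specs: LabSpecs, minimums: dict = MINIMUMS) -> list[str]:
    """Return the constraints the machine fails; an empty list means ready."""
    failures = []
    if specs.ram_gb < minimums["ram_gb"]:
        failures.append(f"RAM {specs.ram_gb:.1f} GB < {minimums['ram_gb']} GB")
    if specs.cores < minimums["cores"]:
        failures.append(f"cores {specs.cores} < {minimums['cores']}")
    slowest = min(specs.disk_write_mb_s, specs.disk_read_mb_s)
    if slowest < minimums["disk_mb_s"]:
        failures.append(f"disk {slowest:.0f} MB/s < {minimums['disk_mb_s']} MB/s")
    return failures


def check_lab(directory: str | None = None, size_mb: int = 256) -> LabSpecs:
    """Measure the machine; point `directory` at the drive that will hold images."""
    directory = directory or tempfile.gettempdir()
    write_mb_s, read_mb_s = measure_disk_mb_s(directory, size_mb)
    return LabSpecs(physical_ram_gb(), os.cpu_count() or 1, write_mb_s, read_mb_s)


if __name__ == "__main__":
    target = tempfile.gettempdir()
    specs = check_lab(target)
    print(specs, "rotational:", is_rotational(target))
    failures = evaluate(specs)
    print("ready" if not failures else "not ready: " + "; ".join(failures))
```

Run it with the working directory set to the drive that will hold the evidence images and index, since that is the disk whose throughput matters; the OS drive often tells you nothing about the analysis volume.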
Virtualization & ready-made VMs
For both new and old PCs, start with VMware Workstation or VirtualBox on a Linux host (Ubuntu or Linux Mint); a lightweight Linux desktop leaves more CPU and RAM for the guests.
- Security Onion: network security monitoring and SIEM distribution (Suricata, Zeek and the Elastic stack) with capture, analysis and incident-response tooling, shipped as an ISO.
- REMnux: Linux distribution for reverse-engineering and analysing malware. Keep it isolated (host-only networking, no shared folders), since samples are run inside it.
- Kali / Ubuntu: general-purpose offensive and base systems.