RE: Laptop Considerations

From: Omar Herrera (oherrera@prodigy.net.mx)
Date: Sun Dec 12 2004 - 23:59:47 EST


My recommendations below...

> -----Original Message-----
> From: David Bouchard [mailto:lists@tigercomputersolutions.com]
> Sent: Saturday, December 11, 2004 9:47 PM
> To: pen-test@securityfocus.com
> Subject: Laptop Considerations
>
> I am about to be purchasing a laptop and I was wanting the advice of the
> list. I know this can be a very personal topic for some people, but I have
> to throw it out there anyway.
>
> Here's my situation... I'm about to be attending a degree program in
> Information Assurance and Forensics. I also have my own business doing a
> variety of things computer related. At some point I would like to delve
> more heavily into vulnerability assessment, penetration testing, and
> possibly forensics. I'm looking for a laptop that will be flexible enough
> to meet all these needs.
>
> This is what my immediate plans for the laptop are: for my business, I need
> to have some of the basic MS Office suite on it, as well as MS Publisher. I
> plan on making it into a dual-boot machine with some flavor of Linux. I
> don't care to use a live Linux CD because I want to be able to store logs,
> settings, and other data onto the drive, and I hope to eventually use Linux
> for everything except the MS stuff that I have to use on occasion for my
> business.
> ...
> What I'm looking at right now is the Dell Latitude D600. I've supported and
> purchased a lot of Dell desktop computers and have been very happy with them
> and I have run Knoppix-STD on a Dell laptop and everything ran well. The
> D600 has the ports I'd like.
>
> Any thoughts or recommendations? Any capabilities that you think I've
> missed?

* It is better to have a complete installation of some Linux distribution on
your hard disk. I like live distributions of Linux such as Knoppix, I even
use them to teach information security, but for vulnerability assessment and
forensics it is much better to have a dual-boot system with Windows and
Linux installed. Virtual machines might work, other people have succeeded in
running most tests on them, but you have to consider that you won't have
native support of hardware, so certain functions such as network traffic
creation/mangling might not work as expected.

* If you buy MS Windows from your laptop provider, make sure they provide
you with a disc set of the original installation. Many vendors ship only a
customized distribution of the discs that is actually a hard drive image of
the base installation. Reinstalling from these discs usually means wiping
all partitions (not good if you have another O.S. partition already in
place).

* If a wireless card is already included, make sure its chipset is supported
and has the capabilities you want (in case you will make vulnerability
assessments on wireless networks, or you think you will need wireless access
for information transfer during forensics). For example, Orinoco and Prism
chipsets have important differences, and not all applications work with all
chipsets. Of course, make sure it also has some sort of network card for
cable connections.

* Make sure the machine has a good number of ports (typically you will have
one FireWire and at least two USB 2.0). For forensics you will do well to
consider an external hard disk (100GB or more, USB 2/FireWire); even with
laptops with 80 or 100GB internal HD you will find out that you need more
hard disk space; it is a critical resource for forensics. You will also find
the extra ports useful for connecting two machines p2p with USB, an external
mouse or a small USB stick hard disk.

* Desirable accessories: floppy disk drive and CD-R/RW. The reason is that
with forensics you usually don't know how you will access the machine to be
analyzed. Ideally you would have a turned-off machine with the possibility
to remove the hard drive, mount it read-only on another machine, make a copy
of the disk image, fill in chain of custody forms, blah, blah, blah. In real
life you will have several cases where you cannot even turn off the machine,
because it is a critical production server. Anyway, if it were a case where
the police need to be involved and you have to follow detailed procedures
carefully to be able to make your case in court, a laptop will not suffice;
you will require specialized hardware and software. Yet most of the time we
do forensics just for an internal investigation, so you will need to have
several options to access the machine and transfer files or disk images for
analysis. Booting from floppy disks, CD-R and even USB portable disks (on
some computers) are options to access computers. You need the proper drives
on your laptop to prepare boot disks and toolsets (when doing live
forensics, where you would typically include trusted versions of useful O.S.
commands).

* Processor is not too critical for vuln. assessment or forensics (unless
you do special things such as image processing and statistical analysis);
almost any Pentium/AMD processor over 1 GHz will do. Memory on the other
hand is more important, since several forensics and vuln. assessment tools
use a lot of RAM (you might want to run a sniffer during all network
vulnerability assessments, for example). Make sure you have at least 512 MB
of RAM on your laptop. Video is usually not important for these two
activities, but take into account that several models of video cards
(particularly from ATI) make use of the system's main memory.

The laptop you mention doesn't look like a bad option; I would argue only
against depending on Knoppix-STD (it is quite limited for vuln. assessment;
for example, if you want to run a web proxy for protocol analysis/mangling
like Paros, you have to download a full version of the JRE to make it work,
which of course requires a lot of memory). I'm also not sure if Dell
provides standard installation disks of Windows.

Best regards,

Omar Herrera
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT