Digital Forensics

Lecture 3
The Investigator’s Office and Laboratory
 Objectives
• Describe certification requirements for
computer forensics labs
• List physical requirements for a computer
forensics lab
• Explain the criteria for selecting a basic
forensic workstation
• Describe components used to build a
business case for developing a forensics
lab
 Understanding Forensics Lab
Certification Requirements
• Computer forensics lab
– Where you conduct your investigation
– Store evidence
– House your equipment, hardware, and
software
• American Society of Crime Laboratory
Directors (ASCLD) offers guidelines for:
– Managing a lab
– Acquiring an official certification
– Auditing lab functions and procedures
 Identifying Duties of the Lab
Manager and Staff
• Lab manager duties:
– Set up processes for managing cases
– Promote group consensus in decision making
– Maintain fiscal responsibility for lab needs
– Enforce ethical standards among lab staff
members
– Plan updates for the lab
– Establish and promote quality-assurance
processes
– Set reasonable production schedules
– Estimate how many cases an investigator can
handle
 Identifying Duties of the Lab
Manager and Staff (continued)
• Lab manager duties (continued):
– Estimate when to expect preliminary and final
results
– Create and monitor lab policies for staff
– Provide a safe and secure workplace for staff
and evidence
• Staff member duties:
– Knowledge and training:
• Hardware and software
• OS and file types
• Deductive reasoning
 Identifying Duties of the Lab
Manager and Staff (continued)
• Staff member duties (continued):
– Knowledge and training (continued):
• Technical training
• Investigative skills
• Deductive reasoning
– Work is reviewed regularly by the lab
manager
• Check the ASCLD Web site for online
manual and information (but it's not free,
as far as I can tell)
 Lab Budget Planning
• Break costs down into daily, quarterly,
and annual expenses
• Use past investigation expenses to
extrapolate expected future costs
• Expenses for a lab include:
– Hardware
– Software
– Facility space
– Trained personnel
 Lab Budget Planning
(continued)
• Estimate the number of computer cases
your lab expects to examine
– Identify types of computers you’re likely to
examine
• Take into account changes in technology
• Use statistics to determine what kind of
computer crimes are more likely to occur
• Use this information to plan ahead your
lab requirements and costs
 Lab Budget Planning
• Identify crimes committed with specialized
software
• When setting up a lab for a private company,
check:
– Hardware and software inventory
– Problems reported last year
– Future developments in computing technology
• Time management is a major issue when
choosing software and hardware to purchase
 Acquiring Certification and
Training
• Update your skills through appropriate
training
• International Association of Computer
Investigative Specialists (IACIS)
– Created by police officers who wanted to
formalize credentials in computing investigations
– Only open to law enforcement officers or full-
time civilian employees of law enforcement
agencies
– Certified Electronic Evidence Collection
Specialist (CEECS)
– Certified Forensic Computer Examiners
(CFCEs)
 Acquiring Certification and
Training (continued)
• High-Tech Crime Network (HTCN)
– Certified Computer Crime Investigator, Basic
and Advanced Level
• Basic requires 3 years of experience and 10 cases
– Certified Computer Forensic Technician, Basic
and Advanced Level
 Acquiring Certification and
Training (continued)
Certifications that are available without
police experience
• EnCase Certified Examiner (EnCE)
Certification
• AccessData Certified Examiner (ACE)
Certification
• Other Training and Certifications
– High Technology Crime Investigation
Association (HTCIA)
 Acquiring Certification and
Training (continued)
• Other training and certifications
– SysAdmin, Audit, Network, Security (SANS)
Institute
– Computer Technology Investigators Network
(CTIN)
– NewTechnologies, Inc. (NTI)
CyberSecurity Forensic Analyst
(CSFA)

• 70% of grade based on practical exam

• Three days to complete a case
 Determining the Physical
Requirements for a Computer
Forensics Lab
• Most of your investigation is conducted in
a lab
• Lab should be secure so evidence is not
lost, corrupted, or destroyed
• Provide a safe and secure physical
environment
• Keep inventory control of your assets
– Know when to order more supplies
Identifying Lab Security Needs
• Secure facility
– Should preserve integrity of evidence data
• Minimum requirements
– Small room with true floor-to-ceiling walls
– Door access with a locking mechanism
– Secure container
– Visitor’s log
• People working together should have
same access level
• Brief your staff about security policy
 Conducting High-Risk
Investigations
• High-risk investigations (national security
or murder) demand more security to
prevent computer eavesdropping
– TEMPEST facilities
• Electromagnetic Radiation (EMR) proofed
• http://nsi.org/Library/Govt/Nispom.html
– TEMPEST facilities are very expensive
• You can use low-emanation workstations instead
 Using Evidence Containers
• Known as evidence lockers
– Must be secure so that no unauthorized
person can easily access your evidence
• Recommendations for securing storage
containers:
– Locate them in a restricted area
– Limited number of authorized people to
access the container
– Maintain records on who is authorized to
access each container
– Containers should remain locked when not in
use
 Overseeing Facility
Maintenance
• Immediately repair physical damages
• Escort cleaning crews as they work
• Minimize the risk of static electricity
– Antistatic pads
– Clean floor and carpets
• Maintain two separate trash containers
– Materials unrelated to an investigation
– Sensitive materials
• When possible, hire specialized companies for
disposing sensitive materials
 Considering Physical Security
Needs
• Create a security policy
• Enforce your policy
– Sign-in log for visitors
• Anyone that is not assigned to the lab is a visitor
• Escort all visitors all the time
– Use visible or audible indicators that a visitor
is inside your premises
• Visitor badge
– Install an intrusion alarm system
– Hire a guard force for your lab
 Auditing a Computer Forensics
Lab
• Auditing ensures proper enforcing of
policies
• Audits should include inspecting:
– Ceiling, floor, roof, and exterior walls of the
lab
– Doors and doors locks
– Visitor logs
– Evidence container logs
– At the end of every workday, secure any
evidence that’s not being processed in a
forensic workstation
Determining Floor Plans for
Computer Forensics Labs
Determining Floor Plans for
Computer Forensics Labs
(continued)
Determining Floor Plans for Computer
Forensics Labs (continued)
 Selecting a Basic Forensic
Workstation
• Depends on budget and needs
• Use less powerful workstations for
mundane tasks
• Use multipurpose workstations for high-
end analysis tasks
 Selecting Workstations for
Police Labs
• Police labs have the most diverse needs
for computing investigation tools
– Special-interest groups (SIG) are helpful to
investigate old systems, like CP/M,
Commodore 64, etc.
• General rule
– One computer investigator for every 250,000
people in a region
– One multipurpose forensic workstation and
one general-purpose workstation
 Selecting Workstations for
Private and Corporate Labs
• Requirements are easy to determine,
because you can specialize
• Identify the environment you deal with
– Hardware platform
– Operating system
• Gather tools to work on the specified
environment
Stocking Hardware Peripherals
• Any lab should have in stock:
– IDE cables
– Ribbon cables for floppy disks
– SCSI cards, preferably ultra-wide
– Graphics cards, both PCI and AGP types
– Power cords
– Hard disk drives
– At least two 2.5-inch Notebook IDE hard
drives to standard IDE/ATA or SATA adapter
– Computer hand tools
Maintaining Operating Systems
and Software Inventories
• Maintain licensed copies of software like:
– Microsoft Office 2019, etc
– Quicken
– Programming languages
– Specialized viewers
– Corel Office Suite
– StarOffice/OpenOffice
– Peachtree accounting applications
Using a Disaster Recovery Plan
• Keep regular backups, using Ghost or
other utilities
– Win 11 has Windows Image Backup
• Store backups off-site but securely
• Be able to restore your workstation and
investigation files to their original condition
– Recover from catastrophic situations, virus
contamination, and reconfigurations
• Configuration management
– Keep track of software updates to your
workstation
 Planning for Equipment
Upgrades
• Risk management
– Involves determining how much risk is
acceptable for any process or operation
– Identify equipment your lab depends on so it
can be periodically replaced
– Identify equipment you can replace when it
fails
• Computing components last 18 to 36
months under normal conditions
– Schedule upgrades at least every 18 months
• Preferably every 12 months
 Using Laptop Forensic
Workstations
• Create a lightweight, mobile forensic
workstation using a laptop PC
– FireWire port
– USB 2.0 port
– PCMCIA SATA hard disk
• Laptops are still limited as forensic
workstations
– But improving
 Building a Business Case for
Developing a Forensics Lab
• Can be a problem because of budget problems
• Business case
– Plan you can use to sell your services to
management or clients
• Demonstrate how the lab will help your organization
to save money and increase profits
– Compare cost of an investigation with cost of a
lawsuit
– Protect intellectual property, trade secrets, and
future business plans
 Preparing a Business Case for
a Computer Forensics Lab
• When preparing your case, follow these
steps:
– Justification
– Budget development
• Facility cost
• Computer hardware requirements
• Software requirements
• Miscellaneous costs
– Errors and Omissions Insurance!
– Approval and acquisition
– Implementation
 Preparing a Business Case for
a Computer Forensics Lab
•
(continued)
Steps:
– Acceptance testing
– Correction for acceptance
– Production
Thank You!