Chapter 4. Forensics Methods and Labs

EVIDENCE CAN MAKE OR BREAK AN INVESTIGATION. For evidence to be forensically sound, it must be collected properly and deemed authentic. This chapter discusses two frameworks for ensuring forensic soundness: the DFRWS framework and an event-based digital forensic investigation framework.

System forensics specialists conduct disk-based analysis investigations, store evidence, and do other work in a computer forensics lab. A lab facility must be physically secure so that evidence is not lost, corrupted, or destroyed. The lab should contain a variety of system forensics hardware and software, including forensic workstations and current and legacy software. In addition, the lab must have defined policies, processes, and procedures. Investigators must follow these policies, processes, and procedures. By doing so, they can ensure the integrity of analysis and results so that they will stand up in court.

Forensic Soundness

System forensics is a discipline that combines elements of law and computer science. It involves collecting and analyzing data from computer systems, networks, wireless communications, and storage devices. A forensic specialist must collect data in such a way that it is admissible as evidence in a court of law. Evidence can make or break an investigation, so it's important that evidence be forensically sound.

The courts currently recognize two main classes of electronic information:

  • Human-generated information—Information created by humans, including e-mails, text messages, word processing documents, digital photos, and other records that are transmitted or stored electronically.

  • Computer-generated information—Records produced by a computing device, including logs, content analysis, packet captures, and reconstructed artifacts. The admissibility of computer-generated records depends on their authenticity.

The investigator should acquire, retain, retrieve, and deliver information in a forensically sound fashion to ensure that it is admissible. Forensic soundness occurs when data remains complete and materially unaltered. In other words, the evidence is what a forensic specialist says it is: unchanged since collection. To ensure forensic soundness, forensic examiners must follow a process that is reliable, repeatable, and documented. Various organizations have developed criteria for or explanations of forensic soundness. The U.S. Department of Justice and the International Organization on Computer Evidence are two examples.

Rodney McKemmish proposed the following simplified set of principles for forensic soundness:

  • Minimally handle the original—A forensic specialist should apply digital forensics processes to original data as little as possible. Instead, an investigator should copy relevant data and examine it.

  • Account for any change—Changes sometimes occur to evidence during a forensic examination. In such cases, a forensic specialist should note the nature, extent, and reason for the changes.

  • Comply with the rules of evidence—During an investigation, a forensic specialist should keep in mind the relevant rules of evidence. (See the following sidebar, "Rules of Evidence.")

  • Avoid exceeding one's knowledge—A forensic specialist should not undertake an examination that is beyond his or her current level of knowledge and skill. It is important to seek help when needed.

Forensic specialists should generally make copies of evidence rather than work with the original evidence. To guarantee forensic soundness, they must collect their evidence using a method that does not alter any data on the drive or device that they are duplicating. Also, the evidence must contain a copy of every bit, byte, and sector of the source drive. The copy should include unallocated empty space and slack space, exactly as the data appears on the source drive or device. Finally, the forensic specialist must document the manner used to obtain the evidence. In other words, the specialist must report on the origin of the evidence as well as its handling by investigators. The specialist should note any hardware or software errors encountered during the forensic examination process and explain their impact. The process used to obtain and analyze evidence should be transparent. This means someone else must be able to independently examine and verify the process. In addition, the process must produce an audit trail.

Accidental human error can easily change or delete electronic data. So can computer processes. The results of the forensic process may become evidence in court. Therefore, it's critical to take measures to ensure the reliability and accuracy of data.

Forensic Frameworks and Processes

Forensic frameworks and processes come in many models. Further, specialists may take numerous approaches to cyber investigations. The three primary goals of forensics methods are to:

  • Acquire evidence without altering or damaging the original.

  • Authenticate that recovered evidence is the same as the originally seized data.

  • Analyze the data without modifying it.

These three goals apply regardless of the model used.
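The acquire, authenticate, and audit-trail requirements described above, as an added example that is not from the textbook: a small Python acquisition routine that copies every sector of a constructed in-memory "device" without writing to it, zero-fills and records any sector that fails to read (so the change is accounted for rather than hidden), hashes the resulting image, and appends a record to an audit log. The SourceDevice class, the function names, and the JSON-lines log format are assumptions made for this example; real tooling would read a write-blocked physical drive.

```python
# Added example, not code from the textbook: sector-by-sector acquisition
# that follows the forensic-soundness rules in this chapter.  The source is
# a constructed in-memory stand-in for a drive so the script runs offline.
import hashlib
import json
import os
import tempfile
import time

SECTOR_SIZE = 512


class SourceDevice:
    """Constructed stand-in for a drive: raw bytes plus a set of sector
    numbers that fail to read, so the error-handling path can be exercised."""

    def __init__(self, data: bytes, bad_sectors=()):
        if len(data) % SECTOR_SIZE:
            raise ValueError("device size must be a whole number of sectors")
        self._data = data
        self._bad = set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return len(self._data) // SECTOR_SIZE

    def read_sector(self, lba: int) -> bytes:
        # Read-only access: nothing in this class ever modifies _data.
        if lba in self._bad:
            raise OSError(f"read error at sector {lba}")
        start = lba * SECTOR_SIZE
        return self._data[start:start + SECTOR_SIZE]


def acquire(device: SourceDevice, examiner: str = "examiner") -> tuple:
    """Copy every sector of the device into an image, never writing to it.

    Returns (image_bytes, record).  A sector that cannot be read is replaced
    by zeros in the image and listed in the record with its impact, so the
    deviation from the original is documented rather than silently hidden.
    """
    chunks = []
    errors = []
    for lba in range(device.sector_count):
        try:
            sector = device.read_sector(lba)
        except OSError as exc:
            sector = b"\x00" * SECTOR_SIZE
            errors.append({"sector": lba, "error": str(exc),
                           "impact": "sector zero-filled in image"})
        chunks.append(sector)
    image = b"".join(chunks)
    record = {
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "sector_size": SECTOR_SIZE,
        "sector_count": device.sector_count,
        "read_errors": errors,
        # Two independent digests captured at acquisition time.
        "image_md5": hashlib.md5(image).hexdigest(),
        "image_sha256": hashlib.sha256(image).hexdigest(),
    }
    return image, record


def verify_image(image: bytes, record: dict) -> bool:
    """Authenticate a copy: recompute both digests and compare them with the
    values recorded when the image was made."""
    return (hashlib.md5(image).hexdigest() == record["image_md5"]
            and hashlib.sha256(image).hexdigest() == record["image_sha256"])


def save_acquisition(image: bytes, record: dict, image_path: str,
                     log_path: str) -> None:
    """Write the image to disk and append one JSON line to the audit trail."""
    with open(image_path, "wb") as fh:
        fh.write(image)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(dict(record, image_path=image_path)) + "\n")


if __name__ == "__main__":
    # Constructed sample: a 16-sector device whose sector 5 is unreadable.
    data = bytes(range(256)) * (16 * SECTOR_SIZE // 256)
    device = SourceDevice(data, bad_sectors={5})
    image, record = acquire(device)
    workdir = tempfile.mkdtemp()
    save_acquisition(image, record, os.path.join(workdir, "evidence.dd"),
                     os.path.join(workdir, "audit.jsonl"))
    print(f"verified: {verify_image(image, record)}")
    print(f"read errors: {record['read_errors']}")
```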

The DFRWS Framework

The Digital Forensics Research Workshop (DFRWS) is a nonprofit, volunteer organization. Its goal is to enhance the sharing of knowledge and ideas about digital forensics research. DFRWS sponsors annual conferences, technical working groups, and challenges to help drive the direction of research and development. In 2001, the DFRWS developed a framework for digital investigation that is useful today. The DFRWS framework is a matrix with six classes:

  • Identification

  • Preservation

  • Collection

  • Examination

  • Analysis

  • Presentation

Note

For more information on the DFRWS, see http://www.dfrws.org.

As shown in Table 4-1, each of these classes has several elements.

Table 4-1. The DFRWS digital investigation framework.

IDENTIFICATION
  • Event/crime detection
  • Resolve signature
  • Profile detection
  • Anomalous detection
  • Complaints
  • System monitoring
  • Audit analysis

PRESERVATION
  • Case management
  • Imaging technologies
  • Chain of custody
  • Time synchronization

COLLECTION
  • Preservation
  • Approved methods
  • Approved software
  • Approved hardware
  • Legal authority
  • Lossless compression
  • Sampling
  • Data reduction
  • Recovery techniques

EXAMINATION
  • Preservation
  • Traceability
  • Validation techniques
  • Filtering techniques
  • Pattern matching
  • Hidden data discovery
  • Hidden data extraction

ANALYSIS
  • Preservation
  • Traceability
  • Statistical
  • Protocols
  • Data mining
  • Timeline
  • Link
  • Spatial

PRESENTATION
  • Documentation
  • Expert testimony
  • Clarification
  • Mission impact statement
  • Recommended countermeasure
  • Statistical interpretation

An Event-Based Digital Forensic Investigation Framework

In 2004, Brian Carrier and Eugene Spafford, researchers at the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University, proposed a model that is more intuitive and flexible than the DFRWS framework. This model, an event-based digital forensic investigation framework, is shown in Figure 4-1. This model has five phases:

  • Readiness—There are two readiness phases: the operations readiness phase and the infrastructure readiness phase. The operations readiness phase involves training people and testing investigation tools. The infrastructure readiness phase involves configuring the equipment. This could include adding network monitoring tools and increasing the logging levels.

  • Deployment—There are two deployment phases: the detection and notification phase and the confirmation and authorization phase. In the detection and notification phase, someone detects an incident and alerts investigators. For example, an intrusion detection system could detect a network intrusion. Or an investigator could use logs or communications of the suspect to detect a contraband incident. In the confirmation and authorization phase, investigators receive authorization to conduct the investigation. In a corporate environment, the incident response team may conduct a brief analysis of a system to confirm that it has been compromised. For a critical system, the response team may need additional permission before it can conduct a full analysis. In a law enforcement environment, an officer may obtain a search warrant at this point.

    Figure 4-1. An event-based digital forensic investigation framework.

  • Physical crime scene investigation—The physical investigation involves examining the physical objects at the crime scene where a digital device exists. Investigators collect physical evidence and try to link a person to the suspect computer activity. This set of phases includes searching for physical evidence and reconstructing physical events. When forensic specialists find physical objects that may have digital evidence in them, they conduct a digital investigation. This phase uses the analysis results from one or more digital crime scene investigations.

  • Digital crime scene investigation—This set of phases involves examining the digital data for evidence. An investigation occurs for each self-contained digital device. In general, this process involves preserving the system, searching for digital evidence, and reconstructing digital events. The digital crime scene investigation phases are a subset of the physical crime scene investigation phases. The conclusions drawn in the digital investigation are used in the physical investigation.

  • Presentation—During the preceding phases, investigators develop and test theories about the events related to the incident. At this point, a forensic specialist presents the results either to a corporation or a court of law.

Note

For more information on CERIAS, see http://www.cerias.purdue.edu.

Building a Business Case for Creating a Forensics Lab

Most system forensic work occurs in forensics labs. A lab facility must be physically secure so that evidence is not lost, corrupted, or destroyed. Setting up such a lab is expensive and time-consuming.

Organizations try to constantly reduce costs. It's therefore important to plan ahead to ensure that money is available for facilities, tools, supplies, and training for a forensics lab. In addition, setting up a computer forensics lab requires the support of managers and other team members. A business case is a reasoned proposal for making a change. A business case can help justify the acquisition of newer and better resources to investigate computer forensics cases.

How to develop a business case depends on the organization in question. For a sole proprietor, creating a business case is fairly simple. If the owner needs money to buy tools, he or she can save money for the purchase or negotiate with a bank for a loan. For a public entity such as a police department, on the other hand, budgets are planned a year or more in advance. Public agency department managers present their budget proposals to upper management. If the supervisors approve the proposal, they then make money available to acquire resources outlined in the budget. Some public organizations might have other funds available to spend immediately for special needs. Managers can divert these funds for emergencies or other unforeseen needs.

Private-sector businesses, especially large corporations, are motivated by the need to make money. A business case should demonstrate how computer forensics investigations can save money and avoid risks that could damage profits. For example, forensic investigations may be able to prevent litigation involving the company. A lawsuit, regardless of who wins, can cost an employer several hundred thousand dollars. A business case should compare the cost of training and conducting forensic investigations with the cost of a lawsuit. A business case should also show how computer forensics investigations can improve profits. Investigations can, for instance, protect intellectual property, trade secrets, and future business plans.

The following are some key elements for creating a computer forensics business case:

  • Justification of the need for a lab—The business case should justify to the person controlling the budget the reason a lab is necessary. Advertising the lab's services to previous, current, and future customers and clients can justify future budgets for the lab's operation and staff.

  • The lab budget—As discussed later in this chapter, the budget should include facility costs, hardware costs, and software costs. It's important to be as exact as possible when estimating the costs of these items. Making a mistake could cause delays and possible loss of the opportunity to start or improve the lab.

  • Lab approval and acquisition—The approval process should include a risk analysis that describes how the lab will minimize the risk of litigation. The business case should also present an educated guess about how many investigations are likely and how long they will take to complete, on average. Acquisition planning involves researching different products to determine which ones are the best and most cost-effective. An organization should contact several vendors and designate engineers to learn more about each product and service. Important considerations include product prices, maintenance costs, and vendor reliability.

  • Implementation—The next step is to implement facilities and tools. The business case should include a timeline showing expected delivery or installation dates and expected completion dates. The business case should also include a coordination plan for delivery dates and times for materials and tools. The schedule should include inspection of facility construction, equipment, and software tools.

  • Acceptance testing—Following the implementation scheduling and inspection, an organization should develop an acceptance testing plan for the computer forensics lab to make sure everything works correctly. The acceptance testing should address facility inspection, testing of communications, hardware testing, and installation and use of software tools. The business case must anticipate problems that can cause delays in lab production. It should include contingencies to deal with system or facility failures. For example, the business case should list workarounds for problems, such as the wrong locks being installed on lab doors or electrical power requiring additional filtering.

  • Production—After taking care of all essential corrections, forensic specialists can begin production in their new computer forensics lab.

Setting Up a Forensics Lab

The American Society of Crime Laboratory Directors (ASCLD) provides guidelines for managing a forensics lab. It also provides guidelines for acquiring crime lab and forensics lab certification. ASCLD offers voluntary accreditation to public and private crime laboratories in the United States and around the world. It certifies computer forensics labs that analyze digital evidence and other criminal evidence, such as fingerprints and DNA samples. The ASCLD/LAB certification regulates how to organize and manage crime labs.

Note

For more information on ASCLD, see http://www.ascld.org. For more information on ASCLD/LAB certification, see http://www.ascld-lab.org.

Achieving ASCLD accreditation is a rigorous process. A lab must meet about 400 criteria to achieve accreditation. Typically, an unaccredited lab needs two to three years to prepare for accreditation. It spends this time developing policies, procedures, document controls, analysis validations, and so on. Then, the lab needs another year to go through the process. The lab manager submits an application. The lead assessor and a team spend one to two months reviewing the application and the policies and procedures, to make sure the lab is ready. The assessment takes about a week. Typically the assessment team generates five to 15 findings that require corrective action. The lab typically requires several months to make corrections to the satisfaction of the lead assessor. Once the facility has made all corrections, the lead assessor recommends the lab to the board of directors for accreditation. Finally, the ASCLD/LAB board of directors votes on whether to accredit the lab.

Note

As of January 2010, in the United States, computer forensics lab certification was not mandated. However, following the quality standards of the ASCLD/LAB program enhances a lab's credibility.

The ASCLD/LAB program includes audits to ensure that forensic specialists are performing lab procedures correctly and consistently for all casework. The society performs these audits in computer forensics labs to maintain the quality and integrity of analysis.

The Duties of a Lab Manager and Staff

A system forensics lab manager performs general management tasks, such as promoting group consensus in decision making, maintaining fiscal responsibility for lab needs, and enforcing ethical standards among staff members. In addition, the lab manager does the following:

  • Plans updates for the lab, such as new hardware and software purchases

  • Establishes and promotes quality assurance processes for the lab's staff to follow, such as what to do when a case arrives. These processes may include logging evidence, specifying who can enter the lab, and establishing guidelines for filing reports

  • Sets production schedules for processing work

  • Creates and monitors lab policies for staff and provides a safe and secure workplace for staff and evidence

  • Accounts for all activities of the lab's staff

Staff members in a system forensics lab should have sufficient training to perform their tasks. Necessary skill sets include hardware and software knowledge. For example, lab staff members must have knowledge of operating systems and file types, understand how to use forensic tools, be able to clearly document results, and have good deductive reasoning skills. The lab manager and peers should review staff members' work regularly to ensure quality. Staff members are also responsible for continuing technical training to update their investigative and computer skills. It's important to maintain a record of all training completed.

Note

Many vendors and organizations hold annual or quarterly training seminars. Some offer certification exams as well. For more information on training, see Chapter 15, "System Forensics Resources."

The ASCLD Web site summarizes the requirements of managing a computer forensics lab. It also discusses handling and preserving evidence, performing laboratory procedures, setting personnel requirements, and encouraging professional development. The site also provides a user license for printed and online manuals of lab management guidelines. ASCLD stresses that each lab should maintain an up-to-date library of resources in its field. For system forensics, these resources include software, hardware, information, and technical journals.

Planning a Forensics Lab Budget

Budgeting for a forensics lab is similar to budgeting for any other activity. It involves three basic steps:

  1. Identify the functions to be performed. Define the activities that must be completed to perform those functions.

  2. Estimate the workload.

  3. Estimate the cost to complete the defined activities for the estimated workload. Divide the costs into two basic categories, fixed and variable. Fixed costs are costs that do not change or that change very slowly as the volume of work changes. They include costs for space, computers, software, and other equipment. Variable costs are costs that are directly related to the volume of work. Examples of variable costs are costs for staff, gloves, disks, ink, and paper.

Depending on the organization, a forensics lab must provide its budget estimate on a monthly, quarterly, annual, or multi-year basis. The budget must comply with the organization's normal budget processes. If it does not, management is sure to deny or reduce it.

Forensics labs must not create their budgets in a vacuum. They must develop them based on prior expenditures and workload histories. Information regarding prior expenditures is available from the organization's accounting and inventory systems. This information serves as a basis for determining what is already available to the lab and what it must acquire to complete the estimated workload.

A forensic specialist should understand the costs associated with a forensics lab. Having this understanding helps the forensic specialist better estimate costs and make good decisions about what cases to accept and which analyses to conduct. The following sections discuss the primary items that affect the budget of a forensics lab.

Estimating Facility Costs

For a new computer forensics lab, startup costs might consume most of the budget. The first step with a new lab is determining how much floor space is needed. Preserving evidence and stocking enough supplies requires a lot of storage space. A good rule of thumb is to estimate 150 square feet per person. An organization's facility manager can provide an estimate on per-square-foot costs for the area or building.

Estimating Hardware Needs and Costs

Computers and other hardware are critical to a digital forensics lab. In planning its hardware needs, a lab should consider the following:

  • Computers—Based on the number of cases a lab expects to examine, the lab manager should determine how many computers the lab needs. The hardware equipment a computer forensics lab needs depends on the types of investigations and data the lab will analyze. A lab may need, for example, Windows personal computers (PCs), UNIX workstations, or Linux servers.

  • Storage needs—The volume of storage used in forensic examinations is increasing as the cost of storage continues to decrease. Therefore, a lab should plan to acquire more storage than initially required.

  • Technological changes—A lab must keep up with pending technological changes, such as new processors, storage technology, or other devices. For example, forensics labs should be prepared to address cases that include examination of tablet PCs and other newly introduced technologies. In addition, forensic specialists must often evaluate data stored on obsolete systems. Thus, they must be able to examine data stored on both state-of-the-art and legacy systems.

  • Obsolescence—A forensics lab's inventory should maintain information about whether hardware items still have a useful life. For example, a computer system might still have a useful life according to accounting procedures. But it may no longer be able to process the expanding volumes of data or new forensic software required to perform analyses. The budget estimate for computers should identify the costs of replacing obsolete equipment as well as the costs associated with repair and maintenance and purchase of new equipment. As a general practice, a lab must replace its computers every one to four years.

Estimating Software Needs and Costs

Like hardware, software is critical to a digital forensics lab. A lab's software requirements are largely independent of the volume of data processed. Instead, they are based on the functions to be performed. Thus, a lab should develop a profile of the following:

  • Types of cases—Based on the types of cases expected, the lab can determine the nature of the data—text, database files, graphics, pictures, and so on. It can also determine the activities that will be needed to conduct analyses. For example, if the lab expects cases involving banking transactions, it may need software that can directly examine electronic funds transfers.

  • Licensing—Software licensing is typically based on the number of users, the number of concurrent users, or the number of systems or processors on which it is installed.

  • Obsolescence—Like hardware, software also grows obsolete. Software eventually becomes outdated. Its publisher may stop providing support for the software. A lab should consider replacement costs in its software budget.

  • Other costs—A lab should consider installation, support, and maintenance costs.

Considering Miscellaneous Costs

An organization should brainstorm on other items, tools, and supplies to consider purchasing for its lab. For example, it probably needs general office supplies. It may also have specific needs for daily operations, such as errors-and-omission insurance for the lab's operation and staff.

Determining Physical Requirements for a Computer Forensics Lab

A forensics lab may at first appear to be normal office space. This appearance is deceptive. A lab facility must be physically secure so that evidence isn't lost, corrupted, or destroyed. Lab equipment often requires special power and cooling arrangements. Also, a lab needs humidity controls to minimize the potential for damage by static electricity.

Tip

A lab should consider what it needs to maintain a safe and secure environment when determining its physical lab expenses.

Identifying Lab Security Needs

A computer forensics lab should preserve the integrity of evidence and its analytical functions. A number of organizations produce documents that provide guidance in establishing secure facilities, including the National Institute of Standards and Technology (NIST).

Note

Forensic examiners must be briefed on the lab's security policy. Only examiners and personnel who must know about an investigation should be able to access information about that case.

The following are some of the physical attributes of a secure forensics lab:

  • True floor-to-ceiling walls—Drop ceilings and subfloors are acceptable only if the walls themselves run from the true floor to the true ceiling, so that the space above or below cannot be used to bypass them.

  • Solid doors that resist penetration—Tempered-glass doors are acceptable for interior locations.

  • Door access with a locking mechanism—If possible, each door should also be equipped with a smart card system that records entries and exits. A door should allow egress in the event of a power failure, but entry should require keyed access.

  • Secondary storage for evidence, such as a fire-resistant safe—This storage should enable evidence to be separated by case.

  • Video monitoring—The lab should use video to monitor the facility, secured storage, and all entry points.

  • Blast-resistant windows—Any windows that could provide direct access into the facility must be blast resistant.

  • Visitors' log—A lab should maintain a paper or electronic sign-in log for all visitors. The log should list each visitor's name, the date and time of arrival and departure, the name of the visitor's employer, the purpose of the visit, and the name of the lab member receiving the visitor. Anyone who is not assigned to the lab should be considered a visitor. This includes cleaning crews, facility maintenance personnel, friends, and family members. All visitors to the lab should be escorted by an assigned authorized staff member. The escort should ensure that the visitors don't accidentally or intentionally tamper with an investigation or evidence.

  • Visitors' badges and alarms—A lab should use a visible signal, such as visitors' badges, to identify visitors. A lab may also elect to install a visible or audio alarm to let all specialists know that a visitor is in the area.

The level of physical security required depends on the nature of the lab and the type of work the lab does. A regional computer crime lab has high physical security needs because of the impact of lost, corrupted, or otherwise damaged evidence. Physical security needs of a corporation are probably not as high because the impact of lost or compromised data is much lower.

Conducting High-Risk Investigations

People may be willing to spend significant resources to compromise or stop high-risk investigations, such as those involving national security or murder. These individuals might use physical attacks, such as throwing a bomb. They might use social attacks to compromise an investigator. Or they might use technological attacks, such as planting a Trojan or virus on lab software. High-risk investigations therefore demand increased security.

Protecting against those who have significant resources and incentives to compromise an investigation is extremely difficult. Any security can be broken by unlimited resources and unlimited time. Further, technology improvements tend to help the attacker more than they help prevention. For example, devices for eavesdropping on conversations or computer transmissions are dropping in price while the capabilities are increasing. Detection, on the other hand, is becoming more difficult and expensive. An individual today has the capability to eavesdrop using nanny cams or wireless surveillance systems. A few years ago, such technology was available only to a country's intelligence agencies.

Anyone can go online and find instructions for building a sniffing device that can illegally collect computer emanations. These devices can remotely pick up anything typed on a monitored device that emits electromagnetic radiation (EMR). The EMR from a computer can be picked up as far away as a half mile.

The U.S. Department of Defense shields computers from EMR detection under its TEMPEST program. Shielding all computers would be impossible because of the high cost involved. To protect high-risk investigations, however, a lab might also consider implementing TEMPEST protection. TEMPEST certifies equipment that is built with shielding that prevents EMR. In some cases, TEMPEST can be applied to an entire lab. Shielding a lab is an extremely high-cost approach that includes the following measures:

  • Lining the walls, ceiling, floor, and doors with specially grounded conductive metal sheets

  • Installing filters that prevent power cables from transmitting computer emanations

  • Installing special baffles in heating and ventilation ducts to trap emanations

  • Installing line filters on telephone lines

  • Installing entrance and exit arrangements that ensure the facility is never open directly to the outside

Creating and maintaining a TEMPEST-certified lab is expensive. Such a lab must be inspected and tested regularly. Only large regional computer forensics labs that demand absolute security from eavesdropping should consider complete TEMPEST protection. For smaller facilities, use of TEMPEST-certified equipment is often a more effective approach.

Using Evidence Storage Containers

Forensic specialists should use evidence storage containers to store data and evidence while an investigation is in progress. Storage containers, also known as evidence lockers, must be secure so that no unauthorized person has access. They can be locked using high-quality padlocks, with limited duplicate-key distribution. Or they can be secured with electronic locking systems.

A lab must maintain evidence custody/inventory forms that record the contents of the storage containers. These forms should also indicate when material is added or removed, when material is transferred, and who authorizes each transfer. A lab should retain these records for at least three years or as required by applicable legal requirements.

Tip

Forensic specialists should inspect evidence storage containers periodically. They should also move evidence for closed cases to a secure offsite facility.

Tip

An evidence room must be secure. Therefore, a lab should have at least two controlled exits and no outside windows.

Storage containers should be made of a material that resists penetration, such as steel or a modern composite material. The containers should also protect the contents against magnetic fields and against fire and water damage.

In addition to the evidence storage containers, a forensics lab needs an evidence storage room. This room provides longer-term storage and storage of items that are too large to fit inside an evidence locker, such as a large server or a disk array. The evidence room should be located close to the lab, but it may or may not be within the lab itself. Security for this room must be equal to or better than the level of security of the lab. That is, evidence should be protected at least as well in the evidence room as it is in the main lab area.

Overseeing Facility Maintenance

Facility maintenance is critical to maintaining the integrity of investigations. Evidence can easily become contaminated. For example, random flecks of dirt can damage recording media, and a cleaning crew plugging a vacuum cleaner into the power strip that feeds a workstation can knock out or damage the PC. A lab requires proper maintenance at all times to ensure the safety and health of lab personnel. Lab staff should ensure that any damage to the floor, walls, ceilings, or furniture is repaired immediately. Cleaning crews should undergo background checks, and their work within highly sensitive areas must be monitored. In addition, a lab should clean its floors and carpets at least once a week to help minimize dust.

A forensics lab should have separate containers for trash disposal. Items unrelated to an investigation should be placed in one of the containers. A second container, or multiple containers, should be used to destroy items related to investigations, based on destruction technique. For example, one container would be for paper items that will be shredded. Another would be for hard disks and compact disks (CDs) that will be crushed and melted. Yet another would be used for magnetic tapes that will be degaussed. Using separate trash containers maintains the integrity of criminal investigation processes and protects trade secrets and other private information.

Tip

A lab should maintain a log that documents the destruction of sensitive material.

Auditing a Computer Forensics Lab

To make sure a lab is following security policies and practices, it should conduct routine inspections of its facilities. Audits should include the following facility components and practices:

  • Inspect the lab's ceiling, floor, roof, and exterior walls at least once a month, looking for anything unusual or new.

  • Inspect doors to make sure they close and lock correctly.

  • Inspect locks and replace or change them when needed.

  • Review visitor logs to see whether they're being used properly and if there are any anomalies.

  • Review log sheets for evidence containers to determine when someone has opened and closed them.

  • Inspect the evidence storage room and evidence storage containers.

  • At the end of each workday, secure any evidence that's not being processed on a forensic workstation.

Determining the Floor Plan for a Computer Forensics Lab

How to configure the work area for a computer forensics lab depends on a number of factors. It depends on the budget, the amount of available floor space, and the number of computers assigned to each investigator. For a small operation handling two or three cases a month, one forensic workstation may be sufficient to handle the workload. A typical workstation requires approximately the same space as an average desk. A lab that processes multiple, concurrent investigations requires more than one workstation.

A lab must have enough room around each workstation to allow space for discussions and to separate different investigations. For example, a work area for one person, containing three workstations, requires approximately 150 square feet of space. This space allows for two chairs so that the computing investigator can brief another investigator, a paralegal, or an attorney on the case.

An organization can configure a lab in a number of ways. A small lab may consist of two forensic workstations, a research computer, a workbench if space allows, and storage cabinets. A medium-size computer forensics lab, such as a lab in a private business, has more workstations. If possible, cubicles or even separate offices should be part of the layout to reinforce the need-to-know policy. These labs usually have more library space for software and hardware storage. State law enforcement and the Federal Bureau of Investigation (FBI) run most large or regional computer forensics labs. This type of lab has a separate evidence room for digital evidence. One or more custodians might be assigned to manage and control traffic into and out of the evidence room.

Tip

In some labs, each computer forensics investigator should have a private office where he or she can manage cases, conduct interviews, and communicate without eavesdropping concerns. Separate offices for supervisors and cubicles for investigators are more practical in other situations.

Note

Forensic workstations may be connected to an isolated local area network (LAN). Only a few machines should connect to an outside wide area network (WAN) or a metropolitan area network (MAN). Forensic workstations should not directly connect to the Internet.

Stocking a Forensics Lab

A computer forensics lab must contain a variety of system forensics hardware and software, such as workstations, current and legacy operating systems and other software, and instruments. The following sections look at these components.

Selecting Forensic Workstations

Many well-designed forensic workstations are available that can handle most computing investigation needs. A forensic workstation should have adequate memory, storage, and ports to deal with the common types of cases that come through the lab. In general, an organization should use less powerful workstations for mundane tasks and multipurpose workstations for higher-end analysis tasks. The following sections provide some guidelines for different settings.

Selecting workstations for police labs.

Police departments in major cities have diverse needs for investigation tools because the communities they serve use a wide assortment of computing systems. Not all computer users have the latest technology, so police departments usually need older machines and software to match what's used in their community. For small, local police departments, however, the majority of work involves Windows PCs and Apple Macintosh systems. A small police department's computer forensics lab could be limited to one multipurpose forensic workstation and one or two basic workstations.

Computing systems in a lab should be able to process typical cases in a timely manner. The time it takes to process a case usually depends on the size and type of industries in the region. For example, suppose a lab is located in a region with a large manufacturing firm that employs 70,000 people. Based on the crime reports it consulted, the lab estimates that 12 percent of those employees might be involved in criminal behavior, that is, up to 8,400 employees who might commit crimes such as fraud and embezzlement. Such estimates help the lab gauge how much time it will spend processing these types of cases.

Until recently, the general rule was at least one law enforcement computer investigator for every 250,000 people in a geographic region. For example, if a community has 1 million people, the regional computer forensics lab should have at least four computer investigators, each with at least one multipurpose forensic workstation and one general-purpose workstation. This rule is quickly changing, however, as the amount of data stored on digital devices increases.

Selecting workstations for private and corporate labs.

For a business conducting internal investigations or a commercial business providing system forensics services to private parties, equipment resources are generally easy to determine. Commercial businesses providing system forensics analysis for other companies can tailor their services to specific markets. They can specialize in one or two platforms, such as Windows PCs, or they can gather a variety of tools to meet a wider market. The type of equipment they need depends on their specialty. For general computer forensics facilities, a multipurpose forensic workstation is sufficient.

Private companies conducting internal investigations can determine what types of forensic workstations they need, based on the types of computers they use. If a company uses only Windows PCs, internal investigators don't need a wide variety of specialized equipment. If a company uses many kinds of computers, the lab needs systems and equipment that support the same types of computers.

Maintaining Operating Systems and Software Inventories

Operating systems are an essential part of a lab's inventory. A lab should maintain licensed copies of legacy operating systems to handle cases involving those systems. Microsoft operating systems should include Windows 7, Vista, XP, and NT. Macintosh operating systems should include Mac OS X, 9.x, and 8 or older. If an organization uses UNIX or Linux systems (Ubuntu, for example), the lab should maintain current and previous versions of those systems.

Note

Some computer forensics programs enable a forensic specialist to work from a machine running one operating system and examine disk drives running other operating systems. For example, a specialist may be able to use a Windows PC to examine both Windows and Macintosh disk drives.

Although most high-end system forensics tools can open or display data files created with popular programs, they don't support all programs. A lab's software inventory should include current and older versions of the following programs:

  • Microsoft Office

  • StarOffice/OpenOffice

  • Corel Office Suite

  • Database applications

  • Programming and development environments, such as Microsoft Visual Studio and Intel's assemblers and C/C++ compilers

  • Specialized image viewers, such as ACDSee, ThumbsPlus, XnView, and IrfanView

  • If the lab handles a lot of financial investigations, QuickBooks and Peachtree accounting applications

If a lab deals with both Windows PCs and Macintosh systems, it should have these programs for both platforms.

Table 4-2 lists some common system forensics software tools that a lab can expect to need.

Table 4-2. Forensic software tools (category of tools: examples).

  • Chat recovery tools: Chat Examiner

  • Computer activity tracking tools: Visual TimeAnalyzer

  • Disk imaging software: SnapBack DatArrest, SafeBack

  • E-mail recovery tools: Email Examiner, Network Email Examiner

  • File deletion (wiping) software: PDWipe, Darik's Boot and Nuke (DBAN)

  • File activity monitors and timestamp decoders: FileMon, File Date Time Extractor (FDTE), Decode - Forensic Date/Time Decoder

  • Forensic work environments: X-Ways Forensics

  • Internet history viewers: Cookie Decoder, Cookie View, Cache View, FavURLView, NetAnalysis

  • Linux/UNIX tools: LTOOLS, Mtools

  • Multipurpose tools and tool kits: Maresware, LC Technologies software, WinHex Specialist Edition, ProDiscover DFT, NTI tools, AccessData FTK, EnCase

  • Partition imaging and management: Partimage

  • Password recovery tools: @stake (LC5), Decryption Collection Enterprise, AIM Password Decoder, Microsoft Access Database Password Decoder

  • Slack space and data recovery tools: Ontrack EasyRecovery, Paraben Device Seizure 1.0, Forensic Sorter, Directory Snoop

  • Specialized software for analyzing registries, finding open ports, patching file bytes, simplifying log file analysis, removing plug-ins, examining P2P software, and examining SIM cards and various brands of phones: Registry Analyzer, Regmon, DiamondCS OpenPorts, Port Explorer, Vision, Autoruns, Autostart Viewer, Patchit, PyFlag, Pasco, Belkasoft RemovEx, KaZAlyser, Oxygen Phone Manager for Nokia phones, SIM Card Seizure

  • Text search tools: Evidor

Stocking Other Items

Forensics labs should stock a wide assortment of cables and spare expansion slot cards. A computer forensics lab should consider stocking the following peripheral devices and other tools:

  • An assortment of Integrated Drive Electronics (IDE) cables and ribbon cables for CD drives

  • Extra Small Computer System Interface (SCSI) cards, graphics cards, and extra power cords

  • A variety of hard drives—as many as possible and in as wide a variety as possible

  • 2.5-inch adapters from notebook IDE hard drives to standard IDE/advanced technology attachment (ATA) drives, Serial ATA (SATA) drives, and so on

  • Computer hand tools, such as Phillips head and slotted screwdrivers, a socket wrench, and a small flashlight

  • Power testing equipment

  • Hardware write-blockers, such as PDBlock, Write-blocker, Nowrite, Lockdown, FireWire Drive Dock, IDE Drivelock kit, and SATA Drivelock kit

  • Write-protect card readers

  • Data sanitization tools, such as WipeMASSter

  • High-speed data duplication tools, such as ImageMASSter products
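A write-blocker and a duplicator are only as good as the check that follows them: hash the source before imaging, hash the bytes as they are copied, then re-hash the image and the source afterwards. If the two source hashes differ, something wrote to the evidence drive (an absent or failed blocker, an operating system that auto-mounted the disk); if the image hash differs from the source, the copy itself is bad. The following is an added example, not code from this book or from any imaging product; the "drive" is a constructed byte string written to a temporary file, and the leaky and truncating acquisition functions exist only to show the check firing.

```python
"""Acquisition verification behind a write-blocker (added example, constructed data).

Three hashes must agree: the source before imaging, the stream as it is
copied into the image, and the source and image afterwards. MD5 and
SHA-256 are computed in a single pass, as common imaging tools do.
"""
import hashlib
import os
import random
import tempfile

CHUNK = 64 * 1024


def _hash_stream(read_block, sink=None):
    """Hash everything read_block yields; optionally copy it to sink as it passes."""
    md5, sha, n = hashlib.md5(), hashlib.sha256(), 0
    for block in iter(read_block, b""):
        md5.update(block)
        sha.update(block)
        n += len(block)
        if sink is not None:
            sink.write(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": n}


def hash_file(path, chunk=CHUNK):
    with open(path, "rb") as f:
        return _hash_stream(lambda: f.read(chunk))


def acquire(src_path, img_path, chunk=CHUNK):
    """Raw copy of src to img, hashing the bytes as they pass (dd piped through sha256sum)."""
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        return _hash_stream(lambda: src.read(chunk), sink=img)


def leaky_acquire(src_path, img_path, chunk=CHUNK):
    """Same copy, but the host then writes to the source, as an OS that mounts an
    unblocked drive does (journal replay, access times). Simulates a missing blocker."""
    result = acquire(src_path, img_path, chunk)
    with open(src_path, "r+b") as f:
        f.write(b"\x00")  # one byte is enough to change the hash
    return result


def truncating_acquire(src_path, img_path, chunk=CHUNK):
    """Copy that stops after the first chunk, as a read error or full destination would leave it."""
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        img.write(src.read(chunk))
    return hash_file(img_path)


def verify_acquisition(src_path, img_path, acquire_fn=acquire):
    before = hash_file(src_path)
    during = acquire_fn(src_path, img_path)
    image = hash_file(img_path)
    after = hash_file(src_path)
    return {
        "source_unchanged": before == after,                 # the write-blocker held
        "image_matches": image == before and during == before,  # the copy is complete and exact
        "before": before, "during": during, "image": image, "after": after,
    }


def write_sample_drive(path, size=200_000, seed=7):
    """Constructed 'drive': a recognisable header followed by deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    data = bytearray(b"SAMPLE-DISK\x00")
    data += bytes(rng.getrandbits(8) for _ in range(size - len(data)))
    with open(path, "wb") as f:
        f.write(data)


def run_demo(acquire_fn=acquire):
    """Image a constructed sample drive in a temp directory and return the verification result."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.dd")   # stands in for the blocked source device
        img = os.path.join(d, "evidence.img")  # the raw image written by acquire_fn
        write_sample_drive(src)
        return verify_acquisition(src, img, acquire_fn)


if __name__ == "__main__":
    for name, fn in (("good", acquire), ("leaky", leaky_acquire), ("truncated", truncating_acquire)):
        r = run_demo(fn)
        print(f"{name}: source_unchanged={r['source_unchanged']} image_matches={r['image_matches']} "
              f"sha256={r['image']['sha256'][:16]}...")
```

Recording all three hash sets (before, during, after) on the acquisition worksheet, rather than only the final image hash, is what lets a later reviewer distinguish a bad copy from a write that reached the evidence drive.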

Policies, Processes, and Procedures for Maintaining a Lab

A number of organizations have created guidelines for lab processes and procedures. An organization should consider available policies and procedures developed by others as a basis for creating policies and procedures specific to its own work environment and organizational objectives. A lab should also establish a process for measuring and enforcing compliance with lab policies and procedures.

Creating a Disaster Recovery Plan

A computer forensics lab must plan for disasters, such as hard disk crashes, lightning strikes, and power outages. A disaster recovery plan helps a lab restore its workstations and file servers to their original condition after a catastrophic failure occurs.

Tip

As a general precaution, it is a good idea to back up a workstation once a week. It is possible to restore programs from the original disks or CDs, but recovering lost data without up-to-date backups is difficult.

A disaster recovery plan must also specify how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive it is analyzing. Central to any disaster recovery plan is a system for backing up investigation computers. Tools such as Norton Ghost are useful for restoring files directly.

A forensics lab should store system backups where they are easily accessible. It should also have at least one copy of backups onsite and a duplicate copy or a previous copy of backups stored in a safe offsite facility. Offsite backups should be rotated on a schedule that varies according to the lab's needs, such as every day, week, or month.

In addition, an organization should record all updates it makes to its workstations by using a process called configuration management. Some companies record updates in a configuration management database to maintain compliance with lab policy. Every time someone adds or updates software on a workstation, he or she should enter the change in the database or in a simple notebook to document the changes.

A disaster recovery plan can also address how to restore a workstation that is reconfigured for a specific investigation. For example, if a forensic specialist installs a suite of applications, the workstation might not have enough disk space for normal processing needs, causing problems during reconfigurations or even simple upgrades. The disaster recovery plan should outline how to uninstall software and delete any files the uninstall program hasn't removed in order to restore a system to its original configuration.

Tip

When planning a recovery procedure for RAID servers, a lab should consider whether the amount of downtime it takes to restore backup data is acceptable to the lab operation.

Labs using high-end redundant arrays of inexpensive disks (RAID) servers must consider methods for restoring large data sets. These large servers must have adequate data backup systems available in case of a major failure of more than one drive.

Planning for Equipment Upgrades

Risk management involves determining how much risk is acceptable for any process or operation, such as replacing equipment. A lab should identify the equipment it depends on and create a schedule for replacing that equipment. The lab should also identify equipment that it can replace when it fails.

Computing components are designed to last 18 to 36 months in normal business operations, and new versions of operating systems and applications that take up more disk space are released frequently. Therefore, systems periodically need more random access memory (RAM), disk space, and processing speed. To keep a lab current with updates in hardware technology, the facility should schedule hardware replacements at least every 18 months and preferably every 12 months.

CHAPTER SUMMARY

The goal of a forensic investigation is to collect data and find a way to use it as evidence. Evidence must be collected properly and deemed authentic to be forensically sound. This chapter discusses the DFRWS framework and an event-based digital forensic investigation framework, both of which investigators can use to ensure forensic soundness of evidence.

Getting started with forensic investigation involves setting up a lab facility that is physically secure so that evidence is not lost, corrupted, or destroyed. The lab should contain a variety of hardware and software, such as instruments, current and legacy software, and forensic workstations. This chapter details some options for setting up an effective computer forensics laboratory. It provides a foundation for organizing, controlling, and managing a safe, efficient computer forensics laboratory. It also discusses policies, processes, and procedures for maintaining a lab.

KEY CONCEPTS AND TERMS

  • American Society of Crime Laboratory Directors (ASCLD)

  • Business case

  • Computer-generated information

  • Configuration management

  • DFRWS framework

  • Digital Forensics Research Workshop (DFRWS)

  • Disaster recovery plan

  • Event-based digital forensic investigation framework

  • Evidence storage container

  • Evidence storage room

  • Federal Rules of Evidence (FRE)

  • Forensic soundness

  • Human-generated information

  • Lab manager

  • Rules of evidence

  • TEMPEST

CHAPTER 4 ASSESSMENT

  1. To be _________, data must be complete and materially unaltered.

  2. Which of the following governs whether, when, how, and why proof of a legal case can be placed before a judge or jury?

    1. Forensic soundness

    2. Computer-generated evidence

    3. Rules of evidence

    4. Human-generated evidence

  3. A framework for digital investigation to ensure forensic soundness must have six phases.

    1. True

    2. False

  4. A _________ can help justify the acquisition of newer and better resources to investigate computer forensics cases.

  5. Which of the following provides guidelines for managing a forensics lab and acquiring crime and forensics lab certification?

    1. NIST

    2. ASCLD

    3. FRE

    4. DFRWS

  6. Only very large computer forensics labs need a lab manager.

    1. True

    2. False

  7. Which of the following costs should a computer forensics lab budget include? (Select three.)

    1. Facility costs

    2. Hardware costs

    3. Software costs

    4. Law enforcement costs

    5. Cleaning costs

  8. Staff members in a computer forensics lab should have sufficient training to perform their tasks. Necessary skill sets include all except which of the following?

    1. Hardware knowledge

    2. Software knowledge

    3. Background as an attorney

    4. Deductive reasoning

  9. A forensic workstation should be set up in a secure room in a forensics lab. What are some important features for such a room? (Select three.)

    1. Large room

    2. Floor-to-ceiling walls

    3. Locking doors

    4. Fireproof doors

    5. Secure containers that lock

  10. Every organization should strive to make its lab a TEMPEST-qualified lab facility.

    1. True

    2. False

  11. Evidence storage containers should store only current evidence. Evidence for closed cases should be moved to a secure offsite facility.

    1. True

    2. False

  12. Which of the following logs should a computer forensics lab keep? (Select two.)

    1. Computer use log

    2. Lab visitors' log

    3. Evidence container log

    4. Criminal log

  13. A forensics lab work area requires approximately _________ square feet.

  14. Which of the following does a forensics lab not need to stock?

    1. Workstations

    2. Operating systems

    3. Legal manuals

    4. Hard drives

  15. As a general precaution, it is a good idea to back up a workstation once a month.

    1. True

    2. False
