---
title: '07 Digital Forensics Lab'
disqus: hackmd
---

07 Digital Forensics Lab
===

<style>
img{
  /* border: 2px solid red; */
  margin-left: auto;
  margin-right: auto;
  width: 90%;
  display: block;
}
</style>

## Table of Contents

[TOC]

Forensic Lab Certification Requirements
---

- digital forensic lab
  - where you conduct investigations
  - store evidence
  - house equipment, hardware and software
- American Society of Crime Lab Directors (ASCLD) has guidelines for
  - managing a lab
  - acquiring official certification
  - auditing lab functions and procedures

### Duties of Lab Manager and Staff

- lab manager duties
  - set up processes for managing cases
    - processes should be reviewed regularly
  - promote group consensus in decision making
  - maintain fiscal responsibility for lab needs
  - enforce ethical standards among lab staff
  - plan updates for the lab
  - establish and promote a quality assurance process
    - ensure staff know what to do
  - set reasonable production schedules
    - based on existing resources
    - estimate the number of cases an investigator can handle
      - certain cases take longer
    - estimate when to expect preliminary and final results
  - create and monitor lab policies for staff
  - provide a safe and secure workplace for staff and evidence
- staff member duties
  - have knowledge and training in
    - hardware and software
    - OS and file types
    - deductive reasoning
  - work is reviewed regularly by the lab manager to ensure quality
- check the ASCLD website for more info

### Lab Budget Planning

- break down costs into daily, quarterly and annual expenses
  - the better you understand these expenses, the better you can allocate resources for each investigation
- use past investigation expenses to extrapolate expected future costs
  - like budget estimation
- expenses for a lab include
  - hardware
  - software
  - facility space
  - training personnel
- estimate the number of computer cases your lab expects to examine
  - identify the types of computers to examine
  - account for changes in technology
    - upgrades?
- use statistics to determine the types of computer crimes more likely to occur
  - better estimate of the resources needed
  - plan ahead for lab requirements and costs
- when setting up a lab for a private company, check
  - hardware and software inventory
  - problems reported last year
  - future developments in computing technology
- time management is a major issue when choosing software/hardware to buy

![](https://i.imgur.com/63bv7rk.png)

### Certification and Training

- update skills through training
- thoroughly research requirements, cost and acceptability in your area of employment
- address minimum skills for conducting computer investigations at many levels
- International Association of Computer Investigative Specialists (IACIS)
  - created by police officers who wanted to formalise credentials in computer investigations
  - candidates who complete the IACIS test are designated **Certified Forensic Computer Examiner (CFCE)**
- AccessData Certified Examiner (ACE) certification
  - open to public and private sectors
  - specific to the use and mastery of the AccessData Ultimate Toolkit
  - exam has a knowledge-based assessment (KBA) and a practical skills assessment (PSA)
- other training and certifications
  - EC-Council
  - SysAdmin, Audit, Network, Security (SANS) Institute
    - expensive
  - Defense Cyber Investigations Training Academy (DCITA)

### Physical Requirements for Lab

- should be secure so evidence is not lost, corrupted or destroyed
- provide a safe and secure physical environment
- a secure facility should preserve the integrity of data
- keep inventory control of assets
  - know what you have/don't have
  - know when to order more
- minimum requirements
  - small room with true floor-to-ceiling walls
  - door access with a locking mechanism
  - secure container
  - visitor's log
- people working together should have the same access level
- brief staff about the security policy

### Conducting High Risk Investigations

- high risk investigations demand more security than the minimum lab requirements
- TEMPEST facilities
  - electromagnetic radiation (EMR) proofed
    - a leaking signal can be used to reconstruct information
  - such facilities stop information systems from leaking through emanations
    - includes unintentional radio/electrical signals, sounds and vibrations
  - very expensive
    - can use low-emanation workstations instead

### Using Evidence Containers

- AKA evidence lockers
- must be secure so no unauthorised person can easily access your evidence
- recommendations for securing storage containers
  - locate in a restricted area
  - limit the number of authorised people who can access the container
  - maintain records on who is authorised to access each container
  - containers should remain locked when not in use
- if a combination locking system is used
  - secure the combination
  - destroy the previous combination after setting a new one
  - allow only authorised personnel to change the lock combination
  - change the combination every six months or whenever needed
- if using a keyed padlock
  - appoint a key custodian
    - responsible for distributing keys
  - stamp sequential numbers on each duplicate key
  - maintain a registry listing which key is assigned to which authorised person
  - conduct a monthly audit
    - take inventory of all keys
  - place keys in a lockable container
    - same level of security for the keys as for the evidence container
  - change locks and keys annually
- containers should be made of steel with an internal cabinet or external padlock
- if possible acquire a **media safe**
  - designed to protect electronic media
- if possible build an evidence storage room in your lab
- keep an evidence log
  - update it every time an evidence container is opened and closed

### Overseeing Facility Maintenance

- immediately repair physical damage
- escort cleaning crews as they work
  - feasible?
- minimise the risk of static electricity
  - antistatic pads
  - clean floors and carpets
    - minimise dust
- maintain two separate trash containers
  - materials unrelated to investigations
  - sensitive materials
- when possible hire specialised companies for disposing of sensitive materials

### Physical Security Needs

- enhance security through security policies
  - enforce the policy
- maintain a sign-in log for visitors
  - visitor: anyone not assigned to the lab
  - escort all visitors at all times
  - use visible/audible indicators that a visitor is on the premises
    - visitor badge
- install an intrusion alarm system
- hire a guard

### Auditing Forensics Lab

- auditing ensures proper enforcement of policies
- should include inspecting the following facility components
  - ceiling, floor, roof and exterior walls of the lab
  - doors and door locks
  - visitor logs
  - evidence container logs
- at the end of every workday, secure any evidence not being processed at a workstation

### Floor Plans for Lab

- configuration of the work area depends on
  - budget
  - amount of available floor space
  - number of computers assigned to each investigator
- ideal configuration
  - two forensic workstations
    - one for every two to three cases a month
  - one non-forensic workstation with internet access

![](https://i.imgur.com/wbYHME3.png)

![](https://i.imgur.com/gju3MeR.png)

![](https://i.imgur.com/vRoDGcN.png)

### Selecting Basic Forensic Workstation

- depends on budget and needs
  - use less powerful workstations for mundane tasks
  - use multipurpose workstations for resource-heavy analysis tasks
- identify the environment
  - hardware platform
  - OS
- police labs have the most diverse needs for computer investigation tools
  - a lab may need legacy systems and software to match what's used in the community
  - a small, local police department might have one multipurpose PC and one or two general-purpose PCs
- can use a PC with FireWire, USB 3 or SATA hard disks to create a lightweight, mobile forensic PC

### Stocking Hardware Peripherals

- should have in stock
  - IDE cables
  - ribbon cables for floppy disks
  - extra USB 3 or newer cables and SATA cards
  - SCSI cards
    - prefer ultrawide
  - GPUs
    - both PCI and AGP types
  - assorted FireWire and USB adapters
  - hard disk drives
  - at least two adapters from 2.5-inch notebook IDE hard drives to standard IDE/ATA or SATA
  - computer hand tools

### Maintaining OS and Software Inventories

- maintain licensed copies of software
  - Microsoft Office
    - current and old versions
  - Quicken
    - personal finance management tool
  - programming languages
    - Visual Basic and Visual C++
  - specialised viewers
    - Quick View
      - viewer for any file type
  - LibreOffice, OpenOffice or Apache OpenOffice
  - Peachtree and QuickBooks accounting applications

Summary
---

![](https://i.imgur.com/i7fmDxJ.png)

![](https://i.imgur.com/VLppQPn.png)

###### tags: `DFI` `DISM` `School` `Notes`