© Nihad A. Hassan 2019
Nihad A. Hassan, Digital Forensics Basics, https://doi.org/10.1007/978-1-4842-3838-7_3

3. Computer Forensics Lab Requirements

Nihad A. Hassan (1)
(1) New York, New York, USA

Software and hardware tools you need to begin your investigation

With the increasing number of cybercrime attacks hitting both the public and the private sector, the need for computer forensics labs that can capture and analyze digital evidence with high accuracy is growing. You may think that computer forensics labs are limited to law enforcement agencies. However, this is not true: many corporations in the United States maintain digital forensics labs with advanced investigation capabilities that exceed those of many police labs.

As we discussed in Chapter 1, digital forensic investigations can be broadly segmented into two types, public and private investigation. Obviously, law enforcement agencies and security services were the pioneers in establishing digital forensics labs; however, with the advance of computing technology and the widespread use of smartphones and wearable devices, most typical crimes are now associated with some type of digital evidence. This crowds police labs with long waiting lists of digital evidence from various legal cases that need to be investigated. The long waiting lists—which may sometimes last for months or years—encourage large and even mid-sized corporations to have their own in-house lab to investigate cybercrime issues related to their work and property.

Today’s banks, tech companies, retailers (such as Amazon and Walmart), and utility providers are using their own digital forensics labs to speed the investigation process and to reduce the various costs associated with digital investigations. Compared with police labs, private corporations have more flexibility in terms of procuring the latest software (including upgrades) and hardware needed for supplying their labs, while some police labs may still use old software versions because of budget limitations and the lack of trained professionals.

In-house digital forensics analysts usually work closely with law enforcement agencies to solve cases related to their businesses. For instance, once someone finds evidence of or witnesses an illegal activity (e.g., violation of policies, industrial sabotage, leaking secrets, or other related crimes), the reporting company’s digital forensic investigators or the e-discovery team will contact law enforcement and work with them hand in hand to capture and analyze acquired evidence and to move the case to a court of law.

Having an in-house digital forensics lab in today’s digital age is a great investment for any company that values its data assets; however, this comes with a cost. For instance, assuming that just one forensic analyst is hired and one forensic workstation is supplied with the main tools necessary to do the job (both hardware and software), even the smallest lab will have an annual expenditure of no less than $150,000! Small companies may not be willing to pay this extra expense if they face few incidents. Many small and medium-sized corporations outsource their digital forensics work to an accredited third-party digital forensics laboratory to save costs.

Accrediting a digital forensics lab is a key issue to consider, whether you are planning to establish an in-house lab for your organization or you are considering outsourcing your digital forensics work to a third-party provider. Accreditation ensures that your laboratory—or the one whose services you want to use—meets the standards established by the authoritative body in terms of using reliable methods, appropriate tools (both hardware and software), and competent personnel to perform its duties.

Digital forensics labs can come in different sizes: of course, the budget plays a crucial role when planning for the lab, but the expected tasks (work scope) required for this lab will be the cornerstone in determining the needed equipment and software tools. For instance, large corporations are investing in creating advanced labs that handle all types of computing devices and cases like malware, external breaches, network, GPS, and mobile forensics. These labs have well-trained professionals and contain the latest versions of forensic software in addition to different specialized hardware tools. No matter the size of your forensics lab, it must contain the minimum tools to capture, preserve, analyze, and present digital evidence in a forensically sound manner.

A small digital forensics lab is the most prevalent: only a small budget is needed and it can be set up quickly. Such labs are usually run by one to five people and focus on handling one type of device (e.g., mobile forensics or Windows OS forensics). It does not need pricey equipment like the networking infrastructure and security solutions needed by the big labs; however, it still needs the appropriate digital forensic software to analyze evidence, in addition to essential hardware like a hardware write blocker (some are incorporated into the forensic workstation itself), cables, appropriate storage solutions, other electrical devices like a UPS and digital cameras, and a dedicated forensic computer to do the analysis.

Before listing the software and hardware equipment necessary for the forensic lab, it is essential to discuss the physical facility requirements of this lab. Maintaining the security and integrity of the digital evidence, in addition to that of the lab’s equipment, should be a top priority, especially since these labs might become a target of cybercriminals seeking to stop or interrupt investigations.

Lab Physical Facility Requirements

The following basic physical requirements are highly preferable to have in any digital forensic lab:
1. Must have one entrance door.

2. Preferable to have no windows in the lab.

3. Lab must be soundproof, meaning no one can eavesdrop on the conversations happening within the lab. This can be achieved by using soundproofing material on the ceiling and walls, and using carpet on the floor.

4. Must have an alarm system at the entrance in addition to a biometric system to handle access to the lab. The access biometric system must record each visit to the lab; this log must remain backed up for many years to come for auditing purposes.

5. Surveillance cameras should cover the entire lab, especially the main entrance and digital evidence room. The video recorder of the surveillance system (where video recording files are stored) should be stored in the most secure room in the lab, which is the “evidence storage room.”

6. Must have fire suppression systems.


Note!

For high-risk investigations like cases related to national security, basic lab requirements are not enough. An advanced lab with high security measures must be used; such a lab must be provided with special coating materials on floors and walls to contain the electromagnetic radiation (EMR) emitted from the lab’s electronic devices and so prevent electronic eavesdropping. More information on this issue can be found at www.sans.org/reading-room/whitepapers/privacy/introduction-tempest-981 .

The floor plan in Figure 3-1 is a suggested design for a digital forensic lab suitable for large private and government organizations. In Figure 3-2, you will find a suggested floor plan for a small company or house lab.
Figure 3-1. Floor plan for large digital forensic lab: license server and internal lab network equipment in addition to Internet networking devices (router, firewall, and IDS) can be placed in the Internet/intranet room

Figure 3-2. Small digital forensics lab suitable for home or small companies

Note!

It is advisable to have extra unoccupied space, for the lab’s future expansion if possible.

Environment Controls

The lab environment must be strictly controlled to avoid damaging forensic equipment and seized digital devices. The following environment controls must be in place.
1. Air cooling system to absorb heat generated from workstations. This is very important, as forensic workstations can remain operational for a number of days during evidence analysis (e.g., cracking a password) and this will produce heat, especially in small spaces.

2. The lab must be well organized and clean. It must have a healthy climate in terms of temperature, low humidity, and pure air.

3. Good lighting in the entire lab and in each individual forensic workstation room.

4. Power conditioning equipment to protect against sudden drops in power, and UPS units for the complete lab and especially for forensic workstations, the storage server, and surveillance cameras.


Tip!

When the cleaning crew accesses the lab to do their job, an authorized member of lab staff should remain with them until they finish.

Hardware Equipment

The following hardware equipment is needed for the forensic lab, grouped into three categories:

Equipment related to digital forensics work
1. Licensing server (this is required by some digital forensics suites).

2. Storage server configured for the standard removable hard drives (used to store digital evidence images and data processed and extracted from those images); this server must never be connected to the Internet.

3. Forensic workstation(s) (covered in the section “Forensic Workstation”).

4. Portable forensic laptop (used outside the lab to capture evidence and for doing some analysis).

5. Dedicated computer(s) for accessing the Internet/intranet.

6. Administrative computer for log management and other issues.

7. Hardware write blocker. This is a hardware device that connects the media containing digital evidence (like an HDD) to a forensic workstation; its purpose is to prevent any modification of the data on the evidence drive during the acquisition process.

8. Portable CD/DVD drive.

9. USB reader.

10. HDD and SSD enclosure with USB 3.0 interface.

11. SD card reader.

12. External hard drives and USB thumb drives (USB 2.0 and USB 3.0) of different sizes.

13. Tape drives for long-term data archiving.

14. Data cables and connectors: Ethernet cables, RJ-45, BNC, modular adapters, ribbon cables, DIN split cables, VGA split cable, USB cables, audio cables, cable extenders, HDMI cables, FireWire (IEEE 1394), DVI cables, S-Video cables, DVI-to-DVI cables, serial cables, custom serial cables, SATA cables (mSATA and SATA Express), optical fiber cable, serial attached SCSI.

15. Other tools like screwdrivers, multimeter, flashlight.

Office electrical equipment
1. Uninterruptible power supply (UPS) for each workstation/server and networking device.

2. Projection device (in conference room).

3. Printer.

4. Scanner.

5. Photocopier.

6. Paper shredder.

7. Digital cameras, including video cameras, and accessories.

8. Telephone (preferably wireless).

9. Wi-Fi access point.

10. Headset.

11. Symmetrical power supply.

Networking devices
1. Router and switch device to connect forensic workstations with the storage server within the lab.

2. Internet network; should be separated from the lab’s internal network. You need a firewall, a switch, and a router (the three components can be combined in one device).

3. Networking cables.


Note that there should be an isolated network within the lab that connects the forensic workstations and the storage server used to store digital evidence image copies. The server must be placed in the evidence room to restrict access to it. No Internet access is allowed for this lab-specific network.

Forensic examiners may need to research online for more information about their findings or to collaborate with peers, so an Internet connection should be available within the lab through a direct line to the intended computer(s) only.

Furniture and Consumable Materials

Forensics examiners will spend hours sitting at their workstations when investigating digital evidence, so they must feel comfortable in their seats to remain productive. Use ergonomic chairs (which must be adjustable according to user needs) for forensic workstations; computer screens must also be of good quality, as examiners will be staring at them for a long time. The monitor should face the examiner at a distance of at least 20 inches, and the top line of the screen should be at or below eye level to avoid possible health effects on the examiner such as neck and head pain, excessive fatigue, and eye strain.

Aside from the furniture, the digital forensic lab has administrative work, so the following general office consumables are also required in the lab:

Paper, pens and pencils, staples, toner cartridge, labels, envelopes, envelope sealer, folders, sheet protectors, suspension files, binders, clipboards and files, markers and highlighters, punches, staplers and staples (including electric), plastic static bags, nonelectronic whiteboards, notice boards and accessories, packaging material (e.g., cardboard boxes).

Evidence Container

Collected storage media that contain original digital evidence (like HDDs, SSDs, flash drives, SD cards, smartphones, tablets, CDs/DVDs) must be stored in a secure locked room within a safe, closed cabinet. The cabinets in the evidence storage room must protect against fire and flood, and must withstand the collapse of the lab as a result of an earthquake; the cabinet must also protect its contents from electromagnetic emanations to avoid damaging seized equipment. The entire room must be secured from general access using proper security methods whose use can be automatically recorded, like a digital lock and keycard access. The evidence room must contain a log that must be signed by everyone visiting the room, detailing the visit’s purpose and the date/time when the visit took place. This helps to maintain the chain of custody of seized evidence.

Forensic Workstation

The latest version of Windows OS (64-bit version) is recommended for the forensic workstations. The following Windows 10 editions are recommended because of their support for high-end hardware and intensive computing tasks:
• Windows 10 Pro for Workstations (highly recommended).

• Windows 10 Enterprise.

Both editions support up to 6 TB RAM and four processors; however, compared with modern Windows Server editions (Windows Server 2016 Standard edition supports 24 TB of RAM memory), those two editions are less expensive in terms of the license, as they belong to the Windows desktop product line.

Now, let us discuss needed hardware for the forensic workstations. Obviously, when working with digital evidence, a powerful computer is needed to process and search within image files. Forensic computers require high levels of processing power and large amounts of RAM memory; they also need a lot of storage and many expansion slots to attach different types of devices. Building a forensic workstation is expensive; however, it is still considered a cost-effective solution for small companies compared to purchasing a ready-made computer forensic workstation, which costs much more.

The following are the recommended hardware specifications when building a basic forensic workstation from the ground up:
1. RAM memory: At least 24 GB (DDR4). More is great!

2. CPU: At least two physical CPUs (Intel i9 8th-generation processor has 10 cores and 20 threads) for each workstation.

3. Motherboard: One that can accommodate the required number of processors and amount of RAM, along with the video controller card.

4. Hard drives: A combination of SSD and HDD—at least 512 GB of SSD and 4 TB of HDD.

5. Video controller: Nvidia GeForce, latest version is recommended with at least 8 GB of GDDR5X memory.

6. Triple burner (Blu-ray, DVD, CD).

7. External hard drive enclosure with USB 3.0 interface.

8. Write protection: You can purchase this piece individually or you can purchase one that can be integrated into your workstation. The hardware write blocker must support data acquisition from SATA, SAS, IDE, USB, FireWire, and PCIe storage devices. Some manufacturers include UltraBlock ( https://digitalintelligence.com/products/ultrablock ) and Tableau Forensic Universal Bridge, which can be integrated into your machine ( www.guidancesoftware.com/tableau/hardware//t356789iu ).

9. Advanced cooling system: It is preferred to use a liquid CPU cooling system with at least dual fans.

10. LCD panel with high resolution (full HD IPS display), at least 22 inches for better display.

11. Ports:
    • USB 3.0 ports
    • Thunderbolt 3
    • Microphone and headphone jack
    • Integrated LAN controller to access the lab’s LAN network


These are the preferred hardware pieces for building a forensic workstation; please keep in mind that your lab needs at least one portable digital forensic laptop workstation for acquiring, and performing some analysis on, data outside the lab. It is preferable to purchase this forensic laptop from a vendor that specializes in offering such ready-made solutions.

Commercial Ready-Made Digital Forensic Workstation

There are many vendors who specialize in building ready-made forensic workstations; these workstations tend to be powerful in terms of processing power and storage and have integrated hardware equipment for digital forensic work like a hardware write blocker and a hard drive duplicator. The following are two vendors offering ready-made workstations:
1. Tri-Tech Forensics ( www.tritechforensics.com/Digital-Forensics/DF-workstations ). Prices begin from $5800 for the workstation and $2300 for the digital forensic laptop workstation.

2.


Forensic Software

The type of forensic software needed for your lab will depend on your work scope; for instance, the type of operating system (Windows, Linux, or Mac) and the file system you are going to examine will determine your required forensic tools.

The most popular computer forensic suites are built for Windows OS; their open source counterparts are mainly geared toward Linux, with some also ported to Windows. Let us begin with the commercial tools.

Commercial Forensics Tools

Digital forensic software tends to be costly, so it is advisable to research well before purchasing a forensic suite. Ask other forensic examiners and try to install a trial copy of the software you are intending to purchase. The following are the most popular commercial computer forensic suites: check each web site for tool price/license.

Free and Open Source Forensic Tools

There are many free and open source code digital forensics tools; a few come with rich features similar to the commercial suites, while the majority are small tools built to perform a specific function (e.g., retrieve browser history or extract e-mail header information). In this section, we will list the most popular free and open source digital forensic tools.
1. The Sleuth Kit ( www.sleuthkit.org ): Supports both Linux and Windows.

2. Autopsy: A graphical interface to The Sleuth Kit and other digital forensics tools ( www.sleuthkit.org/autopsy ).

3. dd for Windows ( www.chrysocome.net/dd ): A forensic imaging tool for Windows systems.

4. Magnet RAM Capture: Captures RAM memory ( www.magnetforensics.com/free-tool-magnet-ram-capture ).

5. Belkasoft Live RAM Capturer ( https://belkasoft.com/ram-capturer ).

6. Volatility: Analyzes RAM (volatile memory) images ( www.volatilityfoundation.org ).

7. Memoryze: Captures and analyzes memory images, and can also analyze live systems. Can include the Windows paging file in its analysis ( www.fireeye.com/services/freeware/memoryze.html ).

8. Mandiant Redline: Live memory analysis; includes the Memoryze tool within it ( www.fireeye.com/services/freeware/redline.html ).

9. Bulk Extractor: Scans an acquired hard drive image and extracts useful information from it such as e-mail addresses, credit card numbers, URLs, and other types of information ( http://downloads.digitalcorpora.org/downloads/bulk_extractor ).

10. Encrypted Disk Detector: Checks for encrypted volumes on a computer system during incident response ( www.magnetforensics.com/free-tool-encrypted-disk-detector ).


Linux Distribution for Digital Forensics

These are specialized Linux distributions preconfigured for digital forensic work. They contain a live operating system—usually Linux based—which is bootable from a CD/DVD or a USB thumb drive and contains a plethora of tools for digital forensics.

1.

2.

3.

4. SANS Investigative Forensics Toolkit (SIFT) ( http://digital-forensics.sans.org/community/downloads ); VMware appliance.

5. Santoku Linux for Mobile Forensics ( https://santoku-linux.com ).

6. Kali Linux Forensics Mode ( www.kali.org/downloads ).


Virtualization Technology

Virtualization technology allows examiners to install more than one operating system on the same workstation; this proves useful when conducting malware analysis (to avoid infecting the forensic workstation) or when testing forensic tools before using them officially. The virtual machine runs in a sandbox isolated from its host machine’s operating system. Popular virtualization products include VirtualBox ( www.virtualbox.org ) and VMware Workstation Player ( www.vmware.com/products/player/playerpro-evaluation.html ).

Laboratory Information Management System (LIMS)

A content management system is needed in the lab to organize the reception, tracking, handling, and return of evidence in the digital forensic laboratory. You can use an open source content management system for this task: Drupal ( www.drupal.org/home ) and Moodle ( https://moodle.org ) are examples.

Other Software

During your analysis of the digital evidence, additional software will be needed like digital file metadata viewers, MS Office suite or the free alternative Open Office, compressed file (ZIP, RAR) extractor, data recovery tools, antivirus software for the Internet/intranet PCs, different operating systems including legacy OS like Windows XP and 2000, different file type viewers, and different programming languages (in order for some tools to work).

Tip!

During a digital forensic analysis, a lot of different tools will be used; your selection of tools will depend on how effective each tool is for the task at hand. Sometimes it is preferable to use two different tools to analyze the same piece of data if you are in doubt.

Validation and Verification of Forensics Hardware and Software

It is the responsibility of the digital forensic laboratory to determine whether a new technique, method, or hardware or software tool is suitable to use during the investigation process.

Forensics software/hardware is considered valid for use during an official trial if it has been used previously by a reputable scientific lab, law enforcement agency, educational institute/university, or the like. However, if a specific tool or methodology is new and not approved/used previously by such bodies, it is the responsibility of the lab to test it, validate its results, and finally document the finding before using it in evidence testing. A specific procedure must be in place to perform internal validation and verification of new tools and methodologies (including the in-house-developed tools and methods); each lab has its own rules to conduct this process.

Tip!

For small labs, it is advisable to reduce the hassle and opt to use tools that have already been validated externally.

To check the reliability of computer forensic tools, NIST has launched the Computer Forensic Tool Testing (CFTT) project ( www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt ) to establish a methodology for testing computer forensic software tools. This project helps examiners select the best tools (both hardware and software) for conducting examinations and understand the tools’ capabilities, based on the testing reports published by NIST.

Lab Manager

The digital forensic lab must have a manager (also known as the technical supervisor) to ensure a smooth flow of work in the digital forensic lab and that the work done meets established quality standards. The following are the main duties of the lab manager:
1. Suggest work processes for managing cases.

2. Support the most complex forensic analysis cases handled by the lab.

3. Ensure that lab staff are trained according to the implemented quality standards.

4. Conduct an annual check on lab personnel performance.

5. Support the technical development of junior digital forensics staff.

6. Enforce ethical standards among lab staff.

7. Create, monitor, and enforce lab policies and procedures for staff.

8. Oversee facility maintenance.

9. Review court testimony before it is presented officially.

10. Check lab software and hardware equipment and ensure that everything is functioning properly.

11. Procure the lab’s consumable material needs.

12. Approve validation studies conducted on different forensics tools (both hardware and software) and give final approval to use them in the lab.

13. Research new methodologies and recommend new software and hardware tools to be used in the lab.

14. Handle or supervise the disposition of sensitive materials.

15. Suggest future expansion for the lab.

16. Represent the lab to clients and at specialized events such as conferences, seminars, and so on.


Secrecy Requirements

The identity of people working in the digital forensic lab must be kept secret. The role of the forensic team is to find who is behind a criminal activity, and some crimes could be committed by terrorist groups or criminal organizations that will try to stop investigations of their activities by any means.

Lab Data Backup

Backing up is a way to protect your sensitive data when your computing device fails. It is essential to have at least three copies of your data (one offsite and one at the lab) in a secure, safe location, and these must be protected with a strong password so you can retrieve your important data in the case of system failure, virus attack, or natural disaster. The backup should include the data on the forensic workstations and on the main storage server, if you have one.

Windows offers a free backup feature (suitable for the forensic workstations) that can be accessed from Control Panel ➤ Backup and Restore (Windows 7). This utility will allow you to back up your Windows drive onto an external drive. The feature is available in Windows 7, 8, and 10. However, Windows versions 8 and 10 have another backup utility called File History, which can also be configured to back up your personal/work files to an external drive or network location.

Note!

By default, File History backs up only specific folders belonging to the current Windows user account (e.g., Desktop, Contacts, OneDrive, and so on). To configure it to back up other folders or drives, you should use the File History app. Go to Settings ➤ Update and Security ➤ Backup and then click “More options” in the “Back up using File History” panel to include more locations in your backup.

If you prefer to use third-party backup software, here are two free options:
1. Comodo Backup ( www.comodo.com/home/backup-online-storage/comodo-backup.php ): This is a free backup solution that is easy for ordinary computer users; it walks you through a wizard and asks you exactly what you want to do. It can back up data to a local drive, optical media like a CD/DVD/BD disc, network folder, external drive, or FTP server; it can also be sent to a recipient over e-mail. The backup can be divided into pieces and protected with a password. Recovering data is easy and needs only a few clicks.

2. Cobian Backup ( www.cobiansoft.com/cobianbackup.htm ): This is a multithreaded program that can be used to schedule and back up your files and directories from their original locations to other directories/drives on the same computer or another computer in your network. FTP backup is also supported in both directions (download and upload). Cobian works silently in the background to check your backup schedule and perform the required tasks.


For the forensic storage server, which tends to be a high-end RAID server, a specialized program should be used to perform backup and restore from it.

Training Requirements

Lab staff must have adequate training to do their job. The following are the minimum training requirements for lab staff:
1. Computer hardware

2. Networking basics

3. General computer forensic knowledge (this book is adequate for this task!)

4. Forensic software specific training (e.g., FTK, EnCase)

5. Legal training covering digital crime laws implemented in different countries, search warrants, testifying in courts, and determining the effective jurisdiction law when investigating a case.


The field of digital forensics requires continual learning, research, and communicating with others in the field. As a digital forensic professional, you should have a general understanding about the latest technologies.

Lab Policies and Procedures

Lab policies and procedures define the internal rules that must be followed by lab workers during their work in the lab. The lab policy includes rules for the following work areas, and more may be needed:

1. Lab physical security policy (e.g., security measures that must be followed to access the lab area).

2. Policy for accessing the most restricted areas: who is authorized to access the evidence storage room?

3. Handling digital evidence (e.g., a write blocker must be attached to the suspect hard drive when acquiring it).

4. Evidence seized at the response scene.

5. Evidence analysis (e.g., steps and tools to handle each piece of evidence).

6. Evidence chain of custody (e.g., documenting who has accessed digital evidence since its arrival at the lab, and also when and why).

7. Evidence disposition (e.g., how sensitive materials should be disposed of securely: a paper shredder for paper files, destruction equipment to safely destroy [physically] hard drives and other storage media).

8. Digital forensic report writing (e.g., the standard layout for reporting case analysis results).

9. Expert testimony evaluation.

10. Backup policy.

11. Training policies.

12. Quality standards.


The lab has specific preprinted forms for each type of work conducted within it or in the field; for instance, the evidence acquisition form (which records descriptions of evidence) and the chain of custody form are the two most important forms used in labs. Other work stages will also have their own forms that detail what happened during that stage.
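The chain-of-custody requirement described under “Evidence Container” and in policy item 6 above can be backed by a tamper-evident electronic log. The following is an added example, not code from the book: each entry is hashed together with the previous entry’s hash, so editing or deleting an earlier record breaks the chain and is caught when the log is verified; the evidence tag, handler names and timestamps are constructed.

```python
"""Tamper-evident chain-of-custody log (added example; not from the book).

Each entry records who handled an evidence item, when, why, and the hash of
the evidence image at that moment. The entry's own hash covers all of those
fields plus the previous entry's hash, forming a chain. Rewriting or removing
an earlier entry changes what verify_chain() recomputes, so tampering shows.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # "previous hash" used for the very first entry


@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    timestamp: str      # ISO 8601, UTC
    evidence_id: str    # lab evidence tag from the acquisition form (constructed)
    handler: str        # the person signing the evidence room log
    action: str         # e.g. "received", "check-out", "check-in"
    purpose: str        # why the item was handled
    item_sha256: str    # hash of the evidence image when this entry was written
    prev_hash: str      # entry_hash of the previous entry (the chain link)
    entry_hash: str     # SHA-256 over all of the fields above


HASHED_FIELDS = ("seq", "timestamp", "evidence_id", "handler",
                 "action", "purpose", "item_sha256", "prev_hash")


def entry_digest(fields: dict) -> str:
    """Hash the entry fields in canonical JSON so the digest is reproducible."""
    payload = {k: fields[k] for k in HASHED_FIELDS}
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id: str):
        self.evidence_id = evidence_id
        self.entries: List[CustodyEntry] = []

    def append(self, handler: str, action: str, purpose: str,
               item_sha256: str, timestamp: Optional[str] = None) -> CustodyEntry:
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        fields = dict(seq=len(self.entries), timestamp=ts,
                      evidence_id=self.evidence_id, handler=handler,
                      action=action, purpose=purpose,
                      item_sha256=item_sha256, prev_hash=prev)
        entry = CustodyEntry(**fields, entry_hash=entry_digest(fields))
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[CustodyEntry]) -> Optional[int]:
    """Return None if every link is intact, else the seq of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:   # gap, reorder or deletion
            return e.seq
        if entry_digest(asdict(e)) != e.entry_hash:  # field edited after signing
            return e.seq
        prev = e.entry_hash
    return None


def image_changes(entries: List[CustodyEntry]) -> List[int]:
    """Seqs where the recorded evidence-image hash differs from the prior entry.

    A valid chain with a change here means the evidence itself was altered
    while in the previous handler's custody, which the log makes attributable.
    """
    return [b.seq for a, b in zip(entries, entries[1:])
            if a.item_sha256 != b.item_sha256]


# Constructed sample: one imaged drive passing through two custodians.
IMAGE_HASH = hashlib.sha256(b"constructed sample evidence image").hexdigest()
ALTERED_HASH = hashlib.sha256(b"constructed sample image, altered").hexdigest()


def build_sample_log() -> CustodyLog:
    log = CustodyLog("EV-2019-0042")  # constructed evidence tag
    log.append("A. Examiner", "received", "Intake from response scene",
               IMAGE_HASH, "2019-03-01T09:00:00+00:00")
    log.append("A. Examiner", "check-out", "Imaging on workstation 2",
               IMAGE_HASH, "2019-03-01T09:30:00+00:00")
    log.append("B. Analyst", "check-in", "Returned to evidence room",
               IMAGE_HASH, "2019-03-01T17:10:00+00:00")
    return log


def tampered_copy(log: CustodyLog) -> List[CustodyEntry]:
    """Simulate someone rewriting entry 1's purpose field after the fact."""
    entries = list(log.entries)
    entries[1] = replace(entries[1], purpose="Routine inventory")
    return entries


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact chain, first bad entry:", verify_chain(sample.entries))
    print("tampered chain, first bad entry:", verify_chain(tampered_copy(sample)))
```

The same check applies to the biometric access log from the physical requirements list: back up the hash-chained records and re-run the verification when the log is audited.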

Documentation

Adhering to the policies and procedures mentioned in the previous section is important for smooth and accurate work in the digital forensic lab. Each piece of work during the investigation process needs to be supplemented by paper/electronic forms, and examiner notes are also very important and need to be documented in detail during the investigation process. This allows another examiner to continue working on the specified case and allows the lab’s quality assurance staff to repeat the process to ensure that the exact same results are produced every time.

Documentation is an integral part of digital forensic investigations; it begins in the field before obtaining the seized computing device and continues in the lab until testimony. Litigation processes in the courts may span months or years, and without this documentation, an examiner—who may be required to testify in court—may forget key facts from his/her case investigation, which may weaken his/her testimony to the judge and jury.
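The chain of custody item in the policy list above and the documentation section both ask for a record of who accessed each piece of evidence, when, and why, in a form that another examiner or quality assurance staff can later check. The following is an added example, not code from the book, of an electronic chain-of-custody record for one evidence item: the acquisition hash is recorded once, every custody entry re-hashes the image and is linked to the previous entry by hash, and two checks report whether the evidence in hand still matches what was acquired and whether the log itself has been altered. The evidence ID, examiner names, timestamps, the sample "image" bytes and the choice of SHA-256 are all constructed assumptions for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the evidence image. The chapter names no algorithm; SHA-256 is an assumption."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One line of the chain-of-custody form: who handled the evidence, when, what they did and why."""
    timestamp: str        # ISO 8601 UTC string supplied by the caller, so records are reproducible
    examiner: str
    action: str           # e.g. "acquired", "checked out for analysis", "returned to storage"
    reason: str
    evidence_hash: str    # hash of the image as observed at this step
    prev_entry_hash: str  # hash of the previous entry; chains the log together
    entry_hash: str       # hash over all of the fields above

    @staticmethod
    def compute_hash(timestamp: str, examiner: str, action: str, reason: str,
                     evidence_hash: str, prev_entry_hash: str) -> str:
        # JSON gives an unambiguous encoding of the fields before hashing.
        payload = json.dumps([timestamp, examiner, action, reason, evidence_hash, prev_entry_hash])
        return sha256_hex(payload.encode("utf-8"))


class EvidenceRecord:
    """Evidence acquisition form plus a hash-chained chain-of-custody log for one evidence item."""

    GENESIS = "0" * 64  # prev_entry_hash of the first (acquisition) entry

    def __init__(self, evidence_id: str, description: str, image: bytes,
                 acquired_by: str, acquired_at: str, reason: str = "seized at response scene"):
        self.evidence_id = evidence_id
        self.description = description
        self.acquisition_hash = sha256_hex(image)  # recorded once, when the image is first acquired
        self.entries: List[CustodyEntry] = []
        self.log(acquired_by, "acquired", reason, image, acquired_at)

    def log(self, examiner: str, action: str, reason: str, image: bytes, timestamp: str) -> CustodyEntry:
        """Append an entry. The image is re-hashed at every access so any change is recorded, not hidden."""
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        evidence_hash = sha256_hex(image)
        entry_hash = CustodyEntry.compute_hash(timestamp, examiner, action, reason, evidence_hash, prev)
        entry = CustodyEntry(timestamp, examiner, action, reason, evidence_hash, prev, entry_hash)
        self.entries.append(entry)
        return entry

    def verify_evidence(self, image: bytes) -> bool:
        """True if the image in hand still matches the hash recorded at acquisition."""
        return sha256_hex(image) == self.acquisition_hash

    def verify_log(self) -> bool:
        """True if no entry was altered, reordered or removed after it was written."""
        prev = self.GENESIS
        for e in self.entries:
            expected = CustodyEntry.compute_hash(e.timestamp, e.examiner, e.action, e.reason,
                                                 e.evidence_hash, e.prev_entry_hash)
            if e.prev_entry_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True

    def first_mismatch(self) -> Optional[int]:
        """Index of the first entry at which the image hash differed from the acquisition hash, else None."""
        for i, e in enumerate(self.entries):
            if e.evidence_hash != self.acquisition_hash:
                return i
        return None


# Constructed sample data: a stand-in for a disk image and a small custody history.
SAMPLE_IMAGE = b"CONSTRUCTED SAMPLE DISK IMAGE \x00\x01\x02" * 64


def build_sample_record() -> EvidenceRecord:
    """Acquisition followed by one check-out/return cycle; all values are constructed for the example."""
    rec = EvidenceRecord("EV-2019-0001", "Suspect laptop HDD, 500 GB (constructed example)",
                         SAMPLE_IMAGE, "examiner_a", "2019-01-01T10:00:00Z")
    rec.log("examiner_b", "checked out for analysis", "keyword search, case 42", SAMPLE_IMAGE, "2019-01-02T09:00:00Z")
    rec.log("examiner_b", "returned to storage", "analysis complete", SAMPLE_IMAGE, "2019-01-02T17:30:00Z")
    return rec


if __name__ == "__main__":
    rec = build_sample_record()
    print(f"acquisition hash: {rec.acquisition_hash}")
    print(f"evidence intact: {rec.verify_evidence(SAMPLE_IMAGE)}, log intact: {rec.verify_log()}")
```

Two design points are worth noting. The log records the hash the examiner observed at each step rather than assuming it is unchanged, so `first_mismatch` tells quality assurance staff at which custody step an image stopped matching the acquisition, which is the question they will actually be asked in court. And because each entry's hash covers the previous entry's hash, an entry cannot be edited or dropped later without `verify_log` failing, which is what makes the electronic form as defensible as the signed paper one.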

Lab Accreditation Requirements

Accreditation ensures that your digital forensic lab follows a set of recognized standards set by an authoritative body. The accrediting body will check your lab to see whether it uses reliable investigation methods, court-accepted hardware and software, and trained personnel, and whether your lab’s physical layout meets established standards.

The accreditation is very important for any digital forensics lab, and we are going to briefly discuss the steps needed for any organization to start the accreditation process.

There are five steps in the accreditation process.

Step 1: Self-Assessment

Conduct a self-assessment of your current or planned digital forensic lab by answering the following questions:

1. Why do you want to get accredited? What are the advantages of obtaining accreditation? Is the accreditation required to improve the services offered? Or to gain new customers?
2. What is the appropriate standard to be accredited to (e.g., ISO 17025 or 17020)?
3. Which accreditation body do you want to conduct your accreditation process through? The most popular accreditation body for digital forensic laboratories is the American Society of Crime Laboratory Directors (ASCLD). The ASCLD (www.ascld.org) offers guidance on managing a forensic lab and auditing lab functions and procedures.

Note!

Other accreditation bodies include the United Kingdom Accreditation Service (www.ukas.com/sectors/forensic-science) and the ANSI-ASQ National Accreditation Board (www.anab.org/forensic-accreditation/iso-iec-17025-forensic-labs).

4. What is your lab’s work scope? For example, do you want to focus on mobile forensics, GPS forensics, or computer forensics? You need to decide which specific services you want to get accreditation for.
5. What are the current best industry practices that fall within your accreditation scope? Determine these in order to define the best investigation methodologies, software tools, and hardware equipment to propose for your lab’s work.
6. Do you have support for accreditation from the organization’s top management?

Step 2: Identifying the Current Level of Conformance to the Target Accreditation Standards

After answering the previous questions, conduct a self-assessment of your current organization’s work to see how much it will cost to get accredited to the intended standard. You need to check the following:
1. Your current lab practices—if you already have them—and the methodologies and tools used within it. For example, list how you capture digital evidence, what tools you use to investigate it, and how you write the case’s final report.
2. List the people working in the lab along with their professional certifications, in addition to any training programs they follow in the digital forensic domain.
3. Create a checklist of all quality requirements imposed by the accrediting body to achieve the accreditation.

Step 3: Closing the Gap

Bridge the gap between your lab’s current practices and practices required by the accreditation standard. Identify weak areas that need to be improved. Prioritize your needs by fixing the most nonconforming services first. You can also achieve incremental accreditation by accrediting one service each year (e.g., accredit computer forensics in the first year and mobile forensics in the second year). You can also seek help from other accredited private labs and government organizations.

Step 4: Implementation

In this step, you need to train your lab staff to update their work practices to meet the standards required by the accrediting body.

Step 5: Conformance to Standards Documentation

Document conformance to the accreditation standard by updating the following:

1. Policies and procedures (e.g., the method used to capture digital evidence must be implemented according to the target accreditation standard).
2. Resources (e.g., software and hardware needed, certifications or training programs that must be followed by lab workers).
3. Performance.

Accreditation costs money and is not mandatory for every digital forensic lab; however, acquiring accreditation proves that your lab follows the quality standards issued by the accreditation body and gives additional credibility to your work.

Chapter Summary

A computer forensic laboratory is where you conduct your investigations, store your acquired digital evidence, and do much of your forensics work. Labs contain different sets of hardware and software tools that help examiners to acquire and analyze digital evidence and finally present their findings in a formal report.

In this chapter, we covered the essential equipment needed to create a digital forensic lab. We talked about the characteristics of the physical facility that is going to house the lab; we listed the needed electrical equipment, lab furniture, and hardware devices related to digital investigation work; and we covered the minimum technical requirements of the forensic workstation responsible for analyzing digital evidence. We discussed the design and security requirements of the lab network, and then we talked about forensic software, which comes in different types: commercial, free but closed source, and open source.

It is recommended for the forensic software to be validated by a credible body before using it in investigation; in-house developed tools or ones that are not externally validated must undergo a verification process internally before being used officially in investigations.

The lab is not composed only of hardware and software tools; the human aspect is the cornerstone of its work. Lab employees must have adequate skills to do their specified jobs, a set of policies and procedures that govern lab work must be strictly followed, and quality tests should be continually performed to ensure the lab’s conformance to predefined quality standards set by an official accrediting body (e.g., the ASCLD) or its parent organization.

This chapter is the last one to discuss the prerequisites for initiating a digital crime investigation. In the next chapter, we will begin to talk about the investigation process to solve cybercrime, starting with the procedures that must be followed to obtain the digital evidence and secure the crime scene.
