CHAPTER 3
Creating a Lab
We’ll Cover
 
•   Choosing where to put your lab
•   Gathering the tools of the trade
•   Choosing forensic software
•   Storing evidence
 
In the last chapter, we talked about where to get training and certifications for your budding computer forensics career. Now you’ve made it to the part of the book where you start to get down to the business of actually performing computer forensics. Before we can perform our first examination, however, we need to have a few things in place, including the following:
 
•   A space for your lab
•   Hardware tools
•   Software tools
•   A place to store evidence
 
Creating your first lab can be a bit overwhelming if you don’t have the experience to know exactly what you need and don’t need. Many newcomers turn to documentation provided by federal law enforcement agencies for lab creation and storage, mainly because those agencies publish it free on the Internet for state and local agencies to follow. The truth is, however, that you can’t perform criminal investigations—only law enforcement and those they contract with can do so, so those standards go well beyond what you need. You have to take reasonable steps to protect your evidence, but you don’t need to build an air-gapped network with radio frequency shielding around it just to find out whether someone was playing games at work! Your lab can perform forensic investigations for your employer or for customers you represent in civil court. You could assist law enforcement by handing over a case that they agree to take on, but law enforcement will typically re-create your work and present it themselves in court. You could also help criminal defendants in their cases, but that’s beyond the scope of this book.
Choosing Where to Put Your Lab
A forensic lab can be located inside any building if it can provide the proper controls and resources. The most important factors when choosing where to place your lab are access controls (both physical and network), electrical power, air conditioning, and privacy.
Access Controls
Any lab needs to have stringent physical and network access controls in place. Controlling who can access your equipment, evidence, and forensic images is important, because you’ll need documented proof that you’ve properly maintained custody of evidence you’ve taken into your possession.
LINGO
The process of proving who had access to and control of something is called its chain of custody. A lot of people think of the chain of custody as some complicated mechanism that is fragile and difficult. In reality, the concept of the chain of custody existed long before computers, and long before any of the technical controls people now put in place. The chain of custody is just a document listing who has had possession of an item.
Documenting Chain of Custody
A chain of custody document simply states who has had possession of something—no matter what the thing is—and where it has been stored. The document can range from as simple as a piece of paper stored with the object to as complicated as a radio frequency ID (RFID) tag attached to the object that tracks its every movement. Regardless of how complicated you make it, to establish chain of custody for a piece of evidence, you need to document the following:
 
•   Where you received the evidence
•   Who you received the evidence from
•   When you received the evidence
•   What you did with the evidence
•   Where you stored the evidence
Figure 3-1 shows a sample chain of custody document.
Figure 3-1   Chain of custody document
To maintain the chain of custody of a forensic image, three things must be captured and preserved:
 
•   Information about the physical system where the evidence came from: This could be a desktop, laptop, DVD, thumb drive, or an external hard drive, for example. You must include information that identifies the physical system, such as the make, model, and serial number, which can be verified later if necessary.
•   Information about where the forensic image is stored: You must include the make, model, and serial number of the drive or the server/network attached storage (NAS) on which the forensic image is being stored.
•   The forensic image itself: If you follow the proper procedures as laid out in this book, the forensic image will contain a hash value either embedded within it or in a separate file. The hash value allows you and others to know that the contents of the image have not changed since they were captured originally.
LINGO
Hash or hashing refers to a mathematical algorithm that takes data of any length and produces a fixed-length value, usually written as hexadecimal characters, that represents that data. Showing that a hash value is the same from the time evidence was gathered to the time it is provided to the court proves to others that the data has not been changed.
In Actual Practice
The two most popular hash systems used in computer forensics, Message-Digest algorithm 5 (MD5) and Secure Hash Algorithm-1 (SHA-1), both create a unique summation of your data, but SHA-1 uses more bits (160, while MD5 uses 128) to represent the data, lowering the chance of any two documents having the same hash value. So, for instance, if you made a forensic image of a 1 TB drive and made a SHA-1 hash of its contents, you would get a 160-bit value that represents its content. You can’t go from the 160-bit hash back to the 1 TB of data, so it’s safe to share the hash value with others, and the hash value is repeatable.
As long as the contents of the forensic image do not change, the hash value will always remain the same. No matter the length of data you hash—be it a megabyte, a gigabyte, or a terabyte—if you change even 1 bit of information within the data, the hash value will change. This unique summation of data combined with the fact that you cannot determine the data hashed from the hash itself (which makes this a one-way hash) make hashes the standard for evidence authentication.
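As an added example (not code from the book), here is a small Python chain-of-custody record that captures the three items listed above and re-hashes a raw image, whether it is one file or split into numbered segments, to confirm that not even one bit has changed; the device descriptions, people, and image bytes are constructed placeholders.

```python
"""Chain-of-custody record plus hash verification for a raw (dd) forensic image.

Added example, not the book's own code. Device descriptions, people and the
image contents below are constructed placeholders.
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

CHUNK = 1024 * 1024  # read in 1 MiB pieces; a 1 TB image never fits in memory


def hash_bytes(data: bytes, algorithm: str = "sha1") -> str:
    """Hash an in-memory blob; used only to cross-check hash_segments()."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_segments(paths: List[str], algorithm: str = "sha1") -> str:
    """Hash a raw image as one byte stream across its segments (.001, .002, ...),
    which must be given in order. MD5 and SHA-1 both have published collisions,
    so also recording a second algorithm such as "sha256" costs little."""
    h = hashlib.new(algorithm)
    for path in paths:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(CHUNK), b""):
                h.update(chunk)
    return h.hexdigest()


@dataclass
class Transfer:
    when: str
    from_person: str
    to_person: str
    location: str  # where the item was stored after this hand-off
    action: str    # what was done with it


@dataclass
class CustodyRecord:
    """The three things the chapter says must be captured for a forensic image."""
    source_device: str        # make, model, serial of the system that was imaged
    storage_device: str       # make, model, serial of the drive holding the image
    image_segments: List[str]
    algorithm: str
    image_hash: str           # taken at acquisition and never updated
    transfers: List[Transfer] = field(default_factory=list)

    def hand_off(self, from_person: str, to_person: str, location: str, action: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.transfers.append(Transfer(stamp, from_person, to_person, location, action))

    def chain_is_continuous(self) -> bool:
        """Each hand-off must come from whoever received the item last."""
        for prev, cur in zip(self.transfers, self.transfers[1:]):
            if prev.to_person != cur.from_person:
                return False
        return True

    def image_unchanged(self) -> bool:
        """Re-hash the image now and compare with the acquisition hash."""
        now = hash_segments(self.image_segments, self.algorithm)
        return hmac.compare_digest(now, self.image_hash)


def demo() -> Dict[str, object]:
    """Constructed walk-through: two-segment image, two hand-offs, one flipped bit."""
    with tempfile.TemporaryDirectory() as tmp:
        seg_a = b"\x00" * 2048 + b"constructed sector data"
        seg_b = b"\xff" * 2048
        segs = [os.path.join(tmp, "evidence.001"), os.path.join(tmp, "evidence.002")]
        for path, data in zip(segs, (seg_a, seg_b)):
            with open(path, "wb") as f:
                f.write(data)
        rec = CustodyRecord(
            source_device="PLACEHOLDER laptop make/model/serial",
            storage_device="PLACEHOLDER evidence drive make/model/serial",
            image_segments=segs, algorithm="sha1",
            image_hash=hash_segments(segs, "sha1"))
        rec.hand_off("examiner", "custodian", "evidence room, shelf 2", "stored after imaging")
        rec.hand_off("custodian", "examiner", "lab workstation", "checked out for analysis")
        result = {"segment_hash": rec.image_hash,
                  "whole_hash": hash_bytes(seg_a + seg_b, "sha1"),
                  "chain_ok": rec.chain_is_continuous(),
                  "unchanged_before": rec.image_unchanged()}
        # Flip a single bit in the second segment, as an accidental write would.
        with open(segs[1], "r+b") as f:
            f.seek(17)
            f.write(bytes([0xFF ^ 0x01]))
        result["unchanged_after"] = rec.image_unchanged()
        # A hand-off from someone who never received the item breaks the chain.
        rec.hand_off("cleaning crew", "examiner", "lab workstation", "returned")
        result["chain_ok_after_gap"] = rec.chain_is_continuous()
        return result
```

Running `demo()` shows the split-segment hash matching the hash of the whole, the record passing both checks, and then both checks failing after the one-bit change and the out-of-sequence hand-off.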
Physical Access Controls
Physical access controls can be a human guard, a lock with a key, a combination door lock, a padlock, or a proximity card sensor. Whatever it is, a physical access control is used to keep out people who should not have access to your evidence, and to ensure that only people who should have access to your lab can be there. You do not want the cleaning crew or facilities people to have access to your forensic lab. If you have a choice in the matter, your physical access control should include some form of logging to keep track of who has gone in and out of your lab. If your budget, location, or company prevents you from installing such a device, you should demand that no master keys be in the possession of anyone but those performing the investigative work. The goal here is to prevent someone from trying to discredit your evidence by claiming that an unauthorized person easily gained access to your lab and tampered with the evidence.
Network Access Controls
Just as you need to protect physical access to your lab, you must protect network access. The images you create and your analysis of those images will be performed on workstations in your lab, and you need to be able to protect the network from claims of tampering. To accomplish this, some people create a network for their forensic workstations that is separate from the company network and bring new software over via external storage.
Your Plan
To determine whether you need to keep your forensic workstation off the company network, answer the following questions. If you answer “no” to any of them, you may need to keep evidence on a separate network.
 
•   Do you have super user control of your workstation?
•   Can you keep other IT personnel from having access to your workstation?
•   Can your workstation have its own domain or workgroup?
•   Can you install a firewall on your workstation that prevents outside connections?
•   Can you control whether or not domain policies are pushed to your workstation?
•   Are you allowed to install and control your own security and antivirus software?
If you’ve made it this far with only “yes” answers, you can successfully use logical access controls to keep your forensic workstation on the company network. You will want to make sure that you know who has the ability to access your forensic network and keep a log of who has accessed it.
If you answered “no” to any of these questions, you should think about removing your forensic workstation from the company network. Although this may not be convenient, it will prevent possibly sensitive information in your investigations from being leaked out by a curious IT administrator.
In either case, appropriate network access controls will allow you to state that no one else but you or other authorized personnel could physically or virtually access the images stored on the workstation. This is what will allow you to defend your evidence from crazy conspiracy theories made by guilty parties who watch too many movies.
Electrical Power
This may seem obvious, but as your lab grows, you will need to make sure you can provide enough dedicated power to all the equipment that will find its way into your lab. The more cases you work, the more storage you’ll need, and the more storage and images you have, the more processing power your system will need. It’s a cycle that gets going pretty rapidly as you prove your capabilities to others and your workload increases. As people find out what you are capable of, you’ll find new uses for your skills that you may not have thought of before.
Make sure you have at least one dedicated circuit available as you grow the lab. Make sure you use uninterruptible power supplies to connect to that dedicated circuit. A UPS ensures that you won’t lose your work in the event of a power outage.
Some companies may have UPSs integrated into the outlets—congratulations if you are this lucky. Otherwise, you’ll have to determine how much load your workstation and those accessories that can’t be turned off, such as a USB hub that your external storage is plugged into, draw to see how long a particular UPS will last. Some of the newer consumer UPS models will display the current power draw and the estimated amount of time that the battery will last; this is useful if you don’t have the experience to determine your power draw otherwise.
LINGO
An uninterruptible power supply (UPS) is a battery-powered device that serves two purposes: It provides battery power in case the circuit loses power, preventing your workstation from powering off while doing something important, such as capturing a forensic image. It also ensures that the power that reaches your equipment is conditioned, meaning that the UPS will eliminate any variances in voltage that could potentially damage your equipment.
Air Conditioning
When you have enough steady power flowing into your workstation and accessories, you’ll quickly find out that what they take in for power, they expel out in heat! Your hardworking equipment will produce a lot of heat as it keeps those fans spinning to keep up with the heavy load imposed on your systems by your forensic analyses. The more systems in your lab, the more heat is generated.
Budget Note
You might find that installing a portable air conditioner can be expensive. You can buy an inexpensive small temperature probe to record the high temperatures in the lab and keep track of whether they show a potential for equipment damage. You might find that, even without air conditioning, the room may stay cool enough to accommodate the full system without any problems.
More and more buildings are no longer providing air conditioning 24 hours a day. This means that at night, while your equipment is running (and you are hopefully sleeping), the heat generated will be trapped in your lab with nowhere to go. If enough heat builds up, it can lead to system failure and loss of data, neither of which helps you make your deadlines, or your cases. This is especially true if your lab is in an area with hot summer months, and even more so if no air conditioning is provided over the weekends.
The answer to this problem is air conditioning and ventilation; typically, a portable air conditioner (amazon.com and newegg.com both sell them) will suffice in a small lab.
In Actual Practice
Because you are obviously a scientist, or a soon-to-be computer scientist (put on your lab coats!), you realize that to cool the air, heat must be removed. This means that your handy lab air conditioner or ventilation system needs to have somewhere to put all that heat. The other byproduct of the process is water vapor, and most of today’s consumer units can expel that vapor with the hot air exhaust.
You might be able to place the exhaust of your portable air conditioner into the register of the building’s existing air conditioning system. Otherwise, you may be able to route the unit’s exhaust into the ceiling, but make sure you check with your building management before doing this.
If your lab space is small and you are drawing in the air from the same space, you may encounter a condition called “negative pressure”: this means that the air conditioner is constantly recycling the air in the room into and out of the unit. This can cause the system to become inefficient, and in long-term use it could lower the unit’s lifespan. You can cure this problem with a dual-hose portable air conditioner, but it means you now have to run two lines—one for air into your unit from another space and one to run out the hot air.
Privacy
Privacy may be the most practical requirement for your lab. As you undergo your investigations, you will be viewing materials that can be sensitive or incredibly offensive even to the most hardened Internet veteran. What you don’t want is that nice new employee who is unscarred by the Web’s horrors to get his or her first glimpse of its ugly underbelly while walking by your cube. Nor do you want delicate personnel matters to be visible to people walking by. This means that, above all, you and your lab need privacy. You should not work with your lab door open, and you should never perform your examinations in a cubicle surrounded by other employees’ cubicles.
If you work in a corporate environment where only employees of a certain level are granted an office with a door, you should explain that you also need an office with a door that closes. Let them know that it’s better and less expensive to bruise the ego of a manager who must now work in the cube with the fake door than to endure the hostile workplace lawsuit filed by the sensitive worker who claims to have been scarred by the “sexual tendencies of fellow employees on display on your examination workstation.”
IMHO
Although no lawsuits may be filed, there is no reason to subject coworkers to some of the strange things you will see as you work investigations. At a minimum, you can expect some complaints to human resources and some coworkers who can no longer look you in the eye. If you work in this field long enough, at some point, nothing will shock you anymore. My latest discovery on a suspect’s system was quicksand erotica; I don’t think I can ever unsee that.
In Actual Practice
Here are two choice stories from other examiners who had to have their lab in an open-cube environment:
I was once forced to conduct an investigation in my cubicle, and there was a significant amount of disturbing pornography on the system being examined. Some of the offensive materials were seen by a large portion of the IT staff, as my cubicle was at a well-traveled intersection and the short cubicle walls provided no real privacy. While no lawsuits were filed, there were a couple of complaints to HR. And many of them could no longer look at two popular superheroes the same way again.
I had an open-cube setting at a prior company, and a member of the InfoSec Engineering team sat next to me. He was fond of holding conferences in his cube space (usually with project managers and customers for the various projects he was consulting on), and I had to refrain from conducting certain investigations at work during that time for just this reason. I did get a privacy filter for my monitors, but since they were directional filters, if the visitors moved to the right angle, they’d still get an eyeful.
Gathering the Tools of the Trade
After you’ve secured the physical space to start your lab, you’ll need to fill that space with all the hardware and software you’ll need for your investigations. The available range of tools can fill a room pretty quickly, so let’s talk about what you actually need to get started.
Write Blockers
A write blocker …well, it blocks writes. As simple as that sounds, a write blocker is one of the most fundamental tools in your lab. Every time you are working from a piece of original evidence, you need to prevent writing to it, unless it’s impossible to do so. There will be times when no write blocker is available for what you are forensically imaging, when you are using enterprise forensic software that runs as an agent on the suspect’s computer, or when lawyers agree not to write block so a server can keep running while you make the forensic image; barring those and any similar situation you find yourself in, don’t write to original evidence. If you do, make sure that you document your actions so you can exclude them from your investigation later.
Budget Note
Write blockers used to be considered expensive, at around $1000. However, at the time of this writing, you can purchase a Serial Advanced Technology Attachment (SATA) write blocker from Digital Intelligence on the Web for less than $400. If that’s out of your price range, you might want to reconsider doing this work, because all the blank drives you’ll need to store the forensic images you create will quickly outpace that.
Your ability to protect the state of the original evidence during its preservation will help you avoid challenges to the evidence you create. Write blockers are key in this regard, because they physically connect between your workstation and the original evidence to prevent any writes from occurring. They simply return a successful write to the operating system, without passing the data on to the device it is protecting.
Write blockers come in many varieties, as shown in Figure 3-2: you’ll find USB write blockers (A), FireWire write blockers (B), SATA write blockers (C), and more. To decide which write blocker to choose, look at your environment to see what type of equipment is in use. If you are doing computer forensics within a corporate environment, you may have standard hardware configurations, and this makes it much simpler to know what write blockers you need to purchase. If you are planning on offering computer forensics as a service to third parties, you’ll need to be prepared for anything, which means getting all the different write blockers you can afford, or at least the most popular such as SATA, Parallel ATA (PATA), and USB.
Figure 3-2   (A) USB write blocker, (B) FireWire write blocker, and (C) SATA write blocker
LINGO
Original evidence refers to the source of your evidence. For instance, if you were asked to investigate an employee’s desktop, the desktop and its hard drive would be considered the original evidence. The forensic image you make from that hard drive is not original evidence; it is a copy of it. The same concept applies to CDs, DVDs, thumb drives, cell phones, tablets, and any other source of electronic data you are asked to investigate.
Not all write blocking has to be done using physical hardware. You can also write block using software, which provides a much more flexible option for protecting original evidence. Software write blocking can occur at the interface level or at the operating system level: Windows supports USB write blocking via registry tweaks, and Windows Server Standard FE and Linux/BSD can both be configured not to write to attached drives unless explicitly instructed to do so. (See Chapter 5 for more information.)
In Actual Practice
Many examiners just starting out feel uncomfortable with the idea that they may accidentally write to a piece of original evidence. This is a legitimate fear, because forensic imaging is a procedure that, although simple, can have the biggest impact if you make a mistake, which may even mean you lose a case. This leads many to use portable imaging devices that have built-in write blocking and can offer some serious speed in their acquisition of data. There is nothing wrong with using these devices, but they can be expensive, and relying on them exclusively can cause issues in scaling out your imaging to meet the demand of imaging many machines at once.
Note
Many people say that if a disk gets written to while imaging, it will automatically end a case. That is not exactly true, however. If you document what went wrong and contain the impact to the disk and explain the issue, you will likely be able to get the evidence admitted in civil court.
Drive Kits
If you choose to use a software write blocker, drive kits will become your best friends. These typically USB-based adaptors, such as the one shown in Figure 3-3, provide an easy and compact connection for an internal hard drive to your workstation.
Figure 3-3   A drive kit
Figure 3-3 shows a drive kit that connects a USB 3.0 port on my workstation directly to a SATA laptop drive. You can see that the power plugs into the drive kit directly, which provides a very portable adaptor for attaching drives to a workstation or laptop. When I go onsite, I’m usually armed with my laptop, a write blocker, these drive kits, and software write blocking.
In Actual Practice
Make sure you test your equipment before you go onsite. Drive kits in particular are fairly cheap and need testing: you may get a bad one from time to time that you have to return, and their speed can vary. Almost all of the drive kits are sourced from no-name manufacturers, so two boxes could contain two different chip sets. The same advice goes for any equipment you plan to bring with you out of the lab environment. You need to make sure you are prepared and have everything you need, and that everything is working as it should, so you don’t waste time.
If you are looking for a more permanent solution to place in your lab, look into purchasing an external drive dock (see Figure 3-4). A dock lets you place the empty dock on a stable surface in your lab and keep the power and cables attached. Just place the drive in the dock and power it on with your favorite software write blocker turned on. This can also be handy when you don’t want to use external drives to store images, because it can be a pain to keep up with all the different AC adaptors they come with.
Figure 3-4   External drive dock
External Storage
The key to successful external storage usage is getting the highest transfer rate available to you. USB 3 is pretty great, external SATA (eSATA) is becoming the standard on more systems, and the new Intel/Apple Thunderbolt interface standard is starting to get traction. You also need to make sure your external storage has good heat dissipation. Nothing can ruin your day faster than an external drive overheating and crashing after being three-quarters of the way done imaging a 2-terabyte hard drive.
IMHO
When I was first working cases, I lived off of external storage. I would dedicate one external drive to each case and place both the forensic image and the case data on it. Now that the scale of my work demands large servers and storage systems, I still use external storage when I’m creating forensic images.
Screwdriver Kits
Most electronic stores sell these kits; you’ll want a kit with what is commonly called a “jewelers” set of screwdrivers. You can use these smaller screwdrivers to unscrew all of the tiny screws you’ll find in many laptops. Other good things to look for in screwdriver kits are Torx head and star heads for those vendors who don’t want to make it easy to remove a hard drive from their device. If you get a Torx head kit, make sure to get the ones that fit the security bits as well, because they can be used on regular and secure Torx head screws. The only real problem with screwdriver kits is that if you have to travel to do your work, Transportation Security Administration (TSA) agents may take them away at the airport.
Antistatic Bags
You’ll find that many people buy official bags that say “EVIDENCE” on them, but that’s really unnecessary, because you already know that it’s evidence and anyone who does not know that shouldn’t be handling them. Any, preferably resealable, antistatic bag is as good as another. Antistatic bags prevent static shock from damaging the components that allow your original evidence to work and are always a good idea to have around. These bags are cheap and recommended for your kit, because a drive dying due to static shock equals a bad day.
Adaptors
As you open up more and more computers, especially ultra-portable laptops, you’ll find new hard drive interfaces you didn’t even know existed! When this happens, you’ll need an adaptor to bridge from that new interface (such as a ZIF [Zero Insertion Force] interface, shown in Figure 3-5) to something you can handle with your current equipment, such as SATA.
Figure 3-5   ZIF interface adaptor
In Actual Practice
You’ll never know what type of adaptor you’ll need until you actually need it. The best way to prepare is to find out from your IT staff what standard equipment they deploy and what interfaces to the hard drives need to be covered 90 percent of the time. This is a broad statement, however, because new laptops and devices (such as tablets) always introduce new drive standards. If you are in a corporate environment where such hardware is controlled and defined, adaptors will be less of an issue for you.
Forensic Workstation
Any good desktop PC can be used as a forensic workstation. Although many companies out there want to sell you a purpose-built forensic workstation, you don’t have to buy one to perform an examination. What you do need is all of the processing power, memory, and storage space you can afford to get to handle the complicated tasks ahead of you. As your lab grows larger, you may find yourself migrating these tasks to dedicated servers with even more power to handle the growing demands of ever larger cases.
IMHO
Many people start their first examinations using their work-issued laptop. There is nothing wrong with this, but you’ll quickly find that having to leave your laptop running overnight processing evidence becomes a hindrance when you need to get other work done. Even if an available desktop is slightly less powerful than your laptop, it might be dedicated to the long-term tasks you assign to it, and desktops are usually better than laptops at handling the heat that builds up from long-term operation.
Choosing Forensic Software
You have your space, you have your hardware, and now you need to figure out what software you are going to use for your analyses. For most computer forensic professionals, the choice of whether to use open source and free tools or commercial tools comes down to budget. This book covers three popular forensic suites used for analysis: the SANS Investigative Forensic Toolkit (SIFT), Guidance Software’s EnCase Forensic, and AccessData’s FTK Digital Forensics Software.
In Actual Practice
There are many other options on the market as well. Although this book focuses on SIFT, EnCase Forensic, and FTK, this does not imply that you could not or should not choose another application that you find more suitable. You’ll find the need for many specialty computer forensic software packages as your career progresses. You might need software to acquire data from certain types of smartphones, to recover certain types of data, to parse certain types of data, and more! You won’t know you need it until you need it, so make sure to keep Google handy when someone asks you, “Can you do X with that?”
Open Source Software
You might hear a lot of legal arguments for and against open source software. One camp likes to say that open source is better, because you have access to the source code and can therefore defend and explain to the smallest detail what your program is doing. The other camp says that a closed source vendor’s software is better because the vendor will testify regarding the validity of their tool.
IMHO
For civil work, I have found that neither camp’s argument holds any weight. If you can represent that your analysis can be confirmed using multiple tools when questioned, then there is rarely an issue. For criminal work, where guilt beyond a reasonable doubt must be proven, I can see this being a bigger issue, but we in the civil world don’t have these concerns. Choose your tools because of your comfort and experience with them, not because of what someone tells you is bulletproof in court.
SIFT
Lots of open source tools and bootable environments are available today, but the one I like the most and spotlight in this book is SIFT. Although most open source tools are packaged in bootable environments, SIFT is made to run as a static virtual environment that you can optionally install to a drive, making it a great tool for both Linux users and Windows users who want to learn more about it without leaving behind their current environment.
You can download a virtual image of SIFT from http://computer-forensics.sans.org/community/downloads/.
Budget Note
Many people start off with open source software because of budget issues. You may have to successfully analyze an image and solve a case before a business is willing to get behind you and support your efforts with funding. All commercial tools support raw images, and you can easily move cases between the two, so don’t think that because you start with open source that you can’t transition between it and commercial tools. Many forensics professionals use both commercial and open source.
Commercial Software
If you are not familiar with Linux and are more comfortable in Windows, it might be best to stick with a commercial forensic suite. The end product of any tool you choose should be the same, in that your analysis should reach the same artifact no matter which tool you use that supports the file system or application you are analyzing. There are open source Windows tools, but none of them have been combined into a single package equal to SIFT, which is also well supported. Until that fact changes, that is the line we draw.
LINGO
A raw image, also called a “dd image” (for the dataset definition command, dd), is a computer forensic image of a system in which the data from the storage device is stored as a single file or multiple files, but without any type of container that stores checksums or hashes. For example, EnCase’s image format E01 contains the same data as a raw image but adds on cyclic redundancy checks (CRCs) and information about the image (such as what version of EnCase was used to make it, who made it, and its hash values).
IMHO
Every investigator should learn two things: Linux and programming. If you stick to just Windows and never learn how to program, you will be limiting your growth as an investigator. No single computer forensic tool provides every feature you want, and no operating system (OS) can provide all the functionality you need; you eventually will use every tool and OS you can get your hands on.
EnCase
EnCase Forensic version 7, the current version at the time of writing, has been dramatically updated to keep up with competitors, including support for distributed processing and better e-mail functionality. I’ve found EnCase to be not particularly user-friendly to a new user and new examiner, so I recommend you get training on the product if you plan to use it. A lot of the product’s extended functionality comes in the form of programs called EnScripts that can run within the tool and manipulate data in the images.
FTK
AccessData’s Forensic Toolkit (FTK) version 4 is the current version. FTK has become the tool to beat in my opinion. FTK is very user-friendly and provides base training materials and certification for free on the company web site. FTK supports distributed processing, offers fantastic e-mail support, offers good support for encryption products, and includes one of the best imaging tools around: FTK Imager.
IMHO
Other commercial tools are on the market, such as ProDiscover, SMART Forensics, X-Ways, and more. On a daily basis, the one I use the most is FTK. It gives me the information I want to see in the best form for my workflow. After 14 years on the job, this is my favorite tool. What works best for you will be something you discover as you try more tools and analyze more data. Having said that, I own licenses for every major forensic suite except for ProDiscover, which some people love and some hate.
Storing Evidence
Evidence storage might be the most worrisome part of building a forensic lab. Many people involved in discussions that focus on computer forensics have never been to court and have never offered evidence to the court. As such, they have no practical experience as to what the court requires for evidence storage and tend to cite criminal best practices from the Secret Service or FBI. But evidence storage involves much more. Evidence storage requires that you keep physical access controls in place for the evidence, but does not dictate in what form that must be; read on to learn how to store evidence for civil cases.
Securing Your Evidence
When I first started working forensic cases, my original “evidence locker” was a locking file cabinet. From there, I moved up to a fireproof safe, and now I have a bona fide evidence room. All of these options are acceptable if you can prove chain of custody and show who had access to the storage system and the evidence stored within it. The question to ask is, who has access?
If your file cabinets have generic master keys, you should not use file cabinets to store evidence, unless you place some kind of secondary lock on them with a secure code that only you and the people who should have access know. This can be a padlock, but make sure it’s a top-notch padlock.
In Actual Practice
Even if your company’s management says that nobody has a master key, locking file cabinets are pretty terrible for evidence storage. They are easily forced open, and their locks can be picked with something as simple as a paperclip.
If you can’t put your evidence in a separate physical space, a safe is a great option. Multiple safe options include fireproof types with electronic locks that let you use individual codes to access the contents.
image Tip
Safes can be heavy. Make sure the floor can support the weight of the safe.
 
If your collection of evidence is quickly filling up your safe (or safes), you should consider creating an evidence room. This can be as simple as a closet, or as large as a closed-door office space. You should make sure of the following:
 
image   The walls go to the ceiling all around the room; this means that even in a drop-down ceiling environment people can’t just crawl over.
image   There is controlled access to the room, preferably with a digital lock just like the lab itself.
image   There is no unsupervised access to a cleaning crew or other unauthorized personnel.
image   Any fire suppression system is “dry pipe,” meaning the pipes hold pressurized air rather than water until a sprinkler head actually opens, so a leaking pipe or an accidental trip doesn’t flood the room and you might have a chance to save your drives and systems from water damage. (A clean-agent gas system avoids water entirely.) Remember, water/chemicals and electricity do not mix.
Organizing Your Evidence
Just as important as securing your evidence from alteration is being able to find it. Some people go as far as RFID tracking, but in a small lab you don’t need such a sophisticated system. You do need to create standards for how to label your evidence and track which drive it is located on, and where that drive is physically located.
Labeling
The more cases you work, the more organized you need to be. You can start with a spreadsheet if you are working alone, but as soon as you move beyond just you, you need to provide something multiple people can access and modify. A hosted Google Docs, SharePoint, or other type of multi-user document sharing site would work well for this. Make one row for each case listing the prefix, who the contact is for the person requesting the work, and how to get hold of them.
IMHO
In my practice, we label each piece of evidence, starting with the law firm name, then the client name, and then the number of cases we’ve done for them. So, for example, if the law firm of Lawyer and Lawyer had a client named Big Company, and this is the first time we’ve ever done work for them, my evidence label would look like this: LL-BC-1, and the first piece of evidence would be LL-BC-1-1, and then LL-BC-1-2, and so on. I use this label to identify the physical drive; I notate it on the chain of custody; and I name the forensic image I create with that name—that way I can always easily know what evidence I’m working with.
For each case, you’ll need to create a standard label to keep track of all the evidence. If you are providing investigations inside a company, then you can adapt this naming scheme as well. You could prefix it with the initials of the person making the request, like JD-1-1 for John Doe’s first case and first evidence number. What you use for a prefix does not matter; you could use the state the case is in, for example. What does matter is that you are consistent with your naming and you keep track of it.
Tracking
On the same spreadsheet you’re using to keep track of cases, you should add a tab for each case listing the chain of custody basics, such as make, model, and serial number of the drive onto which you have copied the image, or the original if you still have it, as well as the location of the drive. Don’t just use “the lab” as the location; you need to be specific about where, exactly, you are storing the evidence: a file cabinet, safe, room with shelves, and so on. And label the different shelves and areas with a letter-number combination to make it easy to identify where in that stack of drives the one you want is located.
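The labeling and tracking scheme above (prefix, running case number, running item number, one custody record per item, and a specific location code) is simple enough to enforce in code. The following added example implements it as a small register; it is not from the book and not any vendor’s product. The label grammar, the location-code format (store type and unit, then shelf letter and slot, such as SAFE1-A3), the custody actions, and every name, serial number and phone number in the sample are assumptions constructed for illustration.

```python
"""
Evidence register for the scheme in this section: PREFIX-CASE-ITEM labels,
a chain-of-custody log per item, and a specific storage location.
Added example, not from the book or any vendor. Label grammar, location
codes, custody actions and all sample data are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# PREFIX-CASE-ITEM, e.g. LL-BC-1-2 or JD-1-1; the prefix may itself contain dashes.
LABEL_RE = re.compile(r"^(?P<prefix>[A-Z0-9]+(?:-[A-Z0-9]+)*)-(?P<case>\d+)-(?P<item>\d+)$")
# Assumed location code: store type + unit, then shelf letter + slot (SAFE1-A3, ROOM1-C12).
LOCATION_RE = re.compile(r"^(SAFE|CABINET|ROOM)\d+-[A-Z]\d+$")


def parse_label(label: str) -> dict:
    """Split a label into prefix, case number and item number; reject malformed ones."""
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError(f"malformed evidence label: {label!r}")
    return {"prefix": m["prefix"], "case": int(m["case"]), "item": int(m["item"])}


def is_specific_location(location: str) -> bool:
    """'the lab' is not a location; a shelf/slot code is."""
    return bool(LOCATION_RE.match(location))


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEntry:
    when: str       # ISO-8601 UTC timestamp
    who: str        # examiner or courier taking custody
    action: str     # received / moved / released
    location: str   # where the item physically is after this action


@dataclass
class EvidenceItem:
    label: str
    make: str
    model: str
    serial: str
    original: bool  # True for the client's own drive, False for a copy/image drive
    location: str
    custody: list = field(default_factory=list)


class EvidenceRegister:
    """One row per case (contact info) and one tab per case (its items)."""

    def __init__(self):
        self.cases = {}       # case key -> {"contact", "phone", "items": [EvidenceItem]}
        self._case_seq = {}   # prefix -> last case number issued for that prefix

    def open_case(self, prefix: str, contact: str, phone: str) -> str:
        prefix = prefix.upper()
        n = self._case_seq.get(prefix, 0) + 1
        self._case_seq[prefix] = n
        key = f"{prefix}-{n}"
        self.cases[key] = {"contact": contact, "phone": phone, "items": []}
        return key

    def add_item(self, case_key, make, model, serial, original, location, examiner) -> str:
        if not is_specific_location(location):
            raise ValueError(f"location must be a shelf/slot code, not {location!r}")
        case = self.cases[case_key]
        label = f"{case_key}-{len(case['items']) + 1}"   # next running item number
        item = EvidenceItem(label, make, model, serial, original, location)
        item.custody.append(CustodyEntry(_now(), examiner, "received", location))
        case["items"].append(item)
        return label

    def move(self, label, who, new_location, action="moved") -> EvidenceItem:
        if not is_specific_location(new_location):
            raise ValueError(f"location must be a shelf/slot code, not {new_location!r}")
        item = self.find(label)
        item.location = new_location
        item.custody.append(CustodyEntry(_now(), who, action, new_location))
        return item

    def find(self, label: str) -> EvidenceItem:
        parts = parse_label(label)
        for item in self.cases[f"{parts['prefix']}-{parts['case']}"]["items"]:
            if item.label == label:
                return item
        raise KeyError(label)

    @staticmethod
    def image_name(label: str, ext: str = "dd") -> str:
        """Name the forensic image after its label so drive, custody form and image match."""
        parse_label(label)
        return f"{label}.{ext}"


def build_sample_register() -> EvidenceRegister:
    """Constructed sample: the section's Lawyer and Lawyer / Big Company case, two drives."""
    reg = EvidenceRegister()
    case = reg.open_case("LL-BC", contact="Jane Smith, Lawyer and Lawyer", phone="555-0100")
    reg.add_item(case, "Seagate", "ST1000DM003", "Z1D0EXAMPLE", original=True,
                 location="SAFE1-A3", examiner="D. Examiner")
    reg.add_item(case, "WD", "WD10EZEX", "WCC3FEXAMPLE", original=False,
                 location="SAFE1-A4", examiner="D. Examiner")
    reg.move("LL-BC-1-1", who="D. Examiner", new_location="ROOM1-B4")
    return reg
```

Every change of location appends a custody entry rather than overwriting the old one, which is what a court will want to see; and because the image file is named after the label, the drive on the shelf, the line on the chain-of-custody form and the file in the case folder can never be mistaken for each other.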
Disposing of Old Evidence
When a case is over, never assume you can destroy the evidence. Ask your client or employer before you destroy anything. Then make sure you keep the e-mail or other document that says you are clear to destroy the evidence. Just because a case has been inactive for a year does not mean the litigation is over; some related matter may still be pending. The more cases you work, the more drives you’ll need to store on indefinite hold. If you begin running out of space, you might consider secure offsite storage.
If you are allowed to destroy evidence, this doesn’t mean you have to take the drive out and melt it or beat it apart with a hammer. Instead, you can permanently remove the data from old drives, called “wiping,” and reuse them. You can reuse old drives to store evidence or use them to send copies of data to other parties or internal reviewers. My favorite wiping software is BCWipe from Jetico, but other products are on the market as well. Whatever tool you use, verify the wipe before the drive goes back into service (read the drive back and confirm nothing but the overwrite pattern remains) and file that verification with the destruction authorization. Be aware that overwrite-based wiping is designed for magnetic drives; on an SSD, wear leveling can leave copies of data in blocks the overwrite never touches, so use the drive’s built-in secure-erase command instead.
We’ve Covered
We’ve covered a lot in this chapter. Building and maintaining a lab is a lot of work, but a good lab goes a long way toward helping you defend your work. Don’t go crazy if you can’t achieve 100 percent of the requirements in this chapter; just do the best you can and try to achieve 100 percent as you move forward and show value to those who are funding you. In the next chapter, we’ll talk about how to approach an investigation so you start thinking like an investigator.
Choosing where to put your lab
 
image   Access controls
image   Importance of chain of custody
image   Physical lab security
image   Network security
image   Electrical power and temperature
image   Privacy
Gathering the tools of the trade
 
image   Write blockers
image   Drive kits
image   Screwdriver kits
image   External storage
image   Antistatic bags
image   Adaptors
image   Forensic workstation
Choosing forensic software
 
image   Open source for your budget
image   Commercial for ease of use
Storing evidence
 
image   How to store evidence securely
image   How to organize and keep track of evidence
image   How to dispose of old evidence and when it’s appropriate to do so