Planning a Digital Forensics Lab
Written by André Champagne

So, you want to build a digital forensics lab? Maybe you have been tasked with researching how to put together a lab or maybe you have to actually do it but simply don’t know where to begin. Well, we are going to explore some options at your disposal and give you a basic foundation on some of the issues you will need to consider.


Scope of Lab

The first step in this process should be to define the scope of your lab. Will this lab be a full-service digital forensics lab that handles all types of devices and case work, or will it be focused on one particular niche such as mobile forensics? Defining the scope first lets you determine exactly which of the issues below apply to you and to what extent. Also plan for scope creep and for services you may add later; it is far cheaper to allow for them now than to discover that the initial lab setup cannot be enhanced or expanded without major effort or expense.

Lab Location and Space Requirements

Now you have a rough idea of the scope of your lab. The next thing to consider is space and location. You need a location to provide adequate space for your forensic staff, work areas, evidence storage, documentation, and equipment and tool storage. Also, is the lab going to double as the primary work area for one or more individuals? If for more than one, then you will likely need additional space to handle secondary computers, file folders, miscellaneous office supplies, and personal items. If possible, leave yourself additional space even if you don’t think you will need it. Rarely do people complain about having too much space and it can be very painful and expensive if you end up having to work in close quarters or if you have to relocate your lab at some point. These issues will become more apparent as we continue to discuss all the variables that go into a fully functional and properly equipped lab.

The location of your lab can also be very important and it is something that needs to be discussed. Will you be storing evidence in the lab? If not, where is your evidence stored and how convenient will it be to shuttle evidence around? Chain-of-custody issues need to be considered as well as the increased likelihood that evidence could be lost, misplaced, or damaged while in transit. You may also want to consider who your main clients are for your lab. Will the lab be convenient for them and does this matter? Location of your lab may also have a large impact on some of the upcoming topics we will be reviewing, such as network connectivity, environmental controls, power requirements, and security controls.

Once you have a location selected, the fun of designing the layout of the lab begins. There are several important issues to consider in your design, including the location of workstations, work benches, power outlets, network ports, cabinets, and storage bins. Other things to consider may include height-adjustable workstations, wall-mounted monitors, a portable clean room, a Faraday cage for isolating wireless devices from their networks, and a fume hood if you are going to be doing JTAG and chip-off processing. Also, don't forget to install a wireless phone system so you can move freely around your lab while talking with clients, colleagues, and vendors.

Environmental Controls

Regulating the environment of your lab can be a critical element that you don’t want to overlook. Improper temperature and humidity can cause damage to your expensive forensic equipment as well as the evidence that you introduce into your lab. Implementing temperature and humidity controls is highly recommended if at all possible. In addition to these controls, use proper materials when building your lab to include anti-static flooring and countertops and sufficient lighting for the entire lab and individual workstation areas. One final item to address is power. Plan properly so that you have adequate power, conditioned power, and emergency power. Large-scale building UPS systems are preferred but they are expensive and likely can only be implemented if the lab is being built as part of a much larger facility. At a minimum, look at rack-mounted UPS devices for your network equipment and stand-alone UPS units for your workstations.

Software and Hardware Tools

Now we revisit the purpose of your lab and what types of evidence items you will be examining. Having the proper software and hardware is critical to your operations. What types of devices will you be examining (PCs, servers, tablets, smartphones, USB drives, DVRs, game consoles)? What operating systems will you need to examine (Windows, Mac/iOS, Linux/Unix, Android, Chrome OS), and which file systems (NTFS, FAT, YAFFS, ext)?

On top of these things you will need to consider even more granular processing that may be required, such as exploring SQL databases, viewing PLIST files, handling EXIF information, and capturing live memory to name just a few. One final area that should not be overlooked is your ability to extract, export, search, and convert different types of data. Most labs need robust utilities to handle these operations. One such example is having the ability to search through email files and export results to PST, EML, or MSG file types.

Once you have a handle on the extent of your lab’s capabilities then you can start identifying the appropriate software applications and hardware devices you will need. Some of your software will likely be commercial in nature while some of it will be open source or freeware (many useful tools can be downloaded for free). I would highly recommend that you spend time researching your software tools, talk with others in the forensic community for recommendations, and contact vendors for trial versions of their products. Software can get very expensive so do your due diligence before making your purchases.

A variety of hardware tools will also need to be considered for your lab. Some of these items will include forensic bridges (write blockers), forensic duplicators (imaging tools), data wiping/sanitation devices, forensic workstations, and media docking stations. Of course, you will also need a wide variety of cables, adapters, traditional tool kits, and specialized tool kits for working on the variety of evidence items that you will encounter. Depending on the services your lab will provide you may also need additional hardware for JTAG and chip-off processing, mobile device repair, and data recovery.

Storage

Once you acquire your evidence into a forensic image file then where will this image file be stored? Who will need to access the image files and where will they need to be accessed? Will you store image files on individual hard drives, on your forensic workstations, on a network storage device, or some hybrid?

Storing (short term) and archiving (long term) your data are extremely important items for you to address. The methods you deploy for storing and archiving can affect the efficiency of your lab, chain-of-custody, security auditing, and data integrity. Two of the most common methods for storing data today are the use of individual hard drives and network storage devices. Both have their advantages and disadvantages. Some advantages of network storage include ease of access, the ability to set up automated backups, and the ability to keep large amounts of data accessible at any given time. Some possible disadvantages of network storage include infrastructure costs and security concerns: an image on a share is reachable by everything else on that network, so access control, access logging, and ideally encryption of the share become requirements rather than options. Weigh the pros and cons of each solution you consider.

As we all know, the size of data storage devices is increasing rapidly and this means that labs need to handle larger volumes of data. Your storage strategy should be flexible and easily expandable so that you can handle future storage demands. It is important that you research storage options carefully before implementing a storage and archiving strategy.

Data Network

One item that is often debated in forensic circles is how to approach the implementation of data networks within a digital forensic environment. As with most issues we have covered, the answer to this is going to be specific to how you approach your operations. Many times your IT policies and management philosophies will dictate the type of network that will be implemented.

Best practice is for your digital forensics lab to have a stand-alone network consisting of its own cabling, switch, and router (or firewall). This lab-specific network lets all devices within the lab communicate with each other in an isolated environment, while connectivity to the existing corporate network infrastructure and the Internet is limited to the specific ports and protocols the lab actually needs, with everything else denied by default. Implementing a lab-specific network can be done relatively inexpensively depending on the type of hardware you choose to implement and the installation costs for cabling.

Another thing to consider in your lab is the implementation of virtual machines on your workstations. Virtual machines can provide you with a wealth of additional functionality, including a rich testing environment, but they can also provide you with additional networking options. A virtual machine can be configured to use the Internet, allow you to do research, and give you the ability to download files and then share information with your host workstation. The virtual machine can have multiple layers of security applied to it, including attaching it to its own network interface card (NIC). The one rule that must hold is that a virtual machine with Internet access must not be able to reach evidence storage; otherwise it undoes the isolation the lab network provides. This area can get quite complex and you certainly want someone with extensive knowledge of networking and virtual machines to configure such a system. The main thing to understand is that virtual machines are an additional option that may provide benefit for some labs.

Security Controls

Security is a topic of great concern in our world and it should not be overlooked when implementing your lab. If you plan on seeking a lab accreditation at some point, then this is going to be a topic of considerable importance to you.

Security comes in many forms and the two most important ones for your lab will be physical security and data security. Data security was briefly mentioned earlier and it deals with making sure the digital information your lab processes and produces is secured. Data security includes securing the data on its storage medium, securing the data while in transport across the network, auditing the access of this data, limiting the access of this data to authorized individuals, and ensuring the integrity of the data.
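The integrity and auditing items in the storage paragraphs and the data-security paragraph above come down to two concrete controls: hash every image at acquisition and record the hash in a manifest, then re-hash on every later access and log who checked it and when, in a form that cannot be quietly edited. The script below is an added example, not code from this article or from the author's lab. It assumes raw images on a POSIX file system, and the case number, file name and examiner names in it are invented. It writes a JSON manifest beside an image, keeps a hash-chained custody log, shows a verification failing after a single byte of the image is flipped, and shows the chain check failing after a log line is edited.

```python
"""Evidence image manifest plus a hash-chained custody log.

Added example, not code from the original article. Assumes raw images on a
POSIX file system; case number, file name and examiner names are invented.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so multi-TB images never load into RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def manifest_path(image_path):
    """Manifest lives beside the image with a fixed suffix."""
    return Path(image_path).parent / (Path(image_path).name + ".manifest.json")


def write_manifest(image_path, case_id, examiner):
    """Record hash, size and acquisition metadata in a JSON file beside the image."""
    image_path = Path(image_path)
    entry = {
        "case_id": case_id,
        "image": image_path.name,
        "size": image_path.stat().st_size,
        "sha256": sha256_file(image_path),
        "acquired_by": examiner,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    manifest_path(image_path).write_text(json.dumps(entry, indent=2))
    return entry


def append_log(log_path, record):
    """Append one JSON line whose 'prev' field is the hash of the previous line.

    Editing or deleting an earlier line breaks every later link, so quiet
    rewriting of the custody history is caught by check_log().
    """
    log_path = Path(log_path)
    prev = "0" * 64
    if log_path.exists() and log_path.read_text().splitlines():
        prev = hashlib.sha256(log_path.read_text().splitlines()[-1].encode()).hexdigest()
    with open(log_path, "a") as f:
        f.write(json.dumps(dict(record, prev=prev), sort_keys=True) + "\n")


def check_log(log_path):
    """Return True if every line's 'prev' matches the hash of the line before it."""
    prev = "0" * 64
    for line in Path(log_path).read_text().splitlines():
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True


def verify_image(image_path, log_path, examiner):
    """Re-hash the image, compare with its manifest, log the outcome, return pass/fail."""
    image_path = Path(image_path)
    expected = json.loads(manifest_path(image_path).read_text())
    actual = sha256_file(image_path)
    ok = actual == expected["sha256"] and image_path.stat().st_size == expected["size"]
    append_log(log_path, {
        "event": "verify", "image": image_path.name, "by": examiner,
        "at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "expected": expected["sha256"], "actual": actual,
        "result": "PASS" if ok else "FAIL",
    })
    return ok


def demo():
    """Constructed scenario: acquire, verify, flip one byte, verify, edit the log."""
    work = Path(tempfile.mkdtemp())
    image = work / "CASE-0001_laptop.dd"          # invented name, random content
    image.write_bytes(os.urandom(3 * CHUNK + 17))
    log = work / "custody.log"
    write_manifest(image, "CASE-0001", "examiner-a")
    first = verify_image(image, log, "examiner-a")
    with open(image, "r+b") as f:                 # simulate bit rot or tampering
        f.seek(CHUNK + 5)
        original = f.read(1)
        f.seek(CHUNK + 5)
        f.write(bytes([original[0] ^ 0x01]))
    second = verify_image(image, log, "examiner-b")
    chain_ok = check_log(log)
    lines = log.read_text().splitlines()          # now rewrite history: PASS -> FAIL
    lines[0] = lines[0].replace('"PASS"', '"FAIL"')
    log.write_text("\n".join(lines) + "\n")
    return first, second, chain_ok, check_log(log)


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The chain only proves that the copy of the log you hold has not been edited; someone who can rewrite the whole file can rebuild a consistent chain. To make it evidence, copy the hash of the latest line somewhere the examiner cannot alter (the case file, a printed custody form, a write-once log server) each time a verification is logged.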

Physical security is securing your physical environment. One key part of your physical security plan needs to be identifying which areas are considered secure areas. Physical security includes limiting physical access to the lab and evidence items (authorized individuals only), placing security controls on doors, implementing mantraps, maintaining logs of all individuals entering secured areas, and implementing video surveillance where necessary. When defining your secured areas, be sure to include the areas where network and storage devices are kept. If these areas are accessed, then your data and your entire network infrastructure can be compromised.

Accreditation

The dreaded word “accreditation” is finally here. Many will scoff at the mere mention of this word and horrifying images will pop into their heads. Don’t be afraid and open your mind to the concept of accreditation in digital forensics. Accreditation is certainly something that requires effort and can get costly for some. The cost factor can be greatly reduced by simply designing and managing your lab in a way that is compatible with most accreditation standards. If you have an existing lab then implementing the proper standards can get expensive depending on your lab layout, physical location, and current security controls.

The item that scares people most when it comes to accreditation is the requirement for strict policies and procedures and making sure staff adhere to them. Part of this process includes validating tools, which many labs currently do not do. To many in the digital forensics community most of the accreditation requirements seem like they have no value and are a waste of time. There certainly hasn’t been a big push for digital forensic labs to get accredited in recent years.

Now, on to the bad news for those of you who don’t want or don’t agree with accreditation: it is coming to your neck of the woods. Like most things, the accreditation of digital forensic labs will be a slow process but over time it will likely become a necessity for most. As attorneys, judges, and the general public become more educated on digital forensics, the pressure to elevate the standards in digital forensic labs is going to grow. Can anyone imagine DNA evidence being submitted to a criminal court that didn’t come from an accredited lab? It is only a matter of time until most, if not all, digital forensic labs (especially in the government sector) will need to be accredited or have most all of the same standards in place that are required for accreditation.
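Tool validation, the accreditation requirement that the discussion above notes many labs skip, is more tractable than it sounds: a test source of known content is processed by the tool, the result is compared against a reference, and the source is confirmed untouched afterwards. The harness below is an added example, not code from this article or from any accreditation body's test plan. The two imagers in it are invented stand-ins for the tool under test (one correct, one that silently drops a short final block), and the test device is a constructed file of random bytes. To turn it into a real validation run, replace good_imager with a function that drives the lab's actual imaging tool through a subprocess call.

```python
"""Known-answer validation of an imaging tool against a constructed test device.

Added example, not code from the article or any accreditation body's test plan.
The two imagers are invented stand-ins for the tool under test.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # block size the stand-in tools copy with


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def good_imager(src, dst):
    """Correct behaviour: byte-for-byte copy in fixed-size chunks."""
    with open(src, "rb") as i, open(dst, "wb") as o:
        for block in iter(lambda: i.read(CHUNK), b""):
            o.write(block)


def truncating_imager(src, dst):
    """Deliberately faulty stand-in: silently drops a short final chunk."""
    with open(src, "rb") as i, open(dst, "wb") as o:
        for block in iter(lambda: i.read(CHUNK), b""):
            if len(block) == CHUNK:
                o.write(block)


def validate(imager, size):
    """Image one constructed source of `size` random bytes and return the findings.

    Sizes that are not a multiple of the tool's block size are the ones that
    expose off-by-one and short-read bugs, so the plan must include them.
    """
    work = Path(tempfile.mkdtemp())
    src, dst = work / "test_device.bin", work / "image.dd"
    src.write_bytes(os.urandom(size))            # constructed test source
    ref_hash = sha256_file(src)
    mtime_before = src.stat().st_mtime_ns
    imager(src, dst)
    return {
        "size_match": dst.stat().st_size == size,
        "hash_match": sha256_file(dst) == ref_hash,
        # The source must come out of the run exactly as it went in. With a
        # hardware write blocker in front of the tool, this is also the check
        # that the blocker did its job.
        "source_unmodified": sha256_file(src) == ref_hash
        and src.stat().st_mtime_ns == mtime_before,
    }


def run_plan(imager):
    """Run the plan: whole multiples of the block size, an awkward size, and empty."""
    results = {s: validate(imager, s) for s in (CHUNK, 3 * CHUNK, 3 * CHUNK + 1, 0)}
    return all(all(r.values()) for r in results.values()), results


if __name__ == "__main__":
    print("good imager passes:", run_plan(good_imager)[0])              # True
    print("truncating imager passes:", run_plan(truncating_imager)[0])  # False
```

Two habits from this harness carry over to real validation: always include a known-bad control so you know the plan can fail, and keep the per-size findings rather than a single pass/fail, since the failing size is what goes into the validation record and the vendor report.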

Lab Management

Now that your lab is operational, the key to success is dependent on how it is managed. Some of the key lab management issues to consider include:

  • Choose a lab manager
  • Implement policies and procedures for forensic analysis and reporting
  • Adhere to policies and procedures
  • Implement standard naming conventions for images, files, and reports
  • Implement standard reporting templates
  • Implement an evidence inventory system
  • Implement a lab inventory system for tools, hardware and software
  • Conduct a yearly audit on lab inventory and track maintenance contracts
  • Implement a case management system
  • Implement a training policy
  • Implement a security review policy
  • Implement a software and hardware validation policy
  • Implement policies and procedures for data storage and archiving to include at least annual testing of data backup systems
  • Implement a 1-, 3-, and 5-year budget plan for the lab

Think of your lab as a new home. If it is managed well and maintained properly it will last you a lifetime—but if you leave the windows open, let the appliances fall apart, and ignore the leaky roof, then you are going to have major issues. You should take proper care of your lab by making sure tools are maintained and upgraded, new tools are implemented as needed, policies adhered to, and staff skills are kept current through a robust training program. At the end of the day it isn’t your fancy software applications and cool hardware devices that will determine your success, but rather the people who use them.

This article is a high-level outline and not all-inclusive. More detailed lab guidelines and checklists can be obtained by contacting the author directly.


About the Author

André Champagne is currently a forensic investigator for the Wright County (Minnesota) Sheriff's Office. He has more than 20 years of experience in public safety IT and forensics. He holds numerous forensic certifications (CFCE, ACE, CME, others), has served on the Minnesota HTCIA board, and currently serves on the Century College Computer Forensics Advisory Board (2009-Present).

 

 