Labs and Tools
Forensic laboratories and tools are pivotal to the success of any digital forensic
investigation. Laboratory accreditation is a mechanism implemented to ensure that
reliable and accurate results are obtained from any analysis.
Forensic tools come in a wide range of categories including hardware, software,
commercial, and open source.
American Society of Crime Laboratory Directors/Laboratory Accreditation Board
(ASCLD/LAB), Regional Computer Forensic Laboratory (RCFL), Standard
Operating Procedure, Quality Assurance (QA), Write Block, Accreditation,
Certification, Examiners Final Report
Introduction
We will explore the different types of laboratory setups as well as the hardware and
software tools in common use. We also look at Standard Operating Procedures and
Quality Assurance, two critical components of an effective digital forensic lab.
Obtaining and maintaining laboratory accreditation, although time-consuming and
expensive, greatly improves a lab's performance and the quality of its findings.
Examiner certification ensures that the skill of the labs meets a minimum level.
These elements come together to ensure that only valid and reliable results are
produced and that justice is served.
Forensic Laboratories
Forensic labs closely follow the jurisdictional lines of law enforcement (local,
county, state, and federal). The majority of these facilities are run by a law
enforcement agency. The FBI's crime laboratory in Quantico, Virginia, has the
distinction of being the largest lab in the world.
,Not all computer forensic examinations are conducted in what would be considered
a traditional laboratory setting. Many agencies conduct them locally at their
departments if they have the necessary equipment and trained personnel on hand.
Digital forensics isn't cheap, so not every agency can afford to train and equip their
own examiners. One way to meet this ever-growing demand is the Regional
Computer Forensic Laboratory (RCFL) program started by the FBI. The RCFL
program runs sixteen facilities throughout the United States.
They provide digital forensic services and training to all levels of law enforcement.
Each RCFL is staffed and managed by a partnership of local, state, and federal law
enforcement agencies.
The RCFL program is a great success, and making a significant dent in the backlog
of digital forensic examinations across the country. During fiscal year 2010,
RCFLs nationwide performed 6,564 forensic examinations and processed a
whopping 3,086 terabytes of data.
The RCFLs process a wide variety of digital devices and media including
smartphones, hard drives, GPS (Global Positioning System) units, and flash drives.
In 2010, RCFL examiners helped convict rapists, terrorists, and crooked
politicians.
Virtual Labs
Digital labs don't have to be confined to a single location. Today's technology
makes it possible to run a “virtual” lab with the examiners and the central evidence
repository located in geographically separate locations. This arrangement has
several advantages including cost savings, greater access to more resources (tools
and storage for example), access to diverse and greater expertise, and reduction of
unnecessary duplication of resources.
This virtual arrangement allows for distinct role-based access. For example, full
access could be granted to examiners and laboratory management. Prosecutors,
investigators, and defense attorneys would have restricted access. This restricted
access would limit what those folks could see and what they could do (read only,
etc.).
,There are some considerable concerns with this approach:
1. Security—The security of the system must be robust enough to maintain the
level of evidence integrity required by the courts. Otherwise there could be
catastrophic consequences, such as rendering evidence from multiple cases
inadmissible.
2. Performance—For this scheme to work, connectivity must be both speedy and
reliable. No connection or a slow connection will quickly impact the organization's
ability to function.
3. Cost—Startup costs in particular are substantial and potentially beyond what
many agencies can afford.
Lab Security
Lab security is always a major concern. Access to the evidence and facilities must
be strictly managed. Strict security plays a key role in maintaining the integrity of
the digital evidence that passes through the laboratory. Only authorized, vetted
personnel should have access to critical areas such as examination stations and
evidence storage.
Unauthorized individuals are usually kept out using doors and other physical
barriers along with access controls such as keys, swipe cards, and access codes.
Digital solutions such as swipe cards and access codes offer an advantage over
older methods such as keys.
Electronic means provide a ready-made audit trail that can be used in support of
the chain of custody. Security is further enhanced with alarm systems and the like.
Unauthorized access isn't the only threat to the evidence. The risk of fire, flooding,
and other natural disasters also must be addressed.
The chain of custody continues at the lab, as does the paperwork. In the lab, the
evidence must be signed in and out of the evidence storage area for examinations
and court. This log must be completed each and every time the evidence is
removed or returned to the evidence room or vault. This checkout and check-in
process can be done the old-fashioned way with pen and paper or electronically
with scanners and bar codes.
, Just like in the field, network access to evidence in the lab is also a concern. This is
true for both the Internet and the lab's own computers.
Best practice tells us that the machine used to perform the examination should not
be connected to the Internet. Removing this connection removes that argument that
the evidence was somehow compromised by someone or something (malware for
example) via the Internet.
Virtual labs will need to be able to articulate how the integrity of their evidence is
maintained, given the nature of their operation.
Malware (viruses, worms, and the like) could be hiding on any evidence drive
brought in for examination. Connecting it in some manner to the internal network
poses a major risk to not only the lab's computers but evidence from other cases as
well. To mitigate the risk, these drives should be scanned for viruses by at least one
antivirus tool prior to examination.
Evidence Storage
When the evidence is not actively being examined, it must be stored in a secure
location with limited access. One of the best solutions is a data safe. These safes
come in multiple sizes and are specifically designed to protect digital evidence
from theft and fire.
Some types of digital media are very vulnerable to heat (tape, for example). A data
safe is able to keep the media at an acceptable temperature long enough for the fire
to be extinguished.
Evidence storage locations must be kept locked at all times when not actively
being used. A log or audit trail should also be maintained detailing who entered,
when they entered, and what they removed or returned.
Access to evidence storage and other sensitive areas can be controlled by a variety
of means including pass codes and key cards. Electronic controls have some
distinct advantages over keys. One significant advantage is the ability to log each
and every time an individual accesses a restricted area. This audit trail can be very
helpful in monitoring and verifying the chain of custody.
Forensic laboratories and tools are pivotal to the success of any digital forensic
investigation. Laboratory accreditation is a mechanism implemented to ensure that
reliable and accurate results are obtained from any analysis.
Forensic tools come in a wide range of categories including hardware, software,
commercial, and open source.
American Society of Crime Laboratory Directors/Laboratory Accreditation Board
(ASCLD/LAB), Regional Computer Forensic Laboratory (RCFL), Standard
Operating Procedure, Quality Assurance (QA), Write Block, Accreditation,
Certification, Examiners Final Report
Introduction
We will explore the different types of laboratory setups as well as the hardware and
software tools in common use. We also look at Standard Operating Procedures and
Quality Assurance, two critical components of an effective digital forensic lab.
Obtaining and maintaining laboratory accreditation, although time-consuming and
expensive, greatly improves a lab's performance and the quality of its findings.
Examiner certification ensures that the skill of the labs meets a minimum level.
These elements come together to ensure that only valid and reliable results are
produced and that justice is served.
Forensic Laboratories
Forensic labs closely follow the jurisdictional lines of law enforcement (local,
county, state, and federal). The majority of these facilities are run by a law
enforcement agency. The FBI's crime laboratory in Quantico, Virginia, has the
distinction of being the largest lab in the world.
,Not all computer forensic examinations are conducted in what would be considered
a traditional laboratory setting. Many agencies conduct them locally at their
departments if they have the necessary equipment and trained personnel on hand.
Digital forensics isn't cheap, so not every agency can afford to train and equip their
own examiners. One way to meet this ever-growing demand is the Regional
Computer Forensic Laboratory (RCFL) program started by the FBI. The RCFL
program runs sixteen facilities throughout the United States.
They provide digital forensic services and training to all levels of law enforcement.
Each RCFL is staffed and managed by a partnership of local, state, and federal law
enforcement agencies.
The RCFL program is a great success, and making a significant dent in the backlog
of digital forensic examinations across the country. During fiscal year 2010,
RCFLs nationwide performed 6,564 forensic examinations and processed a
whopping 3,086 terabytes of data.
The RCFLs process a wide variety of digital devices and media including
smartphones, hard drives, GPS (Global Positioning System) units, and flash drives.
In 2010, RCFL examiners helped convict rapists, terrorists, and crooked
politicians.
Virtual Labs
Digital labs don't have to be confined to a single location. Today's technology
makes it possible to run a “virtual” lab with the examiners and the central evidence
repository located in geographically separate locations. This arrangement has
several advantages including cost savings, greater access to more resources (tools
and storage for example), access to diverse and greater expertise, and reduction of
unnecessary duplication of resources.
This virtual arrangement allows for distinct role-based access. For example, full
access could be granted to examiners and laboratory management. Prosecutors,
investigators, and defense attorneys would have restricted access. This restricted
access would limit what those folks could see and what they could do (read only,
etc.).
,There are some considerable concerns with this approach:
1. Security—The security of the system must be robust enough to maintain the
level of evidence integrity required by the courts. Otherwise there could be
catastrophic consequences, such as rendering evidence from multiple cases
inadmissible.
2. Performance—For this scheme to work, connectivity must be both speedy and
reliable. No connection or a slow connection will quickly impact the organization's
ability to function.
3. Cost—Startup costs in particular are substantial and potentially beyond what
many agencies can afford.
Lab Security
Lab security is always a major concern. Access to the evidence and facilities must
be strictly managed. Strict security plays a key role in maintaining the integrity of
the digital evidence that passes through the laboratory. Only authorized, vetted
personnel should have access to critical areas such as examination stations and
evidence storage.
Unauthorized individuals are usually kept out using doors and other physical
barriers along with access controls such as keys, swipe cards, and access codes.
Digital solutions such as swipe cards and access codes offer an advantage over
older methods such as keys.
Electronic means provide a ready-made audit trail that can be used in support of
the chain of custody. Security is further enhanced with alarm systems and the like.
Unauthorized access isn't the only threat to the evidence. The risk of fire, flooding,
and other natural disasters also must be addressed.
The chain of custody continues at the lab, as does the paperwork. In the lab, the
evidence must be signed in and out of the evidence storage area for examinations
and court. This log must be completed each and every time the evidence is
removed or returned to the evidence room or vault. This checkout and check-in
process can be done the old-fashioned way with pen and paper or electronically
with scanners and bar codes.
, Just like in the field, network access to evidence in the lab is also a concern. This is
true for both the Internet and the lab's own computers.
Best practice tells us that the machine used to perform the examination should not
be connected to the Internet. Removing this connection removes that argument that
the evidence was somehow compromised by someone or something (malware for
example) via the Internet.
Virtual labs will need to be able to articulate how the integrity of their evidence is
maintained, given the nature of their operation.
Malware (viruses, worms, and the like) could be hiding on any evidence drive
brought in for examination. Connecting it in some manner to the internal network
poses a major risk to not only the lab's computers but evidence from other cases as
well. To mitigate the risk, these drives should be scanned for viruses by at least one
antivirus tool prior to examination.
Evidence Storage
When the evidence is not actively being examined, it must be stored in a secure
location with limited access. One of the best solutions is a data safe. These safes
come in multiple sizes and are specifically designed to protect digital evidence
from theft and fire.
Some types of digital media are very vulnerable to heat (tape, for example). A data
safe is able to keep the media at an acceptable temperature long enough for the fire
to be extinguished.
Evidence storage locations must be kept locked at all times when not actively
being used. A log or audit trail should also be maintained detailing who entered,
when they entered, and what they removed or returned.
Access to evidence storage and other sensitive areas can be controlled by a variety
of means including pass codes and key cards. Electronic controls have some
distinct advantages over keys. One significant advantage is the ability to log each
and every time an individual accesses a restricted area. This audit trail can be very
helpful in monitoring and verifying the chain of custody.
