Chapter 3: The Investigator s Office and Laboratory

Transcription

1 Chapter 3: The Investigator s Office and Laboratory Dept. of Computer Science 1

2 Objectives Describe certification requirements for computer forensics labs List physical requirements for a computer forensics lab Explain the criteria for selecting a basic forensic workstation Describe components used to build a business case for developing a forensics lab Dept. of Computer Science 2

3 Forensics Lab Certification Requirements Computer forensics lab Conduct the investigation Store evidence House equipment, hardware, and software American Society of Crime Laboratory Directors (ASCLD) guidelines Managing a lab Acquiring an official certification Auditing lab functions and procedures Dept. of Computer Science 3

4 Lab manager duties: Lab Manager Duties Set up processes for managing cases Promote group consensus in decision making Maintain fiscal responsibility for lab needs Enforce ethical standards among lab staff members Plan updates for the lab Establish and promote quality-assurance processes Set reasonable production schedules Estimate how many cases an investigator can handle Dept. of Computer Science 4

5 Lab Manager Duties Estimate when to expect preliminary and final results Create and monitor lab policies for staff Provide a safe and secure workplace for staff and evidence Dept. of Computer Science 5

6 Knowledge and training: Hardware and software OS and file types Deductive reasoning Technical training Investigative skills Deductive reasoning Lab Staff Duties Work reviewed regularly by the lab manager Dept. of Computer Science 6

7 Lab Budget Planning Daily, quarterly, and annual expenses Use past investigation expenses to extrapolate expected future costs Expenses for a lab include: Hardware Software Facility space Trained personnel Dept. of Computer Science 7

8 Lab Budget Planning Estimate the number of computer cases lab expects to examine Consider changes in technology Statistics as predictor of kinds of computer crimes Dept. of Computer Science 8

9 Lab Budget Planning Uniform Crime Report Identify crimes committed with specialized software Lab for private company, check: Hardware and software inventory Problems reported last year Future developments in computing technology Time management Dept. of Computer Science 9

10 Lab Budget Planning Dept. of Computer Science 10

11 Certification and Training Update skills through appropriate training International Association of Computer Investigative Specialists (IACIS) Certified Electronic Evidence Collection Specialist (CEECS) Certified Forensic Computer Examiners (CFCEs) Dept. of Computer Science 11

12 Certification and Training High-Tech Crime Network (HTCN) Certified Computer Crime Investigator, Basic and Advanced Level Certified Computer Forensic Technician, Basic and Advanced Level EnCase Certified Examiner (EnCE) Certification AccessData Certified Examiner (ACE) Certification Dept. of Computer Science 12

13 Certification and Training Other training and certifications High Technology Crime Investigation Association (HTCIA) SysAdmin, Audit, Network, Security (SANS) Institute Computer Technology Investigators Network (CTIN) NewTechnologies, Inc. (NTI) Southeast Cybercrime Institute at Kennesaw State University Federal Law Enforcement Training Center (FLETC) National White Collar Crime Center (NW3C) Dept. of Computer Science 13

14 Physical Requirements for Computer Forensics Lab Most investigation is conducted in a lab Should be secure Provide a safe and secure physical environment Keep inventory control of your assets Dept. of Computer Science 14

15 Identifying Lab Security Needs Secure facility Minimum requirements Small room with true floor-to-ceiling walls Door access with a locking mechanism Secure container Visitor s log People working together should have same access level Brief your staff about security policy Dept. of Computer Science 15

16 Conducting High-Risk Investigations Demand more security than minimum lab requirements TEMPEST facilities Electromagnetic Radiation (EMR) proofed TEMPEST facilities are very expensive Can use low-emanation workstations instead Dept. of Computer Science 16

17 Using Evidence Containers Known as evidence lockers Must be secure Recommendations Locate in a restricted area Limited access Maintain records of authorized access Locked when not in use Dept. of Computer Science 17

18 Using Evidence Containers Combination locking system: Same level of security for the combination as for the container s contents Destroy any previous combinations Only authorized personnel may change lock combinations Change combination every six months Dept. of Computer Science 18

19 Using Evidence Containers Keyed padlock: Appoint a key custodian Stamp sequential numbers on each duplicate key Maintain registry listing which key assignment Conduct monthly audit Take inventory of all keys regularly Place keys in a lockable container Maintain same level of security for keys as for evidence containers Change locks and keys annually Dept. of Computer Science 19

20 Using Evidence Containers Container should be: Made of steel Internal cabinet or external padlock If possible, acquire a media safe When possible, build evidence storage room Keep an evidence log Dept. of Computer Science 20

21 Overseeing Facility Maintenance Immediately repair physical damage Escort cleaning crews Minimize risk of static electricity Maintain two separate trash containers Materials unrelated to an investigation Sensitive materials When possible, hire specialized companies for disposing sensitive materials Dept. of Computer Science 21

22 Physical Security Needs Create a security policy Enforce the policy Sign-in log for visitors Anyone that is not assigned to the lab is a visitor Escort all visitors all the time Visible or audible indicators that a visitor is inside your premises Intrusion alarm system Hire a guard force Dept. of Computer Science 22

23 Auditing a Computer Forensics Lab Ensures proper enforcing of policies Should include: Ceiling, floor, roof, exterior walls Doors and doors locks Visitor logs Evidence container logs At the end of every workday, secure in forensic workstation any evidence not being processed Dept. of Computer Science 23

24 Determining Floor Plans for Computer Forensics Labs Dept. of Computer Science 24

25 Determining Floor Plans for Computer Forensics Labs Dept. of Computer Science 25

26 Determining Floor Plans for Computer Forensics Labs Dept. of Computer Science 26

27 Selecting Basic Forensic Workstation Depends on budget and needs Use less powerful workstations for mundane tasks Use multipurpose workstations for high-end analysis tasks Dept. of Computer Science 27

28 Selecting Workstations for Police Labs Have the most diverse needs Special-interest groups (SIG) General rule: Per 250,000 people One computer investigator One multipurpose forensic workstation One general-purpose workstation Dept. of Computer Science 28

29 Selecting Workstations for Private and Corporate Labs Identify the environment Hardware platform Operating system Gather tools appropriate to that environment Dept. of Computer Science 29

30 Stocking Hardware Peripherals IDE cables Ribbon cables for floppy disks SCSI cards, preferably ultra-wide Graphics cards, both PCI and AGP types Power cords Hard disk drives At least two 2.5-inch Notebook IDE hard drives with standard IDE/ATA or SATA adapter Computer hand tools Dept. of Computer Science 30

31 OS and Software Inventories Licensed copies of software: Microsoft Office 2007, XP, 2003, 2000, 97, and 95 Quicken Programming languages Specialized viewers Corel Office Suite StarOffice/OpenOffice Peachtree accounting applications Dept. of Computer Science 31

32 Disaster Recovery Plan Restore workstation and investigation files to original condition Includes backup tools for single disks and RAID servers Track software updates to workstation Dept. of Computer Science 32

33 Planning for Equipment Upgrades Risk management How much risk is acceptable for any process or operation? On what equipment does lab depend? Equipment which can be replaced when it fails Computing components: 18 to 36 months under normal conditions Schedule upgrades every months Dept. of Computer Science 33

34 Using Laptop Forensic Workstations Lightweight, mobile forensic workstation FireWire port USB 2.0 port PCMCIA SATA hard disk Limited as forensic workstations Dept. of Computer Science 34

35 Building Business Case for Developing a Forensics Lab Budget problems! Business case Demonstrate how lab will help organization save money and increase profits Dept. of Computer Science 35

36 Preparing Business Case for Computer Forensics Lab Follow these steps: Justification Budget development Facility cost Computer hardware requirements Software requirements Miscellaneous costs Approval and acquisition Implementation Acceptance testing Correction for acceptance Production Dept. of Computer Science 36

37 Summary A computer forensics lab is where you conduct investigations, store evidence, and do most of your work Seek to upgrade your skills through training Lab facility must be physically secure so that evidence is not lost, corrupted, or destroyed Harder to plan a computer forensics lab for a police department than for a private organization or corporation Dept. of Computer Science 37

38 Summary (continued) A forensic workstation needs to have adequate memory, storage, and ports Prepare a business case to enlist the support of your managers and other team members when building a forensics lab Dept. of Computer Science 38