Computer forensics EC-Council V2-module5
Setting Up Forensics Lab
Published by: agtpkustoms13 on Oct 04, 2012
Copyright: Attribution Non-commercial
Hank Wolfe
Associate Professor, Computer Forensics & Security, Information Science Dept., Otago School of Business, University of Otago, Corner of Clyde & Union Streets, PO Box 56, Dunedin, New Zealand. Tel: +64 3 479-8141, Fax: +64 3 479-8311, Email: hwolfe@infoscience.otago.ac.nz

In our last column we took a look at being an expert witness and giving forensic evidence testimony. An added word of cautionary advice for private practitioners: CHARGE A LOT for expert testimony! If you are involved in a high-profile case that drags on and on and you must testify as an expert witness repeatedly at the whim and caprice of the various attorneys, it could disrupt your private practice and cause potential loss of current and future earnings. Your current case load could be seriously delayed and your credibility for future work may also be damaged. The previous discussion, by nature, was very general; however, each jurisdiction has a formal set of directives and guidelines specifically to assist expert witnesses, so you must also refer to these for more details.

The following discussion will be focused on setting up an electronic evidence forensics laboratory and the various parts that make up a professional facility. The many parts also include the portable forensics kit(s), which include documentation forms, evidence bags, tags, labels, etc, as well as portable hardware and associated software for undertaking an evidentiary acquisition on site. Not all such activities may be performed in the lab, but the mobile forensics toolkit must be fully compatible and in sync with the laboratory acquisition equipment and software at all times.

There may be accreditation for such laboratories, depending on the jurisdiction. For example, in the US one such accreditation may be sought from the American Society of Crime Laboratory Directors. If accreditation is possible in your jurisdiction, it may be advisable to explore the criteria for achieving it. While there may be differing views as to the value of accreditation, it is my opinion that having it is one more stone in the foundation of credibility, and therefore it should be viewed in a positive light.
The parts
There are several parts that make up a forensics laboratory. Firstly, there is the physical facility itself. This will be the home base for secure storage of evidentiary materials, for the analysis of captured data, for the operation of cloned systems, for the production of final evidence reports, and for the physical premises where the forensics professional will perform most of their duties and work. So, it is a secure storage facility, an office, an operational laboratory, and a production facility all rolled into one.

It should also have a separate interview facility or office where interviews and/or collaborative investigative procedures can be carried out without disturbing any ongoing technical or forensic work. Normally an investigating officer or attorney with an in-depth knowledge of the case will have queries that can be answered more effectively in collaboration with the forensic investigator. The forensics professional will, in real-time, perform specific analysis and/or search actions to find the answer to questions posed by the investigating officer or attorney.
Setting up an electronic evidence forensics laboratory

Henry B. Wolfe

Henry B. Wolfe has a long computing career spanning more than 43 years. He currently specializes in cryptographic problems where related to forensic investigation, general computer security, surveillance, and electronic forensics, teaching these topics to law enforcement (both in New Zealand and internationally) as well as at the graduate level in the University of Otago located in Dunedin, New Zealand, where he is an associate professor.

Computers & Security
Vol 22, No 8 0167-4048/03 ©2003 Elsevier Ltd. All rights reserved.

Physical requirements

Physical floor space will be dictated by the size of the group that will occupy it. The space should be in a secure location or contain appropriate measures that will stop unauthorized access to the premises. It should have an adjacent and secure walk-in lock-up vault that can keep intruders from gaining access to its contents as well as protect the contents from fire/heat, smoke, water, and electromagnetic emanations (and should generally not be near radio equipment). The seized equipment, as well as official certified evidentiary copies of seized data, will be stored in this vault and, with the appropriate enforced sign-out/in procedures, it will serve to maintain the chain of evidence. Therefore, access to the vault and its contents should be logged and monitored at all times.

There also needs to be adequate lockable storage space for various specialized equipment that will, over the course of investigations, be acquired and used for other investigations. This space must also accommodate consumables like CDs, DVDs, removable hard drives of various capacities, paper, toner cartridges, etc.
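A minimal form of the enforced vault sign-out/sign-in ledger described above, as an added example that is not part of the article: it records the digest of a certified evidentiary copy when the item is registered, refuses a second sign-out while an item is already out, re-hashes the copy on return so an altered copy is flagged, and lists items still out of the vault. The class, field and tag names are assumptions made for illustration.

```python
import hashlib

class CustodyLog:
    """Vault sign-out/sign-in ledger for certified evidentiary copies.
    Assumed design for illustration, not the article's own procedure."""

    def __init__(self):
        # tag -> {"sha256": digest recorded at registration, "events": [...]}
        self.items = {}

    def register(self, tag, data, person, when):
        # Record the digest of the certified copy as it enters the vault.
        digest = hashlib.sha256(data).hexdigest()
        self.items[tag] = {"sha256": digest,
                           "events": [("register", person, when, "hash_recorded")]}
        return digest

    def sign_out(self, tag, person, when):
        item = self.items[tag]
        if item["events"][-1][0] == "sign_out":
            # Two people cannot hold the same item: a second sign-out is a custody break.
            raise ValueError(f"{tag} already signed out by {item['events'][-1][1]}")
        item["events"].append(("sign_out", person, when, ""))

    def sign_in(self, tag, data, person, when):
        item = self.items[tag]
        if item["events"][-1][0] != "sign_out":
            raise ValueError(f"{tag} was not signed out")
        # Re-hash on return so an altered copy is caught at the vault door.
        ok = hashlib.sha256(data).hexdigest() == item["sha256"]
        item["events"].append(("sign_in", person, when, "hash_ok" if ok else "HASH_MISMATCH"))
        return ok

    def outstanding(self):
        # Items whose last event is a sign-out are still out of the vault.
        return sorted(t for t, i in self.items.items() if i["events"][-1][0] == "sign_out")


def demo():
    # Constructed sample: a short byte string stands in for a certified disk image.
    image = b"constructed sample image bytes"
    log = CustodyLog()
    log.register("EV-0001", image, "examiner_a", "2003-11-03T09:00")
    log.sign_out("EV-0001", "examiner_b", "2003-11-03T10:15")
    out_now = log.outstanding()                    # ["EV-0001"] while it is out
    intact = log.sign_in("EV-0001", image, "examiner_b", "2003-11-03T16:40")
    log.sign_out("EV-0001", "examiner_c", "2003-11-04T08:05")
    tampered = log.sign_in("EV-0001", image + b"x", "examiner_c", "2003-11-04T12:00")
    return out_now, intact, tampered, log.items["EV-0001"]["events"][-1][3]
```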
Hardware requirements
A number of computers is required, including a network server with large storage capacity (preferably configured for the standard removable hard drives). This server will be used to manage, document and administer cases, store various software tools, and manage one-off specialist hardware. The hardware that must be managed will include, for example, devices like Rimage CD production units, CopyPro floppy disk readers, printers, etc. The evidentiary copy of seized data is usually written to CD or DVD and, because of the large capacity of current hard drives, this can be a time-consuming process. The Rimage, and other units like it, make it possible to create, number and label the media unattended, producing as many as 50 CD/DVDs without intervention. Capturing the contents of floppy disks is even more time consuming, and devices like the CopyPro can acquire as many as 50 floppy disks without intervention. The capabilities of these types of devices may vary from model to model; the two mentioned above are merely examples with specific capacities.

There should also be separate Internet connection(s) (NEVER connected to the forensics server). The Internet will be useful for finding and sharing forensics information and techniques and for communicating with other forensics professionals. Staying abreast of developments in this field is a vital part of staying viable in the forensics arena. The Internet provides one source to help accomplish this need.

There should be a number of workstations that connect to the internal network. This number will depend on how many forensics people are employed. The workstations will enable them to work on individual cases simultaneously and have access to the shared devices and resources.

Portable acquisition computers (the kit) will be required. Ideally, each should be configured identically with the standard forensics suite of tools and removable hard drives (the same standard hard drives as above) of various capacities. Each kit should have a robust carrying case that can accommodate extra hard drives, an array of associated connection plugs and converters, and a hard drive write blocker such as FastBlock. The forensic kits will be used for on-site acquisition and/or seizure. It is usually preferable for acquisition to be undertaken in the controlled conditions of the laboratory; however, there are circumstances where that is not practical and an evidentiary acquisition must be undertaken on site (for example, when dealing with an Internet service provider). These kits must also have an assortment of forms, labels, tags, pens, tape, evidence bags, an electronic camera, a GPS, etc, all of which are vital to the process of seizure and acquisition.

There will be an ongoing need to obtain devices, media, cables, converters, and specialized media readers of various types, both for experimental purposes and for the acquisition of evidence from media other than hard drives or floppies (for example, SIMs, flash memory of various description, iButtons, etc).

The hardware and physical premises constitute the largest outlay of funds. This, however, is an ongoing process and funds must be allocated