Henry B. Wolfe

Henry B. Wolfe has a long computing career spanning more than 43 years. He currently specializes in cryptographic problems as they relate to forensic investigation, general computer security, surveillance, and electronic forensics, teaching these topics to law enforcement (both in New Zealand and internationally) as well as at the graduate level at the University of Otago, located in Dunedin, New Zealand, where he is an associate professor.
seized equipment, as well as official certified evidentiary copies of seized data, will be stored in this vault and, with the appropriate enforced sign-out/in procedures, it will serve to maintain the chain of evidence. Therefore, access to the vault and its contents should be logged and monitored at all times.

There also needs to be adequate lockable storage space for various specialized equipment that will, over the course of investigations, be acquired and used for other investigations. This space must also accommodate consumables like CDs, DVDs, removable hard drives of various capacities, paper, toner cartridges, etc.
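The enforced sign-out/in procedure described above can be made concrete as a custody ledger. The following Python is an added example, not code from the article: it assumes each vault item is registered with a SHA-256 digest of its evidentiary copy at intake (an assumption, not a step the article states), refuses to release an item that another custodian already holds, and records every action, including refused ones, in an audit log.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class EvidenceItem:
    """One seized item or certified evidentiary copy held in the vault."""
    item_id: str
    description: str
    sha256: str                       # digest recorded at intake (assumed practice)
    custodian: Optional[str] = None   # None means the item is in the vault


@dataclass
class CustodyLedger:
    items: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (timestamp, action, item, person, note)

    def _record(self, action, item_id, person, note=""):
        self.log.append((datetime.now(timezone.utc).isoformat(), action, item_id, person, note))

    def intake(self, item_id, description, data: bytes, person):
        """Register an evidentiary copy; the digest lets sign-in verify it was not altered."""
        digest = hashlib.sha256(data).hexdigest()
        self.items[item_id] = EvidenceItem(item_id, description, digest)
        self._record("intake", item_id, person, digest)
        return digest

    def sign_out(self, item_id, person):
        item = self.items[item_id]
        if item.custodian is not None:
            # Enforced procedure: only one custodian at a time, and refusals are logged too.
            self._record("denied", item_id, person, f"held by {item.custodian}")
            raise PermissionError(f"{item_id} is signed out to {item.custodian}")
        item.custodian = person
        self._record("sign_out", item_id, person)

    def sign_in(self, item_id, person, data: bytes):
        """Return an item; only the current custodian may do so. Returns True if the copy is intact."""
        item = self.items[item_id]
        if item.custodian != person:
            raise PermissionError(f"{person} is not the custodian of {item_id}")
        intact = hashlib.sha256(data).hexdigest() == item.sha256
        item.custodian = None
        self._record("sign_in", item_id, person, "hash ok" if intact else "HASH MISMATCH")
        return intact

    def custodian_of(self, item_id):
        return self.items[item_id].custodian
```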
A number of computers is required, including a network server with large storage capacity (preferably configured for the standard removable hard drives). This server will be used to manage, document and administer cases, store various software tools, and manage one-off specialist hardware. The hardware that must be managed will include, for example, devices like Rimage CD production units, CopyPro floppy disk readers, printers, etc. The evidentiary copy of seized data is usually written to CD or DVD and, because of the large capacity of current hard drives, this can be a time-consuming process. The Rimage, and other units like it, make it possible to create, number and label the media unattended, producing as many as 50 CD/DVDs without intervention. Capturing the contents of floppy disks is even more time consuming, and devices like the CopyPro can acquire as many as 50 floppy disks without intervention. The capabilities of these types of devices may vary from model to model; the two mentioned above are merely examples with specific capacities.

There should also be separate Internet connection(s) (NEVER connected to the forensics server). The Internet will be useful for finding and sharing forensics information and techniques and for communicating with other forensics professionals. Staying abreast of developments in this field is a vital part of staying viable in the forensics arena. The Internet provides one source to help accomplish this need.

There should be a number of workstations that connect to the internal network. This number will depend on how many forensics people are employed. The workstations will enable them to work on individual cases simultaneously and have access to the shared devices and resources.

Portable acquisition computers (the kit) will be required. Ideally, each should be configured identically with the standard forensics suite of tools and removable hard drives (the same standard hard drives as above) of various capacities.
Each kit should have a robust carrying case that can accommodate extra hard drives, an array of associated connection plugs and converters, and a hard drive write blocker such as FastBlock. The forensic kits will be used for on-site acquisition and/or seizure. It is usually preferable for acquisition to be undertaken in the controlled conditions of the laboratory; however, there are circumstances where that is not practical and an evidentiary acquisition must be undertaken on site (for example, when dealing with an Internet service provider). These kits must also have an assortment of forms, labels, tags, pens, tape, evidence bags, an electronic camera, a GPS, etc., all of which are vital to the process of seizure and acquisition.

There will be an ongoing need to obtain devices, media, cables, converters, and specialized media readers of various types, both for experimental purposes and for the acquisition of evidence from media other than hard drives or floppies (for example, SIMs, flash memory of various description, iButtons, etc.).

The hardware and physical premises constitute the largest outlay of funds. This, however, is an ongoing process and funds must be allocated
Setting up an electronic evidence forensics laboratory Henry B. Wolfe