Computer Forensics Lab Management

Questions and Answers

Which of the following best describes the role of the American Society of Crime Laboratory Directors (ASCLD) in computer forensics?

  • They offer guidelines for managing labs, acquiring certification, and auditing procedures. (correct)
  • They manage day-to-day operations of forensic labs.
  • They provide official certifications for forensic examiners.
  • They develop the hardware and software used in forensic investigations.

Which of the following is NOT a typical duty of a computer forensics lab manager?

  • Estimating how many cases an investigator can handle
  • Enforcing ethical standards among lab staff members
  • Setting up processes for managing cases
  • Personally conducting all the forensic investigations (correct)

When planning a lab budget, it is sufficient to only consider the costs of hardware and software.

False (B)

According to the content, what is the primary purpose of checking statistics from the Uniform Crime Report when planning a computer forensics lab budget?

To understand the types of computer crimes that are most likely to occur. (B)

What is the name of the organization created by police officers who wanted to formalize credentials in computing investigations?

International Association of Computer Investigative Specialists (IACIS)

Which of the following certifications is offered by AccessData?

AccessData Certified Examiner (ACE) (A)

A computer forensics lab does not require a secure physical environment as most investigations are conducted virtually.

False (B)

What is the primary reason for locating evidence containers in a restricted area?

To ensure only authorized personnel can access the evidence (A)

If a combination locking system is used for evidence containers, how often should the combination be changed according to the content?

Every six months or when required (C)

It is acceptable to place keys for evidence padlocks anywhere in the lab as long as they are labeled correctly.

False (B)

Which of the following is a recommended practice for overseeing facility maintenance in a computer forensics lab?

Minimizing the risk of static electricity. (D)

What type of log should be maintained to record every instance an evidence container is accessed?

Evidence Log

According to the content, what should audits of a computer forensics lab include?

Ceiling, floor, roof, and exterior walls of the lab (B)

A basic forensic workstation should always be the most high-end, costly system available to ensure optimal performance.

False (B)

What is a general guideline for the ratio of computer investigators to the population in a region, according to the content?

One investigator for every 250,000 people (D)

Computing components generally last between ______ to 36 months under normal conditions.

18

Which of the following is a key element in creating a business case for developing a forensics lab?

Demonstrating how the lab will help save money and increase profits (D)

When preparing a business case for a computer forensics lab, implementation should precede approval and acquisition to demonstrate its viability.

False (B)

Match the forensics lab responsibility with the appropriate staff role:

  • Setting up processes for managing cases = Lab Manager
  • Applying deductive reasoning to investigations = Staff Member
  • Maintaining fiscal responsibility for lab needs = Lab Manager
  • Acquiring knowledge & training in hardware & software = Staff Member

Which of the following is the MOST critical reason for computer forensics labs to seek certification?

To ensure the admissibility of evidence in court. (D)

What is a key consideration when planning a lab budget for a private company, in contrast to a law enforcement agency?

Hardware and software inventory (D)

A secure forensics lab should have a locking mechanism for ______ access.

door

Why might a computer forensics lab use low-emanation workstations?

To meet TEMPEST facility requirements without the high cost. (D)

It is acceptable for containers storing digital evidence to remain unlocked, provided they are located in a secure room.

False (B)

Which of the following is most appropriate for disposing of sensitive documents from a computer forensics lab?

Hiring specialized companies. (B)

Which of the following practices best ensures physical security of a computer forensics lab?

Enforcing a sign-in log for visitors. (A)

Besides doors and locks, what other physical aspects of the lab should be part of routine security audits?

Ceiling, floor, roof, and exterior walls

What type of workstation setup is most suitable for mundane digital forensics tasks with limited resources?

A less powerful workstation meeting minimum requirements. (A)

Computer forensics investigators in private and corporate environments should only focus on Windows-based systems, as these are the most common.

False (B)

Which of the following hardware peripherals should any computer forensics lab have in stock?

IDE cables. (D)

Which type of software is essential to maintain licensed copies of in a forensics lab for examination of financial records?

Financial software (D)

Which practice is most important for ensuring workstation and investigation file integrity in a computer forensics lab?

Using a disaster recovery plan. (B)

For effective risk management, computer components in a forensics lab should be considered for upgrades at least every ______ months.

18

A laptop PC is always the best choice for a forensic workstation due to its portability and processing power.

False (B)

What is a key element needed when a Business Case is Developed for a Forensics Lab?

Plan you can use to sell your services to management or clients. (C)

Which of the following is a key aspect when preparing a Business Case for a Computer Forensics lab?

All of the above (D)

Match the action with the appropriate step when preparing a Business Case for a Computer Forensics Lab

  • Acceptance Testing = Steps
  • Justification = When preparing
  • Budget Development = When preparing
  • Correction for Acceptance = Steps

Where do computer forensics labs conduct investigations and store evidence?

computer forensics lab

Lab facility must be physically secure so that evidence is not lost, corrupted, or destroyed.

True (A)

Which lab will have a more difficult time planning and setting up?

Police Department (C)

A Forensic workstation needs to have what to be effective?

All of the above (D)

Flashcards

Computer Forensics Lab

A place where you conduct investigations, store evidence, and house your equipment, hardware, and software.

ASCLD

Organization that offers guidelines for managing a computer forensics lab, acquiring certification, and auditing lab functions.

Lab Manager Duties

Setting up processes, promoting consensus, maintaining fiscal responsibility, enforcing ethical standards, planning updates, and estimating case load.

Lab Manager Duties (continued)

Estimating result timelines, creating lab policies, providing a safe workplace, and knowledge of hardware, software, and file types.

Staff Member Duties

Having knowledge and training, technical skills, investigative skills, and having work reviewed regularly.

Lab Budget Planning

Breaking costs into daily, quarterly, and annual expenses, and using past expenses to predict future costs.

Factors for Lab Budget Planning

Consider hardware, software, facility space, trained personnel, number and types of computer cases, and changes in technology.

Budget Statistics Check

Check the Uniform Crime Report and identify crimes committed with specialized software.

Certification

Can be obtained from IACIS as Certified Electronic Evidence Collection Specialist (CEECS).

Physical Requirements

Keep the lab secure so evidence is not lost, corrupted, or destroyed, and maintain inventory control.

Minimum Security Requirements

Secure facility, small room, floor-to-ceiling walls, door access with locking mechanism, secure container, and visitor's log.

TEMPEST facilities

Containment of electromagnetic radiation.

Evidence Containers

Secure lockers that prevent unauthorized access to evidence.

Evidence Container Features

Made of steel with an internal cabinet or external padlock, secured in a restricted area, with an evidence log kept.

Maintaining Lab Facilities

Repairing damages, escorting cleaning crews, using antistatic pads, cleaning floors and carpets, and maintaining two trash containers.

Physical Security

Create/enforce a security policy, sign-in logs, visitor badges, intrusion alarm system, and guard force.

Auditing

Inspections of ceilings, floors, doors, visitor logs, and evidence container logs.

Forensic Workstation Choices

Depends on budget and needs but can use less powerful machines for mundane tasks.

Workstations for Police Labs

Special interest groups (SIG), one investigator for every 250,000 people, and general purpose workstation.

Workstations for Private Sector

Easy to determine depending on the environment (hardware and operating system).

Peripheral Stock

IDE cables, ribbon cables for floppy disks, graphics cards (both PCI and AGP types), power cords, and computer hand tools.

Software Inventory

Microsoft Office, Quicken, programming languages, specialized viewers, Corel, StarOffice, accounting applications.

Disaster Recovery Plan

Restoring investigation files and keeping track of software updates.

Equipment Upgrades

Involves determining how much risk is acceptable for any process or operation and identifying equipment to replace.

Laptop Forensic Workstations

Using FireWire, USB 2.0, and PCMCIA SATA hard disk.

Business Case

Planning how you will sell your services to management or clients, and how the lab can save the organization money.

Build the Case

Justification, budget development, approval/acquisition, and implementation.

Study Notes

Computer Forensics Lab

  • This is where investigations are conducted, evidence is stored, and equipment is housed.
  • The American Society of Crime Laboratory Directors (ASCLD) provides guidelines for managing, certifying, and auditing forensics labs.

Lab Manager Duties

  • Setting up case management processes
  • Promoting group consensus in decision making
  • Maintaining fiscal responsibility
  • Enforcing ethical standards
  • Planning lab updates
  • Establishing quality-assurance processes
  • Setting production schedules
  • Estimating caseloads and timelines for preliminary/final results
  • Creating/monitoring lab policies
  • Providing a safe and secure work environment

Staff Member Duties

  • Having knowledge and training in hardware, software, operating systems, file types, technical skills, investigative skills and deductive reasoning
  • Regularly reviewing work

Lab Budget Planning

  • Costs should be broken down into daily, quarterly, and annual expenses.
  • Past expenses should be used to predict future costs.
  • Expenses include hardware, software, facility space, and trained personnel
  • The Uniform Crime Report provides crime statistics.
  • For a private lab, check hardware/software inventory, past problems, and future tech developments.
  • Time management is a major issue when choosing software and hardware to purchase.

Acquiring Certification and Training

  • Update skills through training.
  • The International Association of Computer Investigative Specialists (IACIS) was created by police officers
    • IACIS offers the Certified Electronic Evidence Collection Specialist (CEECS) and Certified Forensic Computer Examiners (CFCEs) certifications
  • The High-Tech Crime Network (HTCN) offers certifications for Computer Crime Investigator and Computer Forensic Technician at basic and advanced levels.
  • Other certifications include EnCase Certified Examiner (EnCE) and AccessData Certified Examiner (ACE).
  • The High Technology Crime Investigation Association (HTCIA) is another training resource.
  • Other training and certifications can be obtained from:
    • SysAdmin, Audit, Network, Security (SANS) Institute
    • Computer Technology Investigators Network (CTIN)
    • New Technologies, Inc. (NTI)
    • Southeast Cybercrime Institute at Kennesaw State University
    • Federal Law Enforcement Training Center (FLETC)
    • National White Collar Crime Center (NW3C)

Physical Requirements for a Computer Forensics Lab

  • The lab should be secure to prevent lost, corrupted, or destroyed evidence.
  • It should provide a safe physical environment
  • Inventory control of assets is a must.

Lab Security Needs

  • A secure facility preserves the integrity of evidence.
  • Minimum requirements include a small room with floor-to-ceiling walls, a locking door, a secure container, and a visitor's log.
  • People working together should have the same access level.
  • Staff should be briefed on the security policy.

High-Risk Investigations

  • If conducting such investigations, more security than the minimum lab requirements is needed.
  • TEMPEST facilities are one type of added security and are EMR-proofed.
  • Low-emanation workstations can be used to avoid the high costs of TEMPEST facilities.

Evidence Containers

  • These must be secure to prevent unauthorized access, located in restricted areas, and only accessible by authorized personnel
  • Records must be kept of authorized personnel
  • They should remain locked when not in use
  • If using a combination lock:
    • Provide the same level of security for the combination
    • Destroy previous combinations
    • Only authorized personnel may change the combination
    • Change the combination every six months or when required
  • If using a keyed padlock:
    • Appoint a key custodian
    • Stamp sequential numbers on each key
    • Maintain a key registry
    • Conduct a monthly audit and inventory of keys
    • Place keys in a lockable container
    • Maintain the same level of security for keys as for evidence containers
    • Change locks and keys annually
  • The container should be steel with an internal cabinet or external padlock.
  • Acquire a media safe and build an evidence storage room if possible.
  • An evidence log should be kept and updated whenever containers are opened or closed.

Facility Maintenance

  • Physical damages should be immediately repaired.
  • Cleaning crews should be escorted.
  • Minimize static electricity with antistatic pads and cleaning.
  • Maintain separate trash containers for unrelated and sensitive materials.
  • Hire specialized companies for disposing of sensitive materials when possible.

Physical Security Needs

  • Create a security policy and enforce it
  • A sign-in log for visitors is required, and all visitors should be escorted.
  • Use visible or audible indicators for visitors.
  • Install an intrusion alarm system and hire a guard force if needed.

Auditing

  • Auditing ensures that policies are properly enforced.
  • Audits should include checking the ceiling, floor, roof, walls, doors, locks, visitor logs, and evidence container logs.
  • At the end of each workday, secure evidence not being processed.

Workstations

  • Selection depends on budget and needs.
  • Less powerful workstations can be used for mundane tasks.
  • Multipurpose workstations are for high-end analysis.
  • Police labs have the most diverse needs.
    • One computer investigator for every 250,000 people in a region.
    • One multipurpose forensic workstation and one general-purpose workstation.
  • It is easier to determine private and corporate lab requirements.

Hardware Peripherals

  • IDE cables
  • Ribbon cables for floppy disks
  • SCSI cards (ultra-wide preferred)
  • Graphics cards (PCI and AGP)
  • Power cords
  • Hard disk drives
  • At least two 2.5-inch notebook IDE hard drive to standard IDE/ATA or SATA adapters
  • Computer hand tools

Software Inventories

  • Maintain licensed copies of software such as Microsoft Office, Quicken, programming languages, specialized viewers, Corel Office Suite, StarOffice/OpenOffice, and Peachtree.

Disaster Recovery Plan

  • This should restore the workstation and investigation files to the state they were in before virus contamination and reconfigurations
  • Includes backup tools for single disks and RAID servers
  • Configuration management should keep track of software updates

Equipment Upgrades

  • Risk management determines acceptable risk levels in processes.
  • Identify equipment your lab depends on for periodic replacement as well as equipment that can be replaced when it fails
  • Computing components last 18-36 months under normal conditions; schedule upgrades preferably every 12 months and at least every 18 months.

Laptop Forensic Workstations

  • They can be lightweight and mobile, but are still limited as forensic workstations despite improvements
  • Laptop workstations should have a FireWire port, USB 2.0 port, and PCMCIA SATA hard disk.

Building a Business Case

  • A business case is used to sell services to management/clients
  • Labs help save money and increase profits by protecting trade secrets and business plans
  • Follow these steps in preparing a case:
    • Justification
    • Budget development (facility, hardware, software, miscellaneous)
    • Approval and acquisition
    • Implementation (acceptance testing, correction for acceptance, production)
