June 22, 2020
For those of you who have had a lab for a while, or who are just getting started, these are some guidelines to streamline and maximize your time in the lab. From procedure steps to machine options, there are always choices, and many of them will depend on how much you want to spend. This article reviews the first stage of the setup. Part 2 will focus on the second stage of setting up a lab, including staffing and management of the lab.
Step 1. What is the purpose of your lab?
Knowing what types of digital evidence you want to process will help you determine what equipment you need and the processes you should have in place. If you are processing for profit, it is always a good idea to know what types of data you want to be processing and to determine how long it will take to recover the money you invested in the lab. If you are in the public sector, the same principles apply to make sure you are using your budget wisely.
Conduct a thorough evaluation of your capabilities and the availability of resources. We recommend doing a quick analysis that allows you to see what is going to work and what is not before you start investing.
Some questions to answer include:
- What digital forensic services are you offering? For example, will this lab be a full-service digital forensics lab that handles all types of devices and casework, or will it be a lab that is focused on one particular niche such as mobile forensics?
- What types of devices will you be examining (PCs, servers, tablets, smartphones, USB drives, DVRs, game consoles)?
- What types of operating systems and file systems will you need to examine? Will these include Windows, Mac/iOS, Linux/Unix, Android, Chrome, NTFS, FAT, YAFFS, and EXT? Don’t forget there is always accessory data as well, such as SQLite, Plist, EXIF, and live memory data.
One final area is making sure you can extract, export, search, and convert different types of data. This is important so you know, in the end, what you are going to be providing as a work product. Whether it is reports, exports, or both, you need to have a plan so that you build the science of a repeatable process into your digital forensic lab.
Once you define your services, you will be better able to meet your customers’ needs. Make sure they are also areas you are interested in. Digital forensics is an ongoing skill set that requires continuing education and development.
Step 2. What space do you have or need?
The first concern is always space, as you need to keep your forensic area clear of other matters. There are two reasons for this, and both can have a big impact on you. The first is that evidence should always be treated as precious cargo: it needs to be maintained, locked up, and kept under controlled access. Keep environmental controls in mind as well, with a clean, cool, and dry environment. Nothing is worse than having evidence damaged because of poor controls.
The second is the mental health of your staff. When you are dealing with material that can be mentally harmful, you must have a set area to keep it in. That way you can walk away from that zone and work from a separate area for day-to-day matters.
This second point is often overlooked in digital forensics and needs to be addressed as a primary need. Keeping your mind sharp is part of what makes you a good digital forensic examiner, and knowing you can close the door on a case and take a break is a great way to facilitate this.
Chain-of-custody issues need to be considered as well, along with the increased likelihood that evidence could be lost, misplaced, or damaged while in transit. You may also want to consider who the main clients of your lab are. Will the lab be convenient for them, and does this matter? The location of your lab may also have a large impact on some of the upcoming topics we will be reviewing, such as network connectivity, environmental controls, power requirements, and security controls.
The Paraben lab uses lab tickets to help manage the intake of evidence into the lab. Those tickets are kept with the evidence as an internal tracking tool on top of the traditional chain-of-custody forms.
Finally, keep in mind digital forensics is not a spectator sport and the lab area should not be viewed by the rest of your workforce. Keep the data clean, secure, and private to ensure that any materials reviewed are done so in a professional manner.
Step 3. What equipment do you have or need?
Like many geeks out there, you might already have a bunch of equipment that you can use in your lab. There is nothing wrong with building your own forensic workstation as long as you keep a few things in mind.
- Make sure the processing power matches what you are working on.
- Have a clean drive with a licensed operating system.
- Dedicate the machine to digital forensics.
When it comes to processing power, needs change based on the types of evidence you deal with. Keep that in mind when deciding whether to invest in one machine or two, so that you can dedicate one system to computer evidence processing and one to mobile evidence processing. Some labs will dedicate the less powerful systems to acquisition and have a primary high-powered system for actually breaking down the data. No matter which option you use, it is always a good idea to have more than one machine in a lab and to have options in the configuration.
Choosing a workstation configuration is an important step. The effectiveness of digital examiners depends on the way the workstation is configured. The workstation should work as quietly as possible. Silent workstation performance is achieved by using low-noise fans and passive cooling systems.
We recommend using two or more monitors for each workstation. The most effective work is achieved when a digital examiner uses two workstations in their work.
There are many forensic workstation providers out there, such as Digital Intelligence, Forensic Computers, EDAS Fox, SUMURI, and many more. You can work with any one of these vendors to design a workstation that fits your needs. Many of the custom workstations will come with specialized equipment, such as write blockers, built into the machines.
Keep in mind you also need to consider the storage of your evidence. Who will need to access the image files and where will they need to be accessed? Will you store image files on individual hard drives, on your forensic workstations, on a network storage device, or some hybrid?
Many organizations will choose to set up a storage network. There are lots of options available for this configuration. The best practice is for your digital forensics lab to have a stand-alone network consisting of its own cabling, switch, and router. This lab-specific network will allow all devices within the lab to communicate with each other in a secure environment while allowing connectivity to the existing corporate network infrastructure and the Internet only through specific secured ports and protocols. Implementing a lab-specific network can be done relatively inexpensively, depending on the type of hardware you choose and the installation costs for cabling.
Step 4. What software do you need?
Software is one of the highest expenses, beyond people, that you will have in your lab. The cost of software in digital forensics varies greatly between manufacturers. Keep in mind that those costs are often higher simply because of the size of the manufacturer you are dealing with. When purchasing software, you need to compare all of your different choices. Just because a company is the largest in the business doesn’t mean that smaller companies don’t have something just as good. Do an honest evaluation and make your decisions based on a few key points.
- Always pick from forensic companies
You don’t want to just pick a random tool from the internet for a job. Make sure the tool is designed to handle items as digital evidence. There is a lot that goes on in the backend, behind the scenes, to make sure all that data is dealt with properly.
- Evaluate the company service
When you add digital forensic software to your lab, you are starting a relationship with that company. You want to make sure you know who they are and how quickly they will resolve the issues you will have. Having issues when dealing with the large variety of data that exists in digital forensics is inevitable.
- Is it supporting what you need?
Don’t get caught up in a trend when you are starting a lab. Make sure you are getting tools that support what you need, not what is hot. If your client base is not doing a lot of chat in WhatsApp, then that should not be a feature you require your tool to have.
- Have more than one tool
Don’t think you get a one-and-done when it comes to digital forensic software. You need to make sure you get a primary tool and a backup. Digital evidence should always be processed and cross-verified. There are lots of free and open-source options available, such as Autopsy, that can be part of your lab. Get a foundation tool and cross-validate with something that is more budget-friendly. Take a look at our Validation eBook for the process to follow.
Many times comparison charts are available; check the charts and ask how they were generated to ensure that the data you are seeing is fair and complete before falling into a potential marketing trap.