For those of you that have had a lab for a while or are just getting started these are some great guidelines to streamline and maximize your time in the lab. From procedure steps to the machine options there are always choices that a lot of times will depend on how much you want to spend. This article will review the first stage of the setup. Part 2 will focus on the second stage of setting up a lab including staffing and management of a lab.

Step 1. What is the purpose of your lab?

Knowing what types of digital evidence, you want to process will help you to determine what equipment you need and the processes you should have in place. It is always a good idea to know what types of data you want to be processing if you are processing for-profit and to determine how long it will take you to get the money you invested in the lab back.  If you are the public sector the same principles apply to make sure you are using your budget wisely.

Conduct a thorough evaluation of your capabilities and the availability of resources. We recommend doing a quick analysis that allows you to see what is going to work and what is not before you start investing.

Some questions to answer include:

1. What digital forensic services are you offering? For example, will this lab be a full-service digital forensics lab that handles all types of devices and casework, or will it be a lab that is focused on one particular niche such as mobile forensics?
2. What types of devices will you be examining (PCs, servers, tablets, smartphones, USB drives, DVRs, game consoles)?
3. What types of operating systems and file systems will you need to examine? Will these include Windows, Mac/iOS, Linux/Unix, Android, Chrome, NTFS, FAT, YAFFS, and EXT? Don’t forget there is always accessory data as well such as SQLite, Plist, EXIF, and live memory data as well.

 One final area is making sure you can extract, export, search, and to convert different types of data. This will be important so you know in the end what you are going to be providing as a work product. Whether it is reports, exports, or both you need to make sure you have a plan so that you add the science of a repeatable process into your digital forensic lab. 

Once you define your services you will be able to better meet your customer’s need. Make sure they are also areas you are interested in. Digital forensics is an ongoing skill set that requires continue education and development.

Step 2. What space do you have or need?

The first concern is always space as you need to keep your forensic area clear of other matters. Two reasons for this can make a big impact on you. The first is that evidence should always be treated as precious cargo and needs to be maintained, locked up, and have controlled access. Keep environmental controls in mind with a clean, cool, and dry environment. Nothing is worse than having damage happen to evidence due to poor controls.

The second is the mental health of your staff. When you are dealing with potential items that can be mentally harmful you must have a set area to keep it in. That way you can walk away from that zone and work from a separate area for day to day matters.

This second point is one often overlooked in digital forensics and needs to be addressed as a primary need. Keeping your mind sharp is part of what makes you a good digital forensic examiner and knowing you can close the door on a case and take a break is a great way to facilitate this.

Chain-of-custody issues need to be considered as well as the increased likelihood that evidence could be lost, misplaced, or damaged while in transit. You may also want to consider who your main clients are for your lab. Will the lab be convenient for them and does this matter? The location of your lab may also have a large impact on some of the upcoming topics we will be reviewing, such as network connectivity, environmental controls, power requirements, and security controls.

The Paraben lab uses lab tickets to help manage the intake of evidence into the lab. Those tickets are kept with the evidence as an internal tracking tool on top of the traditional chain-of-custody forms.

Finally, keep in mind digital forensics is not a spectator sport and the lab area should not be viewed by the rest of your workforce. Keep the data clean, secure, and private to ensure that any materials reviewed are done so in a professional manner.

Step 3. What equipment do you have or need?

As with many geeks out there you might have a bunch of equipment that you can use in your lab. There is nothing wrong with building a forensic workstation as long as you keep a few things in mind.

1. Make sure the processing power matches what you are working on.
2. Have a clean drive with a licensed operating system
3. Dedicate the machine to digital forensics.

When it comes to processing power needs change based on the types of evidence you deal with. Keep that in mind if you want to invest in one machine or two machines so you can dedicate a system for computer evidence processing and one to mobile evidence processing.   Some labs will dedicate the less powerful systems to acquisition and have a primary power system for actually breaking down the data. No matter which option you use it is always a good idea to have more than one machine in a lab and then have options in the configuration.

Choosing a workstation configuration is an important step. The effectiveness of digital examiners depends on the way the workstation is configured. The workstation should work as quietly as possible. Silent workstation performance is achieved by using low-noise fans and passive cooling systems.

We recommend using two or more monitors for each workstation. The most effective work is achieved when a digital examiner uses two workstations in its work.

There are many forensic workstation providers out there such as Digital Intelligence, Forensic Computers, EDAS Fox, SUMURI, and many more. You can work with anyone of these vendors to design a workstation that fits your needs. Many of the custom workstations will come with specialized equipment such as write blockers built into the machines.

Keep in mind you also need to consider the storage of your evidence. Who will need to access the image files and where will they need to be accessed? Will you store image files on individual hard drives, on your forensic workstations, on a network storage device, or some hybrid?

Many organizations will choose to set up a storage network. There are lots of options available for this configuration. The best practice is for your digital forensics lab to have a stand-alone network consisting of its cabling, switch, and router. This lab-specific network will allow all devices within the lab to communicate with each other in a secure environment while allowing connectivity to the existing corporate network infrastructure and the Internet through specific secured ports and protocols. Implementing a lab-specific network can be done relatively inexpensively depending on the type of hardware you choose to implement and the installation costs for cabling.