Computer Forensics: Investigation Procedures and Response, Second Edition
Chapter 2 Computer Forensic Lab
© Cengage Learning 2017
Objectives
After completing this chapter, you should be able to:
• Understand and evaluate physical security needs
• Understand evidence lockers and how to secure them
• Create a forensic work area
• Configure a computer forensic lab
• Understand and evaluate equipment needs
Objectives
After completing this chapter, you should be able to (cont’d):
• Understand basic forensic workstation requirements
• Understand the tools and software forensic investigators use
• Understand data destruction industry standards
Introduction to the Computer Forensic Lab
• This chapter:
– Describes the needs of a forensic investigator, such as the lab and the office
– Discusses the physical security needs of a lab and recommends how to maintain security
Physical Security Needs of a Forensic Lab
• Physical security considerations of a lab:
– Access to emergency services
– Lighting at the site
– Physical environment of the lab
– Structural design of parking
Physical Security Recommendations for a Forensic Lab
• The level of physical security required for a forensic lab depends on:
– The nature of the investigations that are carried out in the lab
• The assessment of risk for a forensic lab varies from organization to organization
Basic Requirements
• Keep a log register at the entrance of the lab that contains:
– Name of the visitor
– Date and time of the visit
– Purpose of the visit
– Name of the official the visitor has come to see
– Place the visitor has come from
– Address of the visitor
• Give visitors a visitor’s pass to differentiate them from the lab staff
Basic Requirements
• Install an intrusion alarm in the lab
• Deploy guards near the premises of the lab
• Place closed-circuit cameras in the lab and its premises
– To monitor human movements within the lab
• Close windows in the lab
Workstation Security
• Workstations should be shielded from transmitting electromagnetic signals
• TEMPEST
– An unclassified short name referring to investigations and studies of compromising emanations
– Costly to build a TEMPEST lab because checks and maintenance have to be carried out at regular intervals
• Some vendors have come up with workstations that emit only low amounts of radiation
Fire Safety
• Fire can be disastrous in a forensic lab
• Any electrical device can be a source of fire
– Does not generally happen with computers
• Fires may break out in computers if the servo-voice coil actuators in a hard drive freeze due to damage in the drive
• Ribbon cables do not respond well to excessive power
– High voltage passed through a ribbon cable causes sparks to fly
Fire-Suppression Systems
• Fire-suppression systems:
– Dry chemical fire extinguisher system deals with fires that occur due to chemical reactions
– Sprinkler system should be checked frequently to make sure it is still working
• Fire extinguishers should be placed within and outside the lab
• Lab personnel and guards should be given instructions on how to use them
Evidence Locker Recommendations
• Evidence containers must be secured
– Should be located in a restricted area that is only accessible to lab personnel
• All evidence containers must be monitored and be locked when not in use
• Storage containers or cabinets should:
– Be made of steel
– Include either an internal cabinet lock or an external padlock
• Lab personnel must regularly inspect the contents of evidence storage containers
Checking the Security of a Forensic Lab
• General steps to check for security policy compliance:
– Examine the ceiling, floor, and exterior walls of the lab at least once a month to check for structural integrity
– Examine the doors to ensure they close and lock correctly
– Check that the locks are working properly
– Examine the log register to make sure all entries are correct and complete
Checking the Security of a Forensic Lab
• General steps to check for security policy compliance (cont’d):
– Check the log sheets for evidence containers to see when the containers were opened and when they were closed
– Acquire evidence that is not being processed and store it in a secure place
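As an added example (not from the textbook), the log-sheet check above written as a small audit script: it reads constructed OPEN/CLOSE entries for evidence containers and flags a close with no matching open, a close timestamped before its open, a container left open, and any entry made by someone not on the lab roster. The line format, container IDs and roster are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log-sheet lines (not from the textbook). Assumed format:
# "<date> <time> <OPEN|CLOSE> <container-id> <person>"
SAMPLE_LOG = """\
2017-03-02 09:14 OPEN  EC-07 jsmith
2017-03-02 09:40 CLOSE EC-07 jsmith
2017-03-02 13:05 OPEN  EC-12 rlee
2017-03-02 13:02 CLOSE EC-12 rlee
2017-03-03 08:30 OPEN  EC-03 visitor42
2017-03-03 16:55 CLOSE EC-09 jsmith
2017-03-03 17:10 OPEN  EC-07 rlee
"""

LAB_PERSONNEL = {"jsmith", "rlee"}  # constructed roster of lab staff

LINE_RE = re.compile(r"^(\S+ \S+)\s+(OPEN|CLOSE)\s+(\S+)\s+(\S+)$")


def parse_entries(text):
    """Parse log-sheet lines into (timestamp, action, container, person) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed log line: {line!r}")
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        entries.append((ts, m.group(2), m.group(3), m.group(4)))
    return entries


def audit_log_sheet(text, personnel):
    """Return a list of findings; an empty list means the sheet is consistent."""
    findings = []
    open_since = {}  # container -> (timestamp, person) while it is open
    for ts, action, container, person in parse_entries(text):
        if person not in personnel:
            findings.append(f"{container}: {action} by non-lab person {person} at {ts}")
        if action == "OPEN":
            if container in open_since:
                findings.append(f"{container}: opened again at {ts} without a CLOSE")
            open_since[container] = (ts, person)
        else:
            if container not in open_since:
                findings.append(f"{container}: CLOSE at {ts} with no matching OPEN")
                continue
            opened_at, _ = open_since.pop(container)
            if ts < opened_at:
                findings.append(f"{container}: CLOSE at {ts} precedes OPEN at {opened_at}")
    # Anything still open at the end of the sheet was never logged as closed
    for container, (ts, person) in open_since.items():
        findings.append(f"{container}: still open (opened {ts} by {person})")
    return findings
```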
Work Area of a Computer Forensic Lab
• The forensics lab should be built in an area where human traffic is light
• An ideal lab consists of:
– Two forensic workstations
– One ordinary workstation with Internet connectivity
Work Area Configuration
• Configuration of the work area depends on the budget allocated for the forensics lab
– On average, the workstation occupies the area of a desk
– As the complexity and number of cases increase, the workstation area increases
• The work area should have ample space
– Provide additional space for case discussions among investigators
• The layout of the forensics lab should be well planned and should be scalable
General Configuration of a Forensic Lab
• A forensics lab should have the following:
– Workstations
– UPS
– Bookracks
– Necessary software
– Reference materials
– Safe locker and storage shelf
– LAN and Internet connectivity
Equipment Required in a Forensic Lab
• Some of the pieces of equipment common to any computer forensics lab are:
– Cabinets
– Printers and scanners
– Additional hard drives
– Tape drives
Electrical Needs
• Electrical needs of a computer forensic lab:
– Amperage = measurement of the electric current
– Emergency power and lighting for:
  • All evidence sections
  • All security sections, electronic security systems, and telephones
  • X-ray processing rooms and photography dark rooms
– Electrical outlets
– Uninterruptible power supply
Communications
• Factors to consider include:
– Bandwidth
– Dial-up access
– Disconnection
– Network
• Bandwidth
– Refers to the width of the range of frequencies that an electronic signal uses on a given transmission medium
Basic Workstation Requirements in a Forensics Lab
• Hardware requirements for a basic forensic workstation:
– Processor with high computing speed
– 8 GB RAM
– DVD-ROM with read/write capabilities
– Motherboard that supports IDE, SCSI, and USB, with a slot for a LAN/WAN card and a fan attached for cooling the processor
– Tape drive, USB drive, and removable drive bays
Basic Workstation Requirements in a Forensics Lab
• Hardware requirements for a basic forensic workstation (cont’d):
– Monitor, keyboard, and mouse
– Minimum of two hard drives for loading two different operating systems
Recommended Hardware Peripherals
• Necessary tools include:
– 40-pin 18-inch and 36-inch IDE cables, both ATA-33 and ATA-100 or faster
– SATA cables
– USB adapter cables with a variety of terminal ends
– A variety of detachable storage media like Jaz cartridges, Zip cartridges, and USB drives
– Other electronic storage devices
– CD/DVD readers and writers
– Ribbon cables for floppy disks
– Extra IDE hard drives
Recommended Hardware Peripherals
• Necessary tools include (cont’d):
– Extra RAM
– Extra SCSI cards
– Graphics cards (ISA, PCI, AGP, and PCI Express)
– Extra power cords
– A variety of hard disk drives
– Laptop hard drive connectors
– Handheld devices
– Supplementary storage devices for creating bit-stream copies or clones of the suspect storage media for examination purposes
Maintaining Operating System and Application Inventories
• Applications and OSs that must be maintained:
– All Windows OSs through Windows 10
– Linux, Unix, and Mac OS X operating systems
– All Microsoft Office versions
– Quicken
– Programming language applications
– Specialized viewers such as Quick View and ACDSee
– Corel Office Suite
– Star Office / Open Office
Maintaining Operating System and Application Inventories
• Applications and OSs that must be maintained (cont’d):
– Peachtree accounting applications
– Forensic software, such as:
  • Bit-stream backup utilities
  • Password recovery tools
  • Recovery tools for deleted data
  • Partition recovery tools
  • Searching tools
  • Firewalls and intrusion detection systems
  • Updated antivirus software
Common Terms
• Configuration management
– Process of keeping track of all changes made to hardware, software, and firmware throughout the life of a system
• Risk management
– Decision-making process involving considerations of political, social, economic, and engineering factors with relevant risk assessments relating to a potential hazard
• Business case
– Justification to upper management or a lender for purchasing new equipment, software, or other tools
Required Forensic Tools
• Forensic professionals use a variety of tools both in the lab and in the field
Storage Bags
• Different types of bags have been developed to make sure evidence stays safe and secure
– Wireless storage bags: use a special fabric that shields wireless devices from wireless signals that could potentially alter or eliminate data
– Passport bags: protect passports that contain RFID chips
Remote Chargers
• Remote chargers are used to provide power for devices that may contain vital evidence
– Chargers allow investigators to retrieve evidence from devices such as phones and other handhelds that have run out of power
Write Block Protection Devices
• Tools that prevent the alteration or erasure of data during an investigation
– Used when examining or copying data from a storage device to a forensic laptop or workstation
• Different types for different storage device connections
Data Acquisition Tools
• Cables
– Forensic professionals should have all the cables they will need to connect a laptop to a device
• Rapid action imaging devices (RAIDs)
– Allow a forensic investigator to copy a suspect hard drive to a clean hard drive quickly
• SIM card readers
– Used to extract data from SIM cards
• Video-capture devices
– Can take pictures of the screen when data cannot be obtained from the device
Forensic Archive and Restore Devices
• Forensic archive and restore robotic devices are used by investigators to archive forensic data
– Can copy a large number of CD-ROM or DVD media discs containing forensic data
– Many can also print labels for the copies so the investigator will know what is on the discs
Mobile Forensic Laptops
• Equipped with all the specialized software a forensic specialist needs in the field
• Have fast processors, large amounts of RAM, and large hard drives
• Equipped with DVD burners and media card readers
• Also have some form of write block protection, provided either through hardware or software
Mobile Forensic Laptops
Figure 2-1 A typical mobile forensic laptop has all the software and connections a forensic investigator needs to acquire and analyze data in the field
Forensic Workstations
• Like forensic laptops, forensic workstations have all the software a forensic specialist needs
• Additional features:
– Equipped with DVD burners and media card readers
– Typically top-of-the-line systems
– Allow for the hot swapping of hard drives
  • Investigators can connect a suspect hard drive to a workstation for analysis without having to turn off the workstation
– Provide write block protection
Imaging Workstations
• Forensic laboratories are equipped with workstations devoted solely to imaging storage devices
– Including hard drives, CDs, DVDs, USB drives, and media cards
• Workstations typically store images on tapes
• Some of these workstations include password-cracking capabilities
– So that data can be accessed even on password-protected storage devices
Software
• Forensic professionals use a variety of software tools for different tasks
• Most of this software is used for extracting and analyzing data on storage devices
• Software tools can also examine a live computer
– Can both examine and record the live system state
  • Registry, running processes, logged-in users, files on all connected drives, and network configuration
Investigations at a Computer Forensic Lab
• Types of computer forensic investigations that are conducted at a computer forensic laboratory:
– Child pornography and sexual exploitation
– Use of e-mail, instant messaging, and chat
– Computer hacking and network intrusion
– Copyright infringement
– Software piracy
– Intellectual property disputes
– Identity theft
– Online auction fraud
Investigations at a Computer Forensic Lab
• Types of computer forensic investigations (cont’d):
– Credit card fraud
– Other financial frauds and schemes
– Telecommunications fraud
– Threats, harassment, and/or stalking
– Extortion and/or blackmail
– Online gambling
– Drug abuse and/or distribution
– Employee or employer misconduct
– Theft, robbery, and/or burglary
Data Destruction Industry Standards
• Standards include:
– American: DoD 5220.22-M
– American: NAVSO P-5239-26 (RLL)
– American: NAVSO P-5239-26 (MFM)
– German: VSITR
– Russian: Russian Standard, GOST P50739-95
Procedures at a Computer Forensic Lab
• Some examples of typical procedures:
– Creating an exact replica of a hard disk drive or other storage device
– Identifying leads and computer evidence contained in files and slack space
– Documenting findings and providing expert witness testimony to help clarify technical computer issues
– Finding, documenting, analyzing, and recording data on a formatted or purposely damaged hard drive
• All procedures in a computer forensic lab must meet federal standards
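As an added example (not from the textbook), the "exact replica" procedure in Python: the source is read once and copied byte for byte into an image file, both are hashed with SHA-256, and the image is re-read from disk so the verification does not trust the in-memory copy. The helper reports a match before and a mismatch after a single byte of the image is changed. The suspect "device" is a constructed temporary file; in a lab the source would sit behind the write blocker described earlier. File names and function names are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write unit


def sha256_file(path, chunk=CHUNK):
    """Hash a file in fixed-size blocks so images larger than RAM can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src_path, dst_path, chunk=CHUNK):
    """Copy src byte-for-byte into dst.

    Returns (source_hash, image_hash, bytes_copied). The source hash is computed
    from the bytes as they are read; the image hash is recomputed from the
    finished file on disk after fsync, so the two agree only if what landed on
    disk is what was read.
    """
    h_src = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h_src.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    return h_src.hexdigest(), sha256_file(dst_path, chunk), copied


def verify_image(src_path, dst_path):
    """True only if source and image are the same size and hash identically."""
    return (os.path.getsize(src_path) == os.path.getsize(dst_path)
            and sha256_file(src_path) == sha256_file(dst_path))


def demo():
    """Image a constructed 'device' file; returns (ok_before_tamper, ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "suspect_device.bin")  # constructed stand-in for a drive
        img = os.path.join(tmp, "suspect.img")
        with open(dev, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))  # not a whole number of chunks
        src_hash, img_hash, copied = image_device(dev, img)
        ok_before = (src_hash == img_hash
                     and copied == os.path.getsize(dev)
                     and verify_image(dev, img))
        # Alter one byte of the image to show the verification catches it
        with open(img, "r+b") as f:
            f.seek(100)
            b = f.read(1)
            f.seek(100)
            f.write(bytes([b[0] ^ 0xFF]))
        return ok_before, verify_image(dev, img)
```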
Summary
• An ideal lab consists of two forensic workstations and one ordinary workstation with Internet connectivity
• A lab should be inspected on a regular basis to check if the policies and procedures implemented are followed
• A forensics lab should be under surveillance at all times to protect it from intrusions
• Forensic investigators use a wide variety of software and hardware tools in the field and in the lab