
Computer Forensics: Investigation Procedures and Response, Second Edition

Chapter 2 Computer Forensic Lab

© Cengage Learning 2017

Objectives

After completing this chapter, you should be able to:
• Understand and evaluate physical security needs
• Understand evidence lockers and how to secure them
• Create a forensic work area
• Configure a computer forensic lab
• Understand and evaluate equipment needs


Objectives

After completing this chapter, you should be able to (cont’d):
• Understand basic forensic workstation requirements
• Understand the tools and software forensic investigators use
• Understand data destruction industry standards


Introduction to the Computer Forensic Lab

• This chapter:
  – Describes the needs of a forensic investigator, such as the lab and the office
  – Discusses the physical security needs of a lab and recommends how to maintain security


Physical Security Needs of a Forensic Lab

• Physical security considerations of a lab:
  – Access to emergency services
  – Lighting at the site
  – Physical environment of the lab
  – Structural design of parking


Physical Security Recommendations for a Forensic Lab

• Level of physical security required for a forensic lab depends on:
  – The nature of the investigations that are carried out in the lab
• The assessment of risk for a forensic lab varies from organization to organization


Basic Requirements

• Keep a log register at the entrance of the lab that contains:
  – Name of the visitor
  – Date and time of the visit
  – Purpose of the visit
  – Name of the official the visitor has come to see
  – Place the visitor has come from
  – Address of the visitor
• Give visitors a visitor’s pass to differentiate them from the lab staff


Basic Requirements

• Install an intrusion alarm in the lab
• Deploy guards near the premises of the lab
• Place closed-circuit cameras in the lab and its premises
  – To monitor human movements within the lab
• Close windows in the lab


Workstation Security

• Workstations should be shielded from transmitting electromagnetic signals
• TEMPEST
  – An unclassified short name referring to investigations and studies of compromising emanations
  – Costly to build a TEMPEST lab because checks and maintenance have to be carried out at regular intervals
• Some vendors have come up with workstations that emit only low amounts of radiation

Fire Safety

• Fire can be disastrous in a forensic lab
• Any electrical device can be a source of fire
  – Does not generally happen with computers
• Fires may break out in computers if the servo-voice coil actuators in a hard drive freeze due to damage in the drive
• Ribbon cables do not respond well to excessive power
  – High voltage passed through a ribbon cable causes sparks to fly


Fire-Suppression Systems

• Fire-suppression systems:
  – Dry chemical fire extinguisher system deals with fires that occur due to chemical reactions
  – Sprinkler system should be checked frequently to make sure it is still working
• Fire extinguishers should be placed within and outside the lab
• Lab personnel and guards should be given instructions on how to use them


Evidence Locker Recommendations

• Evidence containers must be secured
  – Should be located in a restricted area that is only accessible to lab personnel
• All evidence containers must be monitored and be locked when not in use
• Storage containers or cabinets should:
  – Be made of steel
  – Include either an internal cabinet lock or an external padlock
• Lab personnel must regularly inspect the content of evidence storage containers


Checking the Security of a Forensic Lab

• General steps to check for security policy compliance:
  – Examine the ceiling, floor, and exterior walls of the lab at least once a month to check for structural integrity
  – Examine the doors to ensure they close and lock correctly
  – Check if the locks are working properly
  – Examine the log register to make sure all entries are correct and complete


Checking the Security of a Forensic Lab

• General steps to check for security policy compliance (cont’d):
  – Check the log sheets for evidence containers to see when the containers were opened and when they were closed
  – Acquire evidence that is not being processed and store it in a secure place
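The two log checks described on this and the previous slide, as an added example that is not part of the textbook: a small Python script that audits a constructed visitor log register for incomplete entries and pairs OPEN/CLOSE events on a constructed evidence-container log sheet. The semicolon-separated formats and field names are assumptions made for this example.

```python
from datetime import datetime

# Constructed sample log register: visitor; date/time of visit; purpose;
# official seen; place come from; address. A blank field is an incomplete entry.
REGISTER = """\
A. Visitor;2017-03-01 09:10;Deliver evidence;J. Examiner;County PD;12 Main St
B. Visitor;2017-03-01 10:30;;J. Examiner;Court;
"""

# Constructed evidence-container log sheet: container id; action; time; person.
CONTAINER_LOG = """\
LOCKER-3;OPEN;2017-03-01 09:15;J. Examiner
LOCKER-3;CLOSE;2017-03-01 09:40;J. Examiner
LOCKER-7;OPEN;2017-03-01 11:00;K. Tech
LOCKER-9;CLOSE;2017-03-01 12:05;K. Tech
"""

REGISTER_FIELDS = ["visitor", "datetime", "purpose", "official", "from", "address"]


def check_register(text):
    """Return one finding per register entry that is not complete and well formed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(";")
        if len(fields) != len(REGISTER_FIELDS):
            findings.append(f"line {lineno}: expected {len(REGISTER_FIELDS)} fields")
            continue
        missing = [n for n, v in zip(REGISTER_FIELDS, fields) if not v.strip()]
        if missing:
            findings.append(f"line {lineno}: missing {', '.join(missing)}")
        try:
            datetime.strptime(fields[1], "%Y-%m-%d %H:%M")
        except ValueError:
            findings.append(f"line {lineno}: bad date/time {fields[1]!r}")
    return findings


def check_container_log(text):
    """Pair each OPEN with its CLOSE; report containers left open or closed without an OPEN."""
    open_since = {}  # container id -> time of the OPEN that has not yet been closed
    findings = []
    for line in text.splitlines():
        cid, action, ts, _who = line.split(";")
        if action == "OPEN":
            if cid in open_since:
                findings.append(f"{cid}: opened again at {ts} while still open")
            open_since[cid] = ts
        elif action == "CLOSE":
            if cid not in open_since:
                findings.append(f"{cid}: closed at {ts} with no matching OPEN")
            else:
                del open_since[cid]
    for cid, ts in open_since.items():
        findings.append(f"{cid}: opened at {ts} and never closed")
    return findings


if __name__ == "__main__":
    for finding in check_register(REGISTER) + check_container_log(CONTAINER_LOG):
        print(finding)
```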


Work Area of a Computer Forensic Lab

• The forensics lab should be built in an area where human traffic is light
• An ideal lab consists of:
  – Two forensic workstations
  – One ordinary workstation with Internet connectivity


Work Area Configuration

• Configuration of the work area depends on the budget allocated for the forensics lab
  – On average, the workstation occupies the area of a desk
  – As the complexity and number of cases increase, the workstation area increases
• The work area should have ample space
  – Provide additional space for case discussions among investigators
• The layout of the forensics lab should be well planned and should be scalable

General Configuration of a Forensic Lab

• A forensics lab should have the following:
  – Workstations
  – UPS
  – Bookracks
  – Necessary software
  – Reference materials
  – Safe locker and storage shelf
  – LAN and Internet connectivity


Equipment Required in a Forensic Lab

• Some of the pieces of equipment common to any computer forensics lab are:
  – Cabinets
  – Printers and scanners
  – Additional hard drives
  – Tape drives


Electrical Needs

• Electrical needs of a computer forensic lab:
  – Amperage = measurement of the electric current
  – Emergency power and lighting for:
    • All evidence sections
    • All security sections, electronic security systems, and telephones
    • X-ray processing rooms and photography dark rooms
  – Electrical outlets
  – Uninterruptible power supply


Communications

• Factors to consider include:
  – Bandwidth
  – Dial-up access
  – Disconnection
  – Network
• Bandwidth
  – Refers to the width of the range of frequencies that an electronic signal uses on a given transmission medium


Basic Workstation Requirements in a Forensics Lab

• Hardware requirements for a basic forensic workstation:
  – Processor with high computing speed
  – 8 GB RAM
  – DVD-ROM with read/write capabilities
  – Motherboard that supports IDE, SCSI, and USB, with a slot for a LAN/WAN card and a fan attached for cooling the processor
  – Tape drive, USB drive, and removable drive bays


Basic Workstation Requirements in a Forensics Lab

• Hardware requirements for a basic forensic workstation (cont’d):
  – Monitor, keyboard, and mouse
  – Minimum of two hard drives for loading two different operating systems


Recommended Hardware Peripherals

• Necessary tools include:
  – 40-pin 18-inch and 36-inch IDE cables, both ATA-33 and ATA-100 or faster
  – SATA cables
  – USB adapter cables with a variety of terminal ends
  – A variety of detachable storage media like Jaz cartridges, Zip cartridges, and USB drives
  – Other electronic storage devices
  – CD/DVD readers and writers
  – Ribbon cables for floppy disks
  – Extra IDE hard drives


Recommended Hardware Peripherals

• Necessary tools include (cont’d):
  – Extra RAM
  – Extra SCSI cards
  – Graphics cards (ISA, PCI, AGP, and PCI Express)
  – Extra power cords
  – A variety of hard disk drives
  – Laptop hard drive connectors
  – Handheld devices
  – Supplementary storage devices for creating bit-stream copies or clones of the suspect storage media for examination purposes


Maintaining Operating System and Application Inventories

• Applications and OSs that must be maintained:
  – All Windows OSs through Windows 10
  – Linux, Unix, and Mac OS X operating systems
  – All Microsoft Office versions
  – Quicken
  – Programming language applications
  – Specialized viewers such as Quick View and ACDSee
  – Corel Office Suite
  – Star Office / Open Office


Maintaining Operating System and Application Inventories

• Applications and OSs that must be maintained (cont’d):
  – Peachtree accounting applications
  – Forensic software, such as:
    • Bit-stream backup utilities
    • Password recovery tools
    • Recovery tools for deleted data
    • Partition recovery tools
    • Searching tools
    • Firewalls and intrusion detection systems
    • Updated antivirus software


Common Terms

• Configuration management
  – Process of keeping track of all changes made to hardware, software, and firmware throughout the life of a system
• Risk management
  – Decision-making process involving considerations of political, social, economic, and engineering factors with relevant risk assessments relating to a potential hazard
• Business case
  – Justification to upper management or a lender for purchasing new equipment, software, or other tools


Required Forensic Tools

• Forensic professionals use a variety of tools both in the lab and in the field


Storage Bags

• Different types of bags have been developed to make sure evidence stays safe and secure
  – Wireless storage bags: use a special fabric that shields wireless devices from wireless signals that could potentially alter or eliminate data
  – Passport bags: to protect passports that contain RFID chips


Remote Chargers

• Remote chargers are used to provide power for devices that may contain vital evidence
  – Chargers allow investigators to retrieve evidence from devices such as phones and other handhelds that have run out of power


Write Block Protection Devices

• Tools that prevent the alteration or erasure of data during an investigation
  – Used when examining or copying data from a storage device to a forensic laptop or workstation
• Different types for different storage device connections


Data Acquisition Tools

• Cables
  – Forensic professionals should have all the cables they will need to connect a laptop to a device
• Rapid action imaging devices (RAIDs)
  – Allow a forensic investigator to copy a suspect hard drive to a clean hard drive quickly
• SIM card readers
  – Used to extract data from SIM cards
• Video-capture devices
  – Can take pictures of the screen when data cannot be obtained from the device

Forensic Archive and Restore Devices

• Forensic archive and restore robotic devices are used by investigators to archive forensic data
  – Can copy a large number of CD-ROM or DVD media discs containing forensic data
  – Many can also print labels for the copies so the investigator will know what is on the discs


Mobile Forensic Laptops

• Equipped with all the specialized software a forensic specialist needs in the field

• Have fast processors, large amounts of RAM, and large hard drives

• Equipped with DVD burners and media card readers

• Also have some form of write block protection, provided either through hardware or software


Mobile Forensic Laptops

Figure 2-1 A typical mobile forensic laptop has all the software and connections a forensic investigator needs to acquire and analyze data in the field

Forensic Workstations

• Like forensic laptops, forensic workstations have all the software a forensic specialist needs
• Additional features:
  – Equipped with DVD burners and media card readers
  – Typically top-of-the-line systems
  – Allow for the hot swapping of hard drives
    • Investigators can connect a suspect hard drive to a workstation for analysis without having to turn off the workstation
  – Provide write block protection


Imaging Workstations

• Forensic laboratories are equipped with workstations devoted solely to imaging storage devices
  – Including hard drives, CDs, DVDs, USB drives, and media cards
• Workstations typically store images on tapes
• Some of these workstations include password-cracking capabilities
  – So that data can be accessed even on password-protected storage devices


Software

• Forensic professionals use a variety of software tools for different tasks
• Most of this software is used for extracting and analyzing data on storage devices
• Software tools can also examine a live computer
  – Can both examine and record the live system state
    • Registry, running processes, logged-in users, files on all connected drives, and network configuration


Investigations at a Computer Forensic Lab

• Types of computer forensic investigations that are conducted at a computer forensic laboratory:
  – Child pornography and sexual exploitation
  – Use of e-mail, instant messaging, and chat
  – Computer hacking and network intrusion
  – Copyright infringement
  – Software piracy
  – Intellectual property disputes
  – Identity theft
  – Online auction fraud


Investigations at a Computer Forensic Lab

• Types of computer forensic investigations (cont’d):
  – Credit card fraud
  – Other financial frauds and schemes
  – Telecommunications fraud
  – Threats, harassment, and/or stalking
  – Extortion and/or blackmail
  – Online gambling
  – Drug abuse and/or distribution
  – Employee or employer misconduct
  – Theft, robbery, and/or burglary


Data Destruction Industry Standards

• Standards include:
  – American: DoD 5220.22-M
  – American: NAVSO P-5239-26 (RLL)
  – American: NAVSO P-5239-26 (MFM)
  – German: VSITR
  – Russian: Russian Standard, GOST P50739-95


Procedures at a Computer Forensic Lab

• Some examples of typical procedures:
  – Creating an exact replica of a hard disk drive or other storage device
  – Identifying leads and computer evidence contained in files and slack space
  – Documenting findings and providing expert witness testimony to help clarify technical computer issues
  – Finding, documenting, analyzing, and recording data on a formatted or purposely damaged hard drive
• All procedures in a computer forensic lab must meet federal standards
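The first procedure above (an exact bit-stream replica) together with the write block protection discussed earlier, as an added example that is not from the textbook: a Python acquisition routine that copies a source block by block, hashes the stream while reading, and then records the three checks an examiner wants on the report. A temporary file stands in for the suspect device, and the final step deliberately writes to the source to show which check a write blocker exists to keep green; all names and the sample data are constructed for this example.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # read/write unit for the bit-stream copy


def image_device(source_path, image_path):
    """Copy source to image block by block, hashing the stream as it is read.
    Returns (bytes_copied, SHA-256 of the source exactly as it was read)."""
    h, copied = hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
    return copied, h.hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def acquire_and_verify(source_path, image_path):
    """Acquire an image and report: sizes match, image hash matches the
    acquisition hash, and the source still hashes the same afterwards
    (the last check is what a write blocker is meant to guarantee)."""
    size_before = os.path.getsize(source_path)
    copied, acq_hash = image_device(source_path, image_path)
    return {
        "size_ok": copied == size_before == os.path.getsize(image_path),
        "image_ok": sha256_file(image_path) == acq_hash,
        "source_unchanged": sha256_file(source_path) == acq_hash,
        "sha256": acq_hash,
    }


def demo():
    """Constructed 'device': a 10 000-byte file (not a multiple of BLOCK_SIZE)."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "suspect.dd"), os.path.join(d, "suspect.img")
        with open(src, "wb") as f:
            f.write(bytes(i % 251 for i in range(10_000)))
        result = acquire_and_verify(src, img)
        # A single byte written to the source after acquisition (exactly what a
        # write blocker prevents) is enough to make the source hash diverge.
        with open(src, "r+b") as f:
            f.write(b"\xff")
        result["source_unchanged_after_write"] = sha256_file(src) == result["sha256"]
        return result


if __name__ == "__main__":
    print(demo())
```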

Summary

• An ideal lab consists of two forensic workstations and one ordinary workstation with Internet connectivity

• A lab should be inspected on a regular basis to check if the policies and procedures implemented are followed

• A forensics lab should be under surveillance at all times to protect it from intrusions

• Forensic investigators use a wide variety of software and hardware tools in the field and in the lab
