Briefly outline the process of selecting workstations for a police computer investigation lab.


Chapter 3: The Investigator’s Office and Laboratory

Saint Xavier University

Dept. of Computer Science

1

Objectives
• Describe certification requirements for computer forensics labs
• List physical requirements for a computer forensics lab
• Explain the criteria for selecting a basic forensic workstation
• Describe components used to build a business case for developing a forensics lab


Forensics Lab Certification Requirements
• Computer forensics lab
  – Conduct the investigation
  – Store evidence
  – House equipment, hardware, and software
• American Society of Crime Laboratory Directors (ASCLD) guidelines
  – Managing a lab
  – Acquiring an official certification
  – Auditing lab functions and procedures


Lab Manager Duties
• Lab manager duties:
  – Set up processes for managing cases
  – Promote group consensus in decision making
  – Maintain fiscal responsibility for lab needs
  – Enforce ethical standards among lab staff members
  – Plan updates for the lab
  – Establish and promote quality-assurance processes
  – Set reasonable production schedules
  – Estimate how many cases an investigator can handle


Lab Manager Duties (continued)
• Estimate when to expect preliminary and final results
• Create and monitor lab policies for staff
• Provide a safe and secure workplace for staff and evidence


Lab Staff Duties
• Knowledge and training:
  – Hardware and software
  – OS and file types
  – Deductive reasoning
  – Technical training
  – Investigative skills
• Work reviewed regularly by the lab manager


Lab Budget Planning
• Daily, quarterly, and annual expenses
• Use past investigation expenses to extrapolate expected future costs
• Expenses for a lab include:
  – Hardware
  – Software
  – Facility space
  – Trained personnel


Lab Budget Planning (continued)
• Estimate the number of computer cases the lab expects to examine
• Consider changes in technology
• Use statistics as a predictor of the kinds of computer crimes to expect


Lab Budget Planning (continued)
• Uniform Crime Report
• Identify crimes committed with specialized software
• For a lab in a private company, check:
  – Hardware and software inventory
  – Problems reported last year
  – Future developments in computing technology
• Time management


Certification and Training
• Update skills through appropriate training
• International Association of Computer Investigative Specialists (IACIS)
  – Certified Electronic Evidence Collection Specialist (CEECS)
  – Certified Forensic Computer Examiner (CFCE)


Certification and Training (continued)
• High-Tech Crime Network (HTCN)
  – Certified Computer Crime Investigator, Basic and Advanced Level
  – Certified Computer Forensic Technician, Basic and Advanced Level
• EnCase Certified Examiner (EnCE) Certification
• AccessData Certified Examiner (ACE) Certification


Certification and Training (continued)
• Other training and certifications
  – High Technology Crime Investigation Association (HTCIA)
  – SysAdmin, Audit, Network, Security (SANS) Institute
  – Computer Technology Investigators Network (CTIN)
  – New Technologies, Inc. (NTI)
  – Southeast Cybercrime Institute at Kennesaw State University
  – Federal Law Enforcement Training Center (FLETC)
  – National White Collar Crime Center (NW3C)


Physical Requirements for Computer Forensics Lab
• Most investigation is conducted in a lab
• The lab should be secure
• Provide a safe and secure physical environment
• Keep inventory control of your assets


Identifying Lab Security Needs
• Secure facility
• Minimum requirements
  – Small room with true floor-to-ceiling walls
  – Door access with a locking mechanism
  – Secure container
  – Visitor's log
• People working together should have the same access level
• Brief your staff about the security policy


Conducting High-Risk Investigations
• Demand more security than the minimum lab requirements
  – TEMPEST facilities
    • Electromagnetic Radiation (EMR) proofed
  – TEMPEST facilities are very expensive
    • Can use low-emanation workstations instead


Using Evidence Containers
• Known as "evidence lockers"
  – Must be secure
• Recommendations
  – Locate in a restricted area
  – Limited access
  – Maintain records of authorized access
  – Locked when not in use


Using Evidence Containers (continued)
• Combination locking system:
  – Same level of security for the combination as for the container's contents
  – Destroy any previous combinations
  – Only authorized personnel may change lock combinations
  – Change the combination every six months


Using Evidence Containers (continued)
• Keyed padlock:
  – Appoint a key custodian
  – Stamp sequential numbers on each duplicate key
  – Maintain a registry listing each key assignment
  – Conduct a monthly audit
  – Take inventory of all keys regularly
  – Place keys in a lockable container
  – Maintain the same level of security for keys as for evidence containers
  – Change locks and keys annually


Using Evidence Containers (continued)
• Container should be:
  – Made of steel
  – Internal cabinet or external padlock
• If possible, acquire a media safe
• When possible, build an evidence storage room
• Keep an evidence log


Overseeing Facility Maintenance
• Immediately repair physical damage
• Escort cleaning crews
• Minimize the risk of static electricity
• Maintain two separate trash containers
  – Materials unrelated to an investigation
  – Sensitive materials
• When possible, hire specialized companies for disposing of sensitive materials


Physical Security Needs
• Create a security policy
• Enforce the policy
  – Sign-in log for visitors
    • Anyone not assigned to the lab is a visitor
    • Escort all visitors at all times
  – Visible or audible indicators that a visitor is inside your premises
  – Intrusion alarm system
  – Hire a guard force


Auditing a Computer Forensics Lab
• Ensures policies are being properly enforced
• Should include:
  – Ceiling, floor, roof, exterior walls
  – Doors and door locks
  – Visitor logs
  – Evidence container logs
  – At the end of every workday, secure in the forensic workstation any evidence not being processed


Determining Floor Plans for Computer Forensics Labs


Selecting a Basic Forensic Workstation
• Depends on budget and needs
• Use less powerful workstations for mundane tasks
• Use multipurpose workstations for high-end analysis tasks


Selecting Workstations for Police Labs
• Have the most diverse needs
  – Special-interest groups (SIG)
• General rule: per 250,000 people …
  – One computer investigator
  – One multipurpose forensic workstation
  – One general-purpose workstation


Selecting Workstations for Private and Corporate Labs
• Identify the environment
  – Hardware platform
  – Operating system
• Gather tools appropriate to that environment


Stocking Hardware Peripherals
  – IDE cables
  – Ribbon cables for floppy disks
  – SCSI cards, preferably ultra-wide
  – Graphics cards, both PCI and AGP types
  – Power cords
  – Hard disk drives
  – At least two 2.5-inch notebook IDE hard drives with a standard IDE/ATA or SATA adapter
  – Computer hand tools


OS and Software Inventories
• Licensed copies of software:
  – Microsoft Office 2007, XP, 2003, 2000, 97, and 95
  – Quicken
  – Programming languages
  – Specialized viewers
  – Corel Office Suite
  – StarOffice/OpenOffice
  – Peachtree accounting applications


Disaster Recovery Plan
• Restore workstation and investigation files to their original condition
• Includes backup tools for single disks and RAID servers
• Track software updates to the workstation


Planning for Equipment Upgrades
• Risk management
  – How much risk is acceptable for any process or operation?
  – On what equipment does the lab depend?
  – Which equipment can be replaced when it fails?
• Computing components: 18 to 36 months under normal conditions
  – Schedule upgrades every 12-18 months


Using Laptop Forensic Workstations
• Lightweight, mobile forensic workstation
  – FireWire port
  – USB 2.0 port
  – PCMCIA SATA hard disk
• Limited as forensic workstations


Building a Business Case for Developing a Forensics Lab
• Budget problems!
• Business case
• Demonstrate how the lab will help the organization save money and increase profits


Preparing a Business Case for a Computer Forensics Lab
• Follow these steps:
  – Justification
  – Budget development
    • Facility cost
    • Computer hardware requirements
    • Software requirements
    • Miscellaneous costs
  – Approval and acquisition
  – Implementation
  – Acceptance testing
  – Correction for acceptance
  – Production


Summary
• A computer forensics lab is where you conduct investigations, store evidence, and do most of your work
• Seek to upgrade your skills through training
• The lab facility must be physically secure so that evidence is not lost, corrupted, or destroyed
• It is harder to plan a computer forensics lab for a police department than for a private organization or corporation


Summary (continued)
• A forensic workstation needs to have adequate memory, storage, and ports
• Prepare a business case to enlist the support of your managers and other team members when building a forensics lab


What are the requirements to set up a workstation for computer forensics?

The computer forensics workstation should have facilities and tools to:
- Support hardware-based local and remote network drive duplication.
- Validate the image and the file's integrity.
- Identify the date and time of creation, access and modification of a file.
- Identify deleted files.
- Support removable media.
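Two of the capabilities listed above (validating an image's integrity and reporting a file's creation, access and modification times) can be checked with a short intake script. The following is an added example, not code from the slides or the textbook; the "disk image" it hashes is a constructed three-byte stand-in written to a temp file, and the hash it compares against is the SHA-256 of that constructed data, standing in for the hash recorded at acquisition.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a multi-gigabyte image never sits in RAM


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, acquisition_hash):
    """True only if the image on disk still matches the hash recorded at acquisition."""
    return sha256_file(path) == acquisition_hash.lower()


def mac_times(path):
    """Creation (where the OS exposes it), access and modification times, in UTC ISO 8601."""
    st = os.stat(path)
    to_iso = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    # st_birthtime exists on macOS/BSD; on Linux st_ctime is the inode change time, not creation
    return {
        "created": to_iso(getattr(st, "st_birthtime", st.st_ctime)),
        "accessed": to_iso(st.st_atime),
        "modified": to_iso(st.st_mtime),
    }


# Constructed sample: a tiny stand-in for an acquired image (hypothetical evidence item)
SAMPLE_DATA = b"abc"
SAMPLE_HASH = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"  # SHA-256 of b"abc"


def make_sample_image(data=SAMPLE_DATA):
    """Write the constructed sample into a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Verify an intact image, then show that a single changed byte fails verification."""
    intact, tampered = make_sample_image(), make_sample_image(b"abd")
    result = {
        "intact_ok": verify_image(intact, SAMPLE_HASH),
        "tampered_ok": verify_image(tampered, SAMPLE_HASH),
        "times": mac_times(intact),
    }
    os.remove(intact)
    os.remove(tampered)
    return result


if __name__ == "__main__":
    print(demo())
```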

What process refers to recording all the updates made to a workstation?

The recording of all updates made to a workstation or machine is referred to as configuration management. A disaster recovery plan ensures that workstations and file servers can be restored to their original condition in the event of a catastrophe.

What are the considerations you should have when deciding what data acquisition method to use on your investigation?

Determine the best acquisition method.
Size of the source disk: Know if you can retain the source disk as evidence or return it to the owner. ...
Methods to reduce data size are: Use Microsoft disk compression tools like DriveSpace and DoubleSpace, which exclude slack disk space between the files.

What are the resources required for forensic investigation?

Such resources include software packages used for gathering, preserving and analyzing digital evidence and the necessary skills, training and certifications that a forensic auditor must possess.