1. Forensic Lab Development Plan

CYSE 407 MID-TERM

BY JOHN COVER

NEEDS ASSESSMENT

I have been tasked with creating and building a forensic laboratory for a mid-sized police department. To determine how many technicians I need to hire, I have to start by estimating the number of cases my lab expects to examine and identifying the types of computers I will likely need to examine, such as Windows PCs, Apple systems, or Linux workstations. I will start by collecting state crime statistics for the current year and several previous years to determine the types of computers or other devices associated with these crimes. I will then create a chart listing the number of crimes committed that involve Windows, Linux/UNIX, and Apple computers. In addition to estimating resources for digital investigations, I will determine what resources will be needed to examine mobile devices, such as smartphones and tablets, that may have been identified in the analysis. Once the analysis is complete, I can determine the personnel needed to support the lab.

I will also need to evaluate the development of an evidence storage area and the evidence transport devices used to get the evidence to that storage area. I will have to develop and evaluate the security measures that keep the evidence tamper-proof and safe from destruction or damage.

I will also need to determine the accreditation process that the lab will have to go through and ensure that the lab meets all standards in the field, as well as the certifications required for all my technicians and investigators.

LAB ACCREDITATION PLAN

In 2017, ISO/IEC 17025, the general requirements for the competency of testing and calibration laboratories, was updated to reflect the changing technologies that the world faces today. The guidelines it provides allow forensic labs to operate competently and to generate valid results that can be shared among local and international organizations.

According to our text, the ANSI-ASQ National Accreditation Board (ANAB) (www.anab.org), a wholly owned subsidiary of ANSI (American National Standards Institute) and ASQ (American Society for Quality), provides accreditation of crime and forensics labs worldwide, including forensics labs that analyze digital evidence. For a lab to be accredited, ANAB audits the lab's tasks and functions to ensure correct and consistent results for all cases. These audits are performed on subscribing members' forensics labs to ensure the quality and integrity of their work.

List of Approved Accredited Organizations in the US and International Standards

https://www.anab.org/forensic-accreditation
https://www.ascld.org/about-us/accreditation-initiative/
https://www.justice.gov/archives/ncfs/file/839701/download

American Society of Crime Laboratory Directors (ASCLD), www.ascld.org

International Organization for Standardization (ISO)

International Association of Computer Investigative Specialists (IACIS), www.iacis.com

EC-Council, www.eccouncil.org/Certification

SysAdmin, Audit, Network, Security (SANS) Institute, www.sans.org or https://digital-forensics.sans.org/certification

Defense Cyber Investigations Training Academy (DCITA), www.dcita.edu

International Society of Forensic Computer Examiners (ISFCE), www.isfce.com, for the Certified Computer Examiner (CCE) certification

Computer Technology Investigators Network (CTIN), www.ctin.org

Digital Forensics Certification Board (DFCB), www.dfcb.org/certification.html

Cloud Security Alliance (CSA), https://cloudsecurityalliance.org/education/

OFFICE/BUILDING DESIGN

The lab itself should be an enclosed room that can be secured and locked. The space should have no windows and should be constructed in such a manner as to prevent unauthorized entry into the facility. Doors should be wooden with a heavy locking device to prevent break-ins.

The power supply to the lab and the number of outlets to be installed should be determined so that the lab has uninterrupted power, with some kind of backup generator.

The type of fire suppression system to install should also be considered.

According to our textbook, "Each digital forensics investigator in a lab should have a private office where he or she can manage cases, conduct interviews, and communicate without eavesdropping concerns." Ideally, each technician should have their own office to work in, but budget constraints may make it hard to assign every technician an office. An alternative plan could assign two technicians to an office where they can manage their cases.

Workstations can be arranged so that forensic evaluations and testing are done in an open-room format, perhaps separated by cubicle-type walls to give a little privacy to the testing being done.

A storage area should be designated for evidence and should be secure at all times.

Internet/intranet access should be kept separate from the evidence being examined by the technicians, but accessible as needed.

LABORATORY FLOOR PLAN

Figure 2.4 from Textbook

EVIDENCE STORAGE PLAN

Media Storage:

Our text recommends that, when beginning an investigation, a technician make two copies of every image, using a different method to create each copy, in order to preserve the evidence.

Lab Storage Requirements:

The most important thing when processing evidence is maintaining the integrity of the evidence. The storage area where evidence is kept while in the lab's custody should be restricted to lab personnel only. The textbook recommends checking with local law enforcement to ensure that the lab meets all state and local requirements for evidence storage.

Evidence Custody Form:

An evidence custody form should be developed, or a form already used by local law enforcement can be adopted, to ensure that the chain of custody is preserved whenever evidence is handled and that the integrity of the evidence is maintained.

This form should include the name of the investigator, the lab, and the type of evidence being taken into custody. The form should list everyone who has handled the evidence and the dates and times it was handled. It should also include any additional pertinent information, and each piece of evidence should have its own evidence custody form.
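As an added example, not part of this plan or the textbook, the following Python record captures what the custody form above requires (investigator, lab, evidence type, every handler with date and time, one record per item) and also checks the two-copy imaging rule from the Media Storage section by verifying that both independently made copies hash to the value recorded at intake. Each custody entry commits to the hash of the entry before it, so an edited or removed entry is detectable; all names and sample values are hypothetical.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example; class and field names are hypothetical, not from the plan or textbook.

@dataclass
class CustodyEvent:
    handler: str     # who handled the item
    action: str      # e.g. "received", "imaged", "returned to storage"
    timestamp: str   # date and time of handling (ISO 8601, UTC)
    prev_hash: str   # entry hash of the previous event (the image hash for the first event)
    entry_hash: str  # hash over this event, chaining it to the one before

@dataclass
class EvidenceRecord:
    evidence_id: str       # one record per piece of evidence
    investigator: str
    lab: str
    evidence_type: str
    image_sha256: str      # hash of the acquired image, recorded at intake
    events: list = field(default_factory=list)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _payload(rec, handler, action, ts, prev) -> bytes:
    return f"{rec.evidence_id}|{handler}|{action}|{ts}|{prev}".encode()

def add_event(rec: EvidenceRecord, handler: str, action: str, when: str = "") -> CustodyEvent:
    """Append a handling entry that commits to the previous entry's hash."""
    prev = rec.events[-1].entry_hash if rec.events else rec.image_sha256
    ts = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    ev = CustodyEvent(handler, action, ts, prev, sha256_hex(_payload(rec, handler, action, ts, prev)))
    rec.events.append(ev)
    return ev

def verify_chain(rec: EvidenceRecord) -> bool:
    """Recompute every entry; an edited, reordered or removed entry breaks the chain."""
    prev = rec.image_sha256
    for ev in rec.events:
        if ev.prev_hash != prev or ev.entry_hash != sha256_hex(_payload(rec, ev.handler, ev.action, ev.timestamp, prev)):
            return False
        prev = ev.entry_hash
    return True

def copies_match(rec: EvidenceRecord, copy_a: bytes, copy_b: bytes) -> bool:
    """Both independently made image copies must hash to the value recorded at intake."""
    return sha256_hex(copy_a) == rec.image_sha256 == sha256_hex(copy_b)
```

Record the image hash at intake, call add_event for every handover, and run verify_chain and copies_match before the item leaves the lab's custody.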

File Cabinets

File cabinets should be installed with secure locking mechanisms to keep files secure.

INVENTORY

Inventory control methods need to be developed to ensure that all hardware and software are accounted for and to keep track of what is out of date and needs to be replaced. Inventory should be kept in an area that is secure from all outsiders and maintained so that equipment, software, and evidence are shielded from outside environmental effects.

RECOMMENDED BASIC SOFTWARE/HARDWARE REQUIREMENTS:

SOFTWARE:

Software – Details – Price range

Raptor – Imaging tool with a write blocker that prevents the operating system from mounting the targeted hard drive. – FREE

DD (stands for Data Duplicator) – Open source tool for copying and converting data. It enables you to quickly clone or create exact raw disk images. – FREE

Hashcat – Open source password cracking tool. – FREE

John The Ripper – Open source password cracking tool. – FREE

Autopsy/Sleuth Kit – Open source digital forensics tool. – FREE

OSForensics – Digital forensics tool with multiple capabilities: the ability to recover deleted files, collect system information, extract passwords, view active memory, search files and within files, and much more. – Professional edition:


HARDWARE:

Analysis Computer – 3

Digital Camera – 2

VCR/CD Player – 2

Hard Drives/USB Drives (Assorted Memory) – 4

Monitors – 4

Assorted Anti-static Bags

Screw Drivers/Socket Wrenches

Assorted Cables

Telephones

Workstations – at least 8 workstations, assigning 2 technicians per station

LAB SECURITY MEASURES

The lab should be set up with a desk area staffed by a security guard to ensure that no one who shouldn't be in the lab enters it. There should be a log book where personnel sign in, or some kind of badge access system could be developed to control entry to and exit from the lab.

Lab doors should be solid with locking mechanisms in place. Plans should be developed on how these mechanisms will work: who has keys, or whether entry will be electronic, through badges or codes.

Cameras could also be installed to ensure that the lab is used in the manner it is supposed to be used and that evidence can be surveilled to ensure its integrity.

Visitor rules need to be determined as to what kind of access visitors should have and where they will be allowed to go. Escort rules will have to be developed for escorting visitors within the lab.

Evidence storage lockers, kept in an evidence room, should have secure locks on them to protect all stored evidence.

Fireproof safes, and safes that protect electronic media, are also a good investment.

An intrusion alarm should be installed to detect and deter unauthorized access.

An audit schedule should be developed to ensure that all lab rules and regulations regarding security, and the lab procedures developed for evidence, are being followed. This audit should include inspecting the facility to ensure that everything is in working order and that all locks work.

LAB MAINTENANCE PLAN

A maintenance plan needs to be developed that maintains the health of its people and the security of the inventory and the evidence.

Cleaning crews should be escorted and monitored during their access to the lab.

Anything that needs to be repaired or replaced should be done immediately.

Floors and carpets should be cleaned at least weekly to keep down the dust and dirt that could cause static electricity that might damage equipment and/or evidence.

Appropriate anti-static mats or rugs should be available throughout the lab.

Trash containers should be assigned for regular trash, with separate containers for discarded sensitive material. Sensitive material should be disposed of in a secure manner.

Environmental controls should be installed to keep the equipment from overheating.

Lighting should be appropriate for the room so that technicians can see without strain.

PERSONNEL NEEDS

Based on the results of the analysis, at least 1 to 2 shift managers should be hired if the lab plans to run 24 hours a day; otherwise, one shift manager will be enough to start. Also, depending on how many hours the lab runs daily, 4 to 6 technicians would be desirable.

Lab Manager – 1 to 2 depending on established hours

Technicians – Up to 6 technicians

JOB DESCRIPTIONS:

LAB MANAGER –

The lab manager will develop processes for managing cases and will review them regularly. Besides performing general management tasks, such as promoting group consensus in decision making, maintaining fiscal responsibility for lab needs, and enforcing ethical standards among staff members, the lab manager plans the updates for the lab, such as new hardware and software purchases, as technology changes.

The lab manager will also establish and promote quality assurance processes for the lab’s staff to follow, such as outlining what to do when a case arrives, logging evidence, specifying who can enter the lab, and establishing guidelines for filing reports. To ensure the lab’s efficiency, the lab manager also sets reasonable production schedules for processing work.

The lab manager will create and monitor lab policies for staff and provide a safe and secure workplace for staff and evidence. Above all, the lab manager accounts for all activities the lab’s staff conducts to complete its work. Tracking cases such as e-mail abuse, Internet misuse, and illicit activities can justify the funds spent on a lab.

TECHNICIANS –

Technicians in a forensics lab should have enough training to perform their tasks. Necessary skills include hardware and software knowledge, including OSs and file types, and deductive reasoning. Their work is reviewed regularly by the lab manager and their peers to ensure quality. Staff members are also responsible for continuing technical training to update their investigative and computer skills and maintaining a record of the training they have completed.

REQUIRED KNOWLEDGE:

According to Bradford (2017), the following skills are needed to be successful in these positions:

Analytical talent; computer science/technical skills; understanding of cybersecurity; organizational skills; oral and written communication skills; and a desire to learn and solve puzzles. Degrees in computer science or cybersecurity are required, and certifications such as CISSP, EnCE, and GCFE/GCFA are a must.

REFERENCES/WORKS CITED

Bradford, Laurence. "6 Skills Required For A Career In Digital Forensics." Forbes.com. N.p., 29 Apr. 2017. Web.

Nelson, Bill; Phillips, Amelia; Steuart, Christopher. Guide to Computer Forensics and Investigations, 6th Edition. ISBN-10: 1-337-56894-5; ISBN-13: 978-1-337-56894-4.