Building a Laboratory for Digital Forensics

A logger was once asked, “What would you do if you had five minutes to chop down a tree?” The logger replied, “I would spend the first two and a half minutes sharpening my axe.” The point of this adage is that even with limited time and resources, tasks go better after adequate preparation. In a similar vein, digital forensic investigations require sufficient tools, experience, and knowledge to be conducted successfully. Forensic investigations have so many cascading effects for agencies, researchers, courts, criminals, and victims that it behooves agencies to have credible tools. The forensic laboratory, which serves as the primary research vehicle for investigators, therefore supports the investigative process most when it carries powerful but cost-effective solutions (Evans). Considering a startup budget of $30,000-$50,000, a forensic lab requires expenditures on hardware, software, infrastructure, and workspace additions.

 
Among the various kinds of hardware used in a laboratory setting, forensic computers such as FRED units enable investigators to capture and analyze data from digital devices. In some cases, forensic computers best serve the needs of an investigation if they remain in the laboratory. For example, after retrieving digital evidence in the field during a non-intensive investigation, a forensic specialist can analyze the contents of cell phones, flash drives, or computer hard drives by mounting them on a stationary FRED unit. Alternatively, during more intensive investigations, forensic computers can be transported to the scene of an incident. For instance, in a case that involves a more trusted physical environment and/or on-site image analysis, a lighter solution such as the FRED-L would provide greater mobility with similar analysis capabilities. Provided that the agency employs two forensic examiners with a workload of 20-30 cases a year, at least two forensic computers should be available to handle multiple tasks at once. Weighing in as the most expensive hardware components needed, new FRED units with RAID for data parity cost $8,549.00 each (digitalintelligence.com). Their mobile counterparts cost $4,999.00 (digitalintelligence.com).

 
In addition to core hardware devices, forensic laboratories require tools called write blockers to preserve the integrity of examined data. When analyzing evidence, write blockers prevent changes from being made to the contents of acquired drives. For example, if an investigator needs to copy data from a confiscated laptop, a write blocking device allows identical copies to be made without altering event logs or anything else on the hard drive. Write blocking instruments hold significant value in a laboratory setting because they add to the credibility of an investigator’s testimony. For instance, a judge would be more likely to appraise a testimony as reliable if a write blocker has assured that the examination is based on an identical copy of the original evidence. Though write blockers come in both hardware and software forms, more sophisticated versions exist in the form of peripheral hardware devices. For example, the UltraKit, vended by Digital Intelligence, consolidates various hardware write blockers for various circumstances. To accommodate situations where the agency has two active investigations, two UltraKits cost $3,600.00 (digitalintelligence.com).
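The "identical copy" claim above is what an examiner documents with acquisition and verification hashes: the source is hashed while it is imaged behind the write blocker, the image is re-read and hashed independently, and the two records must agree. The following is an added illustration, not code from the original post or from any vendor named here; the drive contents and the `SAMPLE_DRIVE` name are constructed for the example.

```python
import hashlib
import io
from typing import BinaryIO

CHUNK = 64 * 1024  # read in 64 KiB blocks so a full drive never has to fit in memory


def hash_stream(src: BinaryIO) -> dict:
    """Compute MD5 and SHA-256 over a byte stream in a single pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: src.read(CHUNK), b""):
        md5.update(block)
        sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def digest_of(data: bytes) -> dict:
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data))


def acquire_and_verify(src: BinaryIO, dst: BinaryIO) -> dict:
    """Copy src to dst while hashing, then re-read dst on its own and compare.

    The acquisition and verification digests agree only if the source did not
    change while it was being read (the write blocker's job) and the copy is intact.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: src.read(CHUNK), b""):
        md5.update(block)
        sha.update(block)
        dst.write(block)
    acquisition = {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}
    dst.seek(0)
    verification = hash_stream(dst)  # independent second read of the image
    return {"acquisition": acquisition, "verification": verification,
            "verified": acquisition == verification}


# Constructed sample "drive": arbitrary bytes spanning several chunks, not real evidence.
SAMPLE_DRIVE = b"NTFS    " + bytes(range(256)) * 512


def demo(modified_after_acquisition: bool = False) -> dict:
    """Run one acquisition; optionally re-verify after the image has been changed."""
    source, image = io.BytesIO(SAMPLE_DRIVE), io.BytesIO()
    record = acquire_and_verify(source, image)
    if modified_after_acquisition:
        # e.g. the image was mounted read-write and a byte of metadata was updated
        image.seek(0)
        image.write(b"X")
        image.seek(0)
        record["verification"] = hash_stream(image)
        record["verified"] = record["acquisition"] == record["verification"]
    return record
```

A mismatch between the two records is the signal that the image can no longer be presented as an identical copy and the acquisition must be repeated.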

 
Digital forensic labs also need data wiping utilities to sanitize media used in the field. Similar to physical forensic sanitization or surgical sanitization, digital forensic examiners must use specific tools to restore their primary devices to a clean state. Dedicated data wipers serve as the most reliable way to perform sanitization because they thoroughly write over the hard drive without destroying the working components. By clearing out data remnants, digital investigators can examine new evidence without the risk of contaminating their findings. In many cases, even minor alterations made to forensic machines must be expunged to ensure the machines can be reliably reused. For example, on Windows systems, residual data remains on the hard drive after the user has “deleted” it through the user interface. Therefore, data wiping devices like Wiebetech’s Drive eRazer Ultra provide a way to furnish uncontaminated evidence on refreshed hardware. Software-based wipers are often free, but for situations that demand a stand-alone solution, Wiebetech’s eRazer has a price tag of $249.00 (Kingsley-Hughes).
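To show why a "deleted" file is not a clean drive, and what a wipe has to achieve before media can be reused, here is an added toy model (not code from the post or from any product above): a volume whose delete only drops the directory entry, a raw-byte carve that still finds the content, and an acceptance check run after the overwrite. `ToyVolume` and `MARKER` are constructed for the example.

```python
MARKER = b"CASE-2017-0042 interview notes"  # constructed content, not real case data


class ToyVolume:
    """Fixed-size data area plus a directory of name -> (offset, length).

    Deleting a file removes only its directory entry, which is what a desktop
    file system's 'delete' does; the data bytes stay on the media.
    """

    def __init__(self, size: int = 4096):
        self.data = bytearray(size)
        self.directory = {}
        self.next_free = 0

    def write_file(self, name: str, content: bytes) -> None:
        if self.next_free + len(content) > len(self.data):
            raise IOError("volume full")
        start = self.next_free
        self.data[start:start + len(content)] = content
        self.directory[name] = (start, len(content))
        self.next_free += len(content)

    def delete_file(self, name: str) -> None:
        del self.directory[name]  # metadata gone, content untouched

    def carve(self, needle: bytes) -> list:
        """Offsets where needle occurs in the raw data area, ignoring the directory."""
        hits, pos = [], self.data.find(needle)
        while pos != -1:
            hits.append(pos)
            pos = self.data.find(needle, pos + 1)
        return hits

    def wipe(self, pattern: int = 0x00) -> None:
        """Overwrite every byte and drop all metadata, as a dedicated wiper does."""
        self.data[:] = bytes([pattern]) * len(self.data)
        self.directory.clear()
        self.next_free = 0

    def verify_wiped(self, pattern: int = 0x00) -> bool:
        """Acceptance check before reuse: every byte equals the pattern, no entries remain."""
        return not self.directory and all(b == pattern for b in self.data)


def demonstrate() -> dict:
    """Write, delete, carve, wipe, and re-check one volume."""
    vol = ToyVolume()
    vol.write_file("notes.txt", MARKER)
    vol.delete_file("notes.txt")
    residual = vol.carve(MARKER)      # non-empty: 'deleted' content is still recoverable
    vol.wipe()
    return {"residual_offsets": residual, "after_wipe": vol.carve(MARKER),
            "clean": vol.verify_wiped()}
```

The same verify-after-wipe step applies to a real wiper: read the whole device back and confirm the pattern before the media goes into the kit.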

 
USB flash drives boast a flexible level of utility for a wide range of purposes in a variety of forensic settings. By writing images of the appropriate software to them, USB drives provide a lightweight means of carrying mobile operating systems. For example, by writing a forensic OS like Paladin or Raptor to a USB drive, an investigator can boot the operating system on machines in the field. Consequently, the investigator can conduct analysis without the burden of heavy hardware. USB drives also serve as a basic means of retaining data. Evidence, documentation, and other utilities can be stored on these lightweight drives. Moreover, several iterations of USB drives come protected by powerful forms of encryption. For example, IronKey flash drives employ encryption to ensure the integrity and confidentiality of the data stored within. By encrypting, for instance, hard drive images, tools like the IronKey lend credibility to forensic testimonies because they signify that evidence hasn’t been compromised. IronKey S1000s run at anywhere between $120 and $978, depending on their size (amazon.com). Several assorted sizes are necessary to serve various purposes in a forensic environment.

 
Core hardware components need peripheral hardware and other accessories to perform essential tasks. Monitor screens provide a visual interface for investigators to view information provided by their computers. For example, many forensic units would require a monitor so a forensic examiner can operate them effectively. Furthermore, computer mice and keyboards permit investigators to navigate the graphical interfaces of operating systems. For instance, wireless mice and keyboards would allow investigators to click icons without the clutter associated with wired peripherals. Additionally, forensic labs require various kinds of wiring to interface with the local network, the internet, and other devices. For example, Ethernet cables, failover power cables, strips, and port wires are needed to provide electricity and connectivity to workplace machines. Moreover, tools should be used to manage the electric flow to devices before devices burn themselves out. PCUs and surge protectors prevent hardware like monitors from overheating. Surge protectors, monitors, and wires vary in cost, but should not exceed a total of $700 (amazon.com).

 
Specialized software should be employed on forensic operating systems to optimize forensic hardware. An OS like Sumuri’s PALADIN 7 comes prepackaged with an array of utilities for forensic examination (sumuri.com). For example, PALADIN has several applications that allow an investigator to triage a machine and estimate its priority in an investigation. In other words, if any inculpatory or exculpatory evidence is found using PALADIN’s software, the forensic investigator can request a warrant or take the user into custody. PALADIN has a host of features that allow the user to search a machine for relevant evidence. For instance, it has applications that enable the investigator to search for hidden data, keywords, applications, network activity, and records. Furthermore, it provides programs that analyze imaged hard drives for past web activity, deleted files, and suspicious behavior. For example, TSK (The Sleuth Kit) and Autopsy enable investigators to search for an abundance of different kinds of artifacts. For expediency, PALADIN offers solutions for investigators of any skill level. Concerning inexperienced examiners, PALADIN provides a graphical interface for users familiar with user-friendly forms of Linux. For experienced investigators, PALADIN grants numerous command line options, packages, modules, and opportunities for developers to harness the open source nature of the operating system. As an open source OS, PALADIN is free. Despite its affordability, it also enjoys a credible reputation, which gives it admission in court.

 
Although PALADIN and other open source operating systems provide a wide range of forensic solutions for free, some proprietary options like EnCase accomplish forensic tasks with more user friendliness (Stephenson). EnCase enables the user to image hard drives, creating exact duplicates of suspicious evidence. For example, it can image and analyze drives that use Unix, Windows, Mac, Linux, Apple iOS, and Android operating systems. Furthermore, it consolidates analyzed material into a comprehensive report. For instance, with EnCase, the investigator can present findings with customized headers and footers. Alternatively, reports can be generated in a Microsoft Word format to cater to a wide audience. Analyzed image contents can include web activity, applications, logs, timelines, hidden content, and virtually any relevant information stored on a disk image. EnCase v8 licenses cost $3,000; it is therefore recommended that an agency with a budget of $20,000-$50,000 limit the number of EnCase purchases to one to three licenses. With regard to agencies whose investigators have little experience in the field, EnCase’s easily understood interface acts as a reliable solution.

 
Since investigators need access to the World Wide Web to inform their analyses and update their systems, an independent network should be established for dedicated use in the forensic laboratory. A dedicated connection, separated from the agency’s network, improves the security posture of the laboratory. For example, by using a segmented network, the risks involving malicious network sniffers on the agency’s general network are averted. Inversely, by employing a dedicated laboratory network, threats have a harder time pivoting into the agency’s general network. Additionally, if the local laboratory network faces the internet with an independent connection, investigators can use it to acquire resources and enable forensic analyses. For instance, with an internet connection, open source forensic software can be downloaded, relevant data can be researched, and cloud services can be employed. A direct line to the internet also ensures that equipment is up to date for use in the field. For example, investigators can use the connection to patch their software, implement new iterations of software, update operating system drivers, and download new tools as needed. DSL subscriptions typically cost between $25 and $45 a month, while cable or fiber-optic connections can range between $25 and $145 a month. For direct wired connections to laboratory machines, Cisco offers a Small Business ISR4321-SEC/K9 Router with Security (SEC) Bundle at the price of around $1,500 (Newegg.com).

 
Beyond the necessary technical utilities, forensic laboratories also require adequate physical space to accommodate the practical needs of investigators. A shared workspace should be allocated for the use of multiple investigators. The common area should equate to about half of the total space used for the laboratory. Furthermore, each examiner should be given a separate workspace for individual use; each workspace ideally consists of 48-64 square feet or more. Additionally, each workspace should include a workstation for computer use, while the common area ought to have a table for shared needs. Comfortable chairs with armrests should be included for long work hours (Evans).

 
Within the laboratory workspace should reside numerous practical utilities, each placed where it is most useful. All rooms should be outfitted with ample lighting to illuminate areas where hands-on work is conducted. The process of deconstructing a computer and handling small parts requires extensive lighting to be conducted most easily. Furthermore, every workspace needs a table or tech bench to support physical examination processes. For instance, when examining a computer, investigators need a platform roughly 34 inches deep by 48 inches wide (Evans). Particularly in the common area, storage facilities would enable investigators to keep evidence safely and securely. For example, evidence lockers, drawer safes, and storage cabinets provide means of shelving evidence and hardware. In the case of storage cabinets, units should be 24 by 36 by 78 inches to hold up to 6 computers. Additionally, drawer safes should feature individual locks on each drawer for separate use. Accounting for cost, affordable tech benches have a price of around $150, evidence lockers can range from $300-$600 (Putty), and storage cabinets cost about $380 (amazon.com).

 
To ensure the confidentiality, integrity, and availability of forensic data, security controls should be implemented in both a physical and a technical sense. Security cameras would help detect intruders and other anomalies should malicious physical activity occur. For example, a CCTV system would capture footage of break-ins or internal crimes. To complement detective controls like CCTV, alarm systems provide more assurance that incidents of intrusion are detected from their onset. Furthermore, physical access controls would prevent unauthorized access to facilities and resources. For instance, a badge reader system would allow only authorized parties to gain entry, while obstructing the entry of unauthorized parties. Moreover, locks should be installed on storage containers and entryways to prevent intrusion and unsanctioned access. Considering expenditures, affordable security cameras cost between $100 and $200 apiece (amazon.com), alarm systems cost about $225 each (amazon.com), badge reading access control costs $140 each (barcodegiant.com), and combination locks cost around $5 each.

 
In aggregate, hardware, software, infrastructure, and workspace additions should cost at bare minimum $30,000. Depending on the number of supplies bought, as would be the case with flash drives, locks, or other accessories, the budget could reasonably be pushed to $40,000. Forensic tools add the most value to the investigative process when they are economical and effective. Investigations have so many implications for agencies, researchers, courts, criminals, and victims that valid tools are a necessity. Investigations demand adequate tools, skillsets, and education to be conducted auspiciously. Therefore, as is the case with most of life’s challenges, full preparation serves as a key to success.

 

References:
Amazon.com: Ironkey Basic S1000 USB Flash Drive (IK-S1000-128GB-B): Computers & Accessories. (2017). Amazon.com. Retrieved 10 June 2017, from https://www.amazon.com/Ironkey-Basic-S1000-Flash-IK-S1000-128GB-B/dp/B00TIXSJVW/ref=sr_1_1?ie=UTF8&qid=1495944110&sr=8-1&keywords=IKS1000B%2F128GB

 
Amazon.com: Tennsco 2470BK 36 by 24 by 78-Inch Deluxe Steel Storage Cabinet with 4 Adjustable Shelves, Black: Kitchen & Dining. (2017). Amazon.com. Retrieved 10 June 2017, from https://www.amazon.com/Tennsco-2470BK-78-Inch-Storage-Adjustable/dp/B00275FL4G

 
Amazon.com: UniquExceptional MA30RcR Motion Detector Alarm with Rolling Code Remote Control (White): Camera & Photo. (2017). Amazon.com. Retrieved 10 June 2017, from https://www.amazon.com/UniquExceptional-MA30RcR-Detector-Rolling-Control/dp/B009X5BN7C

 
APC Performance SurgeArrest 11 Outlet with Phone (Splitter), Coax and Ethernet Protection, 120V. (2017). Apc.com. Retrieved 10 June 2017, from http://www.apc.com/shop/us/en/products/P-P11VNT3?gclid=CjwKEAjwse7JBRCJ576SqoD7lCkSJABF-bKu4PWYhFMq41T-0D4qlDLSjzxriIw7k8iBJC4uvhuvJxoCLqfw_wcB

 
Cisco Small Business ISR4321-SEC/K9 Router with Security (SEC) Bundle 2 x 10/100/1000Mbps LAN Ports – Newegg.com. (2017). Newegg.com. Retrieved 10 June 2017, from https://www.newegg.com/Product/Product.aspx?Item=N82E16833150516&ignorebbr=1&nm_mc=KNC-GoogleAdwords-PC&cm_mmc=KNC-GoogleAdwords-PC-_-pla-_-Network+-+Routers+%2F+Remote-_-N82E16833150516&gclid=Cj0KEQjwyN7JBRCZn7LKgb3ki8kBEiQAaLEsqgF2Mt2cHM2ZBW61SsJYN7dQbozDIqvfgnCEJmtSBZ4aAn4r8P8HAQ&gclsrc=aw.ds

 
Evans, B. (2015). Is Your Computer Forensic Laboratory Designed Appropriately?. Security Intelligence. Retrieved 10 June 2017, from https://securityintelligence.com/is-your-computer-forensic-laboratory-designed-appropriately/

 
FRED. (2017). Digitalintelligence.com. Retrieved 10 June 2017, from https://www.digitalintelligence.com/products/fred/

 
FRED-L. (2017). Digitalintelligence.com. Retrieved 10 June 2017, from https://www.digitalintelligence.com/products/fredl/

 
Kingsley-Hughes, A. (2017). How to securely erase a hard drive with both hardware and software | ZDNet. ZDNet. Retrieved 10 June 2017, from http://www.zdnet.com/article/how-to-securely-erase-a-hard-drive-with-both-hardware-and-software/

 
Putty, L. (2017). Lyon Locker PP53523SU Four Tier 12x12x12 3-Wide Hasp Handle Assembled Putty. Global Industrial. Retrieved 10 June 2017, from http://www.globalindustrial.com/p/storage/lockers/lyon/lyon-locker-four-tier-12x12x12-12-door-assembled-putty?infoParam.campaignId=T9F&gclid=Cj0KEQjwyN7JBRCZn7LKgb3ki8kBEiQAaLEsqg586gbZs9sie_sf6gZiz7cB_xSx9_D0voGrb6g6v3MaAqL-8P8HAQ

 
RDR-80581AKU-C06: RF IDeas – Big Sales, Big Inventory and Same Day Shipping!. (2017). Barcodegiant.com. Retrieved 10 June 2017, from http://www.barcodegiant.com/rf-ideas/part-rdr-80581aku-c06.htm?aw&adtype=pla&gclid=CjwKEAjwse7JBRCJ576SqoD7lCkSJABF-bKu1XTCXsOMn99MSvh8IHkLyOif66XTF8snO8X-qdkRaRoCD5fw_wcB

 
Stephenson, P. (2017). EnCase Forensic v7.09.02 product review | SC Media US. Scmagazine.com. Retrieved 10 June 2017, from https://www.scmagazine.com/encase-forensic-v70902/review/6892/

 
SUMURI. (2017). PALADIN (64-bit) – Version 7.02 – SUMURI. SUMURI. Retrieved 10 June 2017, from https://sumuri.com/product/paladin-64-bit-version-7/

 
UltraKit v4.1. (2017). Digitalintelligence.com. Retrieved 10 June 2017, from https://www.digitalintelligence.com/products/ultrakit/
