COS/PSA 413 Day 6.
Agenda
Questions?
Assignment 2 due.
Lab 1 write-ups corrected: 1 A, 1 B, 2 C's and 1 F.
Lab 2 write-ups due tomorrow. Pay more attention to detail; answer the question!
Lab tomorrow at N105: using Linux tools, Project 4-2 and Project 4-5. Individual labs, no teams required. http://www.lowfatlinux.com/
Discussion on The Investigator's Office and Laboratory (Chapter 5 in 1e and Chapter 3 in 2e).

The Investigator’s Office and Laboratory Chapter 5

Learning Objectives
Understand forensic lab certification requirements.
Determine the physical layout of a computer forensics lab.
Select a basic forensic workstation.
Build a business case for developing a forensics lab.
Create a forensic boot floppy.
Retrieve evidence data using a remote network connection.

Understand Forensic Lab Certification Requirements American Society of Crime Laboratory Directors (ASCLD) – A national society that sets the standards, management, and audit process for labs used in crime analysis including computing-forensics labs used by the police, FBI, and similar organizations.

Understand Forensic Lab Certification Requirements
Identify the duties of the lab manager and staff:
Set up the guidelines for managing cases.
Promote group consensus for decision making.
Establish and promote quality assurance.
Create and monitor lab policies.
Evaluate hardware and software needs.
Balance costs and needs.

Understand Forensic Lab Certification Requirements
Uniform Crime Report – Information collected at the federal, state, and local levels to determine the types and frequencies of crimes committed.
Federal reports: http://www.fbi.gov/ucr/ucr.htm
Regional summaries: http://fisher.lib.virginia.edu/crime

Understand Forensic Lab Certification Requirements
Acquiring Certification and Training
International Association of Computer Investigative Specialists (IACIS) – One of the oldest professional computing-forensics organizations, IACIS was created by police officers who wanted to formalize credentials in computing investigations. IACIS restricts membership to sworn law enforcement personnel or government employees working as computer forensic examiners.
High Tech Crime Network (HTCN) – A national organization that provides certification for computer crime investigators and computing-forensics technicians.

Understand Forensic Lab Certification Requirements
Certified Electronic Evidence Collection Specialist (CEECS) – A certificate awarded by IACIS upon completion of a written exam.
Certified Forensic Computer Examiner (CFCE) – A certification awarded by IACIS upon completion of the correspondence portion of testing.

Understand Forensic Lab Certification Requirements
Certified Computer Crime Investigator, Basic Level
Candidates have two years of law-enforcement or corporate-investigative experience, or a bachelor's degree and one year of investigative experience.
Eighteen months of the candidate's experience directly relates to the investigation of computer-related incidents or crimes.
Candidates have successfully completed 40 hours of training from an approved agency, organization, or training company.
Candidates must provide documentation of at least 10 cases in which they participated.

Understand Forensic Lab Certification Requirements
Certified Computer Crime Investigator, Advanced Level
Three years of investigative experience in any area, or a bachelor's degree and two years of experience.
Four years of direct experience with the investigation of computer crimes.
Completion of 80 hours of related training from an approved source.
Candidates served as lead investigator in at least 20 cases during the past three years and were involved in at least 40 cases as a lead investigator, supervisor, or in a supportive capacity.

Understand Forensic Lab Certification Requirements
Certified Computer Forensic Technician, Basic Level – A certificate awarded by the HTCN upon successful completion of its requirements. Same requirements as Certified Computer Crime Investigator, Basic Level, but all experience must be related to computer forensics.
Certified Computer Forensic Technician, Advanced Level – A certificate awarded by the HTCN upon successful completion of its requirements. Same requirements as Certified Computer Crime Investigator, Advanced Level, but all experience must be related to computer forensics.

Understand Forensic Lab Certification Requirements
EnCE – Certification program sponsored by Guidance Software. EnCE certification is open to both the public and private sectors and is specific to the use and mastery of the EnCase computer forensic analysis tool.

Understand Forensic Lab Certification Requirements
Other Training and Certifications
High Technology Crime Investigation Association (HTCIA)
SysAdmin, Audit, Network, Security Institute (SANS)
Computer Technology Investigators Northwest (CTIN)
New Technologies, Inc. (NTI)
National Cybercrime Training Partnership (NCTP)
National White Collar Crime Center (NW3C)

Determine the Physical Layout of a Computer Forensics Lab
Secure Facility – A facility that can be locked and provides limited access to its contents.
TEMPEST – An unclassified term for facilities that have been hardened so that electrical emanations from computers, the computer network, and telephone systems cannot easily be monitored or captured by someone outside the facility.

Determine the Physical Layout of a Computer Forensics Lab
Identify Security Needs
Small room with true floor-to-ceiling walls.
Door with a locking mechanism, either a regular lock or a combination lock; the key or combination must be limited to you and your manager.
Secure container such as a safe, or a file cabinet with a quality padlock that prevents the drawers from opening.
Visitors log listing all persons who have accessed your lab.

Determine the Physical Layout of a Computer Forensics Lab Ergonomics – The study of designing equipment to meet the human need for comfort while allowing for productivity.

Determine the Physical Layout of a Computer Forensics Lab
Environmental Conditions
How large is the room, and how much air moves through it per minute?
Can the room handle the increased heat generated by the workstations?
What is the maximum number of workstations the room can handle?
How many computers will be located in this room?
Can the room handle a small RAID server's heat output?

Determine the Physical Layout of a Computer Forensics Lab
Recommended Eyestrain Considerations
Chair height needs to bring the eye level to the monitor.
Ensure proper distance from the monitor.
Place material to be viewed while looking at the monitor at the same level as the monitor.
Use zoom when reading small fonts.
Make sure the monitor is clear of glare. Use a filter screen if necessary.
Use lighting, and eliminate direct light on the computer monitor.
Have regular eye exams and, if necessary, buy a pair of prescription glasses.
Take breaks often and let your eyes focus on distant objects.

Determine the Physical Layout of a Computer Forensics Lab
Structural Design Considerations – Ensure the lab is a secure room.
Use heavy construction materials if possible.
Look for large openings in walls, ceilings, and floors (drop ceilings and raised floors are common ways around a locked door).
Avoid windows in the lab exterior.
Verify computer systems are facing away from any internal or external windows.

Determine the Physical Layout of a Computer Forensics Lab
Electrical Needs
Ensure enough amperage is supplied to the lab.
Organize outlets for easy access.
Install an Uninterruptible Power Supply (UPS) for important computer systems.

Determine the Physical Layout of a Computer Forensics Lab
Communications
Dedicated ISDN is preferred for computer network and voice communications.
Dial-up Internet access should also be available.
Do not keep forensic workstations attached to the Internet.
Consider installing a dedicated, isolated network for the computer forensics computers.

Determine the Physical Layout of a Computer Forensics Lab
Fire-Suppression Systems
If necessary, install a dry chemical fire-suppression system.
Verify the lab has a sprinkler system installed.
Install dry chemical fire extinguishers.

Determine the Physical Layout of a Computer Forensics Lab
Evidence Locker Recommendations
The evidence locker should be located in a restricted area that is accessible only to lab personnel.
The number of people authorized to open the evidence container should be kept to a minimum.
All evidence containers should remain locked when they are not under the supervision of an authorized person.

Determine the Physical Layout of a Computer Forensics Lab
Evidence Locker Combination Recommendations
Provide the same level of security for the combination as for the contents of the container.
Destroy any previous combinations after setting up a new combination.
Allow only authorized personnel to change lock combinations.
Change the lock combinations every six months and whenever an authorized person leaves the organization.

Determine the Physical Layout of a Computer Forensics Lab
Evidence Locker Padlock Recommendations
Appoint a key custodian responsible for distributing keys.
Stamp sequential numbers on each duplicate key.
Maintain a registry listing which key is assigned to whom.
Conduct a monthly audit to ensure no keys have been lost.
Take an inventory of all keys.
Leave the keys in the lab; they do not go home with staff.
Change locks and keys annually.
Do not use a master key for several locks.

Determine the Physical Layout of a Computer Forensics Lab
Facility Maintenance
Repair any damage immediately.
Consider anti-static pads.
Maintain two separate trash containers (one for material that must be shredded or otherwise sanitized).

Determine the Physical Layout of a Computer Forensics Lab
Physical Security Needs
Maintain a sign-in log for all visitors.
Hire a security guard, if necessary.

Determine the Physical Layout of a Computer Forensics Lab
Auditing a Computer Forensics Lab
Inspect the ceiling, floor, roof, and exterior walls.
Inspect doors to make sure they close and lock correctly.
Check the locks to see if they are damaged or need to be replaced.
Review the visitors log.
Review the logs for evidence containers.
Secure any evidence that is not being processed at the end of the workday.

Selecting a Basic Forensic Workstation
Special Interest Groups (SIGs) – Associated with various operating systems, these groups maintain Listservs and may hold meetings to exchange information about current and legacy operating systems.

Selecting a Basic Forensic Workstation
Consider stocking the following hardware peripherals:
40-pin 18-inch and 36-inch IDE cables, both ATA-33 and ATA-100 or faster.
Ribbon cables for floppy disks.
Extra SCSI cards.
Graphics cards, PCI and AGP.
Extra power cords.
A variety of hard disk drives.
Laptop hard drive adapters.
Hand tools such as screwdrivers and pliers.

Selecting a Basic Forensic Workstation
Maintain Operating System and Application Inventories
Microsoft Office XP, 2000, 97, 95
Quicken
Programming language applications such as Visual Studio
Specialized viewers such as Quick View and ACDSee
Corel Office Suite
StarOffice/OpenOffice
Peachtree accounting applications

Selecting a Basic Forensic Workstation
Configuration Management – The process of keeping track of all upgrades and patches you apply to your computer operating system and application software.
Risk Management – Determining how much risk is acceptable for any process or operation, such as replacing equipment.
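Configuration management on a forensic workstation matters because the tools must be the validated versions when a case goes to court. The following is an added example, not code from the course or the textbook: it records a baseline of each tool's version and the SHA-256 of its binary, then diffs a later baseline against it so every upgrade or patch is logged. The tool names, file names and binary contents are constructed stand-ins.

```python
"""Configuration-management baseline for a forensic workstation (added example).

Each baseline records, per tool, the version string and the SHA-256 of the
binary on disk.  Hashing the binary catches a re-installed or patched tool
whose reported version did not change.  Tool names and contents are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(tools):
    """tools maps a tool name to (version, path); returns the recorded baseline."""
    return {name: {"version": version, "sha256": sha256_of_file(path)}
            for name, (version, path) in tools.items()}


def diff_baselines(old, new):
    """What changed between two baselines; this is what goes into the change log."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(name for name in set(old) & set(new) if old[name] != new[name]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: two tools are baselined, then one is patched and a
    third is installed.  Returns the diff the lab manager would record."""
    workdir = tempfile.mkdtemp()

    def install(name, content):
        # Constructed stand-in for installing a tool binary.
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(content)
        return path

    spy = install("drivespy.exe", b"constructed stand-in for DriveSpy 1.0")
    editor = install("diskedit.exe", b"constructed stand-in for a disk editor 2.1")
    first = build_baseline({"DriveSpy": ("1.0", spy), "DiskEditor": ("2.1", editor)})
    save_baseline(first, os.path.join(workdir, "baseline-1.json"))

    # A patch replaces the editor binary and a new hashing tool is installed.
    install("diskedit.exe", b"constructed stand-in for a disk editor 2.2")
    hasher = install("hasher.exe", b"constructed stand-in for a hashing tool 0.9")
    second = build_baseline({"DriveSpy": ("1.0", spy),
                             "DiskEditor": ("2.2", editor),
                             "Hasher": ("0.9", hasher)})
    return diff_baselines(load_baseline(os.path.join(workdir, "baseline-1.json")), second)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline after every install or patch and keep the JSON files with the case records; the diff between consecutive baselines is the audit trail that shows which tool versions were in use on which dates.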

Building a Business Case for Developing a Forensic Lab
Business Case – Justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading your facility.

Creating a Forensic Boot Floppy
Assemble the following tools:
Disk editor installed on your computer.
A blank, formatted floppy disk.
MS-DOS operating system.
Computer that can boot to a true MS-DOS level.
Forensic acquisition tool such as DriveSpy.
Write-blocking tool to protect the evidence.
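The reason for a true DOS boot and a write blocker is that the suspect drive must be bit-for-bit unchanged: a normal operating system boot writes to the drive (mount timestamps, journals, swap) before you touch anything. The following is an added example, not part of the course slides or the textbook, that models a drive as a bytearray with a toy software write blocker in front of it, acquires the drive sector by sector, and proves integrity by hashing the source before and after acquisition and comparing both against the hash of the image. The sector size, the "last mounted" stamp and the drive contents are constructed.

```python
"""Verifying that booting and acquisition did not alter the evidence (added example).

ReadOnlyDevice is a toy software write blocker: reads pass through, any write
raises.  RawDevice is the same medium with no blocker, which is what a
non-forensic boot sees.  Sector size and drive contents are constructed.
"""
import hashlib

SECTOR = 512  # constructed sector size for the toy medium


class WriteBlocked(Exception):
    """Raised when something tries to write through the blocker."""


class ReadOnlyDevice:
    """Toy write blocker: every write is refused before it reaches the medium."""

    def __init__(self, media):
        self._media = media

    def sector_count(self):
        return len(self._media) // SECTOR

    def read_sector(self, n):
        return bytes(self._media[n * SECTOR:(n + 1) * SECTOR])

    def write_sector(self, n, data):
        raise WriteBlocked(f"write to sector {n} refused")


class RawDevice(ReadOnlyDevice):
    """The same medium without a blocker."""

    def write_sector(self, n, data):
        self._media[n * SECTOR:(n + 1) * SECTOR] = data.ljust(SECTOR, b"\x00")


def image_hash(device):
    """SHA-256 over every sector, read through the device interface."""
    h = hashlib.sha256()
    for n in range(device.sector_count()):
        h.update(device.read_sector(n))
    return h.hexdigest()


def acquire(device):
    """Sector-by-sector copy of the evidence plus the hash of the copy."""
    image = b"".join(device.read_sector(n) for n in range(device.sector_count()))
    return image, hashlib.sha256(image).hexdigest()


def verified_acquisition(device):
    """Hash source, acquire, hash source again; all three digests must agree.
    A mismatch means the boot or the acquisition altered the evidence."""
    before = image_hash(device)
    image, image_digest = acquire(device)
    after = image_hash(device)
    return before == after == image_digest, before, image


def careless_boot(device):
    """Stands in for a non-forensic boot that stamps a 'last mounted' marker into
    sector 1 (constructed; real filesystems update timestamps and journals)."""
    device.write_sector(1, b"LAST MOUNTED BY WORKSTATION")


def make_media(sectors=8):
    """Constructed evidence drive: boot-sector signature plus numbered filler."""
    media = bytearray(SECTOR * sectors)
    media[0:2] = b"\xeb\x3c"
    media[510:512] = b"\x55\xaa"
    for n in range(1, sectors):
        media[n * SECTOR:(n + 1) * SECTOR] = bytes([n]) * SECTOR
    return media


def blocker_stops_write():
    """Booting through the blocker: the write is refused and the hash is unchanged."""
    dev = ReadOnlyDevice(make_media())
    before = image_hash(dev)
    try:
        careless_boot(dev)
    except WriteBlocked:
        pass
    return image_hash(dev) == before


def unblocked_boot_changes_evidence():
    """Booting without the blocker: the hash changes, so the evidence is contaminated."""
    dev = RawDevice(make_media())
    before = image_hash(dev)
    careless_boot(dev)
    return image_hash(dev) != before


if __name__ == "__main__":
    ok, digest, _ = verified_acquisition(ReadOnlyDevice(make_media()))
    print("acquisition verified:", ok, "sha256:", digest)
    print("blocker stopped write:", blocker_stops_write())
    print("unblocked boot altered evidence:", unblocked_boot_changes_evidence())
```

The three-way comparison is the check to record in the case notes: the source hash before acquisition, the source hash after, and the image hash. If the first two differ, something wrote to the drive during the boot or the copy and the boot media is not forensically sound.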

Creating a Forensic Boot Floppy (screenshot slides walking through the floppy preparation; images not captured in this transcript)

Retrieving Evidence Data Using a Remote Network Connection
Common tools: SnapBack, EnCase.

Chapter Summary
A computing-forensics lab is where you conduct investigations, store evidence, and perform most of your work.
A variety of computing-forensics hardware and software is needed.
Keep your skills up to date with plenty of training; many schools and companies provide training specific to computing forensics.
Your lab must be physically secure so that evidence is not lost, corrupted, or destroyed.
Take ergonomics into consideration.
Before you set up a computing-forensics lab, create a business case to justify acquiring new and better resources.

Chapter Summary
Creating a bootable forensic disk is necessary to make sure you do not contaminate digital evidence. Be sure the boot floppy disk does not alter any files on the suspect computer system.
If you are working on a LAN, you can retrieve evidence across the network if necessary.