Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility
312
Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility
312eBook
Available on Compatible NOOK devices, the free NOOK App and in My Digital Library.
Related collections and offers
Overview
- Provides guidance on creating and managing a computer forensics lab
- Covers the regulatory and legislative environment in the US and Europe
- Meets the needs of IT professionals and law enforcement as well as consultants
Product Details
| ISBN-13: | 9780080949536 |
|---|---|
| Publisher: | Elsevier Science |
| Publication date: | 04/19/2011 |
| Series: | Establishing and Managing a Successful Facility Series |
| Sold by: | Barnes & Noble |
| Format: | eBook |
| Pages: | 312 |
| File size: | 546 KB |
About the Author
Andrew has been involved in several information security projects for the Government Communications Electronic Security Group (CESG), the Office of the E-Envoy, the police and a defense contractor. He acted as the technical advisor for the then National Crime Squad Data Acquisition and Recovery Team and he is currently on the committees for five information security and computer forensic conferences. He also sat on two working groups of the governments Central Sponsor for Information Assurance National Information Assurance Forum. He holds posts as an adjunct professor at Edith Cowan University in Perth, Australia and the University of South Australia in Adelaide.
He has authored six books in the areas of Information Warfare, Information Security and Digital Forensics, including co-authoring Digital Forensics Processing and Procedures, First Edition.
Read an Excerpt
Building a Digital Forensic Laboratory
Establishing and Managing a Successful FacilityBy Andy Jones Craig Valli
Syngress
Copyright © 2009 Elsevier, Inc.All right reserved.
ISBN: 978-0-08-094953-6
Chapter One
An Introduction to Digital Forensics
For gauging the scientific validity of evidence, it should be seen whether the technique in question can be or has been tested; whether the technique has been subjected to peer review and publication; its known or potential error rate; the existence of standards controlling its operation and whether the methodology in question has attracted widespread acceptance within the relevant scientific community.
—U.S. Supreme Court in Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579, 113 S.C.T. 2786 (1993); popularly referred to as the "Daubert Standard"
Introduction
As computers and microprocessor-controlled devices become more capable and have a greater number of services available, they have become more ubiquitous and are increasingly integrated into our everyday lives. They are used in an growing number of ways, and as a result of this, more and more information is stored on computers of all types, from the ubiquitous desktop computer to the laptop, the personal digital assistant (PDA), and an ever-increasing range of other devices. As a result of this, the term "digital forensics" is used throughout this book wherever possible since it more accurately reflects our environment than "computer forensics."
The increasing ubiquity of digital devices, and our reliance on them, will result in digital forensics playing an ever-greater role in both civil and criminal litigation. It has been estimated that over 85 percent of all crimes committed today leave a trail of digital evidence.
Digital forensics is in a state of transition from "art" to "science" and is moving from the domain of a small number of highly skilled experts to an integral component of the information security enterprise. This change has been driven by factors that range from the increasing maturity of the area to the growing reliance in all areas on computers. As organizations have steadily adopted new technologies and services, more and more volumes of information have been stored electronically. Partly as a result of this, legislation has been introduced to ensure this information is processed and stored in a suitable manner so privacy, corporate governance, and a range of other concerns can be appropriately satisfied. The transition of digital forensics from art to science has been assisted by the introduction and acceptance of procedures, as well as improved and more widely accepted digital forensic software. The growing maturity of the subject area has meant an increasing number of practitioners with experience, and academic institutes that are providing suitable courses and qualifications.
Some History
Digital Forensics emerged as a scientific discipline initially developed in the U.S. by federal law enforcement agents in the mid- to late 1980s. The development started shortly after the introduction of personal computers (PCs) into businesses at the start of the 1980s when U.S. federal law enforcement organizations noticed the rise of white-collar crimes that were aided by these new personal computers. In the period since then, the processing power, storage capacity and speed of PCs has increased enormously. The field of digital forensics has had to keep pace with these developments and been forced to diversify so that today it has expanded to encompass a range of disciplines involving computers, networks, telecommunications, security, law enforcement, and the criminal justice system.
From the outset, it is important to understand that the examination of computers and their associated peripheral devices is not only related to criminal offenses, but also addresses the general business environment for civil litigation issues. A failure to follow the correct procedures in either criminal or civil cases may render the evidence that has been gained, often at considerable effort and expense, worthless and unusable.
A number of important concepts have been developed as the art and science of digital forensics has evolved. Computing and information technology is relatively young in scientific terms, and is still in its infancy in legal terms. Digital forensics is a new discipline that has been born of this highly volatile and uncertain environment.
It is worth starting this book with a definition of digital forensics, but as with anything related to information technology, the term has a range of interpretations. The first definition given here is from one of the earliest and most respected of organizations, the Scientific Working Group for Digital Evidence. It defines digital forensics as:
Any information of probative value that is either stored or transmitted in binary form.
This definition is very concise, but at the same time generic and all encompassing, but for the practitioner it is not, in many ways, particularly helpful. A more useable definition is that:
Computer forensics is the collection, preservation, analysis, and court presentation of digital-related evidence.
Another useful definition that has been attributed to Mark Pollit, a retired FBI special agent is:
Digital forensics is the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law.
The US-CERT defines digital forensics as:
... the discipline that combines elements of law and digital science to collect and analyze data from digital systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.
The point that all these definitions make is that digital forensics is not just about science, but also about the law. A failure to satisfy either aspect will mean that any investigation has failed.
Digital evidence is obtained from digital devices and associated peripheral devices through the application of digital investigation and analysis techniques, the data from which is preserved in a scientifically sound manner in an electronic form. The evidence can then be analyzed using acceptable and repeatable processes without fear of the evidence being contaminated by the analysis process. Once the analysis is completed, the necessary reports can be produced in a suitable form.
Principles of Digital Forensics
As the art and science of digital forensics has developed, four underlining principles have evolved and are now widely accepted. As defined in the UK Association of Chief Police Officers (ACPO) Good Practice Guide for Computer-Based Electronic Evidence, the principles are:
* Principle 1: No action taken by law enforcement agencies or their agents should change data held on a digital device or storage media which may subsequently be relied upon in court.
* Principle 2: In circumstances where a person finds it necessary to access original data held on a digital device or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
* Principle 3: An audit trail or other record of all processes applied to digital device-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
* Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
These principles have been developed within the law enforcement environment, which should not be surprising since it was law enforcement that was the first adopter in order to gather evidence for criminal cases. In the commercial environment, these principles hold equally true, and it should never be forgotten that an investigation started for civil litigation may become a criminal investigation.
Forensic evidence of all types must be collected by following rigorous and well-tested procedures in order to protect any such evidence from contamination or destruction, or from becoming subject to claims of tampering and improper handling, and to establish and preserve the chain of custody. Digital forensic evidence is no different. By following good scientific principles, the fragile and easily altered evidence collected will be provably sound and authentic. Any failure to follow the strict procedures developed and agreed upon may result in some digital evidence being excluded or limited by the courts.
The typical computer- or microprocessor-controlled device contains a range of potential sources of evidence to the skilled investigator. In modern computing devices, the places where information can be stored include the hard disk, the random access memory (RAM), CDs, DVDs, thumb drives, flash memory devices, and other external storage or processing devices that may be connected by wires, Bluetooth, WiFi, or infrared. To deal with this range of places where information that may be of evidential value can be stored, employing the specific knowledge and tools in order to safely access the information requires an increasing range of skills and experience.
Procedures
In order to satisfy the four principles, it is essential that the digital forensic investigation be undertaken using a set of procedures that have developed as the science, technology, and law have evolved. The procedures detailed next generate part of the evidence that demonstrates that the principles have not been breached. Some of the procedures in the digital forensic process are:
* Log all Actions: All actions taken in the investigation should be logged. This provides a record of all of actions taken at all stages of the investigation and serves a number of purposes. In addition to providing a record that all of the required actions were taken and carried out in the proper manner, this can also be used as a checklist for the investigators to make sure they have not missed anything.
* Record the Scene: Before any of the equipment at the scene is disturbed, either photographs or a video should be taken of the scene, including all of the connections related to the equipment. Once the initial photos of the scene have been made, it may be necessary to move the equipment slightly to give access to the rear of the equipment and the connections. If photographic or video equipment is not available, a diagram should be made to record the information; however, these days, this should be the exception. This will again form part of the evidence, but will also provide vital information if it becomes necessary to reconstruct the equipment in the laboratory. There is nothing worse than removing a large number of cables and devices, storing them and transporting them, following the appropriate procedures, only to find you cannot put it back together the way it was originally configured because you do not have the necessary information.
(Continues...)
Excerpted from Building a Digital Forensic Laboratory by Andy Jones Craig Valli Copyright © 2009 by Elsevier, Inc.. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Table of Contents
SECTION I: Computer Related Crime Investigations and Computer Forensics Management Support.This section provides a background to computer crime and addresses the Computer Forensics management issues related to Computer Forensic Incidents and Crime Investigations. It looks at how investigations are carried out, what needs to be considered in the planning of an investigation and the conduct of the investigation including the collection and storage of evidence. The section finishes with a number of case studies to highlight how things can go well if they are done properly and how they can go wrong if they are not.
Chapter 1. A Short History of Computer-Related Crimes and the Developing Need for Computer Forensics. This chapter will provide an overview of computer-related crimes from the less sophisticated and localized dial-up computer crimes to today's sophisticated, global, network attacks; as well as the history of the development of the computer forensics profession and increasingly formal computer forensics laboratories.
Chapter 2. An Introduction to Computer Forensics. This chapter provides an overview of the important concepts associated with "computer forensics." It describes the potential sources of evidence available in the typical microcomputer, how to conduct a search for evidence, and a method of conducting a search in a systematic and effective manner.
Chapter 3. Types of Forensic Investigation. This chapter will include the reasons for carrying out the investigation and the type of investigation that is being undertaken, for example single computer, network or mobile devices.
Chapter 4. Responding to Crimes requiring Computer Forensic Investigation. This chapter will talk about what actions are required, the management considerations and just as importantly, what should not be done when responding to a high tech crime scene. It will deal with the differing requirements that must be considered for the range of types of investigation that the laboratory may be called on to take part in including; stand alone PCs, Servers, Networks, Live Acquisition and wireless and will discuss the management issues that relate to the use of function specific tools.
Chapter 5. Management of the Collections of Evidence. As the title states, this chapter will talk about the management issues that relate to the collection of high technology crime scene evidence, a crucial part of any high technology investigation. It will also deal with issues such as continuity of evidence in of custody.
Chapter 6. Management of evidence storage. This chapter will address the issues that relate to the storage of evidence and the management issues that need to be considered to ensure that it is carried out effectively and to meet the relevant rules and legislation. We will also address the difficult question of long term storage periods, a particular problem for Law Enforcement.
Chapter 7. High Technology Crimes: Case Summaries. This chapter gives a range of cases that illustrate the types of incidents that may be encountered under the general grouping of high technology crimes. There are examples of cases that have been successful and other examples that highlight that a lack of good procedures can lead to considerable expense, loss of credibility and embarrassment. This chapter will also address the specific roles that the computer forensics laboratory and staff play in each of the cases cited.
SECTION II: Creating a Computer Forensics Laboratory.
This Section will provide a background explanation of Computer Forensics and address management issues related to the creation of a laboratory and a computer forensic investigations laboratory. The section will include an introduction to computer forensics and the types of investigation that may be encountered and will give advice on things that need to be considered when establishing a laboratory. The section will give advice on how to develop a workable business plan and an insight into where to locate the lab and how big it should be. The section also deals with the vitally important issue of quality assurance so that the efforts and risks taken are not wasted and the organisation gains and maintains a good reputation. Finally the section looks at staff selection, training and support and the regulations, standards and legislation that will need to be complied with if the lab is to be credible and successful.
Chapter 8. Establishing and Managing a Computer Forensics Laboratory. The chapter will provide the reader with a discussion of the "basic how-to" of establishing and managing a computer forensics laboratory based on real-world experience.
NOTE: It's based on the authors' many years of hands-on, real-world experiences in conducting computer-related crime investigations and establishing and managing computer forensics laboratories. It is not a theoretical discussion as has been the case by some inexperienced authors who have never conducted computer-related investigations nor established and managed computer forensics laboratories.
Chapter 9. Scoping the requirement for the Laboratory. This chapter will draw upon the experience of the authors to provide guidance on how to scope out the requirement for the laboratory. This will include guidance on the potential throughput and the number of staff and the quantity and type of equipment that will be required to satisfy the anticipated workload. This chapter will also discuss how to identify computer forensics laboratory requirements and establishing the required budget to support the development of the laboratory.
Chapter 10. Developing the Business Plan. This chapter will cover the development of the business plan for the creation and running of the computer forensics laboratory.
Chapter 11. The location and size of the Laboratory. This chapter will address a range of issues that must be considered when deciding on the location of the laboratory. This will include the location of the laboratory in terms of the geographic location, the location with regard to the owning organisation and the location of the laboratory within a building.
Chapter 12. Selecting the staff. This chapter will discuss a range of the issues that are related to the selection of the right staff for the laboratory. The chapter will include assessment of the suitability of staff, their qualifications and experience, their references and, if required their background checks and security vetting. The chapter will also deal with the requirement for the provision of support for staff including counseling and psychiatric assessment.
Chapter 13. Training. This chapter will address the requirement for staff training and the achieving the balance between enough training to create and maintain an effective laboratory and excessive training, which is likely to cause unnecessary costs and to leave the organisation vulnerable to poaching of staff by rival companies or organisations. It will also address a strategy for the development of specialist areas within the teams. Specific entities will be addressed where staff members can get the needed training both online and through a number of identified lectures and conferences; as well as a sample staff training needs identification and project plan to address deficiencies and maintain currency in all aspects of the profession of computer forensics laboratory specialist.
Chapter 14. Quality Assurance. This chapter will address the vitally important issue of Quality Assurance and will describe when it should be carried out, who should do it and to what standards.
Chapter 15. Legislation, Regulation and Standards. This chapter will look at a range of the International, national and local legislation and regulations that must be addressed if the Laboratory is to fulfill its role and be credible and efficient. The chapter will also look at issues such as Data protection and Human rights laws and the impact that this may have on the resources and methods used to carry out investigations.
SECTION III: Managing a Computer Forensics Laboratory and Computer-Related Crime Investigative Support
This Section gives an overview of the management issues related to a computer forensics laboratory and the investigations profession. The section looks at the roles within the laboratory and why and how to develop credible plans for the Laboratory at all levels. It also examines a number of methods for the measurement of the effectiveness of the laboratory -- figures that will be vital in workload management and supporting the plans that are put forward. The section also looks at the wider issues of information sharing and sources of valuable information that can enhance the capability of the laboratory.
Chapter 16. Understanding the Role of the Computer Forensic Laboratory Manager. The objective of this chapter is to describe and discuss the major functions of the Computer Forensics laboratory Manager that need to be carried out and a description of the flow processes that can be used to establish the baseline in performing the computer forensics laboratory functions.
Chapter 17. The Computer Forensics Laboratory Strategic, Tactical, and Annual Plans. The objective of this chapter is to establish the plans for the Computer Forensics Laboratory that provide the subsets of the parent organization's Strategic, Tactical, and Annual Plans. These plans will set the direction for the organization's high technology anti-crime program while integrating the plans into organization's plans, thus indicating that the high technology anti-crime program is an integral part of the organisation.
Chapter 18 Sources of information, Networking and Liaison. The objective of this chapter is to identify, describe and discuss a range of information sources of various types, joining and establishing networks with your peers, and liaison with outside agencies.
Chapter 19. Computer Forensics Investigation Laboratory Metrics Management System. The objective of this chapter is to outline and discuss the identification, development and use of suitable metrics to assist in managing a high technology crime investigations laboratory and high technology crime prevention program. The chapter will look at a number of initiatives such as those at the National E Crime Prevention Centre and the UK Met Police/ ACPO initiative and the Internet Watch Foundation that have been undertaken around the world, but specifically in the USA, Europe and Australia.
Chapter 20. Workload Management and the Outsourcing option. Having the right level of resources to meet the demands that will be put on the Laboratory not always be achievable, but should be planned for. Outsourcing is a management tool that can help in balancing the workload and can also help to save money. This chapter will look at the possibilities of outsourcing this function and a process that can be used to make that determination.
SECTION IV: Future Computer Forensic Investigation Challenges.
This Section looks at the challenges in computer forensic investigations and their management that are expected to affect the people involved in the future. The section looks at the needs of the staff for a career path in the relevant disciplines and also looks at the changing importance of computer forensics in the criminal justice system and the technological developments that are likely to affect our ability to support investigations. The section finishes with some final thoughts by the authors.
Chapter 21. Developing a Career in Computer Forensics Management. The objective of this chapter is to provide the computer forensic investigator with a career development plan outline that can be used in developing a career as a computer forensic laboratory manager.
Chapter 22. The Future of Computer Forensics, its supporting laboratory needs and its role in crime investigations. This chapter looks at the effect that changes in the technologies and the ways in which they are used will affect computer forensics and the role that this plays in an increasing range of criminal investigations. As computing devices become more ubiquitous, so the range of crimes that will potentially involve computers will increase. This chapter will look at the implications of these changes and give advice on the issues that will need to be considered,
Chapter 23. The Future of Computer Forensics in the Criminal Justice Systems. This chapter takes a look at the role of computer forensics and its laboratory in the criminal justice system and the issues that will arise as technologies and crime change and legislation is modified to keep pace.
Chapter 24. A Summary of Thoughts, Issues and Problems. This chapter discusses what might happen in a dynamic organisation that drastically changes the computer forensics laboratory, the crime prevention program and the laboratory manager's role.
Chapter 25. Conclusions. This chapter will summarize the book and provide a few final thoughts and pieces of advice from the authors.
Appendices: This will include Computer Forensics related references and bibliography; and biographies of the authors.
What People are Saying About This
Fills the need of the growing number of IT and law enforcement professionals looking for information on digital forensics