COS/PSA 413 - PowerPoint PPT Presentation

Provided by: Rus966
Slides: 55

Transcript and Presenter's Notes

1
COS/PSA 413
  • Day 6

2
Agenda
  • Questions?
  • Assignment 2 Due
  • Lab 1 Write-ups Corrected
  • 1 A, 1 B, 2 Cs and 1 F
  • Lab 2 Write-ups Due tomorrow
  • Pay more attention to detail, answer the
    question!
  • Lab tomorrow at N105
  • Using Linux tools
  • Project 4-2, Project 4-5
  • Individual labs, no teams required
  • http://www.lowfatlinux.com/
  • Discussion on The Investigator's Office and
    Laboratory
  • Chapter 5 in 1e and Chapter 3 in 2e

3
The Investigator's Office and Laboratory
  • Chapter 5

4
Learning Objectives
  • Understand Forensic Lab Certification
    Requirements
  • Determine the Physical Layout of a Computer
    Forensics Lab
  • Select a Basic Forensic Workstation
  • Build a Business Case for Developing a Forensics
    Lab
  • Create a Forensic Boot Floppy
  • Retrieve Evidence Data Using a Remote Network
    Connection

5
Understand Forensic Lab Certification Requirements
American Society of Crime Laboratory Directors
(ASCLD): A national society that sets the
standards, management, and audit process for labs
used in crime analysis, including
computing-forensics labs used by the police, FBI,
and similar organizations.
6
Understand Forensic Lab Certification Requirements
  • Identify the duties of the lab manager and staff.
  • Set up the guidelines for managing cases.
  • Promote group consensus for decision making.
  • Establish and promote quality assurance.
  • Create and monitor lab policies.
  • Evaluate hardware and software needs.
  • Balance costs and needs.

7
Understand Forensic Lab Certification Requirements
Uniform Crime Report: Information collected at
the federal, state, and local levels to determine
the types and frequencies of crime committed.
Federal Reports: http://www.fbi.gov/ucr/ucr.htm
Regional Summaries: http://fisher.lib.virginia.edu/crime
8
Understand Forensic Lab Certification Requirements
9
Understand Forensic Lab Certification Requirements
Acquiring Certification and Training
International Association of Computer
Investigative Specialists (IACIS): One of the
oldest professional computing-forensics
organizations, IACIS was created by police
officers who wanted to formalize credentials in
computing investigations. IACIS restricts
membership to only sworn law enforcement
personnel or government employees working as
computer forensic examiners.
High Tech Crime Network (HTCN): A national
organization that provides certification for
computer crime investigators and
computing-forensics technicians.
10
Understand Forensic Lab Certification Requirements
Certified Electronic Evidence Collection
Specialist (CEECS): A certificate awarded by
IACIS upon completion of a written exam.
Certified Forensics Computer Examiner
(CFCE): A certification awarded by the IACIS
upon completion of the correspondence portion of
testing.
11
Understand Forensic Lab Certification Requirements
  • Certified Computer Crime Investigator, Basic
    Level
  • Candidates have two years of law-enforcement or
    corporate-investigative experience, or a
    bachelor's degree and one year of investigative
    experience.
  • Eighteen months of the candidate's experience
    directly relates to the investigation of
    computer-related incidents or crimes.
  • Candidates have successfully completed 40 hours
    of training from an approved agency,
    organization, or training company.
  • Candidates must provide documentation of at least
    10 cases in which they participated.

12
Understand Forensic Lab Certification Requirements
  • Certified Computer Crime Investigator, Advanced
    Level
  • Have three years of investigative experience in
    any area, or a bachelor's degree and two years of
    experience.
  • Four years of direct experience with the
    investigation of computer crimes.
  • Complete 80 hours of related training from an
    approved source.
  • Candidates served as lead investigator in at
    least 20 cases during the past three years and
    were involved with at least 40 cases as a lead
    investigator, supervisor, or in a supportive
    capacity.

13
Understand Forensic Lab Certification Requirements
  • Certified Computer Forensic Technician, Basic
    Level: A certificate awarded by the HTCN upon
    successful completion of its requirements. Same
    requirements as Certified Computer Crime
    Investigator, Basic Level, but all experience
    must be related to computer forensics.
  • Certified Computer Forensic Technician, Advanced
    Level: A certificate awarded by the HTCN upon
    successful completion of its requirements. Same
    requirements as Certified Computer Crime
    Investigator, Advanced Level, but all experience
    must be related to computer forensics.

14
Understand Forensic Lab Certification Requirements
EnCE: Certification program sponsored by
Guidance Software. EnCE certification is open to
both the public and private sector, and is
specific to the use and mastery of EnCase
computer forensic analysis.
15
Understand Forensic Lab Certification Requirements
  • Other Training and Certifications
  • High Technology Crime Investigations Association
    (HTCIA)
  • SysAdmin, Audit, Network, Security Institute
    (SANS)
  • Computer Technology Investigators Northwest
    (CTIN)
  • New Technologies, Inc. (NTI)
  • National Cybercrime Training Partnership (NCTP)
  • National White Collar Crime Center (NW3C)

16
Determine the Physical Layout of a Computer
Forensics Lab
Secure Facility: A facility that can be locked
and provides limited access to the contents.
TEMPEST: An unclassified term that refers to
facilities that have been hardened so that
electrical signals from computers, the computer
network, and telephone systems cannot be easily
monitored or accessed by someone from outside the
facility.
17
Determine the Physical Layout of a Computer
Forensics Lab
  • Identify Security Need Requirements
  • Small room with true floor to ceiling walls.
  • Door access with a locking mechanism, which can
    be either a regular lock or a combination lock;
    the key or combination must be limited to you and
    your manager.
  • Secure container such as a safe or file cabinet
    with a quality padlock that prevents the drawers
    from opening.
  • Visitor log listing all persons who have
    accessed your lab.

18
Determine the Physical Layout of a Computer
Forensics Lab
  • Ergonomics: The study of designing equipment to
    meet the human need for comfort while allowing
    for productivity.

19
Determine the Physical Layout of a Computer
Forensics Lab
20
Determine the Physical Layout of a Computer
Forensics Lab
21
Determine the Physical Layout of a Computer
Forensics Lab
  • Environmental Conditions
  • How large is the room, and how much air moves
    through it per minute?
  • Can the room handle the increased heat generated
    by the workstation?
  • What is the maximum number of workstations the
    room can handle?
  • How many computers will be located in this room?
  • Can the room handle a small RAID server's heat
    output?

22
Determine the Physical Layout of a Computer
Forensics Lab
  • Recommended Eyestrain Considerations
  • Chair height needs to bring the eye level to
    monitor.
  • Ensure proper distance from monitor.
  • Place material to be viewed while looking at the
    monitor at the same level as the monitor.
  • Use zoom when reading small font.
  • Make sure monitor is clear of glare. Use a filter
    screen if necessary.
  • Use adequate lighting.
  • Eliminate direct light on the computer monitor.

23
Determine the Physical Layout of a Computer
Forensics Lab
  • Continued...
  • Have regular eye exams and if necessary, buy a
    pair of prescription glasses.
  • Take breaks often and let your eyes focus at
    distant objects.

24
Determine the Physical Layout of a Computer
Forensics Lab
  • Structural Design Considerations
  • Ensure the lab is a secure room.
  • Use heavy construction materials if possible.
  • Look for large openings in walls, ceilings, and
    floors.
  • Avoid windows in lab exterior.
  • Verify computer systems are facing away from any
    internal or external windows.

25
Determine the Physical Layout of a Computer
Forensics Lab
  • Electrical Needs
  • Ensure enough amperage is supplied to the lab.
  • Organize outlets for easy access.
  • Install an Uninterruptible Power Supply (UPS) for
    important computer systems.

26
Determine the Physical Layout of a Computer
Forensics Lab
  • Communications
  • Dedicated ISDN is preferred for computer network
    and voice communications.
  • Dial-up Internet Access should also be available.
  • Do not keep forensic workstations attached to the
    Internet.
  • Consider installing a dedicated network for the
    computer forensics computers.

27
Determine the Physical Layout of a Computer
Forensics Lab
  • Fire-Suppression Systems
  • If necessary, install a dry chemical
    fire-suppression system.
  • Verify the lab has a sprinkler system installed.
  • Install dry chemical fire extinguishers.

28
Determine the Physical Layout of a Computer
Forensics Lab
29
Determine the Physical Layout of a Computer
Forensics Lab
  • Evidence Locker Recommendations
  • The evidence locker should be located in a
    restricted area that is only accessible to lab
    personnel.
  • The number of people authorized to open the
    evidence container should be kept to a minimum.
  • All evidence containers should remain locked when
    they are not under the supervision of an
    authorized person.

30
Determine the Physical Layout of a Computer
Forensics Lab
  • Evidence Locker Combination Recommendations
  • Provide the same level of security for the
    combination as the content of the container.
  • Destroy any previous combinations after setting
    up a new combination.
  • Allow only authorized personnel to change lock
    combinations.
  • Change the lock combinations every six months and
    when an authorized person leaves the organization.

31
Determine the Physical Layout of a Computer
Forensics Lab
  • Evidence Locker Padlock Recommendations
  • Appoint a key custodian responsible for
    distributing keys.
  • Stamp sequential numbers on each duplicate key.
  • Maintain a registry listing each assigned key.
  • Conduct a monthly audit to ensure no keys were
    lost.
  • Take an inventory of all keys.
  • Leave the keys in the lab.
  • Change locks and keys annually.
  • Do not use a master key for several locks.

32
Determine the Physical Layout of a Computer
Forensics Lab
  • Facility Maintenance
  • Repair any damages immediately.
  • Consider anti-static pads.
  • Maintain two separate trash containers.

33
Determine the Physical Layout of a Computer
Forensics Lab
  • Physical Security Needs
  • Maintain a sign-in log for all visitors.
  • Hire a security guard, if necessary.

34
Determine the Physical Layout of a Computer
Forensics Lab
  • Auditing a Computer Forensics Lab
  • Inspect the ceiling, floor, roof, and exterior
    walls.
  • Inspect doors to make sure they close and lock
    correctly.
  • Check the locks to see if they are damaged or
    need to be replaced.
  • Review the visitor log.
  • Review the logs for evidence containers.
  • Secure any evidence at the end of the workday
    that is not being processed.

35
Determine the Physical Layout of a Computer
Forensics Lab
36
Determine the Physical Layout of a Computer
Forensics Lab
37
Determine the Physical Layout of a Computer
Forensics Lab
38
Selecting a Base Forensic Workstation
Special Interest Groups (SIG): Associated with
various operating systems, these groups maintain
Listservs and may hold meetings to exchange
information about current and legacy operating
systems.
39
Selecting a Base Forensic Workstation
  • Consider stocking the following hardware
    peripherals:
  • 40-pin 18-inch and 36-inch IDE cables, both
    ATA-33 and ATA-100 or faster.
  • Ribbon cables for floppy disks.
  • Extra SCSI cards.
  • Graphics cards, PCI and AGP.
  • Extra power cords.
  • A variety of hard disk drives.
  • Laptop hard drive connectors.
  • Computer handheld tools such as screwdrivers and
    pliers.

40
Selecting a Base Forensic Workstation
  • Maintain Operating System and Application
    Inventories
  • Office XP, 2000, 97, 95
  • Quicken
  • Programming language applications such as Visual
    Studio
  • Specialized viewers such as QuickView and ACDC
  • Corel Office Suite
  • StarOffice/OpenOffice
  • Peachtree accounting applications

41
Selecting a Base Forensic Workstation
Configuration Management: The process of keeping
track of all upgrades and patches you apply to
your computer operating system and application
software.
Risk Management: Involves determining how much
risk is acceptable for any process or operation,
such as replacing equipment.
42
Building a Business Case for Developing a
Forensic Lab
Business Case: Justification to upper management
or a lender for purchasing new equipment,
software, or other tools when upgrading your
facility.
43
Creating a Forensic Boot Floppy
  • Assemble the following tools:
  • Disk editor installed on your computer
  • A blank floppy disk that has been formatted
  • MS-DOS operating system
  • Computer that can boot to a true MS-DOS level
  • Forensic acquisition tool such as DriveSpy
  • Write-blocking tool to protect the evidence

44
Creating a Forensic Boot Floppy
45
Creating a Forensic Boot Floppy
46
Creating a Forensic Boot Floppy
47
Creating a Forensic Boot Floppy
48
Creating a Forensic Boot Floppy
49
Creating a Forensic Boot Floppy
50
Creating a Forensic Boot Floppy
51
Creating a Forensic Boot Floppy
52
Retrieving Evidence Data Using a Remote Network
Connection
  • Common Tools
  • SnapBack
  • EnCase

53
Chapter Summary
  • A computing-forensics lab is where you conduct
    investigations, store evidence, and perform most
    work. A variety of computing-forensics hardware
    and software is needed.
  • Be sure to keep your skills up to date with
    plenty of training. Plenty of schools and
    companies provide specific training for
    computing-forensics.
  • Your lab must be physically secure so that
    evidence is not lost, corrupted, or destroyed. Be
    sure to take ergonomics into consideration.
  • Before you set up a computing-forensics lab,
    create a business case. Justify acquiring new and
    better resources.

54
Chapter Summary
  • Creating a bootable forensic disk is necessary to
    make sure you do not contaminate digital
    evidence. Be sure the boot floppy disk does not
    alter any files on the suspect computer system.
  • If you are working on a LAN, you can retrieve
    evidence across the network if necessary.
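The summary's requirement that the boot disk must not alter any file on the suspect system is verifiable rather than a matter of trust. The script below is an added example (not part of these slides or the course's lab material): it hashes a capture of the suspect media taken before the forensic boot and one taken after, records the whole-image SHA-256 for the case log, and pinpoints any sector whose content changed or any change in the media's size. The 512-byte sector size and the two sample images are assumptions constructed for the example; the same comparison applies to any handling step, not only a floppy boot.

```python
"""Integrity check for suspect media: did a forensic boot (or any other
handling step) alter the media?

Two captures of the same media are compared: the whole-image digest is the
value recorded in the case log, and per-sector digests locate exactly which
sectors changed instead of only reporting that "the hash differs".
"""
import hashlib

SECTOR_SIZE = 512  # assumed sector size (classic floppy and IDE media)


def image_digest(image: bytes) -> str:
    """SHA-256 of the whole image, i.e. the value you would record in the case log."""
    return hashlib.sha256(image).hexdigest()


def sector_hashes(image: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """Per-sector SHA-256 digests; a short trailing sector is hashed as-is."""
    return [
        hashlib.sha256(image[off:off + sector_size]).hexdigest()
        for off in range(0, len(image), sector_size)
    ]


def changed_sectors(before: bytes, after: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Compare two captures of the same media.

    Returns a dict with:
      'unchanged'   True only when both captures are byte-identical
      'modified'    indices of sectors present in both captures whose content differs
      'size_delta'  len(after) - len(before); non-zero means the media grew or was truncated
    """
    h_before = sector_hashes(before, sector_size)
    h_after = sector_hashes(after, sector_size)
    common = min(len(h_before), len(h_after))
    modified = [i for i in range(common) if h_before[i] != h_after[i]]
    return {
        "unchanged": before == after,
        "modified": modified,
        "size_delta": len(after) - len(before),
    }


def build_sample() -> tuple:
    """Constructed sample data (not a real evidence image).

    The baseline is an 8-sector image. The second capture simulates a boot
    process that wrote one byte into sector 2 and appended a sector to the end.
    """
    baseline = bytes(range(256)) * 16          # 4096 bytes = 8 sectors of 512
    tampered = bytearray(baseline)
    tampered[1500] ^= 0xFF                     # offset 1500 lies in sector 2 (1024..1535)
    tampered += b"\x00" * 512                  # one extra sector appended
    return baseline, bytes(tampered)


if __name__ == "__main__":
    before, after = build_sample()
    print("baseline sha256:", image_digest(before))
    print("after    sha256:", image_digest(after))
    print("clean boot     :", changed_sectors(before, before))
    print("altering boot  :", changed_sectors(before, after))
```

In practice `before` and `after` would be read from two acquisition images of the same drive; a clean boot yields `unchanged: True` and an empty `modified` list, while any write by the boot medium shows up as specific sector indices that can be examined further.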