Forensics Lab
Chad Henning
May 13th, 2014
Computer forensics is a career that most people get interested in to stop the bad guys from doing things that are illegal. They can find anything and everything that’s ever been done on a person’s computer in most cases. Surprisingly, 80-90% of a computer forensic examiners job is to stop child pornography. “Child pornography is insidious on its face, as a relationship between the possession of child pornography and child molestation has been well document both in the academic literature and judicial opinions” (Britz 95). In order to stop these criminals a good forensics expert needs to create a good computer forensics lab. To create a good forensics lab finding the right place is necessary, having all the right tools, and storing the evidence correctly.
When trying to find a good computer forensics lab one needs to find a place that is private and secure. This place should have good physical access controls which will let the right people in and the wrong people out. This place will need to have the proper electrical system in order to maintain all the power you will need to have a well run computer forensics lab; the expert will want at least one dedicated circuit just for their lab. Also needing to focus on having the proper cooling to keep the heat created from all that electricity from destroying all the evidence. Many computer forensics experts use a dual hose portable air conditioner to keep it the proper temperature and to reduce the risk of a system meltdown (K Rudolph). One of the biggest things to focus on is privacy; it is the highest objective of any computer forensics lab to keep everything private. This is why there are so many physical access controls to ensure that you don’t have people around when you are examining evidence and so no one can tamper with any evidence. Privacy means that anybody that is not authorized can see what the forensics experts are doing at any time.
Carefully protecting the privacy of the victims is key to maintaining credibility in this industry. The information of all that are involved must be protected absolutely with any of investigations. They say that a forensic lab is similar to a business in the way that one bad situation can cost an expert their reputation. This means that the forensics expert won't be able to work any serious cases. That will also limit the amount of money they can make in this industry and because it costs so much money to buy everything that is necessary to run a forensics lab, the forensics expert will have to shut it down.
There have been a number of cases where a forensic examiner has misplaced serious evidence letting a criminal go free. In some cases, those same criminals continue to do their crimes and potentially harm more individuals. This should be prevented at all costs as it is very important. This is the reason the idea of security is vital. We have previously talked about all the different access controls that are necessary to prevent such a situation, but it's very important to stress again. Many people may think they have lost evidence if they are new to computer forensics because they accidentally formatted a drive or deleted the evidence by mistake, but that is not the case. The forensics expert can absolutely still recover many documents that have been erased or overwritten. This does require some skills at data recovery, but at least the expert will be able to have an opportunity to recover evidence that may have cost the expert their career. Any proper computer forensics lab will have someone that specializes in data recovery, it's a big part of the job.
Some of the best tools for a computer forensics lab are expensive. This is not something to go into if a potential forensics expert is tight on money to start out with. One of the main tools used are write blockers, which let a person go into the data stored on a drive but block the computer from writing to that drive. The write blocker tricks the computer into thinking that the write has taken place, but blocks it so that all evidence remains the same. “If you choose to use a software write blocker, drive kits will become your best friends” (Cowen 41). Drive kits are used to connect easily to an internal drive using USB or something else that is convenient rather than having to haul a huge computer around and try to put the internal drive into it. An expert must have external storage, using USB 3.0 is the best external storage available at this time (EC-Council). USB 3.0 has a high transfer rate to expedite any file transfers that are needed. Screwdriver kits are used to remove drives from laptops. This may sound like something simple, but if an expert tries to remove one without a screwdriver soon see the screwdriver kit is a clear necessity. Antistatic bags are not expensive, but are a high priority item. Static discharge can destroy a drive and that means destroying evidence. “Electrostatic discharge (ESD) is the release of static electricity when two objects come into contact. Familiar examples of ESD include the shock we receive when we walk across a carpet and touch a metal doorknob and the static electricity we feel after drying clothes in a clothes dryer" (Rouse). Adapters are used to adapt new hardware with old hardware very quickly. The biggest piece to a computer forensics expert’s tool box will always be there forensic software and that can cost thousands of dollars. There are free options available such as SIFT (Sans Investigate Forensics Toolkit). One of the most expensive options for forensics software would be Encase, which is not only difficult to use but can run you around $3,000. There are some experts who have most of the software available because they find that if one program can’t find the issues then another one will.
Storing all cases evidence can be pricy because the size of the files a forensics expert needs to store can exceed 1 TB and in some cases be even more than that. If you have priced out hard drive space recently than you probably realized how much it would cost to have 30 cases that averaged 1 TB each. Something like that would easily run into the thousands, but that’s one of the reasons computer forensics experts are paid well. When it comes to storing all your evidence, an expert again needs to make sure that they have the proper electrical with a UPS(uninterruptible power supply) to make sure none of their data is ever lost. Experts might keep their labs and their evidence in the same room which can be fine as long as they keep it secure. If the forensics expert does not plan to keep them in the same room then they must make sure to use the same precautions in the data room as they did with the computer forensics lab. It doesn’t matter if they are currently working on something or if it is 5 years old, all evidence must be secured. The expert may consider using locks, security guards, keypads, or anything used to keep the wrong people out. “Privacy may be the most practical requirement for your lab” (Cowen 37). Maintaining privacy is something that becomes a habit, so if an expert practices making all the right moves all the time, keeping all the security measures in place will become easy. This is what all the top forensic labs have in common because they understand the value in privacy as well as maintaining a chain of custody. All experts must know exactly who has access to the evidence at all times. If something is to go wrong with the evidence or it is to come into question, the court will take a look at the chain of custody to see who had access to the evidence. This is usually bad for anyone on the chain of custody sheet because best case scenario, they are said to have done their job correctly, but worst case scenario all the blame falls onto them and their careers could be over. The computer forensics career path can be a very unforgiving one. This is something to take into consideration before an expert ever makes their first computer forensics lab. There are not too many jobs out there that require this much start up money, as well as big money to maintain your forensics lab. Then to top it all off they have a high risk of destroying their own career and having all of their income gone in the time it takes to make one serious mistake. The risk, of course, is reduced based on the experts commitment to following all the rules of access controls.
When creating a computer forensics lab an expert needs to understand the importance of security and privacy. The forensics expert must have the best available tools so that they can do the best possible job to stop bad people from doing bad things. Making sure they store their data/evidence properly is very important so that once you catch the criminals, they remain in jail where they belong. Computer forensics can be very costly, but in the long run it is very much worth it to help put bad people behind bars where they belong.
Works Cited
Britz, Marjie T. Computer forensics and cyber crime. Prentic Hall, 2009.
Cowen, David. INFOSEC PRO GUIDE COMPUTER FORENSICS. Mcgraw Hill, 2010.
EC-Council. Computer Forensics: Hard disk and Operating Systems. Cengage Learning, 2009.
K Rudolph, Neil Broom, Diane Barrett. Computer Forensics Jumpstart 2nd Edition. Wiley, 2011.
Rouse, Margaret. March 2011. <<http://whatis.techtarget.com/definition/electrostatic-discharge-ESD>.>.
