Document 7722475


COS/PSA 413
Day 6
Agenda
• Questions?
• Assignment 2 Due
• Lab 1 Write-ups Corrected
  – 1 A, 1 B, 2 C’s and 1 F
• Lab 2 Write-ups Due tomorrow
  – Pay more attention to detail, answer the question!
• Lab tomorrow at N105
  – Using Linux tools
  – Project 4-2, Project 4-5
  – Individual labs, no teams required
  – http://www.lowfatlinux.com/
• Discussion on The Investigator’s Office and Laboratory
  – Chapter 5 in 1e and Chapter 3 in 2e
The Investigator’s Office and Laboratory
Chapter 5
Learning Objectives
• Understand Forensic Lab Certification Requirements
• Determine the Physical Layout of a Computer Forensics Lab
• Select a Basic Forensic Workstation
• Build a Business Case for Developing a Forensics Lab
• Create a Forensic Boot Floppy
• Retrieve Evidence Data Using a Remote Network Connection
Understand Forensic Lab Certification Requirements
American Society of Crime Laboratory
Directors (ASCLD) – A national society
that sets the standards, management,
and audit process for labs used in crime
analysis including computing-forensics
labs used by the police, FBI, and similar
organizations.
Understand Forensic Lab Certification Requirements
Identify the duties of the lab manager and staff:
-Set up the guidelines for managing cases.
-Promote group consensus for decision making.
-Establish and promote quality assurance.
-Create and monitor lab policies.
-Evaluate hardware and software needs.
-Balance costs and needs.
Understand Forensic Lab Certification Requirements
Uniform Crime Report – Information collected at
the federal, state, and local levels to determine
the types and frequencies of crime committed.
Federal Reports
http://www.fbi.gov/ucr/ucr.htm
Regional Summaries
http://fisher.lib.virginia.edu/crime
Understand Forensic Lab Certification Requirements
Acquiring Certification and Training
International Association of Computer Investigative
Specialists (IACIS) – One of the oldest professional
computing-forensics organizations, IACIS was created by
police officers who wanted to formalize credentials in
computing investigations. IACIS restricts membership to
only sworn law enforcement personnel or government
employees working as computer forensic examiners.
High Tech Crime Network (HTCN) – A national
organization that provides certification for computer crime
investigators and computing-forensics technicians.
Understand Forensic Lab Certification Requirements
Certified Electronic Evidence Collection
Specialist (CEECS) – A certificate awarded by
IACIS upon completion of a written exam.
Certified Forensics Computer Examiners
(CFCE) – A certification awarded by the IACIS
upon completion of the correspondence portion of
testing.
Understand Forensic Lab Certification Requirements
Certified Computer Crime Investigator, Basic Level
-Candidates have two years of law-enforcement or
corporate-investigative experience or a bachelor’s degree
and one year of investigative experience.
-Eighteen months of the candidate's experience directly
relates to the investigation of computer-related incidents
or crimes.
-Candidates have successfully completed 40 hours of
training from an approved agency, organization, or training
company.
-Candidates must provide documentation of at least 10
cases in which they participated.
Understand Forensic Lab Certification Requirements
Certified Computer Crime Investigator, Advanced
Level
-Have three years of investigative experience in any area
or a bachelor’s degree and two years’ experience.
-Four years of direct experience with the investigation of
computer crimes.
-Complete 80 hours of related training from an approved
source.
-Candidates served as lead investigator in at least 20
cases during the past three years and were involved with
at least 40 cases as a lead investigator, supervisor, or in a
supportive capacity.
Understand Forensic Lab Certification Requirements
Certified Computer Forensic Technician, Basic Level – A
certificate awarded by the HTCN upon successful
completion of their requirements. Same requirements for
Certified Computer Crime Investigator, Basic Level, but all
experience must be related to computer forensics.
Certified Computer Forensic Technician, Advanced
Level – A certificate awarded by the HTCN upon
successful completion of their requirements. Same
requirements for Certified Computer Crime Investigator,
Advanced Level, but all experience must be related to
computer forensics.
Understand Forensic Lab Certification Requirements
EnCE – Certification program sponsored by
Guidance Software. EnCE certification is open to
both the public and private sector, and is specific
to the use and mastery of EnCase computer
forensic analysis.
Understand Forensic Lab Certification Requirements
Other Training and Certifications
-High Technology Crime Investigations Association
(HTCIA)
-SysAdmin, Audit, Network, Security Institute (SANS)
-Computer Technology Investigators Northwest (CTIN)
-New Technologies, Inc. (NTI)
-National Cybercrime Training Partnership (NCTP)
-National White Collar Crime Center (NW3C)
Determine the Physical Layout of a Computer Forensics Lab
Secure Facility – A facility that can be locked
and provides limited access to the contents.
TEMPEST – An unclassified term that refers to
facilities that have been hardened so that
electrical signals from computers, the computer
network, and telephone systems cannot be easily
monitored or accessed by someone from outside
the facility.
Determine the Physical Layout of a Computer Forensics Lab
Identify Security Need Requirements
-Small room with true floor-to-ceiling walls.
-Door access with a locking mechanism, which can be
either a regular lock or combination lock; the key or
combination must be limited to you and your manager.
-Secure container such as a safe or file cabinet with a
quality padlock that prevents the drawers from opening.
-Visitors log listing all persons who have accessed your
lab.
Determine the Physical Layout of a Computer Forensics Lab
Ergonomics – The study of designing equipment
to meet the human need for comfort while
allowing for productivity.
Determine the Physical Layout of a Computer Forensics Lab
Environmental Conditions
-How large is the room, and how much air moves through
it per minute?
-Can the room handle the increased heat generated by
the workstation?
-What is the maximum number of workstations the room
can handle?
-How many computers will be located in this room?
-Can the room handle a small RAID server’s heat output?
Determine the Physical Layout of a Computer Forensics Lab
Recommended Eyestrain Considerations
-Chair height needs to bring the eye level to the monitor.
-Ensure proper distance from monitor.
-Place material to be viewed while looking at the monitor
at the same level as the monitor.
-Use zoom when reading small font.
-Make sure monitor is clear of glare. Use a filter screen if
necessary.
-Use lighting.
-Eliminate direct light on the computer monitor.
Determine the Physical Layout of a Computer Forensics Lab
Continued...
-Have regular eye exams and if necessary, buy a
pair of prescription glasses.
-Take breaks often and let your eyes focus at
distant objects.
Determine the Physical Layout of a Computer Forensics Lab
Structural Design Considerations
-Ensure the lab is a secure room.
-Use heavy construction materials if possible.
-Look for large openings in walls, ceilings, and floors.
-Avoid windows in lab exterior.
-Verify computer systems are facing away from
any internal or external windows.
Determine the Physical Layout of a Computer Forensics Lab
Electrical Needs
-Ensure enough amperage is supplied to the lab.
-Organize outlets for easy access.
-Install an Uninterruptible Power Supply (UPS) for
important computer systems.
Determine the Physical Layout of a Computer Forensics Lab
Communications
-Dedicated ISDN is preferred for computer network and
voice communications.
-Dial-up Internet Access should also be available.
-Do not keep forensic workstations attached to the
Internet.
-Consider installing a dedicated network for the computer
forensics computers.
Determine the Physical Layout of a Computer Forensics Lab
Fire-Suppression Systems
-If necessary, install a dry chemical fire-suppression system.
-Verify lab has a sprinkler system installed.
-Install dry chemical fire extinguishers.
Determine the Physical Layout of a Computer Forensics Lab
Evidence Locker Recommendations
-The evidence locker should be located in a
restricted area that is only accessible to lab
personnel.
-The number of people authorized to open the
evidence container should be kept to a minimum.
-All evidence containers should remain locked
when they are not under the supervision of an
authorized person.
Determine the Physical Layout of a Computer Forensics Lab
Evidence Locker Combination Recommendations
-Provide the same level of security for the combination as
the content of the container.
-Destroy any previous combinations after setting up a new
combination.
-Allow only authorized personnel to change lock
combinations.
-Change the lock combinations every six months and
when an authorized person leaves the organization.
Determine the Physical Layout of a Computer Forensics Lab
Evidence Locker Padlock Recommendations
-Appoint a key custodian responsible for distributing keys.
-Stamp sequential numbers on each duplicate key.
-Maintain a registry listing the assigned key.
-Conduct a monthly audit to ensure no keys were lost.
-Take an inventory of all keys.
-Leave the keys in the lab.
-Change locks and keys annually.
-Do not use a master key for several locks.
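The combination and padlock recommendations on the two slides above amount to a set of checks a key custodian can run against the key registry every month. As an added example that is not from the chapter or the slides, the Python script below audits a constructed registry for one evidence container: combination older than six months, combination not changed after an authorized person left, a gap in the sequentially stamped key numbers (an unaccounted key), a key not sighted at the last monthly inventory, and a key held by someone who is not an active authorized person. The container names, people, dates and the six-month/monthly thresholds are assumptions for the demonstration.

```python
"""Evidence-locker key and combination audit (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_COMBINATION_AGE = timedelta(days=182)  # combinations change at least every six months
MAX_INVENTORY_GAP = timedelta(days=31)     # every key is sighted at the monthly audit


@dataclass
class KeyRecord:
    serial: int            # sequential number stamped on the duplicate key
    holder: str            # person the key is issued to
    last_inventory: date   # last date the key custodian sighted the key


@dataclass
class Locker:
    name: str
    combination_changed: date      # date the current combination was set
    authorized: list               # people allowed to open the container
    keys: list = field(default_factory=list)


def audit_locker(locker, departed, today):
    """Return a list of findings for one evidence container.

    `departed` maps a person's name to the date they left the organization.
    An empty list means the registry satisfies every check.
    """
    findings = []

    # 1. Combination age: must have been changed within the last six months.
    if today - locker.combination_changed > MAX_COMBINATION_AGE:
        findings.append(f"{locker.name}: combination older than six months")

    # 2. Departures: an authorized person who left after the current
    #    combination was set still knows it, so it must be changed.
    for person, left_on in departed.items():
        if person in locker.authorized and left_on >= locker.combination_changed:
            findings.append(f"{locker.name}: combination not changed after {person} left")

    # 3. Sequential serials: a gap in the stamped numbers is an unaccounted key.
    serials = {k.serial for k in locker.keys}
    if serials:
        for missing in sorted(set(range(1, max(serials) + 1)) - serials):
            findings.append(f"{locker.name}: key #{missing} missing from registry")

    # 4. Per-key checks: sighted recently, and held by a current authorized person.
    for key in locker.keys:
        if today - key.last_inventory > MAX_INVENTORY_GAP:
            findings.append(f"{locker.name}: key #{key.serial} not sighted in the last monthly audit")
        if key.holder not in locker.authorized or key.holder in departed:
            findings.append(f"{locker.name}: key #{key.serial} held by {key.holder}, "
                            "who is not an active authorized person")

    return findings


def sample_audit():
    """Run the audit over a constructed registry with several violations."""
    today = date(2004, 3, 1)
    locker = Locker(
        name="Locker A",
        combination_changed=date(2003, 7, 15),
        authorized=["lab manager", "examiner 1", "examiner 2"],
        keys=[
            KeyRecord(1, "lab manager", date(2004, 2, 20)),
            KeyRecord(2, "examiner 1", date(2004, 2, 20)),
            KeyRecord(4, "examiner 2", date(2003, 12, 1)),  # serial 3 is missing
        ],
    )
    departed = {"examiner 2": date(2004, 1, 10)}  # left after the combination was set
    return audit_locker(locker, departed, today)


def compliant_audit():
    """Same checks over a registry that satisfies all of them (expected: no findings)."""
    today = date(2004, 3, 1)
    locker = Locker(
        name="Locker B",
        combination_changed=date(2004, 1, 5),
        authorized=["lab manager", "examiner 1"],
        keys=[
            KeyRecord(1, "lab manager", date(2004, 2, 20)),
            KeyRecord(2, "examiner 1", date(2004, 2, 20)),
        ],
    )
    return audit_locker(locker, {}, today)


if __name__ == "__main__":
    for finding in sample_audit():
        print(finding)
```

The constructed Locker A produces five findings (stale combination, departed examiner still knows it, missing key #3, key #4 not inventoried, key #4 held by a departed person); Locker B produces none. The departure check is deliberately independent of the age check, since a combination set last week is still compromised if an authorized person left yesterday.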
Determine the Physical Layout of a Computer Forensics Lab
Facility Maintenance
-Repair any damages immediately.
-Consider anti-static pads.
-Maintain two separate trash containers.
Determine the Physical Layout of a Computer Forensics Lab
Physical Security Needs
-Maintain a sign-in for all visitors.
-Hire a security guard, if necessary.
Determine the Physical Layout of a Computer Forensics Lab
Auditing a Computer Forensics Lab
-Inspect the ceiling, floor, roof, and exterior walls.
-Inspect doors to make sure they close and lock correctly.
-Check the locks to see if they are damaged or need to be
replaced.
-Review the visitors log.
-Review the logs for evidence containers.
-Secure any evidence at the end of the workday that is not
being processed.
Selecting a Base Forensic Workstation
Special Interest Groups (SIG) – Associated with
various operating systems, these groups maintain
Listservs and may hold meetings to exchange
information about current and legacy operating
systems.
Selecting a Base Forensic Workstation
Consider stocking the following hardware peripherals:
-40-pin 18-inch and 36-inch IDE cables, both ATA-33 and
ATA-100 or faster.
-Ribbon cables for floppy disks.
-Extra SCSI cards.
-Graphics cards, PCI and AGP.
-Extra power cords.
-A variety of hard disk drives.
-Laptop hard drive connectors.
-Computer handheld tools such as screwdrivers and pliers.
Selecting a Base Forensic Workstation
Maintain Operating System and Application Inventories
-Office XP, 2000, 97, 95
-Quicken
-Programming language applications such as Visual Studio
-Specialized viewers such as QuickView and ACDC
-Corel Office Suite
-StarOffice/OpenOffice
-Peachtree accounting applications
Selecting a Base Forensic Workstation
Configuration Management – The process of
keeping track of all upgrades and patches you
apply to your computer operating system and
application software.
Risk Management – Involves determining how
much risk is acceptable for any process or
operation, such as replacing equipment.
Building a Business Case for Developing a Forensic Lab
Business Case – Justification to upper
management or a lender for purchasing new
equipment, software, or other tools when upgrading
your facility.
Creating a Forensic Boot Floppy
Assemble the following tools:
-Disk editor installed on your computer
-A blank floppy disk that has been formatted
-MS-DOS operating system
-Computer that can boot to a true MS-DOS level
-Forensic acquisition tool such as DriveSpy
-Write-blocking tool to protect the evidence
Retrieving Evidence Data Using a Remote Network Connection
Common Tools
-SnapBack
-EnCase
Chapter Summary
-A computing-forensics lab is where you conduct
investigations, store evidence, and perform most work. A
variety of computing-forensics hardware and software is
needed.
-Be sure to keep your skills up to date with plenty of
training. Plenty of schools and companies provide specific
training for computing-forensics.
-Your lab must be physically secure so that evidence is not
lost, corrupted, or destroyed. Be sure to take ergonomics
into consideration.
-Before you set up a computing-forensics lab, create a
business case. Justify acquiring new and better resources.
Chapter Summary
-Creating a bootable forensic disk is necessary to
make sure you do not contaminate digital evidence.
Be sure the boot floppy disk does not alter any files
on the suspect computer system.
-If you are working on a LAN, you can retrieve
evidence across the network if necessary.