Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
Guide to Computer Forensics and Investigations, Fifth Edition 2-1
Chapter 2
The Investigator’s Office and Laboratory
At a Glance
Instructor’s Manual Table of Contents
• Overview
• Objectives
• Teaching Tips
• Quick Quizzes
Guide to Computer Forensics and Investigations, Fifth Edition 2-2
Lecture Notes
Overview
Chapter 2 describes the investigator’s office and laboratory. Students will review the
certification requirements for computer forensics labs. Next, students will learn the
Chapter Objectives
• Describe certification requirements for digital forensics labs
• List physical requirements for a digital forensics lab
Teaching Tips
Understanding Forensic Lab Accreditation Requirements
1. Explain that a digital forensics lab is where you conduct investigations, store evidence,
and do most of your work.
2. Point out the American Society of Crime Laboratory Directors (ASCLD) Web site
3. Make references to the ASCLD certification program on the ASCLD/LAB Web site
Identifying Duties of the Lab Manager and Staff
1. Illustrate the tasks of a lab manager, including:
2. Mention that staff members are responsible for their knowledge and appropriate training
to perform their tasks. They should be aware of new technologies and look for training
Guide to Computer Forensics and Investigations, Fifth Edition 2-3
Lab Budget Planning
1. Explain that you should break costs down into monthly, quarterly, and annual expenses.
Use past investigation expenses to extrapolate expected future costs.
2. Illustrate different expenses that should be considered when planning a lab budget such
as: a. Purchasing hardware and software
3. Remind your students that the lab manager is responsible for planning the lab budget.
Use a Uniform Crime Report to illustrate the use of statistics when planning a lab
4. Mention that you should also identify specialized software used with certain crimes.
5. Describe the requirements for setting up a lab for a private company, including:
6. Mention that time management is a major issue when choosing software and hardware
to purchase.
Acquiring Certification and Training
1. Describe the benefits of having appropriate training and certification.
2. Point out some of the problems you may encounter when getting certification,
including:
3. Describe some of the most well-known certification programs and organizations,
including:
a. International Association of Computer Investigative Specialists (IACIS)
b. ISC² Certified Cyber Forensics Professional
Guide to Computer Forensics and Investigations, Fifth Edition 2-4
i. International Society of Forensic Computer Examiners (ISFCE) for the Certified
Computer Examiner (CCE) certification
4. Encourage your students to find the certification program that fits their needs.
Determining the Physical Requirements for a Digital Forensics Lab
1. Explain that most of the investigative process is performed at a lab. Therefore, the lab
should provide a safe and secure physical environment for you and your evidence.
2. Mention that as with any other lab, you should perform inventory controls of your
Identifying Lab Security Needs
2. Present a list with the minimum requirements for a lab:
a. Small room with true floor-to-ceiling walls
Teaching
Tip
Having a security policy that nobody knows is the same as not having a policy at
all. Your lab staff members should be briefed about the lab’s security policy and
any changes to the policy.
Conducting High-Risk Investigations
1. Mention that high-risk investigations cannot be conducted in regular forensics lab
facilities. They demand more security than the minimum lab requirements provide.
2. Describe some of the characteristics of a TEMPEST lab. Start by mentioning that the
3. Illustrate the use of low-emanation workstations as a less expensive alternative to a
TEMPEST lab.
Guide to Computer Forensics and Investigations, Fifth Edition 2-5
Using Evidence Containers
1. Explain to your students that an evidence container must be secure to prevent
unauthorized access to the evidence. Security recommendations include:
2. Describe some of the practices to follow if a combination locking system is used,
including:
a. Provide the same level of security for the combination as for the container’s
contents
3. Describe some of the recommendations if you’re using a keyed padlock, including:
a. Appoint a key custodian
b. Stamp sequential numbers on each duplicate key
5. Explain the convenience of having a built-in evidence storage room in your lab and the
security measures you should follow building and managing it.
Overseeing Facility Maintenance
1. Describe the importance of a well-maintained lab to ensure the safety and health of the
2. Explain some of the considerations for appropriate facility maintenance. You should
mention:
Dumpster diving is a technique used especially by social engineers to obtain
Considering Physical Security Needs
2. Illustrate some of the mechanisms you have to enforce your policy:
a. Sign-in logs for visitors
Auditing a Computer Forensics Lab
1. Illustrate how regular auditing processes can help you to better enforce security
policies.
2. Describe some of the items your audits should include:
a. Ceiling, floor, roof, and exterior walls of the lab
b. Doors and doors locks
Determining Floor Plans for Computer Forensics Labs
1. Computer forensics labs come in a variety of setups and arrangements. Use Figures 2-2
through 2-4 to illustrate different computer forensics lab setups based on their sizes.
You should mention characteristics such as:
a. Number of workstations
Guide to Computer Forensics and Investigations, Fifth Edition 2-7
Quick Quiz 1
1. The _____ provides guidelines to members for managing a forensics lab and acquiring
crime and forensics lab accreditation.
2. The ____ identifies the number of hard disk types, such as IDE or SCSI, and the OS
used to commit crimes.
3. True or False: To ensure a forensics lab’s efficiency, the lab manager sets reasonable
production schedules for processing work.
4. To preserve the integrity of evidence, your lab should function as an evidence locker or
safe, making it a(n) ____ or a secure storage safe.
5. Certain kinds of equipment can intercept _____, which can be used to determine the
data the device is transmitting or displaying.
Selecting a Basic Forensic Workstation
1. Explain to your students that workstations should be selected according to your budget
Selecting Workstations for a Lab
2. Describe how to create a lightweight, mobile forensic workstation, which can be
Selecting Workstations for Private and Corporate Labs
1. Explain that this process is usually easier than for police labs since you deal with a
Stocking Hardware Peripherals
1. Explain what other items you should have in your lab besides workstations and
software, including:
a. 18-inch and 36-inch IDE cables, both ATA-33 and ATA-100
b. Ribbon cables for floppy disks
Guide to Computer Forensics and Investigations, Fifth Edition 2-8
Maintaining Operating Systems and Software Inventories
1. Present your students with a list of operating systems and application software to keep
licensed copies of in a forensics lab, including:
a. Microsoft Office (current and older versions)
b. Quicken
Using a Disaster Recovery Plan
1. Outline a good disaster recovery plan that includes:
a. Recovering from catastrophic situations
Planning for Equipment Updates
1. Explain that risk management involves determining how much risk is acceptable for
any process or operation.
3. Explain how to identify equipment you can replace when it fails.
Guide to Computer Forensics and Investigations, Fifth Edition 2-9
4. Remember that computing equipment is meant to last 18 to 36 months under normal
conditions, so you should schedule upgrades accordingly.
Building a Business Case for Developing a Forensics Lab
2. Show your students good arguments to include when preparing a business case for
3. Share some examples in which a forensics investigation will help reduce costs.
Preparing a Business Case for a Computer Forensics Lab
1. Outline the different stages you need to follow when preparing a business case:
a. Justification
b. Budget development
c. Facility cost
2. Mention that the better you plan for your case, the more likely it will be accepted and
funded.
Quick Quiz 2
1. One way to investigate older and unusual computing systems is to keep track of ____
that still use these old systems.
2. A(n) ____ ensures that you can restore your workstations and investigation file servers
to their original condition in the presence of a catastrophic failure.
Guide to Computer Forensics and Investigations, Fifth Edition 2-10
Answer: disaster recovery plan
3. ____ involves determining how much risk is acceptable for any process or operation,
such as replacing equipment.
4. A(n) ____ is a plan you can use to sell your services to your management or clients.
5. When determining how much floor space is needed for your lab, a good rule of thumb is
Class Discussion Topics
2. Compare a business case to a Return of Investment (ROI) plan. Are they the same? If
not, what are the differences?
Additional Projects
1. Have students perform a risk evaluation of the equipment in the computer lab that they
are working in right now and write a report with their findings.
Additional Resources
1. Helix Live CD:
2. International Association of Computer Investigative Specialists (IACIS):
4. Forensic evidence container:
5. Serial ATA:
6. Disaster recovery planning Web sites:
7. Risk Management:
Key Terms
➢ American Society of Crime Laboratory Directors (ASCLD) — A national society
that sets the standards, management, and audit procedures for labs used in crime
➢ Certified Forensic Computer Examiner (CFCE) — A certificate awarded by IACIS
at completion of all portions of the exam.
➢ configuration management — The process of keeping track of all upgrades and
patches you apply to your computer’s OS and applications.
➢ digital forensics lab — A computer lab dedicated to computing investigations;
