Chapter 3 Notes
This 11-page "One Day of Notes" was uploaded by Matt Curtis on Thursday, January 29, 2015. It belongs to IST 454 at Pennsylvania State University, taught by Chao Chu in Spring 2015. Since its upload, it has received 475 views.
Date Created: 01/29/15
Matthew Curtis, 29 January 2015, IST 454, Chapter 3 Notes

Understanding Forensic Lab Certification Requirements
- Computer forensics lab
  - Workstations to conduct investigations
  - Store evidence
  - House your equipment: software (current and legacy) and hardware
- Make sure to define policies, processes, and procedures before beginning any casework to ensure the integrity of the analysis
- The American Society of Crime Laboratory Directors (ASCLD) offers guidelines for
  - Managing a forensics lab
  - Acquiring crime and forensic lab certifications
    - Certifies labs that analyze digital evidence as they do other criminal evidence, i.e., fingerprints and DNA samples
  - Specific audits that ensure proper lab procedures are being performed

Identifying Duties of the Lab Manager and Staff
- Lab manager duties
  - Set up processes for managing cases
    - Reviews them regularly
  - Promote group consensus in decision making
  - Maintain fiscal responsibility for lab needs
  - Enforce ethical standards among staff members
  - Plan updates for the lab
    - i.e., new hardware and software purchases
  - Establish and promote quality assurance processes for staff to follow, i.e., outlining procedures for a new case, logging evidence, specifying access in the lab, and establishing guidelines for filing reports
  - Set reasonable production schedules
  - Create and monitor lab policies
  - Provide a safe and secure workplace
  - Track all activities
    - Can help justify funds spent on a lab
- Staff member duties
  - Knowledge and training
    - Hardware and software
    - Operating systems (OS) and file types
    - Deductive reasoning
  - Continue technical training
  - Maintain records of training completed
  - Check the ASCLD Web site for the online manual and information

Lab Budget Planning
- Break costs down into daily, quarterly, and annual expenses
- Use a spreadsheet of past investigation expenses to extrapolate future costs
  - Computer hardware/software
  - Facility space
  - Trained personnel
- Estimate the number of computer cases your lab expects to examine
  - Identify the types of computers you're likely to examine
- Take into account any changes in technology
- Use statistics to determine the type of computer crimes occurring most frequently
  - Uniform Crime Report: identifies the number of hard disk types (IDE or SCSI) and the OS used to commit the crimes
- Use this information to plan ahead for lab requirements and costs
- When setting up labs for private companies, check
  - Hardware and software inventory
  - Problems reported last year
  - Future developments in computing technology
- Time management is a major issue when purchasing software or hardware

Acquiring Certification and Training
- Upgrade skills through appropriate training
  - Organizations have developed programs to train you after you have successfully completed one or more sessions
  - All programs charge fees for certifications
  - Research requirements, costs, and acceptability before enlisting in a certification program
- International Association of Computer Investigative Specialists (IACIS)
  - Created by police who wanted to formalize credentials in computing investigations
  - IACIS is one of the oldest professional computer forensics organizations
  - Restricts membership to sworn law enforcement or government employees working as computer forensics examiners
  - Students must interpret and trace e-mail, acquire evidence properly, identify OS, recover data, and understand encryption theory
- Certified Electronic Evidence Collection Specialist (CEECS)
  - The certification students receive when passing the IACIS exam
- Certified Forensic Computer Examiner (CFCE)
  - The certification students receive when completing all IACIS tests
  - Requires recertification every 3 years as technology changes
- High-Tech Crime Network (HTCN)
  - Certified Computer Crime Investigator, Basic and Advanced Level
  - Certified Computer Forensic Technician, Basic and Advanced Level
  - Open to anyone who meets the criteria in the computing investigations profession
- EnCase Certified Examiner (EnCE) Certification
  - Open to public and private sectors
  - Specific use and mastery of EnCase computer forensics analysis
  - Candidates are required to have a licensed copy of EnCase
- AccessData Certified Examiner (ACE) Certification
  - Open to public and private sectors
  - Specific use and mastery of AccessData Ultimate ToolKit
  - Required to complete AccessData BootCamp and Windows forensic courses
- Other training and certifications
  - High Technology Crime Investigation Association (HTCIA)
  - SysAdmin, Audit, Network, Security (SANS) Institute
  - Computer Technology Investigators Network (CTIN)
  - NewTechnologies, Inc. (NTI)
  - Southeast Cybercrime Institute at Kennesaw State University
  - Federal Law Enforcement Training Center (FLETC)
  - National White Collar Crime Center (NW3C)

Determining the Physical Requirements for a Computer Forensics Lab
- Most of your investigation is conducted in a lab
- The lab should be secure so evidence is not lost, corrupted, or destroyed
- Provide a safe and secure physical environment
- Keep inventory control of your assets
  - Know when to order more supplies

Identifying Lab Security Needs
- Secure facility
  - Should preserve the integrity of evidence data
- Minimum requirements
  - Small room with true floor-to-ceiling walls
  - Door access with a locking mechanism
  - Secure container
  - Visitor's log
  - People working together should have the same access level
  - Brief your staff about the security policy

Conducting High-Risk Investigations
- High-risk investigations demand more security than the minimum lab requirements
  - TEMPEST facilities: Electromagnetic Radiation (EMR) proofed
  - TEMPEST facilities are very expensive
  - You can use low-emanation workstations instead

Using Evidence Containers
- Known as evidence lockers
- Must be secure so that no unauthorized person can easily access your evidence
- Recommendations for securing storage containers
  - Locate them in a restricted area
  - Limit the number of authorized people who can access the container
  - Maintain records on who is authorized to access each container
  - Containers should remain locked when not in use
- If a combination locking system is used
  - Provide the same level of security for the combination as for the container's contents
  - Destroy any previous combinations after setting up a new combination
  - Allow only authorized personnel to change lock combinations
  - Change the combination every six months or when required
- If you're using a keyed padlock
  - Appoint a key custodian
  - Stamp sequential numbers on each duplicate key
  - Maintain a registry listing which key is assigned to which authorized person
  - Conduct a monthly audit
  - Take an inventory of all keys
  - Place keys in a lockable container
  - Maintain the same level of security for keys as for evidence containers
  - Change locks and keys annually
- The container should be made of steel with an internal cabinet or external padlock
- If possible, acquire a media safe
- When possible, build an evidence storage room in your lab
- Keep an evidence log
  - Update it every time an evidence container is opened and closed

Overseeing Facility Maintenance
- Immediately repair physical damage
- Escort cleaning crews as they work
- Minimize the risk of static electricity
  - Antistatic pads
  - Clean floors and carpets
- Maintain two separate trash containers
  - Materials unrelated to an investigation
  - Sensitive materials
- When possible, hire specialized companies for disposing of sensitive materials

Considering Physical Security Needs
- Create a security policy
- Enforce your policy
  - Sign-in log for visitors
    - Anyone not assigned to the lab is a visitor
  - Escort all visitors at all times
- Use visible or audible indicators that a visitor is inside your premises
  - Visitor badge
- Install an intrusion alarm system
- Hire a guard force for your lab

Auditing a Computer Forensics Lab
- Auditing ensures policies are properly enforced
- Audits should include
  - Ceiling, floor, roof, and exterior walls of the lab
  - Doors and door locks
  - Visitor logs
  - Evidence container logs
  - At the end of every workday, secure any evidence that is not being processed in a forensic workstation

Selecting a Basic Forensic Workstation
- Depends on budget and needs
- Use less powerful workstations for mundane tasks
- Use multipurpose workstations for high-end analysis tasks

Selecting Workstations for Police Labs
- Police labs have the most diverse needs for computing investigation tools
  - Special-interest groups (SIG)
- General rule
  - One computer investigator for every 250,000 people in a region
  - One multipurpose forensic workstation and one general-purpose workstation

Selecting Workstations for Private and Corporate Labs
- Requirements are easy to determine
- Identify the environment you deal with
  - Hardware platform
  - Operating system
- Gather tools to work on the specified environment

Stocking Hardware Peripherals
- Any lab should have in stock
  - IDE cables
  - Ribbon cables for floppy disks
  - SCSI cards, preferably ultrawide
  - Graphics cards, both PCI and AGP types
  - Power cords
  - Hard disk drives
  - At least two 2.5-inch notebook IDE hard drive to standard IDE/ATA or SATA adapters
  - Computer hand tools

Maintaining Operating System and Software Inventories
- Maintain licensed copies of software such as
  - Microsoft Office 2007, XP, 2003, 2000, 97, and 95
  - Quicken
  - Programming languages
  - Specialized viewers
  - Corel Office Suite
  - StarOffice/OpenOffice
  - Peachtree accounting applications

Using a Disaster Recovery Plan
- Restore your workstation and investigation files to their original condition
- Recover from catastrophic situations, virus contamination, and reconfigurations
- Includes backup tools for single disks and RAID servers
- Configuration management
  - Keep track of software updates to your workstation

Planning for Equipment Upgrades
- Risk management
  - Involves determining how much risk is acceptable for any process or operation, i.e., replacing equipment
- Identify equipment your lab depends on so it can be periodically replaced
- Identify equipment you can replace when it fails
- Computing components last 18 to 36 months under normal conditions
  - Schedule upgrades at least every 18 months
  - Preferably every 12 months

Using Laptop Forensic Workstations
- Create a lightweight, mobile forensic workstation using a laptop PC
  - FireWire port
  - USB 2.0 port
  - PCMCIA SATA hard disk
- Laptops are still limited as forensic workstations
  - But improving

Building a Business Case for Developing a Forensics Lab
- Can be a problem because of budget constraints
- Business case
  - A plan you can use to sell your services to management or clients
    - Justify acquiring newer and better resources to investigate computer forensics cases
  - Demonstrate how the lab will help your organization save money and increase profits
  - Compare the cost of an investigation with the cost of a lawsuit
  - Protect intellectual property, trade secrets, and future business plans

Preparing a Business Case for a Computer Forensics Lab
- When preparing your case, follow these steps
- Justification
  - What type of computing investigation service is needed for your organization?
  - Who are the potential customers for this service, and how will it be budgeted: as an internal operation (a police department or company security department, for instance) or an external operation (a for-profit business venture)?
  - How will you advertise your services to customers?
  - What time-management techniques will you use?
  - Where will the initial and sustaining budget for business operations come from?
- Budget development
  - Facility cost
    - How many computer forensics examiners will you need?
    - How much training will each examiner require per year?
    - Will you need more than one lab?
    - How many computer forensics examiners will use each lab? Will there be a need to accommodate other non-examiners temporarily to inspect recovered evidence?
    - What are the costs to construct a secure lab? Is there a suitable room that can be converted into a lab? Does the designated room have enough electrical power and heating, ventilation, and air-conditioning (HVAC) systems? Does the designated room have existing telephone lines and network cables? If not, how much will it cost to install these additional items? Is there an adequate lock on the designated room's door? What will the furniture costs be? Will you need to install an alarm system? Are there any other facility costs, such as fees for janitorial services and facility maintenance?
  - Computer hardware requirements
    - What types of investigations and data recovery will be performed in the lab?
    - How many investigations can be expected per month of operation?
    - Will there be any time-sensitive investigations that demand rapid analysis of disk data?
    - What sizes and how many drives will be needed to support a typical investigation?
    - Will you need a high-speed backup system, such as tape backup or DVD burners?
    - What is the predominant type of computer system you will investigate?
    - What will you use to store digital evidence? How long do you need to store it?
  - Software requirements
    - What types of OS will be examined? For less popular, uncommon, or older OS, such as Mac OS 9.x, OS/2, and CP/M, how often will there be a need to investigate them?
    - What are the minimum needs for forensic software tools? For example, how many copies of each tool will be needed? How often will each tool be used in an average week?
    - What type of OS will be needed to conduct routine examinations? Will there be a need for specialized software, such as QuickBooks or Peachtree?
    - Is there a budget to purchase more than one forensics software tool, such as EnCase, FTK, or ProDiscover? Which disk-editing tool should be selected for general data analysis?
  - Miscellaneous costs
    - Will there be a need for errors and omissions insurance for the lab's operation and staff?
    - Will you need a budget for office supplies?
- Approval and acquisition
  - A management function that includes a business case to be approved by upper-level management
- Implementation
  - How are all approved items in the business case going to be processed?
  - Is there a coordination plan in place for things like delivery dates?
- Acceptance testing
  - Inspect the facility to see whether it meets the security criteria to contain and control digital evidence
  - Test all communications, such as phone and network connections, to make sure they work as expected
  - Test all hardware to verify that it operates correctly; for example, test a computer to make sure it boots to Windows
  - Install and start all software tools; make sure all software can run on the computers and OS you have in the lab
- Correction for acceptance
  - Does your business plan anticipate any problems during startup? If so, what are some steps to correct them to ensure smooth operation?
- Production
  - Implement lab operations procedures
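The evidence-container and auditing sections above give several checkable rules: only recorded authorized people open a container, every open is followed by a close, nothing is left open at the end of the day, and combinations are changed every six months. The following script, added here as an illustration and not part of the course notes, runs those checks over a constructed evidence log; the log format, container ids, examiner names, dates, and the 183-day reading of "six months" are all assumptions.

```python
from datetime import date, datetime

# Constructed register of who may open each container (the notes' "records on
# who is authorized to access each container"). All names are invented.
AUTHORIZED = {"C-01": {"mcurtis", "jdoe"}, "C-02": {"jdoe"}}
# Constructed record of when each container's combination was last changed.
COMBO_CHANGED = {"C-01": date(2014, 6, 1), "C-02": date(2015, 1, 10)}
# Constructed evidence log: date, time, container, examiner, OPEN or CLOSE.
EVIDENCE_LOG = """\
2015-01-26 09:02 C-01 mcurtis OPEN
2015-01-26 09:40 C-01 mcurtis CLOSE
2015-01-27 14:15 C-02 mcurtis OPEN
2015-01-27 14:50 C-02 mcurtis CLOSE
2015-01-28 16:30 C-01 jdoe OPEN
"""
TODAY = date(2015, 1, 29)   # audit date for the constructed sample
SIX_MONTHS_DAYS = 183       # assumption: "every six months" taken as 183 days

def parse_log(text):
    """Turn the log text into (datetime, container, examiner, action) tuples."""
    entries = []
    for line in text.splitlines():
        day, clock, container, who, action = line.split()
        entries.append((datetime.fromisoformat(f"{day} {clock}"), container, who, action))
    return entries

def audit(entries, authorized, combo_changed, today):
    """Return a list of findings; an empty list means the log passed."""
    findings = []
    open_since = {}  # container -> time of an OPEN that has no CLOSE yet
    for when, container, who, action in entries:
        stamp = f"{when:%Y-%m-%d %H:%M}"
        if who not in authorized.get(container, set()):
            findings.append(f"{stamp}: {who} is not authorized for {container}")
        if action == "OPEN":
            if container in open_since:
                findings.append(f"{stamp}: {container} opened again without a CLOSE entry")
            open_since[container] = when
        elif action == "CLOSE" and open_since.pop(container, None) is None:
            findings.append(f"{stamp}: {container} closed without a matching OPEN entry")
    for container, when in open_since.items():  # end-of-day rule: nothing left open
        findings.append(f"{container} still open since {when:%Y-%m-%d %H:%M}; evidence not secured")
    for container, changed in combo_changed.items():  # six-month combination rotation
        if (today - changed).days > SIX_MONTHS_DAYS:
            findings.append(f"{container} combination last changed {changed}; rotation overdue")
    return findings

def run_audit():
    return audit(parse_log(EVIDENCE_LOG), AUTHORIZED, COMBO_CHANGED, TODAY)
```

On the constructed sample, run_audit() reports four findings: two unauthorized accesses to C-02, C-01 left open at the end of the day, and an overdue combination change on C-01.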