Forensics lab security

9 Posts
7 Users
0 Likes
581 Views
Agent47
(@agent47)
Posts: 32
Eminent Member
Topic starter
 

Hey,

I am interested in how you take care for the safety of your forensic lab.
Do you have a lab connected to the external network?

Thank you and best regards.

 
Posted : 21/03/2016 2:14 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Do you have a lab connected to the external network?

Extremely inadvisable.

 
Posted : 21/03/2016 6:01 am
HughJEON
(@hughjeon)
Posts: 1
New Member
 

Even logical network separation is imperfect and risky.

 
Posted : 21/03/2016 10:27 am
Agent47
(@agent47)
Posts: 32
Eminent Member
Topic starter
 

At the moment my forensics lab is not connected to the outside world. But I would like to connect two computers so that they can access each other's hard drives. Any idea how to solve this problem?

 
Posted : 21/03/2016 5:11 pm
(@sgreene2991)
Posts: 77
Trusted Member
 

For physical security we have smartlocks which tell us who is coming and going (only two people have unlimited access to the lab so unauthorized access is easy to track), alarm system and security cameras at each entrance door and in front of the vault.

Digital security we have one lab machine hooked up to the internet for searches, downloads, research, and any other outside world needs. It sits behind two heavily modified firewalls with alarms for anything even remotely out of the ordinary. Evidence is encrypted and stored in a vault with an independent security system.

 
Posted : 21/03/2016 8:51 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

There is little I am allowed to bring to light, but we check the material flow of all sorts of physical refills (paper, toner, cable and hardware in general) as if we were a prison, because years ago we had an incident where somebody tried to bring in a switched-on mobile hidden in the materials mentioned above. That was a wake-up call.

We also collaborate with the people in charge of a domestic prison to learn from all sorts of unattended risks. They have orders to test us twice a year: if we uncover the attack they pay, otherwise we pay for the BBQ.

Malware and the tests we run with it are done completely in AWS, triple-sandboxed (VMware-based).

Search for friendly-minded externals to hack and break your lab :-)

 
Posted : 21/03/2016 11:56 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

At the moment my forensics lab is not connected to the outside world. But I would like to connect two computers so that they can access each other's hard drives. Any idea how to solve this problem?

One idea: if your forensics lab is fully stocked, you'll have a write blocker. Go with that thought.

 
Posted : 22/03/2016 3:02 am
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

I think a lot of the controls in place will depend on the type of work you're doing. For many government or public-sector cases you need to go that extra mile.

Most of my involvements have been within corporate forensics, where having everything physically separate will not be within budget, so thoughtful VLANs with firewalls and other access controls can be very effective and useful for your needs.

You can't have everything, but you can have a level of security with strategic planning and enforced policy and procedures.

 
Posted : 23/03/2016 12:13 am
azrael
(@azrael)
Posts: 656
Honorable Member
 

The answer to any computer security question is never "yes" or "no" - it is about risk management.

What are the potential risks of connecting your lab or examination machine to the internet?
- Possibly it could be directly attacked and specifically targeted by someone with malicious intent (looking for you specifically)
- Possibly it could be indirectly attacked by someone with malicious intent (looking for any vulnerable machine …)
- Possibly it could be attacked by automated software (malware) scanning against it
- You could accidentally download and run something that you shouldn't (malware again)
- You could accidentally send out something you shouldn't (confidential or illicit material)

The advantages to connecting to the internet ?
- Ease of patch management / updates
- Ease of research
- Ease of tool installation
- Possible ease of license administration for tooling

What mitigations can you put in place to reduce the risk ?
- Firewalls
- Intrusion Detection / Prevention Systems
- Anti Malware
- Hardened Configurations
- Proxy Servers
- Data Diodes (yes, really - https://en.wikipedia.org/wiki/Unidirectional_network )
- Email scanning and DLP ( data loss prevention )

At the end of the day, if your advantages, risks and mitigations reach a point where it is acceptable to you or your management - both in terms of residual risk and cost - then that's fine. It is by far cheaper to _not_ connect a machine than it is to apply all of the possible mitigations !

Bear in mind the implications of one of the risks coming to happen - at best the credibility of your evidence is shot, at worst …

Connected to a network and connected to the internet are different things though - it looks like your question might be about connecting a machine to a network so that it can share data with another machine. In this regard, a hub or a switch is all that you need ( or, strictly speaking for two machines - a crossover Ethernet cable ) - this is pretty much absolutely fine provided that neither of the machines is connected to any other networks ( wireless for example ). You can then either share from machine to machine or invest in a small NAS to store drive images.

For the record, in the UK anything that was classified up to the old Protective Marking of RESTRICTED was acceptable to connect to the internet (with mitigation!) - anything above that tended to be better segregated and required a specific risk case, with some sort of air-gap or heavily hardened/specific gateway device to mitigate attack vectors. ( https://www.thalesgroup.com/sites/default/files/asset/document/thales-accessing-and-sending-data-securely-across-security-domains.pdf - for reference, various cross domain solutions )

 
Posted : 23/03/2016 3:40 pm
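The two-machine setup described in the answer above only stays isolated while neither box has a second path out (a default route, a wireless card). The following is an added example, not code from the thread, that audits a Linux host for exactly those conditions by parsing `ip -o link show` and `ip route show`; the interface name `eth0` and the name-prefix test for wireless cards are assumptions for the sample.

```python
"""Air-gap sanity check for a two-machine forensic lab segment.

Parses the text output of `ip -o link show` and `ip route show` (Linux,
iproute2) and reports anything that breaks the isolation assumption:
a default route (a path towards the internet), a wireless/WWAN interface,
or an active non-loopback interface other than the one wired to the lab
crossover cable / switch.
"""
import re
import subprocess

ALLOWED_IFACE = "eth0"  # assumption: the NIC wired to the crossover cable or lab switch


def audit(link_output, route_output, allowed=ALLOWED_IFACE):
    """Return a list of findings; an empty list means the host looks isolated."""
    findings, up = [], []
    for line in link_output.splitlines():
        # e.g. "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ..."
        m = re.match(r"\d+:\s+([^:@]+)[^<]*<([^>]*)>", line)
        if not m:
            continue
        name, flags = m.group(1), m.group(2).split(",")
        if name == "lo":
            continue
        # Name-prefix heuristic; /sys/class/net/<name>/wireless is the definitive check.
        if name.startswith(("wl", "wlan", "wwan")):
            findings.append(f"wireless/WWAN interface present: {name}")
        if "UP" in flags and "LOWER_UP" in flags:
            up.append(name)
    for name in up:
        if name != allowed:
            findings.append(f"unexpected active interface: {name}")
    for line in route_output.splitlines():
        if line.startswith("default "):
            findings.append(f"default route present: {line.strip()}")
    return findings


def audit_live(allowed=ALLOWED_IFACE):
    """Run the audit against this host (requires iproute2)."""
    link = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True).stdout
    route = subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True).stdout
    return audit(link, route, allowed)


# Constructed sample: wired lab NIC up, plus a wifi card that picked up a default route.
SAMPLE_LINK = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
"""
SAMPLE_ROUTE = """default via 192.168.1.1 dev wlan0
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.2
"""
```

Run `audit(SAMPLE_LINK, SAMPLE_ROUTE)` to see the three findings for the constructed sample, or `audit_live()` on a lab box before plugging in evidence drives.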