Call for Assistance; Forensics Lab Build-Out

djtrudel
(@djtrudel)
Posts: 7
Active Member
Topic starter
Greetings All,

I have been tasked by my agency to develop a digital forensics section. Although I feel well qualified to take on this challenge, I have little practical experience in the forensics arena. I am currently building my skills through formal training, online resources, and making as many friends as possible from sister agencies.

My primary focus is on white collar crime. I anticipate being tasked with disk duplication, data recovery and analysis, e-mail recovery and analysis, deleted file recovery, photo and video recovery and analysis, portable media examination, etc. I do not anticipate pursuing ICAC material as a primary focus, but I need to be prepared to go down that road as necessary. Since I work in the public arena, I anticipate encountering situations where the need to capture data from an active machine and returning it to active service after the digital material is captured, without being able to remove the equipment from the scene.

Like most other agencies, we have a limited budget for this project. Although I have not been given a dollar figure to work with, I anticipate the need to justify every screaming Lincoln. I will be working alone in a room that is approximately 8’ x 12’ furnished with a desk, a folding table, a file cabinet, 2 mops and a push broom.

I greatly appreciate hearing from those who have been down this road before me and have learned from their successes and failures. Although funding is a concern, reasonable justification will trump cost. I am looking for hardware, software, and virtual/online resource solutions.

Thanks in Advance,

SA Dave Trudel

 
Posted : 19/05/2012 6:58 pm
(@jakesj425)
Posts: 2
New Member
 

Chat to the AccessData guys; they have been doing this a while and the pricing is on par.
For your on-site collections, given you have time, you can use their Imager for free: http://accessdata.force.com/RegisterForDownload?redirectName=000051

Or if you find you cannot do everything yourself, have a look at AD Triage. It is a great product that can be configured to collect predefined sets of information based on your case needs; it can boot into an interface or run off the USB HDD you have prepared.
This is very useful to have when you don't have a lot of time on site and you need to involve less qualified staff to help with collections. It's a great way to get a better turnaround while your staff are still building up skills.

The FTK 4 release has the capability to split PostgreSQL databases, one for every case, and this is much more portable when you decide to upgrade your hardware later on and move out of your 8x12 room.
The sizing guides for the hardware can be found on their website: http://accessdata.com/
The new Malware add-ons and Visualization modules can greatly increase your turnaround.

They support over 3500 mobile devices with their MPE Tablets for field use.
This also has Add-ons for the FTK suite to further investigate back at the lab.

They offer a collection of online training courses; the one I would recommend you go for is the full year, all access pass.

Best of luck.

 
Posted : 19/05/2012 8:10 pm
(@kyrkos)
Posts: 9
Active Member
 

I am (more or less) in the same position as you are, trying to set up a forensic lab. I came upon some guidelines on some sites and (I believe) there is an ISO guide on the matter, but when you start with a limited budget you must first get the bare necessities and then work your way up. I am currently trying to figure out a way to get a proper network set up. Your forensic computers should not be connected to the web for security reasons, but at the same time you should have an internet connection for updating your software tools. You will probably need a connection with your company/agency network, but this also should not be connected to your forensic computer. Last but not least, you will soon need more storage space, so it is a good idea to have a LAN for your lab so as to be able to save data in a secure location (perhaps a NAS storage) that is also not connected to the company network/web. So, structured cabling is very important and will need to be taken care of before you move into your room/lab.

 
Posted : 19/05/2012 9:51 pm
ChopOMatic
(@chopomatic)
Posts: 14
Active Member
 

Dave, although a couple of these points have been touched on, they bear repeating:

- You're gonna need way more storage capacity than you think you are. Prepare for this at the beginning. There are a number of high-performance, high-capacity NAS providers out there now. Get familiar with them and whatever you do in this regard, do so with an eye on scalability.

- The three most common primary forensic software tools are EnCase, FTK, and X-Ways Forensic. My theory is that you need at least two of the three. My two picks at this moment in time for setting up a brand new lab would probably be XWF and FTK.

- When it comes to workstations, you can either build out your own if it's allowed in your situation and if you're comfortable with that, or you can buy pre-built forensic workstations. There are several providers out there. My personal favorite by far is one that many have never heard of: www.siforce.com. Jack Su is the owner and he genuinely listens to what our industry needs and does, and builds accordingly. I've never had anything other than a stellar experience and I've been dealing with him for seven years.

- You will need a host of other specialty software tools, as well as common productivity tools like Office.

- YOU WILL NEED ADDITIONAL COOLING. A ROOM FULL OF ELECTRONICS IS A ROOM FULL OF LITTLE ELECTRIC HEATERS. YOU WILL NEED ADDITIONAL COOLING UNLESS YOU WANT YOU AND YOURS TO BE A SWEATY AND MISERABLE CREW.

Do you have any idea at all as to budget? How many workstations do you want to have in your lab?

 
Posted : 19/05/2012 10:59 pm
(@snorris)
Posts: 3
New Member
 

To both posters who are putting labs together…

While the 'ways and means' of building a lab are most likely foremost in your mind, policy requirements may have to be addressed first.

If you are public entities (LEO, government, etc), you should check through channels for lab certification requirements. Another place to check is with peer agencies - what have they done? Once this is determined, you should be able to contact the certifying body and establish requirements for physical lab construction, security, personnel training and management.

In the US (and internationally), the American Society of Crime Lab Directors (ASCLD) provides support for lab certifications.

In the civilian sector, D63, Inc (www.d63.us, CEO is Tom Baer) has been building digital forensic labs both for US agencies and internationally for a number of years.

Regards,

Samuel Norris, CFCE
Center for Digital Forensic Research, Inc

 
Posted : 20/05/2012 5:43 pm
(@snorris)
Posts: 3
New Member
 

SA Trudel,

A little closer read of your request reveals that you are, indeed, in the US (re screaming Lincolns). Additional sources for you would be:

A technical assistance request with the National White Collar Crime Center (NW3C). They are an excellent source for both answers to technical questions and free-to-LEO basic, intermediate and advanced computer forensic training. If memory serves, there was research on lab development when I worked there.

In addition, feel free to contact me if you have questions (samuelnorris2@gmail.com)

Best of luck,

Sam Norris, CFCE

 
Posted : 20/05/2012 5:52 pm
(@miket065)
Posts: 187
Estimable Member
 

Seeing how you are in MS, check this out:

http://msu-nftc.org/labs/

I am next door in Bama if you need assistance, shoot me a PM.

Mike

 
Posted : 20/05/2012 6:31 pm
djtrudel
(@djtrudel)
Posts: 7
Active Member
Topic starter
 

Thanks to all who have replied so far! Please, keep your comments and ideas coming. I need all the help I can get.

jakesj425: I did not consider asking the AD folks for assistance spec'ing out the infrastructure. That is a great idea! I've been in touch with a rep from AD, but it was only for questions regarding FTK. I will definitely call him back and involve him in my infrastructure design. The triage option appears to be geared more toward multimedia and probably more of an interest to the ICAC folks than my current concentration; but I have it in mind as we expand. I have also heard about the All Access Pass and I have that on my training resource list.

kyrkos: Let's keep in touch and learn from each other as we go through developing these projects. There are many options out there to consider. You are right about the network consideration. I intend to <<beg>> for space in a network closet to install a securable rack system where I plan to install a SOHO switch and router, along with a NAS device. The lab room already has a network drop, so I plan to attach another 4-port switch to it for external access.

ChopOMatic: You're right, storage appears to be king. I've seen different setups ranging from a modest shop to an elaborate lab with all the bells and whistles and they all say the same thing. I am exploring different avenues for storage now, but I think the rack mount NAS is the way to go. I took a look at the www.siforce.com site. You're right, there appear to be some reasonable alternatives to the FRED systems. I will spec out two identical systems and see what happens. As far as workstations, I plan to have the forensic box, a dedicated Linux box, and a beater I rescued from salvage that will host VMs and will serve as a test bed for different tools and techniques to experiment with. All devices will be connected through a KVM.

snorris: You bring up a good point. I never considered researching lab standards and inspections. The security aspect should not be a problem since the room has a solid door with adequate security mechanisms in place. I will definitely research state requirements.

miket065: Thanks, neighbor! I will give you a shout on the PM side. I've been in touch with the MSU folks and I am waiting for them to update their schedule for the summer/fall classes. My calendar is booked through the end of June, but I've been checking the web site every couple of days. I am also registered for some IW3C classes to check off the boxes, but you can't beat the MSU offer.

Best Regards,

SA Dave Trudel

 
Posted : 20/05/2012 6:40 pm
(@tomesk)
Posts: 2
New Member
 

Dave,

First my disclaimer: after 28+ years in local LEO, I now am a partner with HTCI, and amongst other things we build the EDAS FOX series of Forensic Computers, www.edasfox.com

You will need a number of forensic boxes. These can be purchased from Digital Intelligence, Silicon Forensics or us. Once up and running, at least 2, and perhaps 3, boxes per examiner. There is a lot of hurry up and wait time for processing. Look for fast, really fast machines and lots of RAM. Upgrade to the biggest monitors your budget will support.

If you are headed to CEIC this week, you can see all the top tier forensic box vendors.

FTK, EnCase, X-Ways: they all have their place. A lot is based on what you are trained on. With that said, also look at Paraben P2 Commander. Not as powerful as the above, but IMHO, for basic LEO cases (ID theft, fraud and such) Paraben more than fits the bill at about 1/3 the price of FTK or EnCase. So while you may want to buy an FTK or EnCase or 2, think about most of your forensic licenses being Paraben. X-Ways is also very good and less expensive than FTK or EnCase, but not as new-user friendly, while Paraben is very user friendly.

As for cell phones (and I resell FTK): stay away from their cell tool. You will need cell tools, as these are huge in today's criminal environment. Explore the phones your agency has seen in the past 180 days, and then research which tool supports not only the most phones, but also the most data on your phones. If you are seeing 30 phones over and over, the fact that product A supports 6,000 phones means nothing if they don't support YOUR relevant phones.

Storage: while I would love to sell you a nice big NAS, I often wonder for basic LEO why this is needed. We all know that 99% of the cases plea out. Why have all these cases in "ready reserve" on a NAS? Once you have your docs, spreadsheets and pictures, why not archive the case, getting it out of your life? For the odd case, take it out of archive and reload it.

My 2 cents; feel free to reach out to me for any questions. Or stop by and say hello at CEIC this week if you are going.

v/r

Tom Eskridge
813-343-0766 x101

 
Posted : 20/05/2012 7:04 pm
(@tomesk)
Posts: 2
New Member
 

Dave,

Look at the TAD from Tableau for imaging drives. Also save some ready cash for a supply of target drives and the shareware you will need year to year.

v/r

Tom Eskridge

 
Posted : 20/05/2012 7:07 pm