I am building a computer forensic lab which has limited access to 2 analyst and 1 supervisor. Inside the lab, we have a Wrightline cabinet to store hard drives, software dongles, etc. However, this cabinet is too small to store computers that are seized. Currently, the computers are just sitting out on a table within the lab. I believe they should be in a larger cabinet that is locked. My supervisor feels that the room is secure enough and another cabinet isn't necessary.
Is a second cabinet necessary?
Thanks!
Don't really know that anyone can tell you what you need, I can say I have 6 total safes of varying sizes and fire ratings for holding different items.
Computers sitting out are just begging for problems, theft, elements, tampering, being dropped, etc.
Hope those aren't current cases, if I was a client I sure wouldn't want the PC out even if the drive is pulled, it's still evidence.
Could also speak to proper procedure in court.
I believe its standard practice for all media/computers to be in a secure, locked environment and only moved when in control of that investigator, to prevent tampering. Otherwise, questions can be raised on the reliability of the evidence obtained, from an unsecured computer. Plus you have the possibility of cross-contamination.
Defense would have a field day on the current setup you have!
Just my 2 pence 😉
Or a party
Usually what happens in computer forensics agencies all around the country (and probably the world) is the computer gets checked out of the property room by the analyst, hard drive is removed, hard drive is imaged, computer is booted up (with the hard drive removed) to access the BIOS for date/time, hard drive is put back in the computer, and the computer is returned to the property room. That way the computer was never out of control of the person who checked it out of the property room, so the defense can never make the claim that the evidence couldn't be accounted for during some period of time.
I am not sure what sort of "cabinet" you would end up with once you get busy. We started off with a locked cage in the corner of the lab to store the carcasses once the HDDs were removed. We now have a dedicated room that houses the carcasses and several drive safes. Storage is becoming an expensive PITA. When viewed on a square-foot (square-meter?) basis, storage is very expensive commodity and very low on the ROI meter. But like insurance you have to have it.
At the agency I used to work for, I set up a single examiner branch lab. Since I was the only examiner, and there was no chance of cross-contamination from another examiner, I had the agency declare the entire room as a property point so the exhibit got logged going in, and going out. All other actions (imaging etc) were noted on the case notes. This of course only applies for a single examiner lab. As soon as you add in the extra examiner, you need the separate storage to enhance your chain of custody.
You could get away without a separate room/cabinet if you use another method we had at my old agency and bag the entire exhibit in a tamper-evident way. Yes, we'd bag an entire computer tower on the way in with signed and dated seals. Because you now have a method to show that the exhibit wasn't dealt with outside of what was required, you'd have a defensible chain of custody.
You could get away without a separate room/cabinet if you use another method we had at my old agency and bag the entire exhibit in a tamper-evident way. Yes, we'd bag an entire computer tower on the way in with signed and dated seals.
Where did you find bags that large? We run evidence tape around the outside, but that can be a sticky mess when you have to return a computer and is an even bigger PITA to clean up when you tape across removable drive bays.
We had a roll of the stuff. You'd cut and seal both ends with a heat sealer. Then you'd sign over where you sealed, and voila, one tamper evident bag. No sticky mess.
^^Thanks. That certainly bears some Googling.