Forensic Lab Connected To Internet?
Sorry if this has been mentioned/discussed before but I couldn't find it.
In a hypothetical lab there are a series of computers connected to a server. The server serves as a long-term storage array for case files until they are completed. My simple question is - should the server and/or workstations be connected to the Internet? There may be cases containing CSAM and/or PII in the cases and forensic copies of individual computers, so this may help in the decision.
My plan was to have the workstations and server air-gapped, with only connections for the workstations to the Internet upon disconnection from the local network and then to the Internet line. Once done that cable is removed and the local network is reconnected. I know almost all updates can be done via sneaker-net, so for the most part the computers almost never need to be connected. The IT staff says they need access via Internet for server management (which we could do, or they could come over).
My concern is the possibility of someone hacking into the network from outside (but, that's IT's problem, right? 🙄 ), or some malware on the systems we are looking at being activated by our forensic software and thus having ransomware or other nefarious programs run (our clientele is not the greatest).
What is the consensus on this type of set-up? Always air-gapped or full connection to the Internet?
By all means: isolate that lab. No outside connection. If you really need outside access to apply or renew a software license: open one address for 5 seconds and then close the connection.
Use a graphical firewall: one remote desktop enabled server is reachable and all analysts are using this server to access the evidence storage. Install your tools and forensic software on that server.