
Forensic Lab setup

 IanF
(@ianf)
Posts: 55
Trusted Member
 

David,

Wanted to be the first to thank you for putting together the list and sharing this information with the community. 8)

I want to add my thanks to this - much appreciated David. Especially for those of us who are angling at breaking into this field.

 
Posted : 19/05/2009 8:03 pm
jhup
(@jhup)
Posts: 1442
Noble Member
Topic starter
 

Ditto! Thank you very much for your list!

I think I will have some more follow-ups as things get moving.

If things work out, I would be happy to share sanitized procedures & forms, if interested.

Here are more questions - it looks feasible to have space carved out of our SAN for storing and working off of evidence.

Limited access, proper backup, etc. all there.

TrueCrypt - I am thinking of using virtual volumes (file-hosted container), one for each case.

I don't think TrueCrypt is on the NIST FIPS list.
Have any of you run into problems using TrueCrypt from a legal point of view?
What alternatives are out there that can do encrypted file-hosted containers, and are just as lightweight but are NIST reviewed?

 
Posted : 19/05/2009 11:27 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

Good questions jhup. Saw a similar question RE TrueCrypt on another thread and have been watching out for a response and reading up on it today. If you run across something before an answer pops up please post and I will do the same.

 
Posted : 19/05/2009 11:41 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

I have other forms and documents to share, I've just not had time to write them up in a sanitized manner. Questions such as yours are a good reminder to do so.

And if you need someone to go over to Asia and help set this up, just let me know.

I've not encountered any legal objections to using TrueCrypt and I know of a lot of other security professionals using it for similar purposes. I've also not gone looking for a legal opinion.

You could use PGP instead of TrueCrypt. It isn't free, but if you want legal cover it might be worthwhile.

-David

 
Posted : 20/05/2009 12:15 am
jhup
(@jhup)
Posts: 1442
Noble Member
Topic starter
 

PGP. I didn't think of them… again… (

On the FIPS list only the SDK shows up, not the actual app.

Does that cover the actual application? I figure it does since we are looking for the "validated cryptographic module". The SDK, by its nature would fall under it.

What do you use the PostIts, pill boxes, sharpies for?

I was thinking of getting pre-printed, tamper-evident bar-code labels. This way, I can bar-code the media at collection, and do not require a printer. Any reason not to go this route?

 
Posted : 20/05/2009 9:17 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

- PostIts are for labeling drives and systems temporarily.
- Pillboxes hold screws from disassembled laptops. I had one laptop that required the removal of seven different sets of screws. The pillboxes kept them organized.
- Sharpies are for labeling evidence and for filling in the notecards.

The notecards get the following information on them
- Custodian
- Date
- System serial number

I then place the notecard for that system in each photograph taken of the system or its components. It allows me to sort a couple hundred photographs out later without too much difficulty.

You could bar code all the media before you go into the field. I often label mine when I wipe them, and set up a TrueCrypt volume up on them at the same time. It can take hours to wipe and encrypt a drive so you really want to do a number of them in the lab rather than in the field. This is another reason not to assume you can get enough drives while you're running around a foreign country, or even domestically. More than once I had multiple laptops running in my hotel room overnight doing the wipe/encrypt cycle with an alarm set to change drives out every few hours.

-David

 
Posted : 21/05/2009 10:27 am
jhup
(@jhup)
Posts: 1442
Noble Member
Topic starter
 

Got it. Temporary. Pieces parts. notes.

Camera. A digital point & shoot camera. "One" more thing for the list! P

Or, would a disposable film camera do better? I am thinking from the time to create a "sterile" system.

If I go with digital, I have to also get a bunch of xD/SD or whatever card the camera takes, and clean them.

So digital camera, case for camera, 6 x 2GB memory cards, case to store them…

Most likely I will end up with a set of 1TB drives for images in the field. Bring it home, and move it to our SAN. Someone made a large investment in a WORM cluster and they need some users 8) …

I would label/barcode these "transport" drives once, and never change the label again. I would also retire them after so many uses.

This list is already hitting $36K… 😯

 
Posted : 21/05/2009 10:51 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

Got it. Temporary. Pieces parts. Notes.

Or, would a disposable film camera do better? I am thinking from the time to create a "sterile" system.

Our firm is looking to add a case-specific memory card for the camera to go into the field. We will sync the date & time with a radio or atomic clock, log, take photos, remove the card, acquire a copy and hash it to go with the rest of the evidence. We will keep the physical memory card secure and with the rest of the physical disks for the case. Small memory cards are so cheap on NewEgg now, you can keep them as "canned" photo evidence with the case files for little cost.

 
Posted : 22/05/2009 12:07 am
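The "acquire a copy and hash it" step from the post above, as an added example that is not code from the thread or from any of its posters: hash every file on the camera card into a manifest at acquisition, then verify a working copy against that manifest so a missing or altered photo is detected. The case id, file names and image bytes are constructed placeholders.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so a full card of photos need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(card_root: Path, case_id: str) -> dict:
    """Record case id, UTC acquisition time and a SHA-256 for every file on the card."""
    files = {}
    for p in sorted(card_root.rglob("*")):
        if p.is_file():
            files[p.relative_to(card_root).as_posix()] = sha256_file(p)
    return {"case_id": case_id,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "files": files}


def verify_copy(copy_root: Path, manifest: dict) -> list:
    """Return the relative paths that are missing from the copy or whose hash differs."""
    problems = []
    for rel, digest in manifest["files"].items():
        p = copy_root / rel
        if not p.is_file() or sha256_file(p) != digest:
            problems.append(rel)
    return problems


def demo() -> tuple:
    """Constructed sample: two fake photos on a temp 'card', copied, then one altered."""
    with tempfile.TemporaryDirectory() as tmp:
        card, copy = Path(tmp) / "card", Path(tmp) / "copy"
        (card / "DCIM").mkdir(parents=True)
        (card / "DCIM" / "IMG_0001.JPG").write_bytes(b"\xff\xd8constructed-photo-1\xff\xd9")
        (card / "DCIM" / "IMG_0002.JPG").write_bytes(b"\xff\xd8constructed-photo-2\xff\xd9")
        manifest = build_manifest(card, "CASE-PLACEHOLDER-001")  # placeholder case id
        shutil.copytree(card, copy)
        clean = verify_copy(copy, manifest)          # untouched copy: no problems
        (copy / "DCIM" / "IMG_0002.JPG").write_bytes(b"\xff\xd8constructed-photo-X\xff\xd9")
        tampered = verify_copy(copy, manifest)       # altered file is reported
        return len(manifest["files"]), clean, tampered
```

Writing the manifest to the case file (for example as JSON) next to the retained card gives a later reviewer the same check without re-hashing the original card.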
(@deonvj)
Posts: 8
Active Member
 

I may be way too paranoid here but you must remember a few basic disaster recovery tips for your lab as well. You should fire/water proof any storage area where evidence may be kept, as well as look at a fire suppression system.

The access to this area should also include multiple access controls or be monitored in at least two ways e.g. access pad and CCTV camera.

If you are using your company's SAN for storage make sure that the backups are stored in a secure area and will not be able to be tampered with. Preserving chain of evidence.

I am also pretty new to this so if the suggestions given are a bit over the top please let me know. A friend of mine is also looking into trying to establish a lab and all the suggestions so far have been very helpful to me thanks.

 
Posted : 27/05/2009 6:06 pm
jhup
(@jhup)
Posts: 1442
Noble Member
Topic starter
 

douglasbrush, we have several Stratum 2 clocks distributed throughout the infrastructure. To get a sync with a point & shoot digital camera is a bigger problem. P

Thanks deonvj.

We have bunkers, or at least we call them such. They are better protected than most military facilities I have been to, from the physical, IT, and DR perspectives.

Thanks all again for all the insight. Right now, the budget is just below $40K, and is in front of the seniors. Stay tuned. D

 
Posted : 27/05/2009 8:37 pm