Setting up a forensics lab - recommendations?
I thought the following might be a fun topic for our regulars 😀
A number of the visitors to these forums are experienced IT folk looking to expand their own businesses by offering computer forensics services. What tips or recommendations do we have for them as far as setting up a "computer forensics lab" is concerned? Let's assume that commercial software and open source solutions are both options as far as software is concerned. What might be the best choice? What hardware should they consider? What other issues should they think about?
As far as this topic is concerned let's assume that setting up the lab is "A Good Idea" so we don't get bogged down in discussions about issues related to limited experience, liability, ROI, etc. (although these are of course valid points).
Well, we have done this in the past 12 months. We found an ex-Police expert and spoke to him and he agreed to join our company Audax. We then set about buying EnCase and some terminals together with a lab room with work benches and then we simply networked around the marketplace. The combination of project management, marketing and expertise meant that we grew through the start-up phase and are now going really strongly.
Technical issues include whether to offer forensic imaging or not, how to store data and a lot of cataloguing and labelling issues for exhibits. We have a stand-alone room for investigations and a stand-alone network so only authorised staff have access.
Thanks Andy. Would you be able to expand a little on the storage and evidence handling issues (i.e. what were your main priorities when addressing these areas)? These are two subjects which those without a law enforcement background, and new to computer forensics, often worry about getting right.
Comments or questions from other members (of whatever experience level) are more than welcome!
Well, storage issues are important. Firstly data storage - we don't offer data storage to our clients but what we do is provide them with a hard drive of evidence that they keep, so if they want us to do extra work we can ask for this back and this doesn't have any storage impact for us, in terms of insurance, liability and technical issues. On receiving equipment we catalogue and tag all equipment with record cards, which are updated every time evidence is handled, and on report submission these are included along with an event timeline to show clearly that the audit trail is sound. All equipment is locked away in premises offsite so there is no chance of theft etc.
The basics we work to are document everything you do and show that your audit trail is good.
Aside from the traditional approach to a forensics lab, I was wondering if you would consider a more general approach. This approach would include those aspects already presented, but also include things such as attack machines, machines running VMWare for code analysis, etc.
"Windows Forensics and Incident Recovery"
Well, our next objective is to begin to set up machine terminals so that we can run various analyses at the same time, so shortening investigation times. Working off 3-4 image copies of a drive will speed up the automated side of our evidence and data recovery services. Our main aim is to be quick. In the UK market it appears that consultants charge excessive fees for the hours they work, so our aim is to do the job as quickly as possible and thus charge the client less by running different processes on different terminals. A new approach? Not really, just good project management and a focus on customer needs. Why take 3 months when 1 week will do the job?
I like Andy's idea of the exhibit handling - sounds as if it is sorted. From an evidential point of view the best thing to do with exhibits is NOT accept them unless they are correctly packaged and sealed, and then from the immediate point of reception write down in detail everything that happens to the exhibits, however small or insignificant it may seem. Believe me, it will come to your rescue at some point. The other point I would make, which is probably already done (I am not seeking to teach people to suck eggs here but some may not realise this), is to make comprehensive notes of everything you do and why you do it during the actual interrogation of the machine, so that if required the other side's experts can recreate exactly what you did.
Andy - Oh to have the staff and budget to have several machines doing the same examination to save time - I am green with envy
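A worked example of the record-card and audit-trail practice described in the two posts above (tag on intake, refuse unsealed exhibits, log every handling event, produce an event timeline for the report). This is an added illustration, not code from anyone in this thread; the class and method names are my own, and the exhibit tag, seal number and examiner names are constructed sample values. Each log entry carries a hash of the previous entry, so a later edit, deletion or reordering of a record is detectable when the trail is verified.

```python
"""Chain-of-custody ledger illustrating the exhibit-handling practice above.

Added example, not code from this thread. Exhibit tags, seal numbers and
examiner names below are constructed sample values.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-digest value used for the first ledger entry


class IntakeRefused(Exception):
    """Raised when an exhibit arrives without an intact seal."""


def _digest(body: dict) -> str:
    # Canonical JSON so the other side's expert can recompute the same digest.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    """Append-only log of every handling event, hash-chained for tamper evidence."""

    def __init__(self):
        self.exhibits = {}  # tag -> description
        self.entries = []   # ordered handling events

    def _record(self, tag, action, examiner, detail, when=None):
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "time": when.isoformat(),
            "tag": tag,
            "action": action,
            "examiner": examiner,
            "detail": detail,
            "prev": prev,
        }
        entry = dict(body, digest=_digest(body))
        self.entries.append(entry)
        return entry

    def receive(self, tag, description, seal_number, examiner, sealed, when=None):
        """Intake: refuse unsealed exhibits, otherwise tag and log the receipt."""
        if not sealed:
            raise IntakeRefused(f"{tag}: refused, packaging not sealed")
        if tag in self.exhibits:
            raise ValueError(f"{tag}: tag already assigned")
        self.exhibits[tag] = description
        return self._record(tag, "received", examiner,
                            f"sealed package, seal {seal_number}: {description}", when)

    def handle(self, tag, action, examiner, detail, when=None):
        """Log any later handling of a known exhibit (imaging, examination, return)."""
        if tag not in self.exhibits:
            raise KeyError(f"{tag}: unknown exhibit")
        return self._record(tag, action, examiner, detail, when)

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False
            if _digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def timeline(self, tag=None):
        """Event timeline lines for the report, optionally for one exhibit only."""
        return [f"{e['time']} {e['tag']} {e['action']} ({e['examiner']}): {e['detail']}"
                for e in self.entries if tag is None or e["tag"] == tag]


def demo() -> CustodyLedger:
    """Walk one constructed exhibit through intake, imaging and examination."""
    ledger = CustodyLedger()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    ledger.receive("EX-001", "laptop HDD, 500 GB", "SEAL-4471",
                   "examiner A", sealed=True, when=t0)
    ledger.handle("EX-001", "imaged", "examiner A",
                  "write blocker used; image hash noted on record card",
                  when=t0.replace(hour=10))
    ledger.handle("EX-001", "examined", "examiner B",
                  "keyword search over working copy 2 of 3", when=t0.replace(hour=14))
    return ledger


if __name__ == "__main__":
    led = demo()
    print("\n".join(led.timeline()))
    print("audit trail intact:", led.verify())
```

The timeline output is what gets attached to the report; `verify()` is what you run before submission to show the record cards were not altered after the fact. The same structure works whether the entries live in a file, a database or a printed log book, as long as the digest of each entry is written down with it.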
Well, as I see it one has to speculate to accumulate. Luckily we have an ex-Police chap with us so setting up procedures to be very tight has been useful. Also we don't limit ourselves to the UK market as there is work in the US. We make sure that if a client comes to us with 20 or 30 machines to examine our service stays the same regardless of volume - it's a h**l of a balance though!
First off, I'm pretty new here but have read quite a few of the posts/resources here; looks like a great place…
Not sure if anyone is still reading this thread but I'll take a chance.
On this same subject, can anyone recommend a particular lab size when first getting started? I don't have enough space in my home office (nor security aspects probably needed/recommended) so I am looking for a place to set up shop and go out on my own. Is it normal to have clients visit your lab? (If so I suppose some sort of area outside of a secure lab area will be necessary). Of course bigger is probably better, but I certainly don't want to spend extra lease money up-front for too-big a place. I also don't want to be pleasantly surprised with too much work and facing having to move too quickly.
My plan is to have 2-3 workstations, probably using a KVM switch to limit the number of monitors needed, a printer, a safe (or do people recommend bank safety deposit boxes?) and all the other small, miscellaneous items (card readers, extra drive storage, media, etc…)
If all goes well, it would be good to team up with another 1 or 2 people but at this point, it will be just me.
Thanks for any input; I look forward to joining you all in this field and the next chapter in my career.
To add to what the previous poster mentioned.
I am under court order on at least 2 current cases to not have anyone in the office while I am working on these 2 cases. In addition to the normal COC reports and log sheets that we fill out, our floor safes require both digital code and key to enter and are bolted to the concrete floor with 6" bolts.
In addition to these measures we have a key lock and a digital keypad dead bolt that both must be keyed up to enter.
The security aspect of your lab cannot be taken lightly.
You will still have people that will say you don't have enough, but as long as you satisfy the courts, clients, and yourself you are doing ok in my book.