Building a Digital Forensic Laboratory
Establishing and Managing a Successful Facility
By
- Andrew Jones
- Craig Valli
The need to professionally and successfully conduct computer forensic investigations of incidents and crimes has never been greater. This has caused an increased requirement for information about the creation and management of computer forensic laboratories and the investigations themselves. This includes a great need for information on how to cost-effectively establish and manage a computer forensics laboratory. This book meets that need: a clearly written, non-technical book on the topic of computer forensics with emphasis on the establishment and management of a computer forensics laboratory and its subsequent support to successfully conducting computer-related crime investigations.
Corporate security directors, law enforcement high-technology crime investigators, other security professionals and private investigators. The secondary audiences will be IT professionals and academics.
Paperback, 312 Pages
Published: October 2008
"This book is designed to get at the heart of the matter." -- Dave Kleiman, computer forensics expert and security software developer
- SECTION I: Computer Related Crime Investigations and Computer Forensics Management Support. This section provides a background to computer crime and addresses the Computer Forensics management issues related to Computer Forensic Incidents and Crime Investigations. It looks at how investigations are carried out, what needs to be considered in the planning of an investigation and the conduct of the investigation including the collection and storage of evidence. The section finishes with a number of case studies to highlight how things can go well if they are done properly and how they can go wrong if they are not.
  - Chapter 1. A Short History of Computer-Related Crimes and the Developing Need for Computer Forensics. This chapter will provide an overview of computer-related crimes from the less sophisticated and localized dial-up computer crimes to today's sophisticated, global, network attacks; as well as the history of the development of the computer forensics profession and increasingly formal computer forensics laboratories.
  - Chapter 2. An Introduction to Computer Forensics. This chapter provides an overview of the important concepts associated with "computer forensics." It describes the potential sources of evidence available in the typical microcomputer, how to conduct a search for evidence, and a method of conducting a search in a systematic and effective manner.
  - Chapter 3. Types of Forensic Investigation. This chapter will include the reasons for carrying out the investigation and the type of investigation that is being undertaken, for example single computer, network or mobile devices.
  - Chapter 4. Responding to Crimes Requiring Computer Forensic Investigation. This chapter will talk about what actions are required, the management considerations and, just as importantly, what should not be done when responding to a high tech crime scene. It will deal with the differing requirements that must be considered for the range of types of investigation that the laboratory may be called on to take part in, including stand-alone PCs, servers, networks, live acquisition and wireless, and will discuss the management issues that relate to the use of function-specific tools.
  - Chapter 5. Management of the Collections of Evidence. As the title states, this chapter will talk about the management issues that relate to the collection of high technology crime scene evidence, a crucial part of any high technology investigation. It will also deal with issues such as continuity of evidence in of custody.
  - Chapter 6. Management of Evidence Storage. This chapter will address the issues that relate to the storage of evidence and the management issues that need to be considered to ensure that it is carried out effectively and to meet the relevant rules and legislation. We will also address the difficult question of long term storage periods, a particular problem for Law Enforcement.
  - Chapter 7. High Technology Crimes: Case Summaries. This chapter gives a range of cases that illustrate the types of incidents that may be encountered under the general grouping of high technology crimes. There are examples of cases that have been successful and other examples that highlight that a lack of good procedures can lead to considerable expense, loss of credibility and embarrassment. This chapter will also address the specific roles that the computer forensics laboratory and staff play in each of the cases cited.
- SECTION II: Creating a Computer Forensics Laboratory. This section will provide a background explanation of Computer Forensics and address management issues related to the creation of a laboratory and a computer forensic investigations laboratory. The section will include an introduction to computer forensics and the types of investigation that may be encountered and will give advice on things that need to be considered when establishing a laboratory. The section will give advice on how to develop a workable business plan and an insight into where to locate the lab and how big it should be. The section also deals with the vitally important issue of quality assurance so that the efforts and risks taken are not wasted and the organisation gains and maintains a good reputation. Finally, the section looks at staff selection, training and support and the regulations, standards and legislation that will need to be complied with if the lab is to be credible and successful.
  - Chapter 8. Establishing and Managing a Computer Forensics Laboratory. The chapter will provide the reader with a discussion of the "basic how-to" of establishing and managing a computer forensics laboratory based on real-world experience. NOTE: It's based on the authors' many years of hands-on, real-world experiences in conducting computer-related crime investigations and establishing and managing computer forensics laboratories. It is not a theoretical discussion as has been the case by some inexperienced authors who have never conducted computer-related investigations nor established and managed computer forensics laboratories.
  - Chapter 9. Scoping the Requirement for the Laboratory. This chapter will draw upon the experience of the authors to provide guidance on how to scope out the requirement for the laboratory. This will include guidance on the potential throughput and the number of staff and the quantity and type of equipment that will be required to satisfy the anticipated workload. This chapter will also discuss how to identify computer forensics laboratory requirements and establish the required budget to support the development of the laboratory.
  - Chapter 10. Developing the Business Plan. This chapter will cover the development of the business plan for the creation and running of the computer forensics laboratory.
  - Chapter 11. The Location and Size of the Laboratory. This chapter will address a range of issues that must be considered when deciding on the location of the laboratory. This will include the location of the laboratory in terms of the geographic location, the location with regard to the owning organisation and the location of the laboratory within a building.
  - Chapter 12. Selecting the Staff. This chapter will discuss a range of the issues that are related to the selection of the right staff for the laboratory. The chapter will include assessment of the suitability of staff, their qualifications and experience, their references and, if required, their background checks and security vetting. The chapter will also deal with the requirement for the provision of support for staff including counseling and psychiatric assessment.
  - Chapter 13. Training. This chapter will address the requirement for staff training and achieving the balance between enough training to create and maintain an effective laboratory and excessive training, which is likely to cause unnecessary costs and to leave the organisation vulnerable to poaching of staff by rival companies or organisations. It will also address a strategy for the development of specialist areas within the teams. Specific entities will be addressed where staff members can get the needed training both online and through a number of identified lectures and conferences; as well as a sample staff training needs identification and project plan to address deficiencies and maintain currency in all aspects of the profession of computer forensics laboratory specialist.
  - Chapter 14. Quality Assurance. This chapter will address the vitally important issue of Quality Assurance and will describe when it should be carried out, who should do it and to what standards.
  - Chapter 15. Legislation, Regulation and Standards. This chapter will look at a range of the international, national and local legislation and regulations that must be addressed if the Laboratory is to fulfill its role and be credible and efficient. The chapter will also look at issues such as Data protection and Human rights laws and the impact that this may have on the resources and methods used to carry out investigations.
- SECTION III: Managing a Computer Forensics Laboratory and Computer-Related Crime Investigative Support. This section gives an overview of the management issues related to a computer forensics laboratory and the investigations profession. The section looks at the roles within the laboratory and why and how to develop credible plans for the Laboratory at all levels. It also examines a number of methods for the measurement of the effectiveness of the laboratory -- figures that will be vital in workload management and supporting the plans that are put forward. The section also looks at the wider issues of information sharing and sources of valuable information that can enhance the capability of the laboratory.
  - Chapter 16. Understanding the Role of the Computer Forensic Laboratory Manager. The objective of this chapter is to describe and discuss the major functions of the Computer Forensics Laboratory Manager that need to be carried out and a description of the flow processes that can be used to establish the baseline in performing the computer forensics laboratory functions.
  - Chapter 17. The Computer Forensics Laboratory Strategic, Tactical, and Annual Plans. The objective of this chapter is to establish the plans for the Computer Forensics Laboratory that provide the subsets of the parent organization's Strategic, Tactical, and Annual Plans. These plans will set the direction for the organization's high technology anti-crime program while integrating the plans into the organization's plans, thus indicating that the high technology anti-crime program is an integral part of the organisation.
  - Chapter 18. Sources of Information, Networking and Liaison. The objective of this chapter is to identify, describe and discuss a range of information sources of various types, joining and establishing networks with your peers, and liaison with outside agencies.
  - Chapter 19. Computer Forensics Investigation Laboratory Metrics Management System. The objective of this chapter is to outline and discuss the identification, development and use of suitable metrics to assist in managing a high technology crime investigations laboratory and high technology crime prevention program. The chapter will look at a number of initiatives such as those at the National E Crime Prevention Centre and the UK Met Police/ACPO initiative and the Internet Watch Foundation that have been undertaken around the world, but specifically in the USA, Europe and Australia.
  - Chapter 20. Workload Management and the Outsourcing Option. Having the right level of resources to meet the demands that will be put on the Laboratory will not always be achievable, but should be planned for. Outsourcing is a management tool that can help in balancing the workload and can also help to save money. This chapter will look at the possibilities of outsourcing this function and a process that can be used to make that determination.
- SECTION IV: Future Computer Forensic Investigation Challenges. This section looks at the challenges in computer forensic investigations and their management that are expected to affect the people involved in the future. The section looks at the needs of the staff for a career path in the relevant disciplines and also looks at the changing importance of computer forensics in the criminal justice system and the technological developments that are likely to affect our ability to support investigations. The section finishes with some final thoughts by the authors.
  - Chapter 21. Developing a Career in Computer Forensics Management. The objective of this chapter is to provide the computer forensic investigator with a career development plan outline that can be used in developing a career as a computer forensic laboratory manager.
  - Chapter 22. The Future of Computer Forensics, Its Supporting Laboratory Needs and Its Role in Crime Investigations. This chapter looks at how changes in the technologies and the ways in which they are used will affect computer forensics and the role that it plays in an increasing range of criminal investigations. As computing devices become more ubiquitous, so the range of crimes that will potentially involve computers will increase. This chapter will look at the implications of these changes and give advice on the issues that will need to be considered.
  - Chapter 23. The Future of Computer Forensics in the Criminal Justice Systems. This chapter takes a look at the role of computer forensics and its laboratory in the criminal justice system and the issues that will arise as technologies and crime change and legislation is modified to keep pace.
  - Chapter 24. A Summary of Thoughts, Issues and Problems. This chapter discusses what might happen in a dynamic organisation that drastically changes the computer forensics laboratory, the crime prevention program and the laboratory manager's role.
  - Chapter 25. Conclusions. This chapter will summarize the book and provide a few final thoughts and pieces of advice from the authors.
- Appendices: This will include Computer Forensics related references and bibliography; and biographies of the authors.