Beruflich Dokumente
Kultur Dokumente
Setup
Requirements.
COMPUTER FORENSICS
By
Dangut, Maren David
Abstract
The process of constructing a new forensic laboratory revolves around four general activities: planning,
design, construction, and moving. Specific activities vary within each phase of the process, and each
stage is discussed in detail in the following pages. Throughout the process, from conception through
opening day, careful planning and excellent communication among those involved are critical to
success.
Planning. The key to a successful planning stage is the preparation of a Needs Assessment/Design
Program, two documents frequently combined into one that form the baseline for the project. The
Needs Assessment documents user and facility needs, evaluates the existing facility, defines space
requirements, and provides project cost data. The Design Program provides a guide to design the
project, translating and expanding the Needs Assessment into a form that will be used by architects and
engineers in the design process. The Needs Assessment/Design Program may initially be an idealized
statement of requirements that will later need to be reconciled to the actual budget or resources
available.
Design. There is not one universally correct plan for forensic laboratory design. Design will vary with
each laboratorys specific needs. Functional requirements of specific scientific disciplines, equipment,
and instrumentation are a few of the variables that generate space, dimension, and adjacency
requirements that impact the overall design. Hazardous materials handling and preservation of evidence
are just two of the many variables that need to be considered. The future also needs to be considered. A
forensic laboratory must be designed with the flexibility to change along with the needs of its
occupants, technology, or scientific methodologies.
Construction. Following acceptance of bids and contract negotiation, construction can begin in earnest.
The construction stage offers a last chance before occupancy to make changes to the proposed lab
structure that were missed in the construction documents or during the planning and design stages.
Every change has a potential financial consequence. Some changes may be too costly to make. Each
laboratorys situation is unique. Changes to local and State regulations may also affect each
construction project. Be ready for unforeseen issues that may affect construction such as subsurface
conditions or obstructions. Fixtures, furnishings, and equipment will also need to be budgeted for and
purchased. An evaluation process and criteria to ensure that the contractors are qualified to complete
the job as specified must be established.
Moving. Laboratory work must continue even as the shift is made from the old facility to the new.
Develop a strategic plan for the move. Phase and schedule move activities so that routine daily events
occur as smoothly and efficiently as possible. Consider the tasks and activities, the order in which they
need to be accomplished, and who is going to be responsible for them. The plan can be divided into
premove, move, and post move activities. Always keep in mind the date that the move needs to be
completed.
Introduction
A forensic laboratory consists of a number of separate and distinct laboratories, each with its own
specific function, spaces, and equipment. For accreditation purposes, each laboratory section must be
designed as a separate and secure entity. Although different crime labs will likely not have identical
organizational structures, some typical forensic laboratory sections include:
Biology section - for the examination of biological evidence and the development of DNA
profiles. This section must be designed as a biological sciences laboratory and is also responsible
for assisting in the maintenance of an international DNA database.
Chemistry section - usually for the examination of narcotics, narcotics paraphernalia, and other
forensic examinations involving wet chemistry procedures. This section also relies on substantial
numbers of instrumentation units, such as GC/MSs, FTIRs, ICP/MSs, and other computer-driven,
diagnostic instrumentation.
Toxicology section - for the examination of blood and urine for the presence of drugs, alcohol,
or other foreign substances. This section frequently provides laboratory support for medical
examiners by examining tissue samples from decedents in order to determine cause of death, and it
must be designed to include features of wet chemistry and biological sciences laboratories. Like the
chemistry section, the toxicology section uses various types of gas-consuming, heat generating,
noise-producing instrumentation requiring isolation and special design considerations.
Latent fingerprint section - for the examination of evidence for the presence of fingerprints,
using various chemical and nonchemical procedures. Responsibilities also include fingerprint input
and searches in an international fingerprint database.
Firearms section - for the examination of any evidence pertaining to firearms, including
weapons, bullets, bullet projectiles, and bullet casings. This is primarily a physical properties
analysis laboratory, but does include some elements of a wet chemistry lab. This section also
includes instruments designed to access an international database of bullet components.
Trace evidence section - for the identification of any substances that cannot be identified in the
chemistry section. Typical substances include microscopic particles known as trace evidence and
can include, but are not limited to, paints, glass, food products, and building products. This section
relies heavily on instrumentation and microscopy, including scanning electron microscopes, FTIR
microscopes, and comparison microscopes.
These are just a few examples of the laboratory section organizational structure of a crime lab. Other
spaces within a crime lab might include an arson examination lab, a forensic garage for the processing
of impounded vehicles, and a questioned documents lab for the examination of any evidence that
includes paper, inks, and forged documents.
Study
Hardware requirements
A number of computers is required, including a network server with large storage capacity (preferably
configured for the standard removable hard drives). This server will be used to manage, document and
administer cases, store various software tools, and manage one-off specialist hardware. The hardware
that must be managed will include, for example, devices like Rimage CD production units, CopyPro
floppy disk readers, printers, etc. The evidentiary copy of seized data is usually written to CD or DVD
and, because of the large capacity of current hard drives, this can be a time-consuming process. The
Rimage, and other units like it, make it possible to create, number and label the media unattended,
producing as many as 50 CD/DVDs without intervention. Capturing the contents of floppy disks is
even more time consuming, and devices like the CopyPro can acquire as many as 50 floppy disks
withoutv intervention. The capabilities of these types of devices may vary from model to model; the
two mentioned above are merely examples with specific capacities.
There should also be separate Internet connection(s). (NEVER connected to the forensics server). The
Internet will be useful for finding and sharing forensics information and techniques and for
communicating with other forensics professionals. Staying abreast of developments in this field is a
vital part of staying viable in the forensics arena. The Internet provides one source to help accomplish
this need.
There should be a number of workstations that connect to the internal network. This number will
depend on how many forensics people are employed. The workstations will enable them to work on
individual cases simultaneously and have access to the shared devices and resources.
Portable acquisition computers (the kit) will be required. Ideally, each should be configured identically
with the standard forensics suite of tools and removable hard drives (the same standard hard drives as
above) of various capacities. Each kit should have a robust carrying case that can accommodate extra
hard drives, an array of associated connection plugs and converters, and a hard drive write blocker such
as FastBlock. The forensic kits will be used for on-site acquisition and/or seizure. It is
conditions must not invalidate the results or otherwise adversely affect the required quality of any
measurement. Specific considerations must be given to
environmental factors such as:
Biological sterility (e.g., a DNA profiling laboratory must have a separate
room for PCR amplification and a one-way path through the room; Mitochondrial DNA (mt DNA)
analysis needs a clean facility separate from other DNA activities)
Dust
Electromagnetic interferences (e.g. the use of shielding, proper cable layout, proper equipment
grounding, proper rack grounding, and limiting the use of cell phones, radios and pagers in the lab is a
key requirement for DME facilities)
Radiation
Temperature and humidity
Stability of electrical supply
Sound and vibration levels
Incompatible neighbouring activities must be adequately separated, e.g.:
Drying area for bloodstained items and DNA profiling laboratory,
Firearms examination area and GSR analysis
Vehicle examination area and fire debris analysis
Measures must be in place to avoid cross-contamination, e.g.:
Clean room for examination of victims clothing must be separate from
another clean room that can be used to examine suspects clothing.
Site Design
Site access.
It is desirable that the site be designed with access from at least two directions to ensure access to the
site despite traffic conditions, street maintenance work, acts of sabotage, or other unforeseen site
disruptions.
Emergency and service access.
Coordinate with laboratory staff and local authorities to ensure emergency access for fire department
and other emergency vehicles. Access for shipping and receiving must comply with code requirements
without compromising site security.
Site lighting.
The site lighting should be designed to enhance security and discourage vandalism and unauthorized
entry. Lighting comparable to that of a college campus offering night classes might serve as a
guideline.
Landscape design.
Landscaping should be designed to enhance site security by preventing potential vandals, burglars, and
saboteurs from hiding in the landscaping until after dark.
The following types of landscape design should be avoided:
Dense shrubbery within 3.048 m (10 ft) of the building or any security fence.
Large clusters of shrubbery, 0.61 m (2 ft) to 1.83 m (6 ft) high.
Tall evergreens with branches less than 1.52 m (5 ft) above grade.
Parking design.
Like landscaping, the design of parking areas should consider site security requirements.
The following are recommended levels of security for parking:
Level 1, unsecured. Visitor parking located near the visitors entrance to the building allowing entry
and departure without security barriers.
Level 2, partially secured. Fenced area for use by persons having business at the facility. For example,
shipping and receiving, biological and toxic waste pickup, dumpster replacement, and evidence
delivery. The area should be gated, and the gate may be left open during business hours and locked
after hours. Access might be through the level 1 parking area.
Level 3, secured. Staff parking area secured 24 h, surrounded by a security fence, and accessible by
use of a proximity or card key device. Depending on security policy, this level might be eliminated, and
staff could park in the level 2 parking area.
Level 4, high security. Vehicle impound parking with limited personnel access and monitored security
systems.
Interior glazing.
It is recommended that the use of windows between laboratory spaces be maximized. This is a feature
designed to enhance safety of personnel by allowing those in one laboratory space to view the activities
of those in other spaces that might be of a more hazardous nature.
Equipment and systems service and maintenance.
Equipment and systems that are part of the building and might require periodics ervice and
maintenance should be located outside of the laboratory spaces, and particularly outside of any space
where evidence or drug standards are stored. Such equipment and systems might include, but are not
limited to, electrical panels, VAV boxes, VAV controls, walk-in cooler compressors, and water
purification filters.
Corridors.
Primary circulation and exit corridors: 1.83 m (6 ft) wide, minimum.
Secondary circulation and non-exit corridors: 1.37 m (41/2 ft) wide, minimum.
Doors.
Double doors to all laboratory sections and spaces that are expected to receive oversized evidence or
equipment. Double doors shall consist of a 0.914 m (36 in)wide active leaf and an 0.457 m (18 in) wide
inactive leaf. Freight elevator doors minimum 1.22 m (48 in) wide.
Fig: EMI/RFI Shield proof doors are required to examine the device that send and receive radio signal
Security Design
Security Strategy Meeting.
Although this is not a design guideline, it is recommended that a security strategy meeting take place
upon completion of an approved schematic design of thevv building and the site. This meeting should
be attended by representatives of thev building owner, building users, security staff, the architect, the
electrical engineer, and a security design consultant.
The purpose of this meeting is to establish and document a comprehensive security strategy for the new
facility. This security strategy will act as a guideline for the design of passive and electronic security
systems. This strategy should include, but not be limited to, security policy and procedural issues, site
and building access as related to security, types of security electronics systems, performance
requirements for security access systems, ASCLD/Laboratory Accreditation Board (LAB) accreditation
issues related to security, and any other special security needs that might be identified by the users.
Specific considerations regarding hardening the laboratory against terrorist attack may be important,
depending on the location and function of the lab.
Escort only design.
The design of the building should incorporate a security perimeter within which unauthorized persons
may enter under an escort only policy. This security perimeter should be defined during the Security
Strategy Meeting. The sign-in and badging area should be located at the visitors entrance.
Door access systems.
Access to and circulation throughout the facility, as well as key zones of the building, should be
provided with controlled access through the use of proximity or card-key access systems. The system
should be capable of programming access devices for specific areas and times, and should fully
document all access attempts. The system must prevent unauthorized entry while maintaining safe and
legal exiting. This security must be maintained in multistory buildings having shared elevator access.
Door status monitoring.
Key doors throughout the building, particularly exterior doors and doors to evidence storage spaces,
should be electronically monitored for open/closed status.
Closed circuit television (CCTV) systems.
Key areas of the building, both interior and exterior, should be kept under video surveillance. Key areas
might include, but are not limited to, exterior doors, lobby/reception areas, parking lots, and evidence
delivery areas. Placement of CCTV cameras and features (pan, zoom, tilt, constant sweep, time lapse
recording, etc.) should be defined during the Security Strategy Meeting.
Special security design features.
The security design of the facility should include consideration of such special features as:
- Motion detection in evidence storage spaces, circulation corridors, or other key areas.
- Additional security protection for storage of high-value evidence items such as money and jewelry.
- DEA guidelines for the storage of narcotics.
Mechanical Systems Design Checklist
Isolation of various spaces.
Biologically hazardous spaces.
PCR amplification room(s).
Mitochondrial DNA room(s).
Firing range.
HEPA filtered exhausts.
10
11
12
13
Biovestibules.
Locate between clean and dirty spaces, for example, between main circulation corridor and
entrance to a laboratory section that potentially contains hazardous airborne contaminants. Shall be
designed as an interlock between clean and dirty spaces with air handled through differential
pressurization to prevent exfiltration of contaminated air. Shall contain all the features of the clean sink
areas described above.
Minimum size: 5.95 m2 (64 ft2).
Bulk chemical and clandestine lab evidence storage rooms.
Exhaust system to expel both heavier- and lighter-than-air vapors.
Explosion-proof electrical fixtures.
Blowout panel.
Chemical spill containment.
Finishes.
Laboratory floors.
Chemical-resistant sheet vinyl or vinyl tiles with welded seams.
Laboratory walls.
Epoxy in all spaces considered highly biologically or chemically hazardous, such as examination
rooms, bulk drug analysis, and bulk chemical storage.
Semi-gloss latex enamel in all other spaces.
Laboratory ceilings.
Epoxy in all spaces considered highly biologically or chemically hazardous, such as examination
rooms, bulk drug analysis, and bulk chemical storage.
Suspended acoustical in all other spaces.
Nonlaboratory spaces.
Acceptable interior finish standards for offices and non laboratory support spaces.
Laboratory casework.
Standard laboratory casework with utility access space behind base cabinets Steel or wood preferred,
plastic laminate acceptable. Maximize use of flexible laboratory casework systems.
Files.
Generally, one four-drawer filing cabinet, or the equivalent file storage space, should be provided for
each analyst at the area of the nonlaboratory workstation.
Special considerations.
Acoustics.
Reflective surfaces.
Vibration-proof flooring.
High-strength flooring.
Universal Facility Design Components
Although no two forensic laboratories are alike, there are basic functional components and areas that
14
are universal to most laboratory buildings. The following set of checklists serve as recommended
guidelines and requirements for universal laboratory building components, and have been divided into
four categories: administrative, building, technical support, and general technical.
Administrative
Design standards for these spaces should be based on acceptable office space design standards.
Private offices.
Based on existing space standards, if any.
Offices for support personnel.
Shared offices or open office systems furniture.
Files for active cases.
Clerical, administrative, and case support.
Mail, photocopy, and facsimile.
Conference room(s).
Lobby/reception.
Consultant offices.
Library.
Book stacks.
Periodicals shelves.
Study carrel(s)
Study table(s)
Computer information terminal(s)
Building
Mechanical.
Heating, ventilation, and air conditioning (HVAC) equipment rooms. Air handling systems.
Fume and biological hood exhaust equipment.
Laboratory compressed air and vacuum systems.
Central plant water treatment systems.
Domestic hot and cold water systems.
Fire extinguishing systems and sprinkler control rooms.
Instrument gas manifold and distribution systems.
Communications.
Computer rooms and/or closets.
Telephone equipment rooms and/or closets.
Premise wiring rooms and/or closets.
Data line provisions.
Electrical.
Service entrance and main switch gear.
Emergency generator.
Uninterruptable power supply (UPS) equipment.
Electrical closets.
Electrical service panels.
15
Staff use.
Lunch room.
Break room(s).
Locker rooms with showers.
Rest rooms.
Other
Janitorial closet(s).
Passenger and/or freight elevator(s).
Recycling.
Lab coat cleaning.
Shipping and receiving.
Hazardous waste disposal.
Compressed gas cylinder storage.
General waste disposal.
Technical Support
Storage.
General laboratory storage.
General supplies storage.
Long-term files storage.
Chemical storage.
Dry fire-suppression system.
Evidence.
Evidence receiving and return counter from and to submitting agencies. After-hours secure evidence
lockers.
Evidence disbursal and return counter to and from laboratory sections.
Evidence custodian workstations: minimum 5.95 m2 (64 ft2).
Evidence supervisor office: minimum 11.48 m2 (120 ft2).
Evidence storage.
General evidence storage shelving.
Refrigerated and frozen evidence storage: refrigerators and freezers or walk-in units.
Secure narcotics storage.
Secure valuables storage.
Flammable evidence storage: fire-rated, ventilated storage room, or ventilated flammable storage
cabinets.
Biohazardous evidence storage.
Gun storage.
Long-term evidence storage. Evidence workroom.
Mail room features for packaging, sending, and receiving evidence.
Layout countertop space with sink.
16
17
Methodology
How to Set Up a Computer Forensics Lab?
Computer forensics laboratories are tightly controlled areas for various levels of computer examination.
18
Professional computer forensic examiners divide computer forensics labs into two domains: activesystem analysis and static media examination. Active-system analysis deals with forensic information,
user activity and log reports based off an actively running operating system stored in volatile memory:
erased on shutdown or restart. Static media examinations focus on removable flash drives, external and
internal hard disks and other types of storage media that persists after a computer is shut down.
Comprehensive forensic laboratories situate both of these capabilities in a collaborative environment to
gather the whole picture of host activity.
Things You'll Need
Office space
Clean desks
Desk chairs
Desk lighting
Computers for forensic analysis
2 or more blank hard drives
Forensic analysis software
Hard drive cables
Computer hardware toolkit
Instructions
i.
Design your forensic laboratory layout. Partition the room into three
sections --- one for volatile memory data analysis, static media duplication and archival, and static
media analysis. Set up network and Internet connections so that all forensic analysis computers and
data archives are networked together for ease of access. Ensure the layout of the room is conducive
to a logical flow of the forensic process: data preservation, capture, verification and analysis.
ii.
Install physical access control devices and appropriate safety systems.
Forensic laboratories must be secured against unauthorized access with tools such as conventional
locks, security systems and surveillance cameras. Depending on the scope of the forensic facility,
adequate cooling, fire-suppression and carbon monoxide detection systems should also be in place
as necessary to maintain examiner and hardware safety.
iii.
Set up forensic workstations and computers. Clear all clutter and
unnecessary dust and grime from workstations, as these can cause damage to physical media and
target systems. Do not bring liquids or strong magnetic materials into your computer forensic
laboratory; these are major contributors in data loss or electrical shorts. Connect your forensic
analysis computers to the network, and install appropriate forensic and security software. Ensure
your network is behind a firewall to prevent hacker attacks.
iv.
Install blank forensic hard drives at your static media capture and archive
area. Connect the drives to the computer workstation and set aside to prevent damage. After each
analysis, ensure the drive storage is reformatted to provide forensic integrity for the next analysis.
19
Ensure forensic workstation areas have ample space for target computers and media to be placed.
v.
Test your workstations, computer systems, network and forensic analysis
hard drives for ease of use and proper setup. Simulate real forensic recovery operations on old hard
drives or current systems. Follow all steps of your forensic analysis methodically, and test the
layout of the laboratory for proper flow. Pay close attention to the layout of each workstation and
make necessary modifications to keep the areas open, free from clutter or debris and conducive to
careful forensic analysis.
20
Conclusion
During this phase all the facility planning and design work will be brought to fruition and the forensic
laboratory facility will be built. During the construction phase a team of individuals represents the
laboratorys interests, ensuring that all the laboratory concepts are fully implemented. Each member of
the team has a defined set of responsibilities.
The laboratory will need to rely on the team members collective expertise with respect to interpretation
of the contract documents, resolution of technical construction issues, and unforeseen construction
conditions, such as ground water or bad soil. This team often includes:
The building owners project manager or site representative, usually from facilities planning and
design, the laboratory planner, and the contracting officer.
Members of the design team, including the architect, and structural, mechanical, and electrical
engineers.
It is critical that the laboratory director monitor progress during construction and make available to the
project team an individual who is knowledgeable about all laboratory design requirements. This person
will assist and act as a resource to the project team, answering questions and responding to issues
directly affecting the forensic laboratorys functional design requirements and facilitating the exchange
of information between laboratory staff and the construction team when required.
References
1.
Forensic Laboratories: Handbook for Facility Planning, Design, Construction, and Moving -U.S.
Department of Justice
2.
Staff skill requirements and equipment recommendations for forensic science laboratoriesLaboratory and Scientific Section
United Nations Office on Drugs and Crime Vienna
3. Digital Forensics: Architectural and Engineering Facility Design Requirements
By Michael Mount, Adam Denmark
4. Setting up an electronic evidence forensics laboratory-Hank Wolfe
Associate Professor, Computer Forensics &Security, Information Science Dept.
21
22
Appendix
Category A.
SUGGESTED FORENSICS EQUIPMENT, SOFTWARE, TOOLS, AND SUPPLIES
S/no
2.
Rate/Unit
Price
Forensic PC- FRED
$7,000
Forensic Workstations with min. of 1TB HDD, Estimated
>2.5MHz speed and Laptop (for field work)
Forensic write blocker
$1,700.00
3.
4.
AccessData PRTK
5.
1.
6.
7.
8.
Items
Quantity
Total price
--
Naira
N1,400,00
0
1
2
$3, 400.00
N680,000
$3,000.00
$3,000.00
N600,000
Free
free
free
$9,000.00
N1,800,00
0
$4,000
N800,000
$3,300
N660,000
$1000.00
N200,000
$1, 000.00
Remark
9.
10.
11.
free
Free
12.
FTK Imager
free
Free
13.
14.
$200
15.
KALI Linux
free
16.
$3,000
Estimated
Category B
$100
N20,000
$100
N20,000
1
2
-- 1
$400
N80,000
Free
Free
N600,000
s/n
1
2
3
4
5.
6
Category C
Item
Price
FTK Lab (10 users
Licenses)
FTK CIRT 200
nodes
Paraben
Device
Seizure
Paraben
P2
Commander
DNA Datbase
DNA Device
Quantity
1
1
1
Total price
Remark
s/n
Item
Price
Quantity
Total price
Remark