Computer forensics is the field of gathering, analyzing and producing reports of digital information in a manner that satisfies legal admissibility requirements. It can be applied in cases of crime detection and prevention and in other disputes where available evidence is digitally stored (Francia & Clinton, 2005).
Computer forensics as a discipline is practised in forensic crime labs, where examiners find, analyze and report on evidence derived from digital data and then store that evidence safely.
This paper seeks to analyze the basic operations of a computer forensics laboratory and considers a number of factors, including: national standards that certify forensic testing labs, lab components, working conditions, standard lab equipment, and selected tools for computer memory analysis.
National standards that certify forensic testing labs
Senft & Gallegos (2010) argued that there is a question as to what best practices or standards are in place in the computer forensics field to address the complexities of evidence collection, storage and presentation while adhering to controls that protect the evidence from accidental or malicious loss or change. There exist documented, appropriate and validated standards that govern the accreditation of computer forensics crime laboratories. The American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) has been the accrediting board for forensic crime laboratories since 1982. Such bodies have established standards that must be met in order to be accredited. Specifically, a stand-alone forensics testing unit has to document extensively and demonstrate its compliance with an explicitly stated set of standards.
According to Senft & Gallegos (2010), these standards are:
- A training program extended to all employees to develop essential technical skills in all applicable functional units.
- Technical procedures and toolkits must be validated in order to demonstrate their efficiency and effectiveness in examining forensic evidence before being applied to casework.
- Equipment and instruments must be adequate for the investigation procedures used and be maintained in good working condition. In addition, control samples should be used and documented in the record to maintain the validity of the forensic testing parameters and, consequently, of the conclusions.
- Documented procedures and policies for the identification, collection and protection of digital evidence from potential loss, alteration or contamination.
- Equipment and instruments should be appropriately calibrated, and records of calibration maintained for future reference. Sampling equipment must be checked to ensure that it meets the laboratory requirements relevant to investigations.
- Forensic examiners stationed at a lab must successfully complete a competency test covering a diverse set of forensic disciplines and maintain proficiency through continual training.
- Acceptable conformance to the marking and sealing of forensic evidence.
- Assurance that forensic testing is adequately supported by legally sound and forensically sufficient digital evidence.
- The lab must demonstrate practical personnel health and safety measures.
According to Nelson, Amelia & Steuart (2009), these standards ensure that lab operations, management, staff, equipment, personnel, procedures, security, plant, and safety and health measures meet the national requirements laid down for them.
Forensic laboratory components are the tools and procedures that aid in the detection, collection and analysis of evidence samples for further determination and reporting. The components include, but are not limited to, the following (Francia & Clinton, 2005):
- Architectural design that gives special attention to environmental and personnel health and safety.
- A physical facility that preserves the integrity of the digital evidence and of the operations performed there.
- Elements for safeguarding against exposure to hazardous substances or devices.
- Computing and communication components.
- Elements that provide operational efficiency and adaptability.
- Procedures and devices for securing digital evidence so that it is preserved in an untainted condition. An example is an evidence container, such as a heavy-duty safe or file cabinet.
- Workbenches and conference rooms, as well as shelves for an internal reading library.
- Special-purpose units with integrated forensic crime processing tools, capable of handling challenging computer crime cases effectively.
Francia & Clinton (2005) asserted that the computer forensics lab environment depends on the nature of the cases under investigation, for instance the level of confidentiality of the forensic investigation.
Occupational health and safety procedures must be put in place to protect personnel and the lab facility from risks (Giannelli, 2007). Furniture and equipment must be appropriate for the work done, with regard to occupational safety. Ergonomic considerations are a must in labs: workstations must be adjustable and have adequate lighting (Nelson et al., 2009).
Special air conditioning is necessary in lab environments to ensure that personnel feel comfortable while working in the lab. In addition, personnel must be provided with protective equipment to safeguard against personal injury. This includes, at a minimum, latex gloves, ear protection, coats and protective eyewear (Francia & Clinton, 2005).
Proper signage is necessary to provide quick directions to eye or face wash stations, first aid kits, emergency telephone contacts, safety showers, fire extinguishers and fire evacuation routes, and to give warnings to forensic investigators. As a safety precaution, Senft & Gallegos (2010) noted that corridors, exit ways and hallways should always be kept clear for easy movement in case of an incident.
Standard lab equipment
Digital forensics relies on a range of equipment capable of assisting in deriving evidence that can be used in a court of law. Standard lab equipment includes (Francia & Clinton, 2005; Senft & Gallegos, 2010):
- Computer hardware, software and digital peripherals, including forensic investigation and analysis software such as EnCase Forensic.
- Write blockers, which provide a forensically sound view of almost all storage devices without the possibility of accidental damage to drive contents.
- Digital audio and video devices, for example, iPods, MP3 players, video surveillance devices, digital cameras, scanners, and facial and audio recognition devices.
- Audio and video storage media, for example, CDs, DVDs, USB drives and hard drives.
- Computer and drive interface connectors and adapters, such as IDE, SATA, MicroSATA, ZIF and SCSI interface adapters.
- Microprobe equipment to examine tiny damaged components.
- Digital communication devices, for example, iPhones and cell phones.
- Anti-static toolkit.
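The requirement in the lab components list that evidence be preserved in an untainted condition, and the write blocker's job of preventing accidental changes to a drive, both rest on the same check: a cryptographic hash of the acquired image, recorded in the chain-of-custody log at acquisition time and re-computed whenever the image is handled again. The Python below is an added example, not code from this paper or from any tool it names; the image contents, file names, case identifier and examiner name are constructed for the demonstration.

```python
"""Added example (not from the paper): acquisition-integrity check for a
forensic image.  The image is hashed at acquisition, the digest is appended
to a chain-of-custody log, and the image is later re-hashed and compared
against the log.  All names and image bytes below are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_chunks(chunks, algorithm="sha256"):
    """Digest an iterable of byte chunks; chunking gives the same digest as
    hashing the whole input at once, so large images never need to fit in RAM."""
    h = hashlib.new(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file on disk, read in 1 MiB chunks."""
    with open(path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(chunk_size), b""), algorithm)


def record_acquisition(image_path, log_path, examiner, case_id, source_desc):
    """Append one custody entry (who, what, when, digest) as a JSON line."""
    entry = {
        "case_id": case_id,
        "examiner": examiner,
        "source": source_desc,
        "image": os.path.basename(image_path),
        "sha256": hash_file(image_path),
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, log_path):
    """Re-hash the image and compare with the most recent log entry for it.
    Returns (matches, current_digest_or_reason)."""
    name = os.path.basename(image_path)
    recorded = None
    with open(log_path) as log:
        for line in log:
            entry = json.loads(line)
            if entry["image"] == name:
                recorded = entry["sha256"]
    if recorded is None:
        return False, "no custody record for image"
    current = hash_file(image_path)
    return current == recorded, current


def demo():
    """Constructed walk-through: acquire, verify, then simulate the accidental
    write a write blocker exists to prevent, and verify again."""
    workdir = tempfile.mkdtemp()                       # scratch lab directory
    image = os.path.join(workdir, "CASE-0001-disk1.dd")  # constructed name
    log = os.path.join(workdir, "custody.log")
    with open(image, "wb") as f:                       # constructed image bytes
        f.write(b"\x00" * 4096 + b"EXAMPLE DISK IMAGE (constructed)" + b"\xff" * 4096)
    record_acquisition(image, log, "examiner-A", "CASE-0001",
                       "suspect laptop HDD, imaged through a write blocker")
    ok_before, _ = verify_image(image, log)
    with open(image, "r+b") as f:                      # one byte changed
        f.seek(4096)
        f.write(b"X")
    ok_after, _ = verify_image(image, log)
    return ok_before, ok_after                         # (True, False)


if __name__ == "__main__":
    print(demo())
```

The `algorithm` parameter is there because lab procedures commonly record more than one digest for the same image; running `record_acquisition` once per algorithm, or extending the entry with a second field, keeps the log format unchanged. A single altered byte is enough to fail verification, which is the property that lets the examiner testify that the image examined is the image acquired.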
Selected tools for computer memory analysis
With the increased popularity of and accomplishments in computer forensics, memory forensics tools have greatly proliferated and their capabilities have improved (Giannelli, 2007). Recent tools have made memory analysis feasible for forensic crime examiners as a result of better interfaces, detection heuristics and documentation. Memory analysis is important because it allows examiners to build a clearer image of memory by including the system's page file (Sanderson, 2006).
Sanderson (2006) highlighted the following memory analysis tools:
- Mandiant Memoryze: Free software that performs live memory analysis, and one of the first tools in the field.
- PTFinder: Searches the memory dump of a Windows system for fragments of threads and processes and writes the results to a text editor such as Notepad.
- Volatility Framework: An open-source, freely licensed set of tools for extracting forensic artefacts from RAM samples. In addition, it supports third-party plug-ins.
- MemGator: A memory file audit tool that automatically extracts memory file data and compiles a report.
- Redline: Designed to ease memory forensics and attract a larger audience. It audits system memory to provide live analysis.
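PTFinder's approach, scanning the raw dump for recognisable fragments of process and thread structures instead of trusting the operating system's own process list, can be shown on a small constructed image. The Python below is an added example and is not PTFinder's, Memoryze's or Volatility's code; the record layout, the `PROC` tag, the offsets and the process names are a constructed toy and not the Windows kernel's structures. It carves every record bearing the tag, rejects implausible hits with simple sanity rules, and reports a record that is present in memory but no longer linked into the list, which is exactly what a list walk alone would miss.

```python
"""Added example (not from the paper): signature scanning over a raw memory
image to carve process records, the idea behind PTFinder's pool-tag search.
Everything about the layout here is a constructed toy: a 4-byte tag, pid,
parent pid, offset of the next record in the list, and a 16-byte name."""
import struct

TAG = b"PROC"                          # constructed marker, not a real pool tag
RECORD = struct.Struct("<4sIIQ16s")    # tag, pid, ppid, next offset, name (36 bytes)


def build_record(pid, ppid, next_off, name):
    return RECORD.pack(TAG, pid, ppid, next_off, name.encode().ljust(16, b"\0"))


def build_image():
    """Constructed 512-byte 'memory image': a linked list of three records,
    one record unlinked from the list, and a tag inside junk data."""
    img = bytearray(512)
    img[0x40:0x40 + RECORD.size] = build_record(4, 0, 0x80, "System")
    img[0x80:0x80 + RECORD.size] = build_record(312, 4, 0xC0, "smss.exe")
    img[0xC0:0xC0 + RECORD.size] = build_record(520, 312, 0, "explorer.exe")
    # Still in memory, but no list entry points at it
    img[0x140:0x140 + RECORD.size] = build_record(777, 520, 0, "unlinked.exe")
    # Junk that happens to contain the tag, followed by implausible fields
    img[0x1C0:0x1C4] = TAG
    img[0x1C4:0x1CC] = b"\xff" * 8
    return bytes(img), 0x40            # image and offset of the list head


def parse_record(img, off):
    """Decode a record at `off`, or return None if it fails the sanity rules
    (the same idea as the plausibility checks PTFinder applies to hits)."""
    if off + RECORD.size > len(img):
        return None
    tag, pid, ppid, nxt, name = RECORD.unpack_from(img, off)
    if tag != TAG:
        return None
    name = name.rstrip(b"\0")
    if pid == 0 or pid > 0xFFFF:                   # toy pid range
        return None
    if nxt % 8 != 0 or nxt >= len(img):            # next pointer must be sane
        return None
    if not name or not all(32 <= b < 127 for b in name):
        return None
    return {"offset": off, "pid": pid, "ppid": ppid, "name": name.decode()}


def walk_list(img, head):
    """What the operating system would report: follow the list from the head."""
    seen, out, off = set(), [], head
    while off and off not in seen:
        seen.add(off)
        rec = parse_record(img, off)
        if rec is None:
            break
        out.append(rec)
        off = RECORD.unpack_from(img, off)[3]
    return out


def scan_image(img):
    """What a carver reports: every plausible record anywhere in the image."""
    out, pos = [], img.find(TAG)
    while pos != -1:
        rec = parse_record(img, pos)
        if rec:
            out.append(rec)
        pos = img.find(TAG, pos + 1)
    return out


def find_unlinked(img, head):
    """Records the scan finds that the list walk does not."""
    listed = {r["offset"] for r in walk_list(img, head)}
    return [r for r in scan_image(img) if r["offset"] not in listed]


def demo():
    img, head = build_image()
    return ([r["pid"] for r in walk_list(img, head)],
            [r["pid"] for r in scan_image(img)],
            [r["name"] for r in find_unlinked(img, head)])


if __name__ == "__main__":
    listed, carved, hidden = demo()
    print("list walk :", listed)      # [4, 312, 520]
    print("carved    :", carved)      # [4, 312, 520, 777]
    print("unlinked  :", hidden)      # ['unlinked.exe']
```

The sanity rules matter as much as the tag: without them the junk hit at offset 0x1C0 would appear in the report, and a real dump contains far more accidental tag matches than this toy does. Comparing the carved set against the walked list is the routine check an examiner runs to spot structures that have been removed from the operating system's view.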
It is evident that computing technology may itself constitute a crime scene, for example in denial of service attacks and hacking, or it may hold tangible evidence in the form of digital files, emails or internet history that is relevant to criminal activities such as fraud, drug trafficking or even murder. Digital evidence is primarily processed in computer forensics labs, where examination is well supported to ensure that the data obtained is legally admissible.
This paper has discussed basic operations of a computer forensics lab by focusing on national standards that govern implementation of labs, lab components, working conditions such as occupational health and safety, typical lab equipment and memory analysis tools.
Francia, G.A., & Clinton, K. (2005). Computer forensics laboratory and tools. Journal of Computing Sciences in Colleges, 20(6), 142-149.
Giannelli, P.C. (2007). Forensic Science. Journal of Law, Medicine & Ethics, 33(3), 535-545.
Nelson, B., Amelia, P., & Steuart, C. (2009). Guide to Computer Forensics and Investigations. Cengage Learning.
Sanderson, P. (2006). Mass image classification. Digital Investigation, 3(4), 191-196.
Senft, S., & Gallegos, F. (2010). Information Technology Control and Audit (3rd ed.). CRC Press.