Digital forensics can be described as the investigative analysis of digital data to identify the presence of cyber activities.
Many organizations are integrating digital forensics capabilities into their security incident management process. Establishing and maintaining a digital forensics facility enhances the effectiveness and efficiency of investigations. It also supports and optimizes the security incident investigation process and helps the evidence withstand scrutiny in legal proceedings.
Building a digital forensics capability by founding a forensics lab can be expensive, but with proper design considerations and planning it can support the investigation process, saving money and time and improving procedural efficiency. The American Society of Crime Laboratory Directors (ASCLD) recommends guidelines on lab management, on getting certified for standards like ISO/IEC 17025, and on having lab functions and procedures audited. This report discusses the considerations for creating and maintaining a digital forensics lab within an organization in terms of environment, equipment, security, malicious programs and ongoing costs of hardware and software.

Considerations for Digital Forensics Lab

A Digital Forensics Lab is a designated location for conducting forensic investigation of collected digital evidence and for storing seized evidence.

As most of the investigations are performed in the lab, it must be secure so that the evidence and the results of investigations are preserved and not lost or corrupted. So, the design of the forensics lab must be specific to the evidence that is going to be handled within the lab.

There are a number of design considerations and trade-offs that need to be taken into account.
The effectiveness of the lab is directly proportional to the amount of dollars the organization is willing to invest.

The following are general considerations applicable to all forensics laboratories, relevant to the above-mentioned aspects.

Environmental

In a nutshell, a Digital Forensics Lab has to be treated similarly to a data-centre facility. The facility must be secured, with access to emergency services etc. Special consideration must be given to the following areas:

· Physical

The Digital Forensics Lab must be housed in a secured facility. The lab must have floor-to-ceiling walls. If the organization wants to house the lab within an office building, then it must be placed in the central part of the building rather than at a corner or extreme end, and the facility does not need to have windows.
It must be a closed structure. The doors of the lab must be secured and locked at all times.

Access to the lab must be given only to the professionals cleared to work in the lab. The facility must be well lit and monitored by CCTV at all times.

· Electrical

The lab must have proper and adequate electrical infrastructure which can keep the sensitive equipment safe from variations in electrical supply. The electrical infrastructure plan must be designed in consideration of the number and type of equipment to be housed in the lab, along with the total power requirement and probable future expansion needs.

Power interruptions can affect ongoing forensics work, so the lab must have backup options such as an Uninterruptible Power Supply (UPS) and generators.

As the lab is involved in digital forensics, most of the equipment will be computers, so it must be ensured that each circuit and phase has a separate neutral cable to help with harmonics in the overall system.
Also, the use of a Power Conditioning Unit (PCU) must be considered.

· Environmental control

The lab facility must have controlled environmental conditions such as temperature, humidity, ventilation and air conditioning for optimal working of the systems and equipment housed in the facility.

As the facility must be a closed one, special consideration must be given to ventilation and air conditioning. It must be adequate for the currently proposed lab configuration and also cater for foreseeable future demand.
The design can base the environmental controls on standards, e.g. the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends a temperature range of 18-27°C and relative humidity of 60%.

In case the facility is in the proximity of airports, electric railways, power stations or transmitter sites, controls must be in place to manage electromagnetic interference (EMI), as the evidence can be susceptible to EMI.

· Workspace layout

The main tasks to be performed in the lab are investigation of the seized evidence and storage of the evidence.
So, the workspace layout must be designed to cater for that, as well as in proportion to the budget available. The productivity of the lab depends on the size and layout of the lab.

The lab space is primarily divided into two areas, i.e. the workspace area and evidence storage.

· Workspace area

In this area, all forensics activities are to be performed.
This is the place for workstations for research, forensics activities, imaging activities and special-purpose activities like password cracking.

This area must be well planned and scaled as per the workload. The work area must cater for the proposed number of cases which are to be processed by the lab.
Access to this area must be controlled and given only to the lab professionals. The workstations used for research must be separate, and only those workstations can have intranet / internet access.

There must be a workbench for each forensics examiner to work on the evidence, which will normally be a physical computer, so the area must be large enough for an examiner to be able to dismantle it. The minimum area for each examiner workstation is 48 square feet, but the recommended area is 64 square feet.

· Evidence Storage

This area is for forensics archives and must always be locked and monitored. It must be located in a restricted area and only accessible to lab personnel.
Access to evidence lockers must be given to a limited number of persons and also recorded. The chain of custody documents must be updated during the evidence access recording process.

If possible, always build a separate evidence room in the lab so that it can be isolated and secured properly. It would be advisable to deploy security personnel along with more secure access, e.g. dual key etc., for the evidence storage room.

There must also be a common space for storing extra hardware and computer systems which are not evidence.

Also, ensure that the lab is well lit and has adequate lighting to work with small parts.

Here are some examples of workspace layout which can be considered based on the budget available for the lab.