Although many organizations have limited computer forensic capabilities, the current trend is for organizations to integrate this discipline as an essential component of their overall security incident response program. Computer forensic investigations and supporting operations can be expensive, and the laboratories in which these services are conducted tend to be costly as well. Effective and efficient investigations depend on establishing and maintaining a computer forensic laboratory that supports and optimizes the entire investigative process end-to-end and can withstand any evidentiary challenges. With proper planning and preparation, design considerations can support the overall computer forensic investigative process, ultimately saving money and time while improving productivity and procedural efficiency.
The individual design needs of a computer forensic laboratory are as unique as the evidence that gets analyzed within its walls. However, there are a number of design issues, considerations and trade-offs that every organization should take into account. The following are general design requirements applicable to almost any computer forensic laboratory:
Electrical
Installing the proper electrical infrastructure keeps sensitive equipment safe from fluctuations and drops in current. The plan should take into account the type of equipment, total amps, amps per circuit, circuit runs and future expansion needs.
Unlike other appliances, computers use an oscillating power supply that feeds back into the electrical neutral, creating an effect that is referred to as harmonics. Insufficient current causes the transformers in components such as monitors to overwork, eventually burning them out.
Consider these guidelines when designing the electrical layout:
- Place no more than two computers on each circuit.
- Keep the circuits for computer systems separate from all other equipment such as printers, copiers and coffee makers.
- Ensure the electrical plan specifies an oversized or super neutral cable and that each circuit and phase has a separate neutral cable to help with the harmonics in the overall system.
- Install a power conditioning unit (PCU) with isolated grounds if feasible and cost effective.
- Plug each computer into a surge protector if a PCU is not installed.
- Place electrical outlets at each examiner workstation to simplify cable management.
Heating, Ventilation and Air Conditioning (HVAC)
Have the building engineer compute the wattage demands of the electrical equipment to determine whether the room will require supplemental air conditioning. Remember to factor in the heat from the estimated number of people in the room when it is full. If the building’s air handling system depends on open doors or windows to the lab, weigh this constraint against the need for acoustical privacy.
If the room will be on the standard building air handling system, then review the locations of the zone thermostats. The lab will likely produce more heat than adjacent environments. Thermostats located outside the room may leave it too hot; thermostats located inside the room may leave adjacent areas too cold. Consider placing the room in its own thermostat zone.
Acoustics
The acoustics of the lab and surrounding areas are important design considerations because of the nature of the work performed. Simply put, the lab area should be as soundproof as possible. Discussions that computer forensic examiners have about the details of cases may raise privacy issues or be offensive if overheard by personnel outside the lab. Some noise-attenuating design considerations are to:
- Use carpeting. Hard floor coverings reflect noise and allow dust to recirculate around the room. Carpeting absorbs sound and traps dust. Carpet should be antistatic and glued directly to the floor. Carpet tiles simplify maintenance since worn or stained sections can be easily replaced.
- Use tiled ceilings to absorb sound. You may need additional sound-baffling products because air ducts and the air space above dropped ceilings can carry the sounds of conversations outside of the lab area.
- Place a noise source in the lab to mask conversations from being heard outside the room. This may be as simple as a radio or piped-in Muzak. You can also use a white-noise generator.
- Add soundproofing to the perimeter walls as an extra measure of privacy.
- Install a raised, tiled floor. It is not necessary, but it affords flexibility and helps dissipate sound and heat.
Workspace
The size and layout of the lab will affect its productivity. A basic lab layout should include a workspace for each examiner and common space for storage. The following are important considerations for the examiner workspaces:
- The minimum amount of square footage for each examiner station should be 48 square feet. The recommended square footage is 64 square feet.
- Each workspace needs a tech bench or table for working on the physical computer. This area should be large enough to dismantle a computer, or approximately 34 inches deep by 48 inches wide.
- Workspaces require a processing area with a forensic workstation, admin workstation, peripherals and a printer. This work surface should be approximately 30 inches deep by 60 inches wide, or large enough to accommodate the printer, two monitors, case notes and a writing surface.
The following are considerations for the common space:
- Containers should be included for storing evidence, extra hardware and software, and computer systems that are not evidence.
- At a minimum, the common area of the lab should equal approximately half the total square footage for the examiners. Depending on the caseload and additional storage requirements, the common area may need to be increased to equal the examiner area.
- Drawer safes are excellent for storing hard drives and other small peripherals. The safes should have a separate lock on each drawer for individual use.
- Evidence lockers are excellent for storing hard drives and other media while processing.
- Storage cabinets can be used to store computer systems once their data storage devices have been removed. These cabinets should be lockable and can be communal. Heavy-gauge steel or plastic should be used to support the weight of several computer systems. A standard cabinet of 24 by 36 by 78 inches can hold up to six computers.
- Ensure there is adequate lighting for working with small parts.
- Arrange the room so that computer monitors do not face windows, which may present privacy issues or cause eye fatigue due to glare.
Furniture
During a computer forensic investigation, an examiner may stare at a computer screen for eight or more continuous hours a day. The furniture in the lab should accommodate this. Supply the room with ergonomic chairs and workstations. For example, the chairs should allow examiners to adjust seat height and tilt as well as seat-back height and tilt. They should have armrests that can be adjusted for height or folded out of the way. Monitors should be located directly in front of the examiner and be adjustable to reduce strain on the neck and eyes.
Network
Examiners will need access to the Internet to research information they find during examinations. Since security and privacy issues are a large part of any investigation, the network connection should be as direct to the point of presence as possible. There are two main concerns:
- It may be possible for employees or insiders to sniff the network traffic and gain information from the investigation while the examiner is using the Internet.
- Examiners may need access to websites or resources that are blocked by the firewall or Web-filtering software, or that trigger alerts on the network. The easiest way to ensure privacy and eliminate false alarms is to install a dedicated line.
Security
Physical security of the lab is essential to maintaining proper control of evidence. Evidence lockers, safes and locking cabinets are important, but alone are not sufficient. There may be times when examiners will need to leave evidence out to process overnight. Take every precaution to ensure that unauthorized personnel do not have access to the evidence.
- Consider enclosing the examiner workspace behind lockable, access-controlled entry points.
- Monitor the lab area with a perimeter alarm system that alerts to motion and any breach to the lab perimeter.
- Use a badge-reader system that identifies individuals and logs their entry into the lab.
- Fix a camera on each entryway into the lab, monitored by a central security desk.
- Ensure there is a point of contact for the lab that can be reached after-hours for emergencies or alarms in the lab.
Conclusion
Computer forensic laboratories are indispensable in supporting the investigative process. As the computer forensics field continues to expand, organizations need their laboratories to advance with the science upon which they depend. The measure of success is how well a laboratory meets the current and future needs of the organization. All indications point to continued advancements in technologies. Safeguards, software and investigative techniques will continue to develop, and the threat environment will acquire methods to thwart those efforts. The future will see more organizations devoting time and money toward computer forensics. As a result, computer forensic laboratories should be properly designed to keep pace.
Cloud Security and Compliance Leader, IBM Cloud