Q&A with Larry Depew

Article Posted: December 01, 2009

Insight on designing a functional and efficient digital forensics laboratory

The science behind digital evidence forensics is the extraction of evidence from computers or other digital devices for criminal investigations. It usually involves obtaining the contents of files and interpreting their meaning as relevant to a case. To accomplish this activity one requires specialized space, equipment, and skills to stop those behind the most serious of computer intrusions and the spread of malicious code; to identify and thwart online sexual predators who use the Internet to meet and exploit children; to counteract operations that target U.S. intellectual property, endangering our national security and competitiveness; and, finally, to dismantle organized criminal enterprises engaging in Internet fraud.

Over the years designing such spaces, I’ve come to know Mr. Larry Depew, a retired digital laboratory director and ASCLD-LAB assessor, who provides accreditation consulting and digital data recovery to laboratories. So I am taking this opportunity to ask Larry a few questions about Digital Evidence Units: the space, science, and their requirements.

KM: Should DE units be in the lab space or office space?

LD: The Digital and Multimedia Evidence (DME) discipline is recognized within the scientific community as a forensic science. Given the recent recommendations of the NAS report to Congress that includes legislative requirements for laboratory accreditation and personnel certification, I believe the appropriate place to conduct digital forensic examinations is in a laboratory environment. Accreditation is an independent evaluation of a laboratory’s quality management system that provides independent evidence that the accredited facility’s testing methods and results are competent and reliable. The standards for laboratory accreditation and personnel competency are set forth in ISO17025 and ILAC Guide 19:2002. The most common standards in the United States are established under ASCLD-LAB International. This is not to say that an office environment cannot meet the requirements for accreditation. However, the policies, procedures, and design of a traditional forensic laboratory will enhance the ability of an organization that hosts a DME lab to meet the internationally recognized standards.

KM: Is there a shift from DE staff being sworn to non-sworn trained DE staff?

LD: I believe we are seeing a very gradual shift from the sworn to non-sworn examiners. However, the vast majority of digital forensics exams continue to be conducted by sworn personnel in a law enforcement environment rather than in a laboratory. I see the demand for the level of technical competency in the discipline increasing. The result has been an increase in civilian examiners to meet the demand for advanced technical competencies, although there are many exceptionally competent sworn examiners. I believe the trend to civilian examiners is driven by several factors. First, the emergence of specific educational programs now offered at many universities throughout the United States in computer forensics. Second, the CSI factor which is driving interest in forensics in general. And third, there is a need to keep trained investigators working cases “on the streets” rather than performing laboratory examinations. Civilian examiners have brought a high degree of technical competence and ability to meet the technical challenges of digital evidence. There is a need for the proper balance of investigative experience and technical knowledge. Sworn and civilian personnel can complement each other to produce a thorough analysis of digital evidence.

KM: Examiner’s workstation in the lab: office furniture, lab furniture, or something different; and how important is flexibility?

LD: In the old days, we built our own workstations (benches) and space based upon our individual needs and preferences. My first lab was a converted storeroom which I built after hours to avoid disturbing the investigators in the adjacent space. In addition to the construction of benches, I ran new power supplies to the panel and even quietly moved the thermostat from the investigative space to my laboratory during one of those after hours construction details so that I could control the temperature as I ran three or four forensic exams simultaneously which generated tremendous heat. One thing that I could not control was humidity and electrostatic discharge which could damage electronic evidence. My daughter purchased a tabletop waterfall unit that I filled several times a day to raise the humidity level. This illustrates the need for proper laboratory design. DME lab design must include consideration of environmental conditions, including workstation ergonomics, proper power supplies, cooling, lighting, and other environmental factors that may impact the outcome or quality of test results.

As for workbench design, in my government lab we selected “Mayline” workstations. There are many workstation vendors that could adequately support a DME laboratory, however. Equally important today is planning and design that includes modeling needs for expansion/extensibility. Building a successful and effective digital forensic laboratory will result in a more educated and satisfied consumer (investigators, prosecutors, defense counsel, and judges). As digital devices have become cornerstone to every aspect of our lives, customers are seeking forensic examination of these devices at an exponentially increasing rate—doubling and tripling each year in some laboratories—driving planning and design for higher efficiency from both an administrative and technical perspective.

Effective planning and design go beyond the workstation. Efficient laboratory design must include consideration for forensic networks with significant storage capabilities (and associated power and HVAC requirements), virtual computing (and associated server architecture), and long-term data storage for cases that may take years to go to court.

Digital forensics is time consuming, and the proper design and furniture are important not only to avoid fatigue or repetitive strain injuries, but to increase efficiency. Properly designed workstations should include integrated power sufficient to operate equipment with surge protection and backup power sources (universal power supplies and backup generators). Workbenches and chairs should be designed ergonomically to ensure computer monitors and keyboards are at proper heights (or adjustable to individual examiners’ needs). I also recommend a cleaning area for disassembly. I’ve seen some very disgusting computers come to the lab, including one that was torched and another hosting a rat’s nest. The solution? Design and install a central vacuum cleaner system with ports at examiners’ workstations that exhausts outside.

Generally, the DME space should be designed, engineered, and built the same way as a traditional laboratory, from a requirements defining phase, architecture and design, through final construction. DME subject matter experts must be included in the process.
