Insight on designing a functional and efficient digital forensics laboratory

The science behind digital evidence forensics is the extraction of evidence from computers or other digital devices for criminal investigations. It usually involves obtaining the contents of files and interpreting their meaning as relevant to a case. To accomplish this activity one requires specialized space, equipment, and skills to stop those behind the most serious of computer intrusions and the spread of malicious code; to identify and thwart online sexual predators who use the Internet to meet and exploit children; to counteract operations that target U.S. intellectual property, endangering our national security and competitiveness; and, finally, to dismantle organized criminal enterprises engaging in Internet fraud.

Over the years designing such spaces, I’ve come to know Mr. Larry Depew, a retired digital laboratory director and ASCLD-LAB assessor,who provides accreditation consulting and digital data recovery to laboratories. So I am taking this opportunity to ask Larry a few questions about Digital Evidence Units: the space, science, and their requirements.

KM: Should DE units be in the lab space or office space?

LD: The Digital and Multimedia Evidence (DME) discipline is recognized within the scientific community as a forensic science.Gven the recent recommendations of the NAS report to Congress that includes legislative requirements for laboratory accreditation and personnel certification, I believe the appropriate place to conduct digital forensic examinations is in a laboratory environment. Accreditation is an independent evaluation of a laboratory’s quality management system that provides independent evidence that the accredited facility’s testing methods and results are competent and reliable. The standards for laboratory accreditation and personnel competency are set forth in ISO17025 and ILAC Guide 19:2002. The most common standards in the United States are established under ASCLD-LAB International. This is not to say that an office environment cannot meet the requirements for accreditation. However, the policies, procedures, and design of a traditional forensic laboratory will enhance the ability of an organization that hosts a DME lab to meet the internationally recognized standards.

KM: Is there a shift from DE staff being sworn to non-sworn trained DE staff?

LD: I believe we are seeing a very gradual shift from the sworn to non-sworn examiners. However, the vast majority of digital forensics exams continue to be conducted by sworn personnel in a law enforcement environment rather than in a laboratory. I see the demand for the level of technical competency in the discipline increasing. The result has been an increase in civilian examiners to meet the demand for advanced technical competencies, although there are many exceptionally competent sworn examiners. I believe the trend to civilian examiners is driven by several factors. First, the emergence of specific educational programs now offered at many universities throughout the United States in computer forensics. Second, the CSI factor which is driving interest in forensics in general. And third, there is a need to keep trained investigators working cases “on the streets” rather than performing laboratory examinations. Civilian examiners have brought a high degree of technical competence and ability to meet the technical challenges of digital evidence. There is a need for the proper balance of investigative experience and technical knowledge. Sworn and civilian personnel can complement each other to produce a thorough analysis of digital evidence.

KM: Examiner’s workstation in the lab: office furniture, lab furniture, or something different; and how important is flexibility?

LD: In the old days,we built our own workstations (benches) and space based upon our individual needs and preferences. My first lab was a converted storeroom which I built after hours to avoid disturbing the investigators in the adjacent space. In addition to the construction of benches, I ran new power supplies to the panel and even quietly moved the thermostat from the investigative space to my laboratory during one of those after hours construction details so that I could control the temperature as I ran three or four forensic exams simultaneously which generated tremendous heat. One thing that I could not control was humidity and electrostatic discharge which could damage electronic evidence. My daughter purchased a tabletop waterfall unit that I filled several times a day to raise the humidity level. This illustrates the need for proper laboratory design. DME lab design must include consideration of environmental conditions, including workstation ergonomics, proper power supplies, cooling, lighting, and other environmental factors that may impact the outcome or quality of test results.

As for workbench design, in my government lab we selected “Mayline”workstations. There are many workstation vendors that could adequately support a DME laboratory, however. Equally important today is planning and design that includes modeling needs for expansion/extensibility. Building a successful and effective digital forensic laboratory will result in amore educated and satisfied consumer (investigators, prosecutors, defense counsel, and judges). As digital devices have become cornerstone to every aspect of our lives, customers are seeking forensic examination of these devices at an exponentially increasing rate—doubling and tripling each year in some laboratories—driving planning and design for higher efficiency from both an administrative and technical perspective.

Effective planning and design go beyond the workstation. Efficient laboratory design must include consideration for forensic networks with significant storage capabilities (and associated power and HVAC requirements), virtual computing (and associated server architecture), and long-term data storage for cases that may take years to go to court.

Digital forensics is time consuming, and the proper design and furniture are important not only to avoid fatigue or repetitive strain injuries, but to increase efficiency. Properly designed workstations should include integrated power sufficient to operate equipment with surge protection and backup power sources (universal power supplies and backup generators). Workbenches and chairs should be designed ergonomically to ensure computer monitors and keyboards are at proper heights (or adjustable to individual examiners’ needs). I also recommend a cleaning area for disassembly. I’ve seen some very disgusting computers come to the lab, including one that was torched and another hosting a rat’s nest. The solution? Design and install a central vacuum cleaner system with ports at examiners’workstations that exhausts outside.

Generally, the DME space should be designed, engineered, and built the same way as a traditional laboratory, from a requirements defining phase, architecture and design, through final construction. DME subject matter experts must be included in the process.

KM: How does one control access, given the often sensitive nature of the work?

LD: A DME laboratory is no different than any other forensic discipline when it comes to facility access control and maintaining evidence integrity. The evidence under examination must be protected from unauthorized access that can cause deleterious change and impact the testing (examination) outcome. Thus, the standard controls for a forensic laboratory physical access (personnel access badges or touch pad key entry systems, key control, sign in procedures, etc.) and proper storage of evidence are essential. Some of the unique considerations for DME forensics include protecting ongoing processes. A DME exam can take many hours, days, or weeks to accomplish. If the examination is occurring in common laboratory space, the ongoing process must be clearly identified. “Evidence: Do Not Touch” placards are one example.

Another consideration is protecting victims. Digital evidence is often displayed on a computer monitor. For example, the monitor can display victims being sexually or violently assaulted, victim’s names, or details of a sensitive terrorist, organized crime, or corruption investigation. A DME laboratory must have precautions to prevent unauthorized personnel from viewing sensitive data particularly when visitors are in the laboratory. Visual warning lights can be one solution. I have observed flashing blue lights for official law enforcement visitors and red lights for non-law enforcement visitors as warning devices to examiners in larger laboratories.This is a policy issue, generally, but these considerations should be taken into account during the design phase as well.

KM: Does the DME staff require a separate office area from the lab area, or is just providing better containment of hazardous functions enough?

LD: A separate office or administrative area is important as part of the design of a functional DME laboratory for several reasons. First, it is important that we maintain the integrity of evidence. DME test items can be damaged by coffee or other liquids innocently placed on a workbench and accidently spilled onto a hard drive or tape. Second, because computers are ubiquitous in our daily lives and essential to the administration of the lab, it is important to keep physical separation between the administrative use of computers and digital evidence to avoid cross contamination. You may question whether it is possible to have cross contamination in the DME discipline. It is. I have personally witnessed such incidents caused by a lack of controls between casework and administrative work, or the lack of a quality management system relating to procedures and personnel competency.

Everything comes back to my original point that the DME discipline should be subject to the same general standards for quality management systems that all other forensic disciplines must meet. Requirements for things such as environmental control, evidence integrity, personnel competency, and access control are embodied in the international standards for testing and forensic science laboratories applicable throughout the world. Design for a DME laboratory must take into consideration the general design requirements for safety, security, and ergonomics that would be afforded a general forensic laboratory. Discipline-specific design considerations should include the items I’ve addressed as well as many other design requirements that are specifically applicable to this discipline.

Thanks again to Mr. Larry Depew for taking the time to respond to my questions and provide some insightful answers. I hope that you find the answers you’re looking for or can now better formulate your own questions that will help you plan and design your own facility.

Larry Depew is the President of Digital Forensics.US LLC which provides digital data recovery and consultant services to U.S. law enforcement, international law enforcement, and the private sector in the development and accreditation of forensic laboratories. He is retired from the federal government after 34 years, which included serving as laboratory director for the FBI-sponsored New Jersey Regional Computer Laboratory.He chaired the committee that drafted the FBI’s first standard operating procedures and quality manual for digital forensics.He is an ASCLDLAB assessor, an adjunct professor in digital forensics, and contributing author to several books on computer forensics, laboratory design, and accreditation.

Ken Mohr is a Principal and Senior Forensic Planner with Crime Lab Design which provides full architectural and engineering services for forensic and medical examiner facilities worldwide.