Computer Forensics Lab Requirements
Nowadays, forensic investigation is a very important science in the information security field. With the increasing rate of attacks in our world, computer forensic investigation is highly needed to prove and establish strong evidence that incriminates a person in a digital crime.
Whether the computer forensic examiner investigates the evidence in his lab or works directly at the crime scene, he needs a lot of tools and a well-prepared location to go through the analysis and fully investigate the digital evidence. This prepared location, the Computer Forensics Lab, must be equipped with all the tools and hardware needed to analyze, identify, preserve, recover, and present facts and opinions about the information at hand.
First of all, the Computer Forensics Lab’s security and location are very important points. Maintaining the safety of the evidence and the tools is the first thing to think about. The following requirements describe best practice for this issue:
• It must be in a secure place
• It must have only one door for entrance
• It must not have windows or any openings in the walls, ceilings, and floors
• It must have an intrusion alarm system in the entrance
• It must have a monitoring Camera, placed at the entrance of the lab
• The entrance must have a biometric device to handle the access to the lab
• Every computer must have an Uninterruptible Power Supply (UPS)
• Good lighting in the lab is highly recommended
The lab should also be large, with a good cooling system to remove the excess heat generated by workstations; finally, it needs room for growth.
The big issue in any forensic lab is the budget; it may rule out a lot of useful tools. In fact, few forensic labs have an unlimited budget, but consider that purchasing from a single source may reduce the total cost once you get an appropriate discount.
Computer Forensics Lab Equipment:
• Forensic Tower
To make use of parallel forensic technology, the lab must have a centralized Forensic Tower which provides data duplication, parallel analysis, operating system emulation and integration with forensic analysis software. The forensic tower is a very rich asset in the forensic lab; for example, it is write-blocked by default, which makes it an all-in-one solution.
• Forensic Toolkit
This is a comprehensive mobile toolkit which contains everything needed to perform a complete forensic acquisition, such as write blockers, wipers, hard drive duplicators, power adapters, imaging hardware, etc.
The computer forensic examiner needs a hardware write blocker to prevent any alteration of the original evidence. Write blockers come with many connection types, such as USB, FireWire, SATA and IDE.
• Hard Disk Duplicators
The hard disk duplicator copies the source hard disk, which contains the evidence, to one or more other hard disks. In some cases, the speed of the imaging process is critical; hard disk duplicators run at between 4 GB and 9 GB per minute. In addition, some duplicators copy to more than one hard disk at a time.
• Mobile Devices and chargers
The examiner must have various cables and chargers for mobile devices. This area can be elaborated further in another article about mobile forensic devices, especially those from Paraben, which has very attractive products.
• Password Recovery tools
Regular users can use any software for password recovery, but for professionals the matter is totally different. There are a lot of hardware devices from various providers to recover passwords from encrypted files using dictionary and brute-force attack methods. You must also have a DNA (Distributed Network Attack) application if you need to use the power of machines across the network.
• Data Recovery
In forensic labs, it is preferred to have data recovery hardware which can handle bad sectors that are partially corrupted and cannot be imaged by normal software. Such hardware can bypass the operating system or the BIOS if they try to prevent you from imaging the corrupted data, thus reducing the time and effort spent on recovery.
If you need to reuse the same hard disk in another forensic case, you must wipe it using wipers (software or hardware) to erase all data from the hard disk media.
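The two checks an examiner runs around the hardware above (that the write-blocked source was not altered during duplication and that the copy matches it bit for bit, and that wiped media really is clean before it is reused) come down to hashing. The following is an added example, not code from the original article; it uses a constructed file as a stand-in for a disk, and on real media the same functions would be pointed at the block device behind the write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so large images never need to fit in RAM


def sha256_of(path: str) -> str:
    """SHA-256 hex digest of a file (or block device), read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """Bit-for-bit copy of source into image, hashing the source before and after.

    The acquisition is sound only when the source was not altered by the process
    (before == after, which the write blocker guarantees on real hardware) and the
    image matches the source (image == after).
    """
    before = sha256_of(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    after = sha256_of(source)
    img = sha256_of(image)
    return {"source_before": before, "source_after": after, "image": img,
            "verified": before == after == img}


def is_wiped(path: str) -> bool:
    """True if every byte is zero, i.e. the media is clean enough to reuse for a new case."""
    with open(path, "rb") as f:
        return all(chunk.count(0) == len(chunk)
                   for chunk in iter(lambda: f.read(CHUNK), b""))


def demo() -> dict:
    """Constructed sample 'disk' (a plain file): image it, verify, then wipe and re-check."""
    d = tempfile.mkdtemp()
    disk, image = os.path.join(d, "evidence.bin"), os.path.join(d, "evidence.dd")
    with open(disk, "wb") as f:  # constructed sample content, not real evidence
        f.write(b"\x00" * 4096 + b"SAMPLE EVIDENCE (constructed)" + os.urandom(1024))
    result = acquire_image(disk, image)
    wiped_before = is_wiped(image)
    with open(image, "r+b") as f:  # software wipe of the copy: overwrite with zeros
        f.write(b"\x00" * os.path.getsize(image))
    return {**result, "wiped_before": wiped_before, "wiped_after": is_wiped(image)}
```

Record the three digests with the case notes; a later re-hash of the image that no longer matches is the signal that the copy, not the original, has been touched.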
• Spare Parts
The forensic lab must have spare RAM, network cards, hard disks, CD/DVD writers, removable memory and different types of cables.
• Forensic Software
In the real world, the examiner must have deep knowledge of one of the most widely known software packages in the computer forensics world, such as Forensic Toolkit (FTK) or EnCase Forensic. The latest versions for FTK and for EnCase
About The Author
Ahmed Fawzy, Information Security Manager at Raya Contact Center