Forensic Lab
Along with the growth of cyber crime, issues related to digital forensics have become more important and more serious. Digital forensics involves the preservation, identification, extraction, documentation and interpretation of digital data. Constructing a forensics laboratory includes defining the objectives of the forensic procedure, document management and related matters. A further objective of a forensics laboratory is to provide a trustworthy analysis report for each judicial investigation; however, there are as yet no common criteria for a digital forensics laboratory.

The Forensic Process

The nature of electronic evidence is such that it poses special challenges for its admissibility in court. To meet these challenges, follow proper forensic procedures. These procedures include, but are not limited to, four phases: collection, examination, analysis, and reporting. The collection phase involves the search for, recognition of, collection of, and documentation of electronic evidence. The collection phase can involve real-time and stored information that may be lost unless precautions are taken at the scene. The examination process helps to make the evidence visible and explain its origin and significance. This process should accomplish several things. First, it should document the content and state of the evidence in its totality. Such documentation allows all parties to discover what is contained in the evidence. Included in this process is the search for information that may be hidden or obscured. Once all the information is visible, the process of data reduction can begin, thereby separating the “wheat” from the “chaff.” Given the tremendous amount of information that can be stored on computer storage media, this part of the examination is critical.
Analysis differs from examination in that it looks at the product of the examination for its significance and probative value to the case. Examination is a technical review that is the province of the forensic practitioner, while analysis is performed by the investigative team. A written report that outlines the examination process and the pertinent data recovered completes an examination. Examination notes must be preserved for discovery or testimony purposes. An examiner may need to testify about not only the conduct of the examination but also the validity of the procedure and his or her qualifications to conduct the examination.
Acquisition
- File/Mail/Application Servers
- System Log Files
- Phone Log Files
- Backup/Archive Systems
- Firewall Audit/Log Records
- IDS, Antivirus, Spyware logs
- Hard Disk/Removable Media
- ISP Log Files
- Alternative Work Place
- Adjacent systems and persons
- Interviews and Paper Documents
- Keystroke monitoring
- RAM and BIOS content
Collecting the Data
Step 1—Develop a Plan
- Likely value: consider the data sources and the circumstances of the incident
- Volatility: give high priority to volatile sources
- Effort: consider time and complexity, outside experts, legal advisors, law enforcement and special equipment
Step 2—Collect the Data
- Use certified tools for volatile data
- Duplicate non-volatile data locally if possible
- Use write blockers if possible (e.g., on workstations)
Step 3—Verify the Integrity of the Data (SHA-1 and/or MD5)
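The integrity step above in working form, as an added example that is not part of the original page: it hashes an acquired image with the MD5 and SHA-1 algorithms the page names, records the digests in a manifest together with the examiner and timestamp for the chain of custody, and later re-hashes the image to detect any change. The function names, the manifest layout and the sample image bytes are assumptions made for this example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so large disk images never sit in memory

def hash_image(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for the file at path, computed in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def write_manifest(image_path, manifest_path, examiner):
    """Record the acquisition hashes together with who computed them and when (UTC)."""
    record = {
        "image": Path(image_path).name,
        "size_bytes": Path(image_path).stat().st_size,
        "hashes": hash_image(image_path),
        "examiner": examiner,
        "computed_at": datetime.now(timezone.utc).isoformat(),
    }
    Path(manifest_path).write_text(json.dumps(record, indent=2))
    return record

def verify_image(image_path, manifest_path):
    """Re-hash the image and compare every recorded digest with the manifest.
    Returns (ok, list of algorithms whose digest no longer matches)."""
    record = json.loads(Path(manifest_path).read_text())
    current = hash_image(image_path, tuple(record["hashes"]))
    mismatched = sorted(a for a, d in record["hashes"].items() if current[a] != d)
    return (not mismatched, mismatched)

if __name__ == "__main__":
    # Constructed sample standing in for an acquired disk image (not real evidence).
    work = Path(tempfile.mkdtemp())
    image, manifest = work / "evidence.dd", work / "evidence.dd.json"
    image.write_bytes(b"\x00" * 4096 + b"constructed-sample" + b"\xff" * 512)
    write_manifest(image, manifest, examiner="EXAMINER-ID (placeholder)")
    print(verify_image(image, manifest))  # (True, [])
    image.write_bytes(image.read_bytes()[:-1] + b"\x00")  # one byte altered after acquisition
    print(verify_image(image, manifest))  # (False, ['md5', 'sha1'])
```

Both digests are recorded and both must match on verification; adding "sha256" to the `algorithms` tuple extends the manifest without changing the check.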

Examination
- Recovery of Deleted Files
- Slack Space (unused space in the last block of a file or memory page)
- Free Space (unused partition, file system, or memory blocks)
- Missing/Renamed Files/Alternate Data-streams/File Metadata
- Exploited File/Protocol Formats (covert channels)
- Altered Operating System Files, Partition Table, File System, File Headers, File Names, File Extensions, File Modify/Access/Create Attribute

Evidence Life Cycle
- Collection & identification
- Storage, preservation, and transportation
- Presentation in court
- Return to victim or court

The laboratory will handle the forensic examination of all evidence collected during the investigation of hi-tech crimes. It will have facilities for the preservation, collection, validation, identification, analysis, interpretation and documentation of data, and for its preservation as digital evidence. It will also be able to reconstruct the sequence of events in an investigation.
The necessary state-of-the-art computer software, tools and equipment will be provided and upgraded to keep pace with fast-changing techniques.