Digital Forensics Processing and Procedures by Watson, David -- Read -- Imperial Library of Trantor

Index

Cover image Title page Table of Contents Copyright About the Authors Technical Editor Bio Acknowledgments Preface Chapter 1. Introduction

Abstract 1.1 Introduction Appendix 1 Some Types of Cases Involving Digital Forensics Appendix 2 Growth of Hard Disk Drives for Personal Computers Appendix 3 Disk Drive Size Nomenclature

Chapter 2. Forensic Laboratory Accommodation

Abstract 2.1 The Building 2.2 Protecting Against External and Environmental Threats 2.3 Utilities and Services 2.4 Physical Security 2.5 Layout of the Forensic Laboratory Appendix 1 Sample Outline for a Business Case Appendix 2 Forensic Laboratory Physical Security Policy

Chapter 3. Setting up the Forensic Laboratory

Abstract 3.1 Setting up the Forensic Laboratory Appendix 1 The Forensic Laboratory ToR Appendix 2 Cross Reference Between ISO 9001 and ISO 17025 Appendix 3 Conflict of Interest Policy Appendix 4 Quality Policy

Chapter 4. The Forensic Laboratory Integrated Management System

Abstract 4.1 Introduction 4.2 Benefits 4.3 The Forensic Laboratory IMS 4.4 The Forensic Laboratory Policies 4.5 Planning 4.6 Implementation and Operation 4.7 Performance Assessment 4.8 Continuous Improvement 4.9 Management Reviews Appendix 1 Mapping ISO Guide 72 requirements to PAS 99 Appendix 2 PAS 99 Glossary Appendix 3 PAS 99 Mapping to IMS Procedures Appendix 4 The Forensic Laboratory Goal Statement Appendix 5 The Forensic Laboratory Baseline Measures Appendix 6 Environment Policy Appendix 7 Health and Safety Policy Appendix 8 Undue Influence Policy Appendix 9 Business Continuity Policy Appendix 10 Information Security Policy Appendix 11 Access Control Policy Appendix 12 Change or Termination Policy Appendix 13 Clear Desk and Clear Screen Policy Appendix 14 Continuous Improvement Policy Appendix 15 Cryptographic Control Policy Appendix 16 Document Retention Policy Appendix 17 Financial Management Policy Appendix 18 Mobile Devices Policy Appendix 19 Network Service Policy Appendix 20 Personnel Screening Policy Appendix 21 Relationship Management Policy Appendix 22 Release Management Policy Appendix 23 Service Management Policy Appendix 24 Service Reporting Policy Appendix 25 Third-Party Access Control Policy Appendix 26 Acceptable Use Policy Appendix 27 Audit Committee Appendix 28 Business Continuity Committee Appendix 29 Environment Committee Appendix 30 Health and Safety Committee Appendix 31 Information Security Committee Appendix 32 Quality Committee Appendix 33 Risk Committee Appendix 34 Service Delivery Committee Appendix 35 Whistle Blowing Policy Appendix 36 Management Review Agenda Appendix 37 Document Control Checklist Appendix 38 Document Metadata Appendix 39 File-Naming Standards Appendix 40 Watermarks in Use in the Forensic Laboratory Appendix 41 Document Review Form Appendix 42 IMS Calendar Appendix 43 Audit Plan Letter Appendix 44 Audit Reporting Form Appendix 45 CAR/PAR Form Appendix 46 Opening Meeting Agenda Appendix 47 Closing Meeting Agenda Appendix 48 Audit Report Template Appendix 49 Root Causes for Non-Conformity

Chapter 5. Risk Management

Abstract 5.1 A Short History of Risk Management 5.2 An Information Security Risk Management Framework 5.3 Framework Stage 1 — ISMS Policy 5.4 Framework Stage 2: Planning, Resourcing, and Communication 5.5 Framework Stage 3: Information Security Risk Management Process 5.6 Framework Stage 4: Implementation and Operational Procedures 5.7 Framework Stage 5: Follow-up Procedures Appendix 1 Sample Communication Plan Appendix 2 Sample Information Security Plan Appendix 3 Asset Type Examples Appendix 4 Asset Values Appendix 5 Consequences Table Appendix 6 Some Common Business Risks Appendix 7 Some Common Project Risks Appendix 8 Security Threat Examples Appendix 9 Common Security Vulnerabilities Appendix 10 Risk Management Policy Appendix 11 The IMS and ISMS Scope Document Appendix 12 Criticality Ratings Appendix 13 Likelihood of Occurrence Appendix 14 Risk Appetite Appendix 15 Security controls from CobIT and NIST 800-53 Appendix 16 Information Classification Appendix 17 The Corporate Risk Register Appendix 18 Comparison Between Qualitative and Quantitative Methods Appendix 19 Mapping Control Functions to ISO 27001 Appendix 20 Mapping Security CONCERNS to ISO 27001 Appendix 21 SoA Template Appendix 22 The Forensic Laboratory’s Security Metrics report Appendix 23 Mapping ISO 31000 and ISO 27001 to IMS Procedures

Chapter 6. Quality in the Forensic Laboratory

Abstract 6.1 Quality and Good Laboratory Practice 6.2 Management Requirements for Operating the Forensic Laboratory 6.3 ISO 9001 for the Forensic Laboratory 6.4 The Forensic Laboratory’s QMS 6.5 Responsibilities in the QMS 6.6 Managing Sales 6.7 Product and Service Realization 6.8 Reviewing Deliverables 6.9 Signing off a Case 6.10 Archiving a Case 6.11 Maintaining Client Confidentiality 6.12 Technical Requirements for the Forensic Laboratory 6.13 Measurement, Analysis, and Improvement 6.14 Managing Client Complaints Appendix 1 Mapping ISO 9001 to IMS Procedures Appendix 2 Mapping ISO 17025 to IMS Procedures Appendix 3 Mapping SWGDE Quality Requirements to IMS Procedures Appendix 4 Mapping NIST-150 Quality Requirements to IMS Procedures Appendix 5 Mapping ENFSI Quality Requirements to IMS Procedures Appendix 6 Mapping FSR Quality Requirements to IMS Procedures Appendix 7 Quality Manager, Job Description Appendix 8 Business Plan Template Appendix 9 Business KPIs Appendix 10 Quality Plan Contents Appendix 11 Induction Checklist Contents Appendix 12 Induction Feedback Appendix 13 Standard Proposal Template Appendix 14 Issues to Consider for Case Processing Appendix 15 Standard Quotation Contents Appendix 16 Standard Terms and Conditions Appendix 17 ERMS Client Areas Appendix 18 Cost Estimation Spreadsheet Appendix 19 Draft Review Form Appendix 20 Client Sign-off and Feedback Form Appendix 21 Information Required for Registering a Complaint Appendix 22 Complaint Resolution Timescales Appendix 23 Complaint Metrics Appendix 24 Laboratory Manager, Job Description Appendix 25 Forensic Analyst, Job Description Appendix 26 Training Agenda Appendix 27 Some Individual Forensic Certifications Appendix 28 Minimum Equipment Records Required by ISO 17025 Appendix 29 Reference Case Tests Appendix 30 ISO 17025 Reporting Requirements Appendix 31 Standard Forensic Laboratory Report

Chapter 7. IT Infrastructure

Abstract 7.1 Hardware 7.2 Software 7.3 Infrastructure 7.4 Process Management 7.5 Hardware Management 7.6 Software Management 7.7 Network Management Appendix 1 Some Forensic Workstation Providers Appendix 2 Some Mobile Forensic Workstation Providers Appendix 3 Standard Build for a Forensic Workstation Appendix 4 Some Case Processing Tools Appendix 5 Policy for Securing IT Cabling Appendix 6 Policy for Siting and Protecting IT Equipment Appendix 7 ISO 20000-1 Mapping Appendix 8 Service Desk Manager, Job Description Appendix 9 Incident Manager, Job Description Appendix 10 Incident Status Levels Appendix 11 Incident Priority Levels Appendix 12 Service Desk Feedback Form Appendix 13 Problem Manager, Job Description Appendix 14 Contents of the Forensic Laboratory SIP Appendix 15 Change Categories Appendix 16 Change Manager, Job Description Appendix 17 Standard Requirements of a Request for Change Appendix 18 Emergency Change Policy Appendix 19 Release Management Policy Appendix 20 Release Manager, Job Description Appendix 21 Configuration Management Plan Contents Appendix 22 Configuration Management Policy Appendix 23 Configuration Manager, Job Description Appendix 24 Information Stored in the DSL and DHL Appendix 25 Capacity Manager, Job Description Appendix 26 Capacity Management Plan Appendix 27 Service Management Policy Appendix 28 Service Level Manager, Job Description Appendix 29 Service Reporting Policy Appendix 30 Policy for Maintaining and Servicing IT Equipment Appendix 31 ISO 17025 Tool Test Method Documentation Appendix 32 Standard Forensic Tool Tests Appendix 33 Forensic Tool Test Report Template Appendix 34 Overnight Backup Checklist

Chapter 8. Incident Response

Abstract 8.1 General 8.2 Evidence 8.3 Incident Response as a Process 8.4 Initial Contact 8.5 Types of First Response 8.6 The Incident Scene 8.7 Transportation to the Forensic Laboratory 8.8 Crime Scene and Seizure Reports 8.9 Postincident Review Appendix 1 Mapping ISO 17020 to IMS Procedures Appendix 2 First Response Briefing Agenda Appendix 3 Contents of the Grab Bag Appendix 4 New Case Form Appendix 5 First Responder Seizure Summary Log Appendix 6 Site Summary Form Appendix 7 Seizure Log Appendix 8 Evidence Locations in Devices and Media Appendix 9 Types of Evidence Typically Needed for a Case Appendix 10 The On/Off Rule Appendix 11 Some Types of Metadata That may be Recoverable from Digital Images Appendix 12 Countries with Different Fixed Line Telephone Connections Appendix 13 Some Interview Questions Appendix 14 Evidence Labeling Appendix 15 Forensic Preview Forms Appendix 16 A Traveling Forensic Laboratory Appendix 17 Movement Sheet Appendix 18 Incident Response Report Appendix 19 Postincident Review Agenda Appendix 20 Incident Processing Checklist

Chapter 9. Case Processing

Abstract 9.1 Introduction to Case Processing 9.2 Case Types 9.3 Precase Processing 9.4 Equipment Maintenance 9.5 Management Processes 9.6 Booking Exhibits in and out of the Secure Property Store 9.7 Starting a New Case 9.8 Preparing the Forensic Workstation 9.9 Imaging 9.10 Examination 9.11 Dual Tool Verification 9.12 Digital Time Stamping 9.13 Production of an Internal Case Report 9.14 Creating Exhibits 9.15 Producing a Case Report for External Use 9.16 Statements, Depositions, and Similar 9.17 Forensic Software Tools 9.18 Backing up and Archiving a Case 9.19 Disclosure 9.20 Disposal Appendix 1 Some International Forensic Good Practice Appendix 2 Some International and National Standards Relating to Digital Forensics Appendix 3 Hard Disk Log Details Appendix 4 Disk History Log Appendix 5 Tape log Details Appendix 6 Tape History log Appendix 7 Small Digital Media Log Details Appendix 8 Small Digital Media Device Log Appendix 9 Forensic CASE WORK Log Appendix 10 Case Processing KPIs Appendix 11 Contents of Sample Exhibit Rejection Letter Appendix 12 Sample Continuity Label Contents Appendix 13 Details of the Forensic Laboratory Property Log Appendix 14 Exhibit Acceptance Letter Template Appendix 15 Property SPECIAL HANDLINg Log Appendix 16 Evidence Sought Appendix 17 Request for Forensic examination Appendix 18 Client Virtual Case File Structure Appendix 19 Computer Details Log Appendix 20 Other Equipment Details Log Appendix 21 Hard Disk Details Log Appendix 22 Other Media Details Log Appendix 23 Cell Phone Details Log Appendix 24 Other Device Details Log Appendix 25 Some Evidence Found in Volatile Memory Appendix 26 Some File Metadata Appendix 27 Case Progress Checklist Appendix 28 Meeting the Requirements of HB 171 Appendix 29 Internal Case Report Template Appendix 30 Forensic Laboratory Exhibit Log Appendix 31 Report Production Checklist

Chapter 10. Case Management

Abstract 10.1 Overview 10.2 Hard Copy Forms 10.3 MARS 10.4 Setting up a New Case 10.5 Processing a Forensic Case 10.6 Reports General 10.7 Administrator's Reports 10.8 User Reports Appendix 1 Setting up Organisational Details Appendix 2 Set up the Administrator Appendix 3 Audit Reports Appendix 4 Manage Users Appendix 5 Manage Manufacturers Appendix 6 Manage Suppliers Appendix 7 Manage Clients Appendix 8 Manage Investigators Appendix 9 Manage Disks Appendix 10 Manage Tapes Appendix 11 Manage Small Digital Media Appendix 12 Exhibit Details Appendix 13 Evidence Sought Appendix 14 Estimates Appendix 15 Accept or Reject Case Appendix 16 Movement Log Appendix 17 Examination Log Appendix 18 Computer Hardware Details Appendix 19 Non-Computer Exhibit Details Appendix 20 Hard Disk Details Appendix 21 Other Media Details Appendix 22 Work Record Details Appendix 23 Updating Case Estimates Appendix 24 Create Exhibit Appendix 25 Case Result Appendix 26 Case Backup Appendix 27 Billing and Feedback Appendix 28 Feedback Received Appendix 29 Organization Report Appendix 30 Users Report Appendix 31 Manufacturers Report Appendix 32 Supplier Report Appendix 33 Clients Report Appendix 34 Investigator's Report Appendix 35 Disks by Assignment Report Appendix 36 Disks by Reference Number Report Appendix 37 Wiped Disks Report Appendix 38 Disposed Disks Report Appendix 39 Disk History Report Appendix 40 Tapes by Assignment Report Appendix 41 Tapes by Reference Number Report Appendix 42 Wiped Tapes Report Appendix 43 Disposed Tapes Report Appendix 44 Tape History Report Appendix 45 Small Digital Media by Assignment Report Appendix 46 Small Digital Media by Reference Number Report Appendix 47 Wiped Small Digital Media Report Appendix 48 Disposed Small Digital Media Report Appendix 49 Small Digital Media History Report Appendix 50 Wipe Methods Report Appendix 51 Disposal Methods Report Appendix 52 Imaging Methods Report Appendix 53 Operating Systems Report Appendix 54 Media Types Report Appendix 55 Exhibit Type Report Appendix 56 Case setup details Report Appendix 57 Case Movement Report Appendix 58 Case Computers Report Appendix 59 Case Non-Computer Evidence Report Appendix 60 Case Disks Received Report Appendix 61 Case Other Media Received Appendix 62 Case Exhibits Received Report Appendix 63 Case Work Record Appendix 64 Cases Rejected Report Appendix 65 Cases Accepted Appendix 66 Case Estimates Report Appendix 67 Cases by Forensic Analyst Appendix 68 Cases by Client Report Appendix 69 Cases by Investigator Report Appendix 70 Case Target Dates report Appendix 71 Cases Within “x ” Days of Target Date Report Appendix 72 Cases Past Target Date Report Appendix 73 Cases Unassigned Report Appendix 74 Case Exhibits Produced Report Appendix 75 Case Results Report Appendix 76 Case Backups Report Appendix 77 Billing Run Report Appendix 78 Feedback Letters Appendix 79 Feedback Forms Printout Appendix 80 Feedback Reporting Summary by Case Appendix 81 Feedback Reporting Summary by Forensic Analyst Appendix 82 Feedback Reporting Summary by Client Appendix 83 Complete Case Report Appendix 84 Processed Report Appendix 85 Insurance Report

Chapter 11. Evidence Presentation

Abstract 11.1 Overview 11.2 Notes 11.3 Evidence 11.4 Types of Witness 11.5 Reports 11.6 Testimony in Court 11.7 Why Cases Fail Appendix 1 Nations Ratifying the Budapest Convention Appendix 2 Criteria for Selection an Expert Witness Appendix 3 The Forensic Laboratory Code of Conduct for Expert Witnesses Appendix 4 Report writing Checklist Appendix 5 Statement and Deposition Writing Checklist Appendix 6 Non-Verbal Communication to Avoid Appendix 7 Etiquette in Court Appendix 8 Testimony Feedback Form

Chapter 12. Secure Working Practices

Abstract 12.1 Introduction 12.2 Principles of Information Security within the Forensic Laboratory 12.3 Managing Information Security in the Forensic Laboratory 12.4 Physical Security in the Forensic Laboratory 12.5 Managing Service Delivery 12.6 Managing System Access 12.7 Managing Information on Public Systems 12.8 Securely Managing IT Systems 12.9 Information Processing Systems Development and Maintenance Appendix 1 The Forensic Laboratory SOA Appendix 2 Meeting the Requirements of GAISP Appendix 3 Software License Database Information Held Appendix 4 Information Security Manager, Job Description Appendix 5 Logon Banner Appendix 6 The Forensic Laboratory’s Security Objectives Appendix 7 Asset Details to be Recorded in the Asset Register Appendix 8 Details Required for Removal of an Asset Appendix 9 Handling Classified Assets Appendix 10 Asset Disposal Form Appendix 11 Visitor Checklist Appendix 12 Rules of the Data Center Appendix 13 User Account Management Form Contents Appendix 14 Teleworking Request Form Contents

Chapter 13. Ensuring Continuity of Operations

Abstract 13.1 Business Justification for Ensuring Continuity of Operations 13.2 Management Commitment 13.3 Training and Competence 13.4 Determining the Business Continuity Strategy 13.5 Developing and Implementing a Business Continuity Management Response 13.6 Exercising, Maintaining, and Reviewing Business Continuity Arrangements 13.7 Maintaining and Improving the BCMS 13.8 Embedding Business Continuity Forensic Laboratory Processes 13.9 BCMS Documentation and Records—General Appendix 1 Supplier Details Held Appendix 2 Headings for Financial and Security Questionnaire Appendix 3 Business Continuity Manager, Job Description Appendix 4 Contents of the Forensic Laboratory BIA Form Appendix 5 Proposed BCMS Development and Certification Timescales Appendix 6 Incident Scenarios Appendix 7 Strategy Options Appendix 8 Standard Forensic Laboratory BCP Contents Appendix 9 Table of Contents to the Appendix to a BCP Appendix 10 BCP Change List Contents Appendix 11 BCP Scenario Plan Contents Appendix 12 BCP Review Report Template Contents Appendix 13 Mapping IMS Procedures to ISO 22301 Appendix 14 Differences Between ISO 22301 and BS 25999

Chapter 14. Managing Business Relationships

Abstract 14.1 The Need for Third Parties 14.2 Clients 14.3 Third Parties Accessing the Forensic Laboratory 14.4 Managing Service Level Agreements 14.5 Suppliers of Office and IT Products and Services 14.6 Utility Service Providers 14.7 Contracted Forensic Consultants and Expert Witnesses 14.8 Outsourcing 14.9 Use of Sub-contractors 14.10 Managing Complaints 14.11 Reasons for Outsourcing Failure Appendix 1 Contents of a Service Plan Appendix 2 Risks to Consider With Third Parties Appendix 3 Contract Checklist for Information Security Issues Appendix 4 SLA Template for Products and Services for Clients Appendix 5 RFX Descriptions Appendix 6 The Forensic Laboratory RFx template checklist Appendix 7 RFX Timeline for Response, Evaluation, and Selection Appendix 8 Forensic Consultant’s Personal Attributes Appendix 9 Some Tips for Selecting an Outsourcing Service Provider Appendix 10 Areas to Consider for Outsourcing Contracts

Chapter 15. Effective Records Management

15.1 Introduction 15.2 Legislative, Regulatory, and Other Requirements 15.3 Record Characteristics 15.4 A Records Management Policy 15.5 Defining the Requirements for Records Management in the Forensic Laboratory 15.6 Determining Forensic Laboratory records to be Managed by the ERMS 15.7 Using Metadata in the Forensic Laboratory 15.8 Record Management Procedures 15.9 Business Continuity Appendix 1 MoReq2 Functional Requirements Appendix 2 Mapping of ISO 15489 Part 1 to Forensic Laboratory Procedures Appendix 3 Types of Legislation and Regulation That Will Affect Record Keeping Appendix 4 Forensic Laboratory Record keeping Policy Appendix 5 Record Management System Objectives Appendix 6 Business Case Contents Appendix 7 Outline of the ERMS Project Appendix 8 Selection Criteria for an ERMS Appendix 9 Initial ERMS Feedback Questionnaire Appendix 10 Metadata Required in the ERMS Appendix 11 Sample e-Mail Metadata Appendix 12 Forensic Case Records Stored in the ERMS Appendix 13 Dublin Core Metadata Elements Appendix 14 National Archives of Australia Metadata Standard Appendix 15 Responsibilities for Records Management in the Forensic Laboratory Appendix 16 Metadata for Records Stored Off-Site Appendix 17 Records Classification System Appendix 18 Disposition Authorization Appendix 19 Additional Requirements for Physical Record Recovery Appendix 20 Specialized Equipment Needed for Inspection and Recovery of Damaged Records

Chapter 16. Performance Assessment

Abstract 16.1 Overview 16.2 Performance Assessment

Chapter 17. Health and Safety Procedures

Abstract 17.1 General 17.2 Planning for OH&S 17.3 Implementation and Operation of the OH&S Management System 17.4 Checking Compliance with OH&S Requirements 17.5 Improving the OH&S Management System Appendix 1 OH&S Policy Checklist Appendix 2 The Forensic Laboratory OH&S Policy Appendix 3 Health and Safety Manager Job Description Appendix 4 Some Examples of OH&S Drivers Appendix 5 The Forensic Laboratory OH&S Objectives Appendix 6 Sample Hazards in the Forensic Laboratory Appendix 7 Hazard Identification Form Appendix 8 Some Areas for Inspection for Hazards Appendix 9 Inputs to the Risk Assessment Process Appendix 10 OH&S Risk Rating Appendix 11 DSE Initial Workstation Self-Assessment Checklist Appendix 12 DSE Training Syllabus Appendix 13 DSE Assessors Checklist Appendix 14 Measurement of OH&S success Appendix 15 Specific OH&S Incident Reporting Requirements Appendix 16 OH&S Investigation Checklist and Form Contents Appendix 17 OH&S Incident Review Appendix 18 OHSAS 18001 Mapping to IMS Procedures

Chapter 18. Human Resources

Abstract 18.1 Employee Development 18.2 Development 18.3 Termination Appendix 1 Training Feedback Form Appendix 2 Employee Security Screening Policy Checklist Appendix 3 Employment Application Form Appendix 4 Employment Application Form Notes Appendix 5 Some Documents That Can Verify Identity Appendix 6 Document Authenticity Checklist Appendix 7 Verifying Addresses Appendix 8 Right To Work Checklist Appendix 9 Reference Authorization Appendix 10 Statutory Declaration Appendix 11 Employer Reference Form Appendix 12 Employer’s Oral Reference Form Appendix 13 Confirmation of an Oral Reference Letter Appendix 14 Qualification Verification Checklist Appendix 15 Criminal Record Declaration Checklist Appendix 16 Personal Reference Form Appendix 17 Personal Oral Reference Form Appendix 18 Other Reference Form Appendix 19 Other Reference Form Appendix 20 Employee Security Screening File Appendix 21 Top Management Acceptance of Employment Risk Appendix 22 Third-Party Employee Security Screening Provider Checklist Appendix 23 Recruitment Agency Contract Checklist Appendix 24 Investigation Manager, Job Description Appendix 25 Forensic Laboratory System Administrator, Job Description Appendix 26 Employee, Job Description Appendix 27 Areas of Technical Competence Appendix 28 Some Professional Forensic and Security Organizations Appendix 29 Training Specification Template Appendix 30 Training Proposal Evaluation Checklist Appendix 31 Training Supplier Interview and Presentation Checklist Appendix 32 Training Reaction Level Questionnaire Appendix 33 The Forensic Laboratory Code of Ethics Appendix 34 Termination Checklist

Chapter 19. Accreditation and Certification for a Forensic Laboratory

Abstract 19.1 Accreditation and Certification 19.2 Accreditation for a Forensic Laboratory 19.3 Certification for a Forensic Laboratory Appendix 1 Typical Conditions of Accreditation Appendix 2 Contents of an Audit Response Appendix 3 Management System Assessment Non-conformance Examples Appendix 4 Typical Closeout Periods

Chapter 20. Emerging Issues

Abstract 20.1 Introduction 20.2 Specific Challenges

Appendix. Acronyms Bibliography

International Standards National Standards Guidance from Authoritative Sources

Index Glossary

← Prev
Back
Next →

← Prev
Back
Next →