WINTER | SPRING 2014 www.DFInews.com 19
earlier, the hard drive recovery examiners have a common
work area where they can share not only equipment and
work space, but ideas on how to troubleshoot problematic
devices. Several machines are continuously running programs to recover data on corrupted hard drives. There are
also common areas for mobile and video forensics.
Takedown room: There is no room dedicated for disassembly. The fact is that most data collected by the examiners
comes from network-acquired sources. A very small number
of cases have physical devices submitted to the laboratory. As an example, during October the lab responded to
nearly 400 requests for services and only about 5% of those
involved a physical device.
What types of equipment and software does the laboratory
use to provide services: The laboratory is well equipped.
They have a wide variety of hardware and software common to any law enforcement forensic laboratory. Forensic
workstations, write blockers, disk duplicators, mobile
device equipment, and more can be observed throughout
the lab. They use the most common but have developed
in-house methods to efficiently collect data from unique sources.
Together, we tested and validated those
in-house methods over the course of this project.
Their methodologies are quite similar to what we would
see in a sophisticated laboratory. Data is identified, securely
collected, imaged logically or physically, hashed, analyzed,
reported, and archived. Each associate has a staging drive
or server to facilitate casework. The results are provided to
the customer electronically under cover of a report. The
collected data results are archived to a storage area network
in a designated location outside of the lab.
Storage (evidence): As mentioned previously, unlike
law enforcement labs, the laboratory handles relatively
few physical devices since data collected and preserved
often resides on the Walmart internal network storage.
However, when physical devices are encountered, the
lab’s processes and evidence storage are no different
than a law enforcement facility. There are two types of
evidence storage: Long-term and short-term. Long-term
evidence storage is located in a separate data center facility which has a very high level access control procedure.
Each examiner is assigned a temporary storage locker to
store digital devices while the associated service request is
ongoing. Physical evidence is documented to a paper chain
of custody while data collected and processed virtually is
verified through process logs and hash verification throughout the process from collection to archiving.
Storage (in process evidence): When physical evidence is
undergoing examination or processing by associates and
the evidence is unattended, a warning placard is placed on
or around the evidence to ensure that other personnel are
aware and cautious when entering the examination area.
Finally, as Larry walked the halls of the facility, he had
this to say: “I noted the following quote on the white board
of former lab director and Senior Director Jerry Geisler:
‘We must all suffer one of two things: the pain of discipline
or the pain of regret or disappointment.’” That quote set
the tone for the project’s success.
Ken Mohr (firstname.lastname@example.org) is a principal and
senior forensic planner with Crime Lab Design.
Larry Depew (email@example.com), founder of Digital
Forensics.US LLC., is a retired FBI Supervisory Special Agent
and Laboratory Director of the New Jersey Regional Computer
Forensic Laboratory (RCFL).
A statement from Wal-Mart Stores, Inc. Quality
Manager Ken Gill on what he has learned:
The development of our quality management system is
best described using the analogy of painting the Golden Gate Bridge. It is never finished. When you get
to the end, you head back to the other end and start
painting again. Sure, a lot of work went into preparing
for the ASCLD/LAB assessment. But our pursuit of
improving operations doesn’t end with accreditation.
You are continually examining and re-examining your
processes and procedures. You are ensuring that the
teams remain proficient and that they are current.
New technologies arrive and they need to be vetted.
This along with pretty much verifying everything
under the sun.
The fact that we now have a well-documented and
functional mentoring program is of special importance
to us. As the demands for our services grow, our forensics and E-Discovery teams grow as well. The process
of bringing in new members to the teams and establishing their competence is very important. It is now
streamlined with an effective and efficient mentoring
program. The Mentor/Mentee pairing facilitates the
efficient development of new associates’ competencies.
Defined training goals against which achievements are
mapped and documented establish a record that our
staff has the required skillset to provide our customers
with reliable results.