Digital Forensics - Winter/Spring 2014

WINTER | SPRING 2014 www.DFInews.com 19 earlier, the hard drive recovery examiners have a common work area where they can share not only equipment and work space, but ideas on how to troubleshoot problematic devices. Several machines are continuously running programs to recover data on corrupted hard drives. There are also common areas for mobile and video forensics.

Takedown room: There is no room dedicated for disassembly. The fact is that most data collected by the examiners comes from network-acquired sources. A very small number of cases have physical devices submitted to the laboratory. As an example, during October the lab responded to nearly 400 requests for services and only about 5% of those involved a physical device.

What types of equipment and software does the laboratory use to provide services: The laboratory is well equipped.

They have a wide variety of hardware and software com-
mon to any law enforcement forensic laboratory. Forensic
workstations, write blockers, disk duplicators, mobile
device equipment, and more can be observed throughout
the lab. They use
the most common
forensic software,
but have developed
in-house methods to
efficiently collect data
from unique sources.

Together, we tested and validated those in-house methods over the course of this project.

Their methodologies are quite similar to what we would see in a sophisticated laboratory. Data is identified, securely collected, imaged logically or physically, hashed, analyzed, reported, and archived. Each associate has a staging drive or server to facilitate casework. The results are provided to the customer electronically under cover of a report. The collected data results are archived to a storage area network in a designated location outside of the lab.

Storage (evidence): As mentioned previously, unlike law enforcement labs, the laboratory handles relatively few physical devices since data collected and preserved often resides on the Walmart internal network storage. However, when physical devices are encountered, the lab’s processes and evidence storage are no different than a law enforcement facility. There are two types of evidence storage: Long-term and short-term. Long-term evidence storage is located in a separate data center facility which has a very high level access control procedure. Each examiner is assigned a temporary storage locker to store digital devices while the associated service request is ongoing. Physical evidence is documented to a paper chain of custody while data collected and processed virtually is verified through process logs and hash verification throughout the process from collection to archiving.

Storage (in process evidence): When physical evidence is
undergoing examination or processing by associates and
the evidence is unattended, a warning placard is placed on
or around the evidence to ensure that other personnel are
aware and cautious when entering the examination area.

Finally, as Larry walked the halls of the facility he had this to say “I noted the following quote on the white board of former lab director and Senior Director Jerry Geisler: ‘We must all suffer one of two things: the pain of discipline or the pain of regret or disappointment.’” That quote set the tone for the project’s success.

Ken Mohr ( kenm@crimelabdesign.com) is a principal and senior forensic planner with Crime Lab Design.

Larry Depew ( larry@larrydepew.com), founder of Digital Forensics.US LLC., is a retired FBI Supervisory Special Agent and Laboratory Director of the New Jersey Regional Computer Forensic Laboratory (RCFL).

A statement from Wal-Mart Stores, Inc. Quality Manager Ken Gill on what he has learned: The development of our quality management system is best described using the analogy of painting the Golden Gate Bridge. It is never finished. When you get to the end, you head back to the other end and start painting again. Sure, a lot of work went into preparing for the ASCLD/LAB assessment. But our pursuit of improving operations doesn’t end with accreditation. You are continually examining and re-examining your processes and procedures. You are ensuring that the teams remain proficient and that they are current. New technologies arrive and they need to be vetted. This along with pretty much verifying everything under the sun.

The fact that we now have a well-documented and functional mentoring program is of special importance to us. As the demands for our services grow, our forensics and E-Discovery teams grow as well. The process of bringing in new members to the teams and establishing their competence is very important. It is now streamlined with an effective and efficient mentoring program. The Mentor/Mentee pairing facilitates the efficient development of new associates’ competencies. Defined training goals against which achievements are mapped and documented establish a record that our staff has the required skillset to provide our customers with reliable results.