Procedural Guidelines
Data Recovery UK Limited's internal procedures for computer forensics services are based on the principles detailed in the Good Practice Guide for Computer based Electronic Evidence, produced by the Association of Chief Police Officers (ACPO), as updated in 2003.

Our General Procedural Guidelines (GPG) do not constitute an exhaustive list of policies and procedures; they are an overview designed to inform and remind the user of the categories of procedures that must be followed in particular situations to ensure that our computer forensics services meet and exceed the standards required by the legal community, law enforcement agencies, government departments and the court system.

To summarise, DRUK's guidelines have been developed from the four essential principles of ACPO's Good Practice Guide:
Principle 1
No action taken by DRUK should change data held on a computer or other media which may subsequently be relied upon in Court.

Principle 2
In exceptional circumstances where a person finds it necessary to access original data held on a target computer, that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions.

Principle 3
An audit trail or other record of all processes applied to computer based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4
The Manager in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with pertinent law and these principles.
DRUK's Procedural Guidelines are categorised as follows:
1. Preliminary Set-Up and Preparation

This category of procedures starts at the point the company is contacted by a forensics client. They are designed to ensure that DRUK understands: a) the situation in its entirety and any extenuating circumstances that must be considered and dealt with, b) the potential use of the evidence collected and its analysis, c) the identity of those authorised to direct the project and with whom DRUK can communicate, and the extent of disclosure allowed during the project, d) the time frame required for the completion of the project, and e) all other available information that will allow the project to be completed in an accurate, cost-efficient manner consistent with the practices set out by ACPO.

The Preliminary Set-Up and Preparation procedures are divided into six sub-categories:

a) Job Initiation Questionnaire
This form details the preparatory information required, including:
- Assignment of Job/Case Number
- Interview Log
- Situation Analysis
- Technological Environment Analysis
- Timing/Access Analysis
- Authorised Contact Information

b) Team Formation
- Lead Forensics Manager
- Senior Management Representative
- Team Members
- Office Participation Requirements

c) Investigation Objectives and Strategies
- Develop Clearly-Defined Objectives for the Investigation
- Obtain Client Approval
- Develop Strategies for Executing the Investigation

d) Tactical Plan
- Develop Detailed Tactical Plan for Initiating and Completing the Investigation
- Obtain Client Input and Approval

e) Case Notebook Creation
- Proper Forms Completed and Included
- Evidence Labels Provided
- Job Log Initiated
- Job Initiation Questionnaire Included and Updated

f) Equipment Kit Planning and Assembling
- On-Site or Off-Site Acquisition Requirements
- Hardware and Software Requirements
- Peripheral Equipment Requirements
- Photographic Equipment Requirements
- Administrative Requirements (including Case Notebook)
- Electrical Equipment Requirements
- Communications Equipment Requirements
- Transportation Requirements
- Team Member Availability
- Office Notification
2. Evidence Acquisition

During actual evidence acquisition, procedures are focused primarily on maintaining proper forensics techniques to ensure that any evidence acquired will be acceptable in a court of law or other legal proceeding, and can be duplicated, if necessary, by an independent third party.

- Environmental Assessment and Documentation
- Drive Assessment and Documentation
- Evidence and Anti-Tampering Tagging and Documentation
- Drive Removal/Imaging Documentation
- Hardware/Software Tools Documentation
- Procedural Documentation
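As an added illustration of how Principles 1 and 3 apply to the acquisition step (example code, not DRUK's own procedures or tooling): the script hashes a constructed source before and after imaging, records the hashes, examiner and tool details in an append-only job log, and shows how an independent party re-verifies the image from that log alone. The tool name, file names and examiner ID are assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source: Path, image: Path, log: Path, examiner: str) -> dict:
    """Image `source` into `image` and append an audit record to the job log (Principle 3).
    The source is hashed before and after imaging to show the original was not altered (Principle 1)."""
    before = sha256_file(source)
    image.write_bytes(source.read_bytes())  # stand-in for a write-blocked imaging tool
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "tool": "constructed-imager 1.0",  # hypothetical tool name and version
        "source": str(source),
        "image": str(image),
        "source_sha256_before": before,
        "source_sha256_after": sha256_file(source),
        "image_sha256": sha256_file(image),
    }
    record["verified"] = before == record["source_sha256_after"] == record["image_sha256"]
    with log.open("a") as f:
        f.write(json.dumps(record) + "\n")
    return record

def independent_verify(image: Path, log: Path) -> bool:
    """What a third party does with the case notebook: rehash the image and compare it to the logged value."""
    last = json.loads(log.read_text().splitlines()[-1])
    return sha256_file(image) == last["image_sha256"]

def demo() -> dict:
    """Run the workflow on a constructed 'drive', then show that a one-byte change to the image is caught."""
    work = Path(tempfile.mkdtemp())
    src, img, log = work / "drive.bin", work / "drive.dd", work / "job_log.jsonl"
    src.write_bytes(b"CONSTRUCTED SAMPLE DRIVE CONTENTS " * 4096)  # constructed input, not real evidence
    rec = acquire(src, img, log, examiner="examiner-01")
    third_party_ok = independent_verify(img, log)
    with img.open("r+b") as f:  # simulate a change to the image after acquisition
        f.seek(100)
        f.write(b"X")
    return {"verified": rec["verified"], "third_party_ok": third_party_ok, "tamper_detected": not independent_verify(img, log)}
```

The job log is written one JSON record per line so that each acquisition leaves an entry that can be re-checked later without access to the original drive.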
3. Analysis

The Analysis Phase is typically customised to the requirements of each project and can involve a multitude of processes, each with their own procedural requirements. In general, however, as with the Evidence Acquisition phase, the driving factor is to maintain proper forensics techniques to prevent any legal challenges in court proceedings and to ensure the techniques and results can be duplicated by an independent third party.

- Team Members
- Hardware/Software Tools Documentation
- Process and Timing Documentation
- Drive Copying Documentation
- Results Documentation and Secure Storage
4. Reporting

The Reporting of the Results of a forensics investigation will tend to follow certain templates, customised as required by the client and the specific circumstances of each project. In general, the report will be organised as follows:

- Title
- Contents page
- What is required of the report, who asked for it and when (this must be agreed upon with both the client and the Forensic Manager before the analytical stage is initiated)
- The equipment involved, along with a description of how it is referred to throughout the report
- How the imaging process was undertaken
- What was found during the analytical stage
- What conclusions, if any, can be made
- Appendices

DRUK maintains templates of reports on a secure server to facilitate the reporting process. Once completed, report access is restricted to the Team Manager and the Team Senior Manager Representative, and the report may only be distributed to those authorised to receive it as determined by the Initial Job Questionnaire. Interim reports may be generated by DRUK depending on the requirements of the client and the investigation. Specific procedural guidelines for each of the above are maintained and included as part of the training of forensics technicians and engineers.
5. Privacy, Confidentiality, Security

DRUK maintains high standards of security:

- in the lab facility
- throughout the forensics process
- with all lab personnel

The lab is fitted with an ADT Intruder Alarm system that conforms to the requirements of British Standard 4737 and NARCOSS. Monitored 24/7 through BT's Redcare Security system, the system has Police Preferred Specifications status and meets the highest grade (Grade 4) of European Standard 50131. The lab is secured with 2 zones: one zone covers the general office and lab area and one zone covers the switch, server and client work-in-progress digital media room. Each zone is set separately when the premises are vacated and must be disarmed when entering the facility. Full-time DRUK employees are issued with security 'key tags' and security codes that are recorded against a distinct ID number. Each entry and exit, including time and ID number, is recorded for monitoring purposes.

The lab facility is a first floor operation in a high traffic area of Butler's Wharf in London. Porter service covers security during extended business hours and on weekends, and CCTV cameras are located in clear view of both entrance areas to the lab for 24/7 surveillance. All windows and doors into the lab are reinforced and fitted with multiple locking systems for added protection against break-ins and unauthorised access. Each employee is well versed in the requirements of securing the lab after business hours.

The forensic imaging and analysis systems are separate from DRUK's main domain and require different passwords to access. Only authorised forensics engineers can log on to the systems. During the analysis phase of an investigation, or if the system is online, the forensic system is protected by additional stand-alone firewalls. The DRUK global network is a Virtual Private Network (VPN) between different satellite labs, connected through a dedicated network connection. From 1 January 2004, as part of a stricter set of security procedures, stronger encryption algorithms will be used to encrypt data between different network nodes.

DRUK employees are required to sign a stringent employment contract that covers all aspects of business related communications (telephone, fax, e-mail, Internet use, post, etc.), confidentiality and data protection. Complying with the Data Protection Law 1998, each employee has agreed to the monitoring and recording of all activity related to their business functions and personal data. Confidentiality compliance extends to all business related materials and has no time limitation post employment. There are no exceptions to these requirements.