Some companies set up a digital forensics lab in order to carry out internal checks for workplace misconduct, to support disciplinary proceedings, to carry out incident analysis and damage assessment, or to offer such services commercially to others. Demand for digital forensics is growing: Transparency Market Research has forecast that the digital forensics market will be worth $4.97 billion by the end of 2021, a compound annual growth rate (CAGR) of 12.5%.
Setting up a new digital forensics lab often involves high cost for companies, however, and forecasting this cost is not always easy – especially for smaller companies. So, I would like to share a few tips about how to build a lab on a low budget.
- Research current trends, requirements, and what other companies in your sector are doing. The infosec community is very open and, often, a request for help will result in many replies. This should help you to identify the services you are planning to provide, such as computer forensics, mobile forensics, e-discovery and so on.
- Outline the services you plan to provide. Evaluate your capability and the availability of resources. Do a SWOT analysis to determine your strengths, weaknesses, opportunities and threats.
- Find out more about digital forensics best-practice standards and operating procedures from reliable sources like those listed here. This should help you to determine the requirements for your digital forensics lab and tools.
- Determine the following:
  - What digital forensic services you have to provide
  - What you need to have
  - What you plan to have
  - What you would like to have.
- Prepare a list of provisional expenses (see ‘what you need to have’, above) for your lab. List all software and hardware required for your services.
- Evaluate software and hardware by cost, reputation, support, service and so on. Check for open source tools which you could use for your needs. There are many well-recognised digital forensics frameworks and tools available free of charge (several are listed in the table below).
- Prepare a shopping list based on your needs, findings and evaluation.
- Make sure that staff have the necessary training, resources and qualifications. Prepare your incident response guidelines and investigation procedures documentation to incorporate your digital forensics capabilities.
- Test and review: regularly check your new lab by performing all steps of the digital forensics process. This stage is very important because it can reveal missing links in the process chain. It's better to discover any issues with your processes during testing than in an actual case. Furthermore, remember to update your policies and procedures to reflect the findings of your testing.
- Prepare a development plan for your lab to enhance its capabilities over time. Write down goals and targets with projected dates. Having this focus will help you to improve the services you provide to the business (or to external clients) over time. It also provides you with the opportunity to review new developments in digital forensics investigation.
Good, reliable digital forensics tools are key requirements for your lab. This table shows an example of basic software requirements for a digital forensics lab, from cost-free to around €750 (NB: BH Consulting provides forensics services but we do not promote any of the tools mentioned here, nor do we earn any profit from them). In addition, you could significantly reduce your software expenses by using open source tools (so thank you to all the community developers for their hard work!)
| Tool | Description | Cost |
|---|---|---|
| Raptor | Imaging tool with a write blocker that prevents the operating system from mounting the targeted | |
| DD (stands for Data Duplicator) | Open source tool for copying and converting data. It can quickly clone a disk or create an exact raw disk image. | FREE |
| Hashcat | Open source password cracking tool | FREE |
| John The Ripper | Open source password cracking tool | FREE |
| Autopsy/Sleuth Kit | Open source digital forensics tool | FREE |
| OSForensics | Digital forensics tool with multiple capabilities: recovering deleted files, collecting system information, extracting passwords, viewing active memory, searching files and within files, and much more. | |
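The "test and review" step above and the dd entry in the table come together in the most basic lab self-test: image a source with dd, hash the source and the image, and confirm the two match before anything is analysed. The script below is an added example, not code from the original post or from any of the tools listed; the "evidence device" is a constructed 1 MiB file standing in for a block device, and the file names, offsets and marker string are assumptions made for the demonstration. In a real acquisition the source would be a device node (for example /dev/sdb) read through a write blocker, and the recorded hashes would go into the case notes.

```sh
#!/bin/sh
# Added example (not from the original post): a lab self-test of the
# imaging step with dd (raw image, then hash verification).
# The "device" is a constructed file standing in for a block device;
# in a real acquisition the source would be a device node such as /dev/sdb
# read through a write blocker, and the hashes go into the case notes.
set -eu

# Portable SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build a 1 MiB sample "device": random bytes plus a known marker string
# at offset 4096 (assumed values) so we can confirm content survived the copy.
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
    printf 'EVIDENCE-MARKER-1234' | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Acquire a raw image. conv=noerror,sync keeps going past unreadable
# sectors and zero-fills them instead of aborting. Caveat: sync pads a
# short final block up to bs, which would change the image hash, so bs
# must divide the source size (a whole device is a multiple of its sector
# size, so bs=512 is the safe choice there). dd's own summary (including
# any read errors) is kept in the log together with the acquisition hashes.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>"$log"
    echo "source_sha256=$(hash_file "$src")" >>"$log"
    echo "image_sha256=$(hash_file "$img")" >>"$log"
}

# Verify an image: succeeds (exit 0) only when source and image hashes match.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Simulate a corrupted or altered image by zeroing the first marker bytes.
tamper_image() {
    dd if=/dev/zero of="$1" bs=1 count=8 seek=4096 conv=notrunc 2>/dev/null
}

# End-to-end check of the imaging step. Prints PASS when a good image
# verifies, the marker is found in it, and a tampered copy is rejected.
run_self_test() {
    w=$(mktemp -d)
    make_sample_device "$w/evidence.raw"
    acquire_image "$w/evidence.raw" "$w/evidence.dd" "$w/acquisition.log"
    verify_image "$w/evidence.raw" "$w/evidence.dd" || { echo FAIL; return 1; }
    grep -aq 'EVIDENCE-MARKER-1234' "$w/evidence.dd" || { echo FAIL; return 1; }
    cp "$w/evidence.dd" "$w/tampered.dd"
    tamper_image "$w/tampered.dd"
    if verify_image "$w/evidence.raw" "$w/tampered.dd"; then echo FAIL; return 1; fi
    rm -rf "$w"
    echo PASS
}

run_self_test
```

Run it on a fresh lab build before the first real case: if the tampered copy is not rejected, the hash step is broken and nothing downstream can be trusted. The same functions work unchanged against a real device by passing its node as the source, provided the block size divides the device size as noted in the comments.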