Computer Forensic Team


When a computer forensic laboratory is being set up, teamwork is required to support and establish a process for handling electronic data and for managing the workflow of the cases that are received by the lab. Establishing this workflow process will assist in identifying those team members who should be deployed within the lab. In some cases, laboratories, particularly those that are embedded within existing corporations, need to rely on outside resources. For instance, the records, such as audit or security records, in the information technology department of the company will assist in establishing clear procedures and processes for the management of electronic data and will ensure that those individuals who are brought onto the team on an ad hoc basis are properly deployed.

A typical small-size laboratory will generally consist of a lab manager and a number of forensic technicians. These technicians may have different skill sets. Some may be focused on the collection of electronic data in the field, and others may be focused on the analysis of electronic data. Still others may be focused on certain subsets of the field of analysis, such as analyzing network or dynamic data, including the data that is contained in network log files or router log files or the dynamic data that can be pulled off hard drives and flash memory while the devices are in use.

Other specialists include individuals who are familiar with e-discovery production protocols that are focused on both keyword search data management and the production of electronic data. These protocols must be implemented in such a fashion that the data can be reviewed within the context of an online e-discovery review tool or manually reviewed by attorneys or investigators downstream. Other individuals who may be full-time employees (depending on the volume of work) in the lab are the investigators. Expert testimony may be required to certify and/or testify as to the findings of the lab technicians.

Among the processes that must be included in the lab is the manner in which electronic evidence will be received, which is covered elsewhere in this volume. Chain-of-custody and data acquisition forms, as well as evidence inventory systems, are important components of those processes. Also important is the establishment of a procedure for the physical handling of the drives and/or evidence that are brought into the lab. This includes procedures for how these items will be transported from the intake area to the analysis or collection area and then, finally, to the evidence lockup. Similarly, it is important to establish how items contained within the evidence lockup are to be distributed to analysts, when data review takes place, and whether the evidence is to be destroyed or sent to clients at the conclusion of a matter.
