IOCE Laboratory Management Draft

Contents

Customer Identification
Investigator v. Technical Support
Organization: Service Delivery Models: Independence and Objectivity
Outsourcing
Facility Design
Equipment Modules
Training
Personnel: Selection: Burnout: Stress
Performance Measures
Quality Assurance: Performance Testing: Accreditation: Validation
Archives: Data Retention Policies
Examination Tools
Health and Safety
Secure Executive Level Support
Procurement Philosophy/Strategy
Evidence Handling


  1. Customer Identification
    1. Needs to be updated on a regular basis.
    2. Agents/Investigators are principal customers.
    3. Mission creep can undermine your main mission. Everyone wants support.
    4. Need to have priority system for cases, e.g. murder, internal affairs, due in court, etc.
    5. Priority system is a lab specific issue.
    6. Customer base may include investigators as well as Internal Affairs and others.


  2. Investigator v. Technical Support
    1. Emphasis should be on the quality (competency) of examination personnel.
    2. The division of functions needs closer scrutiny:
      1. Who does collection of evidence;
      2. Who gathers basic investigation facts (subscriber checks);
      3. Who performs detailed examinations.
    3. Accreditation standards will apply for anyone doing examination work.
    4. Management should ensure the examiner is neutral.
    5. The argument for sworn investigator/examiner personnel is the ability to retain them.
    6. Ideal is to separate the investigative role from the forensic/evidence role.
    7. The technical sophistication of computer systems is creating a strong need for very specialized/trained personnel or teams of examiners to perform the examinations.


  3. Organization: Service Delivery Models: Independence and Objectivity
    1. Most organizations use either a central or distributed model.
    2. The service model should fit your agency's operational need. Determining factors can be geographic area of coverage, national laws, and agency size.
    3. Decentralized organizational structures require strong central program management.
    4. Service model needs to reflect case workload, case priorities, and operational economics.
    5. Legal system, search warrant rules, and scope of warrant are the most significant determining factors on how service delivery models are designed.


  4. Outsourcing
    1. Two forms of outsourcing:
      1. On-site (at the forensic lab) examiner support, and
      2. Sending evidence to outside businesses/contractors.
    2. Outsourcing must maintain chain of custody, be performed in accordance with forensic science principles and current best practices, and comply with the organization's quality standards.
    3. Outsourcing can provide scarce technical expertise, or supplemental manpower support.
    4. Outsourcing is used as supplemental staffing strategy at several computer forensic laboratories.


  5. Facility Design
    1. Facility proposals should be comprehensive and have growth options. A good business plan is essential to securing recurring and expansion funding.
    2. Good facility design enhances evidence control and minimizes evidence cross contamination.
    3. Good facility design should take into consideration employee health and safety and the local building code.
    4. Laboratories must have an access control system.
    5. Lighting, AC power supplies, ground fault circuits, and uninterruptible power supplies are key issues for computer forensic laboratory design.


  6. Equipment Modules
    1. Equipment modules are a standardized set of equipment and software that is assigned to individual or groups of examiners.
    2. Equipment modules are a good budgeting technique for securing financial resources. Both individual and laboratory or group modules are used.
    3. Equipment modules promote hardware and software standardization.
    4. Equipment modules are an effective means to schedule replacement lifecycles.
    5. Equipment modules may simplify equipment and software validation.
    6. Equipment modules are useful in medium to large-scale organizations.


  7. Training
    1. A good leverage technique is to use academia, private industry, or software vendors.
    2. In-house R&D is an effective means of providing advanced training.
    3. Trainers need to communicate better so that curricula are not re-invented. Training methodologies and simulated cases (or exercises) should be shared at the international level. This is a matter of efficiency and duplication avoidance.
    4. Independent training sources are very basic. In-house training is used at all laboratories and seems to be fairly effective.
    5. Core training requirements need to be identified in the US. Australia has a central program consisting of curricula and qualification tests.
    6. Law Enforcement needs to articulate more detailed requirements (network forensics, volatile memory forensics, etc.).
    7. Training needs to be linked to laboratory accreditation and individual examiner certification.


  8. Personnel: Selection: Burnout: Stress
    1. Start-up work is substantial: position descriptions and recruitment.
    2. Key qualities to look for: an investigator's attitude, interest in computer forensics, some previous IT training.
    3. Different backgrounds have advantages and disadvantages. General recruitment categories are: law enforcement professionals, IT-trained individuals, computer/cyber crime-trained individuals, self-taught individuals, and civil litigation/search personnel.
    4. Interview process needs to identify personnel that have basic skills and problem solving techniques.
    5. Skill demonstration may be a valid interview technique.
    6. Child pornography investigations can cause examiner burnout, latent stress. Rotational assignments and professional monitoring are recommended.
    7. Examination backlogs and never-ending case support requests cause stress; mandatory annual leave can be in the best interest of the employee if allowable.
    8. Managers must observe and recognize burnout in employees and use training, conferences, meetings, and professional development to help pace employees.


  9. Performance Measures
    1. Experience levels do affect productivity.
    2. Hard drives and volatile memory objects are counted, and individual examiners are compared to the mean.
    3. Qualitative factors (training, collateral administrative duties) need to be considered in evaluations.
    4. A senior examiner performs a triage assessment, and the actual examiner's time expenditure is compared to the expected.
    5. A degree of difficulty system without triage is not recommended.
    6. Case type (fraud, drug, murder) does affect average processing time.
    7. Pass/Fail or rating on organizational values should also be included.
    8. Clear work plans are a fair way of setting objectives.
    9. Management information and accounting systems are recommended to track performance.
    10. Measurement items are: hard drives, CDs, diskettes, gigabytes, volatile memory objects, cases.


  10. Quality Assurance: Performance Testing: Accreditation: Validation
    1. Need to identify a quality manager.
    2. Proficiency testing is essential to quality control.
    3. Most laboratories are not doing proficiency tests at present, but its need/importance is recognized.
    4. Sharing of tests among agencies is considered an efficient test technique.
    5. The ISO quality assurance concept focuses on the end result.
    6. It is important to know and test your standard operating process.
    7. Results should be repeatable and valid.
    8. Quality assurance must be consistent with the accrediting body's standards (ISO, ASCLD/LAB).


  11. Archives: Data Retention Policies
    1. Original evidence is always returned.
    2. Duplicate evidence is sometimes archived for 5-10 years, while other organizations return the duplicate with the original evidence.
    3. Legal rules for each jurisdiction dictate what data retention policies are appropriate.


  12. Examination Tools
    1. Management must control tools used in the laboratory.
    2. The issues are tool validation and tool licensing.
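The quality assurance items above (repeatable and valid results, testing the standard operating process) and the tool validation item in this section both come down to the same check: before a tool is used on casework, run it against reference media with a known hash, confirm the output matches, confirm it matches on every repetition, and confirm the source was not modified. The following is an added example, not part of the IOCE draft or any laboratory's own procedure. The reference image, the expected hash, and both "tools under test" (`duplicate_tool_ok` and a hypothetical defective `duplicate_tool_bad`) are constructed here; a laboratory would substitute its real reference media and the real acquisition tool.

```python
"""Validation and repeatability harness for a forensic duplication tool (added example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class ValidationResult:
    tool: str
    trials: int
    source_unchanged: bool    # source hash identical after every run (write-protection held)
    matches_reference: bool   # every duplicate hashes to the known reference value
    repeatable: bool          # all trials produced the identical hash
    hashes: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        # Repeatability alone is not validity: a tool can fail the same way every time.
        return self.source_unchanged and self.matches_reference and self.repeatable


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def duplicate_tool_ok(src: str, dst: str) -> None:
    """Hypothetical tool under test: a byte-for-byte copy."""
    with open(src, "rb") as fi, open(dst, "wb") as fo:
        for block in iter(lambda: fi.read(1 << 20), b""):
            fo.write(block)


def duplicate_tool_bad(src: str, dst: str) -> None:
    """Hypothetical defective tool: silently drops the last 512 bytes (a sector-count error)."""
    with open(src, "rb") as fi:
        data = fi.read()
    with open(dst, "wb") as fo:
        fo.write(data[:-512])


def validate_duplication(tool, name: str, src_path: str, reference_sha256: str,
                         trials: int = 3) -> ValidationResult:
    """Run the tool `trials` times against reference media and score the results."""
    src_before = sha256_file(src_path)
    hashes = []
    source_unchanged = True
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(trials):
            dst = os.path.join(tmp, f"dup{i}.img")
            tool(src_path, dst)
            hashes.append(sha256_file(dst))
            if sha256_file(src_path) != src_before:   # the tool must never touch the source
                source_unchanged = False
    return ValidationResult(
        tool=name, trials=trials,
        source_unchanged=source_unchanged,
        matches_reference=all(h == reference_sha256 for h in hashes),
        repeatable=len(set(hashes)) == 1,
        hashes=hashes,
    )


def make_reference_image(path: str, size: int = 4096) -> str:
    """Constructed reference media with deterministic content; returns its SHA-256."""
    data = bytes((i * 31 + 7) % 256 for i in range(size))
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def run_validation_suite(trials: int = 3) -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "reference.img")
        expected = make_reference_image(ref)
        return {
            "good": validate_duplication(duplicate_tool_ok, "good", ref, expected, trials),
            "bad": validate_duplication(duplicate_tool_bad, "bad", ref, expected, trials),
        }


if __name__ == "__main__":
    for name, r in run_validation_suite().items():
        print(f"{name}: {'PASS' if r.passed else 'FAIL'} repeatable={r.repeatable} "
              f"matches_reference={r.matches_reference} source_unchanged={r.source_unchanged}")
```

The defective tool is fully repeatable, so a validation record that only checks "same result each time" would accept it; the reference hash is what catches it. Keep the validation output (tool name and version, reference media identifier, hashes, date, examiner) with the tool's license record, since both have to be produced when the tool is challenged in court.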


  13. Health and Safety
    1. Concerns are:
      1. Biological or chemical evidence contamination.
      2. Laboratory equipment/structures need to be ergonomically designed.
      3. All applicable health and safety rules and regulations need to be followed.
    2. Additional safety protocols may include issuing cell phones and/or requiring two or more employees to be present when examining evidence.


  14. Secure Executive Level Support
    1. Keep dialogue open with top management.
    2. Develop business plan (startup and recurring).
    3. Institute charge back system for large or unusual equipment or software costs.
    4. Present war story cases to keep executive level interest.
    5. Use graphs and numbers to make points in executive briefings.
    6. Use analogies to other agencies' programs to justify the chosen direction.


  15. Procurement Philosophy/Strategy
    1. A life cycle of around 3 years for computer forensic hardware and 12 months for software is recommended.
    2. Authority for emergency procurements (hardware or software) needs to be available for case support.
    3. Organizational structure can be a major factor in justifying sole source procurements to maintain compatibility.
    4. Decision maker authority to approve procurement should be in the lab.


  16. Evidence Handling
    1. The group considers it acceptable to leave digital evidence out in the lab for duplication, keyword searching of work copies, and password cracking of files, as long as the laboratory meets agency evidence storage standards.
    2. Evidence information systems are desirable to track evidence location, receipt and release.
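One way to build the evidence information system recommended above, as an added example that is not part of the IOCE draft or any agency's system: a chain-of-custody ledger in which every receipt, transfer, duplication and release event records the item's hash at that moment and the hash of the previous entry. That makes a deleted or altered entry detectable, and it ties the work-copy practice in item 1 to the original, because a work copy whose hash differs from the original's is rejected by the same check. Item identifiers, actors, locations, timestamps and the evidence bytes are all constructed for the example.

```python
"""Tamper-evident chain-of-custody ledger (added example)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace

# Constructed evidence content standing in for an acquired image.
ORIGINAL = b"constructed evidence image bytes " * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEvent:
    seq: int
    item_id: str
    action: str          # RECEIPT, TRANSFER, DUPLICATE, RELEASE
    actor: str
    location: str
    timestamp: str       # ISO-8601, supplied by the caller so the example is deterministic
    item_sha256: str     # hash of the item (or of the work copy) at this event
    prev_entry_hash: str # hash of the previous ledger entry; links the chain

    def entry_hash(self) -> str:
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CustodyLedger:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, actor, location, timestamp, item_bytes):
        prev = self.entries[-1].entry_hash() if self.entries else self.GENESIS
        ev = CustodyEvent(len(self.entries), item_id, action, actor, location,
                          timestamp, sha256_hex(item_bytes), prev)
        self.entries.append(ev)
        return ev

    def verify(self):
        """Return (ok, problems): checks links, sequence, and that an item's hash never changes."""
        problems, prev, first_hash = [], self.GENESIS, {}
        for i, ev in enumerate(self.entries):
            if ev.seq != i:
                problems.append(f"entry {i}: sequence gap (seq={ev.seq})")
            if ev.prev_entry_hash != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            expected = first_hash.setdefault(ev.item_id, ev.item_sha256)
            if ev.item_sha256 != expected:   # a DUPLICATE that does not match the original lands here
                problems.append(f"entry {i}: item {ev.item_id} hash changed")
            prev = ev.entry_hash()
        return (not problems, problems)

    def current_location(self, item_id):
        for ev in reversed(self.entries):
            if ev.item_id == item_id:
                return None if ev.action == "RELEASE" else ev.location
        return None


def build_demo_ledger(release: bool = True) -> CustodyLedger:
    """Constructed case history: receipt, transfer to the bench, a work copy, optional release."""
    L = CustodyLedger()
    L.record("E-001", "RECEIPT", "Det. A", "evidence vault", "2024-01-01T09:00:00Z", ORIGINAL)
    L.record("E-001", "TRANSFER", "Examiner B", "lab bench 3", "2024-01-02T08:30:00Z", ORIGINAL)
    L.record("E-001", "DUPLICATE", "Examiner B", "lab bench 3", "2024-01-02T09:00:00Z", ORIGINAL)
    if release:
        L.record("E-001", "RELEASE", "Det. A", "returned to owner", "2024-01-10T16:00:00Z", ORIGINAL)
    return L


def tamper_location(ledger: CustodyLedger, seq: int, new_location: str) -> None:
    """Simulate after-the-fact alteration of a stored entry."""
    ledger.entries[seq] = replace(ledger.entries[seq], location=new_location)


if __name__ == "__main__":
    L = build_demo_ledger()
    print("clean ledger:", L.verify())
    tamper_location(L, 1, "unknown")
    print("after tampering:", L.verify())
```

Two caveats a practitioner would want: the link check cannot detect alteration of the most recent entry, since nothing yet chains onto it, so the head entry hash has to be anchored outside the ledger (logged to a separate system, printed on the custody form, or signed); and a ledger only proves what was recorded, so the hash at receipt must be computed on a write-blocked device before the item leaves the intake area.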