Brett's Ramblings
How to Start a Digital Forensic Lab in Your Police Department
So, you want to start a brand new, right-out-of-the-box, digital forensics lab in your police department? Want some tips?
If you (1) work for a large-sized department, you probably already have a digital forensic lab staffed with full-time, commissioned examiners. But if you (2) work for a small to mid-sized agency, your department may either farm out forensic work to an outside agency (OSA) or simply doesn’t even do any forensic work on any seized electronic device. Hard to believe, but yeah, it still happens.
If you fit the second situation, the first question that I have for you is, does your department want a digital forensic lab or is it just you? This is a crucial question, because if your department is behind implementing a forensic lab, then you have a gravy meal ticket to get it done, within whatever budgetary means allowed. For this scenario, there’s not a whole lot I can tell you, other than congrats! You have it easier than most. I’m not going to talk about that scenario since the hard part is done, that is, having pre-approval to build out a lab.
Now, for the rest of you, where your department doesn’t even know it needs a digital forensics lab, or refuses to consider it, or may not have a penny in the budget to spare, this blog post is for you 😊. If you want a lab, you can have it by you doing what needs to be done, in a manner that works with your agency, not against it.
Let’s picture the lab you want before we get started. Given an unlimited budget, what would you want? Would it look something like this?
Enjoy that moment you had with your dream lab, because unless you control the checkbook, dream on….your dream lab isn’t going to be even close to this. But, you can still start a lab using a few tips and tricks. Think big and accept you most likely will start out small…very very small..
Common obstacles
Staffing
There is no ‘free’ person to be assigned to a new forensic position. Staffing is already (always) short.
Budget
The mysterious budget is never enough to cover the basics as it is, let alone build out a forensic lab.
Space
We have no room to spare to create a forensic lab.
Time
Spending months to train someone on department time probably won’t happen when the department doesn’t see the benefit.
Examiner selection
Maybe you won’t be the person selected for the position that you suggested ☹
Opinions
We need cops on the street, not on a computer. Plus, we’ll send out any evidence to an OSA and accept the length of time it takes for someone else to do our forensic work.
Examples of not the best methods to try (not just my agency)
I have seen a detective take one basic course in forensics, come back and demand that the agency spend $30,000+ on gear and training to create a forensic lab. The agency agreed to spend a little, but the detective said “all or nothing” and the result was nothing. The detective never did get into forensics…
I have also seen detectives who were selected for forensic spots turn down training and gear because of the strings attached to it, such as sharing with another agency, or sharing forensic work with other agencies, or having to attend (free) training that didn’t fit the detective’s personal schedule (even one turned down a conference because lunch wasn't being paid by the agency..). If you turn down something free, like a two-week forensic course or a conference out of spite or whatever else, you probably set yourself back a year. Not the best idea. Plus, if you have someone like me working in your agency, I'm coming for your spot because I'll do whatever I can to get it.....keep that in mind.
Some ways that I have seen work
The mobile lab
Before I started a forensic lab in my agency, I first saw a ‘mobile lab’ that a patrol officer created, and I was both impressed and inspired. The patrol officer took a lot of training on his own time (vacation) and own dime (he paid out of his own pocket). He even bought the basic gear needed for the most basic of forensic work with his own money. He carried around the gear in the trunk of his patrol car, ie, a “mobile lab”.
Whenever there was an electronic evidence item seized, if he could do the work, he did it in addition to his handling calls. It took several exams of the most basic nature before his agency took notice and eventually, crowned him the department forensic examiner. However, he was still in patrol. The good news was that he had the title of 'forensic examiner' as an added duty. The better news was that the tab for his continuing education training and gear was picked up by his agency.
The closet lab
My personal example is the closet lab. Having seen how the mobile lab example worked, I took this route to start a forensic lab in my department. At the time, my department was sending out any forensic work to either the state lab, agencies that would take the work as their time allowed, and sometimes even hired private sector examiners. I figured the path of least resistance would be best, where making an offer that can't be refused to be the goal.
Here are some of the things I did in preparation:
- * Took vacation and paid out-of-pocket for training courses
- * Joined the local high-tech crime association
- * Gathered FOSS tools, paid for some basic software (WinHex, etc…)
- * Became certified in the basic of tech (A+, etc…)
- * Hosted forensic courses for a free seat in the courses
- * Visited every lab within driving distance for tips, guidance, and ideas
- * Wrote an entire policy on forensics (merely customized what others had done in other agencies)
- * Wrote a proposal for the implementation of a digital (computer) forensics lab
- * Created a list of every ‘free’ training and gear available (coming back to this list later…)
- * Found a closet full of junk that I could fit a small desk and chair
- * Made friends with the IT department (important!)
- * Joined the local ICAC
- * I did a lot of little things too, like read books, talk to anyone/everyone in forensics that would talk to me, etc...
All of this took my personal time and my own money. It took a lot of time. I don't even know how long I worked on it before I even proposed it.
A personal point on spending your own money. I am a believer in that if I want something to use in my job, that I feel best fits me or helps me, and my job doesn’t provide it, I will buy it. This is a personal decision based on personal factors and your opinion may vary.
Then I waited for a case. As soon as I saw one, I jumped on it and helped the case detective with the forensic part. I did that what I knew how to do. Easy things at first. I did this as much as I could and luckily, I was in a position where I could do it in between other work I was assigned. As a side note, I carried over 100 cases at a time, including major casework, and undercover assignments...and more. It can be done if you want to do it.
Then came the big ask.
Remember what I mentioned about creating a list of free training/gear? Get it ready. There are plenty of federal grants for free software, hardware, and training. Print out the forms, fill them out, and bring it along with your proposal and policy to whomever can crown you the forensic examiner. At that point, your agency will have not spent any money (sorry, but you had to), they will have a basically trained examiner at the ready (turnkey, on the spot), and be able to sign an agreement for free stuff that you already put together.
Hopefully, you kept stats on what you have done in forensic casework, the results of the cases (plea deals, convictions otherwise not have happened, etc…), plus records of any and all training you have done on your own. Maybe have some recommendations from detectives that you have helped in their cases. You’ll be amazed at how happy a detective becomes when you find all the PC they need for their case on a hard drive…
Remember that closet you found earlier? If at this point you aren’t given a ‘lab’, point out that as long as you have a locked room, like that unused closet in the basement, you are happy and good to go. I was given my closet, which became the "Computer Forensic Lab". I tossed out the garbage, put in a desk, chair, and all the scraps from IT to build out a lab. The grant gear came in piece by piece until I had it all. The goal is to get your foot in a door, any door. You can expand everything in time.
Excuses and roadblocks
I believe that an excuse is merely giving up. I also believe that some roadblocks can’t be overcome easily, and a few cannot be overcome at all. It is difficult to know which is in front of you. Sometimes you work hard on one of the insurmountable roadblocks and other times you may give up on something that you could have gotten with a little more time and effort. You just never know. Also, government work is different than the private sector. In most instances, it is not merit that is rewarded or compensated in government work. That is just the way it is. In the private sector, if an employee comes up with an idea that makes money, that employee is given a whole lot more leeway in doing things. In government, not so much. Sometimes, it is just the opposite.
I have seen more people in police work try to get into forensics and give up than I have seen succeed, due to both personal reasons and the office roadblocks. Politics plays a part. Staffing plays a part. Even personability plays a role. But if you want it, prepare yourself for lots of work, a long period of time, and possible rejection at every step. As for me, I was getting into forensics one way or another, in or out of government service.
The short story of this guidance is simply:
- Become a forensic examiner on your own time and own dime.
- Prep everything your department needs to start a lab.
- Be the only person fit and competent to carry out the position when you ask for it.
I’m sure other methods work too, but as for me, I rather plan it out, prep everything up front, become the only person for the position (at least the only turnkey ready person), be happy with what I get, and work forward from there. The negative in doing nothing more than asking to be sent to training and be given everything up front probably will result in either a terse ‘No’ or a ‘Good idea!. We’ll need a committee to discuss, request for next year’s budget, and then the following year open the position up to everyone in the department’.
Getting in is the hard part. It’s a cakewalk after that.
If you read this far and already have a forensic lab in your agency, they probably went through something like this in the beginning just to get started in a small closet 😊
If you have done something like this, or especially if you did it differently, let me know. I'm curious to the innovators in police work in this field. By the way, if you can get something like this done in police work, you are extremely marketable outside of police work.
About the author
Comments 2
By accepting you will be accessing a service provided by a third-party external to https://www.brettshavers.com/
Posts List
Tag Cloud
Search Blog
Most popular posts
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training at Patreon and get access to multiple online courses in digital forensics with included ebooks!
More posts
-
COVID-19’s Investigative Impacts on Digital Forensics/Incident Response (DFIR). AKA: All burners are now burned.
The meat and potatoesA bit is still a bit and a byte is still a byte. COVID-19 cannot change that, which means that the technical…
Saturday April 25
14519 hits / 0 comments
-
Mini-WinFE 10 and WinFE 10 Updated
The short story on the newest Mini-WinFE 10 (aka, the download link):Mini-WinFE has been updated and upgraded. I update WinFE developments (including the downloads for…
Sunday April 05
8975 hits / 2 comments
-
Eat your broccoli first
Something good and something not-so-good on learning DFIRThe good thing about learning DFIR is that there are probably fewer barriers and obstacles to learn and…
Saturday January 18
30154 hits / 0 comments
-
The Second Decade of the 2000s is almost over!
We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has drastically grown!…
Thursday December 26
9816 hits / 0 comments
-
Public Records
I have an outstanding public records request. It is not "outstanding" in the manner that I wrote a great request, but "outstanding" in that I…
Thursday December 12
4689 hits / 0 comments
-
The Five Stages of the DFIR Career Grief Cycle
I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig,…
Tuesday September 10
34886 hits / 0 comments
-
Our World is Going to Turn Upside Down with DeepFakes
The short storyAny person and their voice, in practically any video (past, present, or future) can have their face and voice digitally replaced with any…
Sunday September 01
3038 hits / 0 comments
-
If you are comfortable in DFIR, you might be doing it wrong
I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the…
Thursday August 29
3991 hits / 0 comments
-
Everything I Needed to Know about Working in DFIR, I Learned in Boot Camp
You don’t need to experience military life to learn the valuable lessons that are drilled into military recruits. In fact, you can probably enjoy the…
Saturday August 17
4934 hits / 0 comments
-
Personality of a computer
From a recent discussion that I had with Harlan Carvey about the registry, this topic is something that I touched on lightly in Placing the…
Wednesday July 31
3936 hits / 0 comments
-
Add a Dab of Balance in your DFIR World
Jessica Hyde’s post of Giving Back in DFIR from 2018 is a great write up on contributing to the DFIR community, and I see her…
Monday June 24
14607 hits / 0 comments
-
The Easy Way to Learn DFIR
SummaryThere is no easy way to learn DFIR. You can stop reading from here if you want.Longer versionOk. Since you are still reading, you probably…
Saturday June 08
13904 hits / 0 comments
-
Game of Thrones, DFIR Style
Short post and quick opinion. I came across some tweets today about how bad people are in the #infosec/#DFIR community and I dug a little…
Thursday April 25
31813 hits / 0 comments
-
Puking in DFIR
Admittedly, the title of this post is intentionally gross, because I am going to heave a few things at you, mainly about puking. As in,…
Wednesday April 17
5765 hits / 0 comments
-
The #1 Reason that DFIR practitioners don’t post opinions
Lesley Carhart tweeted today that a journalist used one of her tweets in an article that would have been rephrased in a less playful manner…
Tuesday April 09
5858 hits / 0 comments
-
If USB flash drives were shaped like spiders, we wouldn’t have these problems
I hate USB drives. My first experiences with the darn things was when I was a young patrol officer and the entire police department was…
Monday April 08
2306 hits / 0 comments
-
Working in DFIR is glamorous, but mostly only to those not working in DFIR...
Here is something about the DFIR career field: it is one of the most exciting, eventful, and jam-packed jobs that anyone can have. Running and…
Friday April 05
3844 hits / 0 comments
-
Overcommitted in DFIR
I have seen people be overcommitted, realize that they are overcommitted, yet continue forward in the most serious of situations. By overcommitted, I do not…
Friday March 22
19018 hits / 0 comments
-
'You're guilty unless you can prove it'
Swift on Security tweeted a great article. The article is not great as a well-written piece or containing earth shattering news piece, but more that…
Saturday March 09
21290 hits / 0 comments
-
“I've answered questions, responded to emails, and been on phone calls...when asked.” – Harlan Carvey
I feel obligated to respond to one of Harlan Carvey’s points in his recent blog post, Book Writing Misconceptions (https://windowsir.blogspot.com/2019/03/book-writing-misconceptions.html). I agree with everything he…
Tuesday March 05
3456 hits / 0 comments
© 2020 Brett Shavers