STANDARDS FOR DIGITAL AND COMPUTER

FORENSICS IN NIGERIA

DRAFT
PREPARED BY:

FIRST DIGITAL & TECHNO-LAW FORENSICS CO. LTD.

FOR
NATIONAL TECHNICAL COMMITTEE (NTC) MEETING
ON STANDARDS FOR DIGITAL AND COMPUTER FORENSICS

MARCH 2014

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

TABLE OF CONTENTS
1. Introduction
..
1.1 Background
..
1.2 Objectives
..
1.3 Methodology

1.4 Scope of Assignment

3
3
5
5
5

2. Digital and Computer Forensic Investigation..

3. Data Recovery ..

16

4. Establishing a Digital and Computer Forensics Laboratory .

4.1 Needs Statement
4.2 Scope of Work

4.3 Design of a Laboratory (New Building)

4.4 Starting a Laboratory in an Existing Building
4.5 Suggested Digital and Mobile Forensics Equipment, Software,
Tools and Supplies ...

20
20
20
20
29

5. Training and Professional Qualifications of Digital and Computer

Forensics Examiners ..
5.1 Training

5.2 Profile/Qualifications of a Digital and Computer Forensics Examiner

5.3 Profile/Qualifications of Digital and Computer Forensics
Consultants for the Implementation of Laboratory Implementation
5.4 Skill Sets Required by Digital and Computer Forensics Examiner .
5.5 Job Description: Computer Forensics Examiner/Investigator ..
5.6 Computer Forensics Examiner/Investigator Salary .
APPENDICES
A
B

Forensics Portals
Glossary of Terms

..
.

FIGURES
2.1 Sample of a Single-evidence Form ..
2.2 Sample of a Multi-evidence Form ..
SELECTED REFERECES

30

34
34
34
35
37
39
39
40
43
12
13

.46

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

1. INTRODUCTION
1.1 BACKGROUND
Today, virtually every business and personal document is prepared on a computer and
mobile, hand-held devices. E-mail records and pages visited on the Internet yield even
more critical information about our daily lives. More importantly, the information stored on a
computer can make or break a business or a person or a group of people or a court case.
Computer and digital forensics is the science of retrieving and chronicling evidence located
on a computer's hard drives and other sources of Electronically Stored Information (ESI)
such as floppies, CDs and DVDs, external drives, thumb drives and voice mail servers, so
that it can be presented as evidence in a court of law. It is the use of specialized techniques
for recovery, authentication and analysis of electronic data when a case involves issues
relating to reconstruction of computer usage, examination of residual data, and
authentication of data by technical analysis or explanation of technical features of data and
computer usage.
Computer and digital forensics is useful for the detection and investigation of crime
committed on computers, computer networks, the internet and other digital devices with the
intent of giving digital evidence in law courts and tribunals. It is also the professional
extraction and handling of potential electronic evidence from any digital device or digital
storage media to assist investigators, prosecutors, and the trier of fact (Judges, magistrates
and members of tribunals) in a criminal justice system in arriving at the right judgment in
litigation.
The practice of computer and digital forensics includes the use of formal, accepted
techniques for collecting, analyzing, and presenting suspect data in court, concentrating on
rules of evidence, the legal processes, the integrity and perpetuity of evidence, reporting of
facts, and the preparation and presentation of expert testimony. It requires the use of
specialized techniques for recovery, authentication, and analysis of computer data, typically
of data which may have been deleted or destroyed.
Similar to all forms of forensic science, computer and digital forensics comprises of the
application of the law to computer technology. Computer and digital forensics deals with the
preservation, identification, extraction, and documentation of computer evidence. Like
many other forensic sciences, computer forensics involves the use of sophisticated
technological tools and procedures that must be followed to guarantee the accuracy of the
preservation of evidence and the accuracy of results concerning computer evidence
processing.
Computer forensics requires specialized expertise that goes beyond normal data collection
and preservation techniques available to end-users or system support personnel. The
applications of computer forensics require specialized training and techniques and state of
the art forensics tools and software to evaluate the potential usefulness of computer data,
to retrieve and interpret "hidden" data from computer media, and to provide chain of
custody and data accuracy with court-accepted techniques.
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

Law-enforcement agencies worldwide have successfully used computer forensics experts

to investigate crimes such as fraud, murder, terrorism, hacking, cyber-warfare, money
laundering and other cases for many years. But the advent of PCs (personal computers)
used by businesses and individuals in recent years has dramatically increased the volume
of criminal acts committed with the use of computers.
Hence, digital and computer forensics can be used to investigate the following crimes
amongst others: Espionage, Terrorism and Treason; attacks against National Critical
Infrastructure; Cyber Terrorism, Cyber Warfare, Identity Theft, Hacking, Financial Fraud
e.g. e-Payment fraud, ATM fraud, etc.; Human resource/Payroll Fraud; Fraudulent
Websites and mails; Blackmails; Theft, Narcotics, Homicide, Forgery, Electoral Fraud;
Kidnapping; Threats and malicious calls; Extortion; Recovering evidence after formatting
hard drive or after evidence deletion; Corporate or Governmental internal investigation;
Law-enforcement investigation; Computer Security violations; Child Pornography;
Corporate or Governmental Policy Violation; Perjury; etc. Digital and Computer Forensics
can also be used proactively as a preventive tool against cyber-attacks.
Forensic, Digital or electronic evidence, therefore, is any data stored or transmitted using a
computer or similar electronic devices (including phones, hand-held devices) that support
or refute a theory of how an offence occurred or that address critical elements of the
offence such as intent and alibi. It is estimated that over 85 percent of all criminal cases
today have one form of digital, electronic or forensic evidence or the other.
In July, 2011, Nigeria, signed into law her Evidence Act, 2011 which recognizes electronic,
digital and computer-generated evidence. No doubt that this singular act has the capability
to transform our legal and judicial systems. As electronic evidence grows in both volume
and importance in criminal and civil courts, judges and magistrates need to fairly and justly
evaluate the merits of the offered evidence. To do so, prosecutors, investigators, judges
and magistrates need a general understanding of the underlying technologies and
applications from which forensic evidence is derived and the appropriate standards that
must be met.
Even though Nigeria now has a new Evidence Act, it should be noted that digital and
computer forensics is a new field and profession in Nigeria. Furthermore, the area of
standards for digital and computer forensics is a technical issue and not a legal issue.
Hence, the need for the development of an appropriate Standards for the implementation of
forensic platform in the new Evidence Act, 2011 in Nigeria. There is need for standards to
be set on how electronic evidence should be acquired, examined, analyzed and presented
in a manner that will be admissible in the Nigerian Law Courts and Tribunals. Not only
these, standards for laboratories where admissible forensic evidence could be extracted
and for the quality of forensic laboratory staff need to be set as well.
To demonstrate the need for the development of the Standards for Forensic Evidence, the
Federal Ministry of Justice commenced the training and certification of its Prosecutors and
Zonal Officers in Forensic Evidence in August 2012. The first batch of these prosecutors
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

were inducted by the Computer Forensics Institute, Nigeria (CFIN) at a special induction
ceremony on 29th November, 2012. The Nigeria Police Force also commenced the training
and Certification of its officers in Digital and Computer Forensics in August, 2013.
However, the lack of Standards for the implementation of digital, computer and electronic
evidence in Nigeria has left a big vacuum in the entire process.
The NITDA Act empowers NITDA to develop such Standards. Furthermore, this study is in
line with the Scope, Goals and Objectives of ICT4D Governance and Legislature generally
and Law of Evidence in particular.
1.2 OBJECTIVES:
The objectives of this Standards document are as follows:
1.2.1. To develop the Standards for the implementation of digital and computer forensics in
Nigeria in terms of electronic evidence acquisition, examination, analysis and presentation
in a manner that will be admissible in the law courts; and
1.2.2. To develop standards for: (a) forensic laboratories where admissible forensic
evidence could be extracted; and (b) develop standards for the quality of forensic
laboratory staff.
1.3 METHODOLOGY
1.3.1 Prepare a Draft of the Standards for Forensic Evidence.
1.3.2 Make the Draft Standards available to Stakeholders.
1.3.3 Review the Draft with relevant Stakeholders at the National Technical Committee
(NTC) Meeting on Standards for Digital and Computer Forensics in Nigeria.
1.3.4 Obtain comments from Stakeholders and take these into consideration in preparing a
Final Draft of the Standards for Digital and Computer Forensics in Nigeria.
1.4 SCOPE OF THE STANDARDS
This standards document, in this version, will cover all areas of digital and computer
forensic evidence obtained from computers, laptops, servers and other digital or electronic
storage devices, including phones and mobile devices, video, photo, digital fingerprints and
other biometric data, etc. This document shall be subject to review and update from time to
time in view of the dynamic nature of information technology. Appendix A shows the
forensic portals. Appendix B contains the Glossary of digital forensics terms.
This Standards document is aimed principally at police officers, law-enforcement and
security agents, military officers, prosecutors, anti-corruption agencies, regulatory
agencies, other public sector investigators and private sector investigators working for their
organizations and those working in conjunction with law enforcement. This document is
meant for all those involved in the investigation and prosecution of incidents or offences
which require the collection and examination of digital evidence in Nigeria.
This document is intended for use in the recovery of computer-based electronic evidence; it
is not a comprehensive guide to the examination of that evidence. It is a standards
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

document. It is, therefore, the responsibility of the users of this document to obtain the
necessary training required for carrying out digital and computer forensic examination and
analysis. This document was developed to ensure that in a crime which involves a hightech element the digital forensics examiner collects all relevant evidence in a timely and
appropriate manner.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

2.

DIGITAL AND COMPUTER FORENSIC INVESTIGATION

According to the Association of Chief Police Officers (ACPO), as information technology

is ever developing and as each new development finds a greater role in our lives, the
recovery of evidence from electronic devices has now become firmly part of investigative
activity in both public and private sector domains.
According to the Association (ACPO), in its Good Practice Guide for Computer-Based
Electronic Evidence (www.acpo.police.uk), electronic evidence is valuable evidence and
it should be treated in the same manner as traditional forensic evidence - with respect and
care. The methods of recovering electronic evidence, whilst maintaining evidential continuity
and integrity may seem complex and costly, but experience has shown that, if dealt with
correctly, it will produce evidence that is both compelling and cost effective.
The ACPO went further to give four Principles of Computer-Based Electronic Evidence.
These are listed and explained below:
Principle 1:
No action taken by law enforcement agencies or their agents should change data held on a
computer or storage media which may subsequently be relied upon in court.
Principle 2:
In circumstances where a person finds it necessary to access original data held on a
computer or on storage media, that person must be competent to do so and be able to give
evidence explaining the relevance and the implications of their actions.
Principle 3:
An audit trail or other record of all processes applied to computer-based electronic evidence
should be created and preserved. An independent third party should be able to examine
those processes and achieve the same result.
Principle 4:
The person in charge of the investigation (the case officer) has overall responsibility for
ensuring that the law and these principles are adhered to.
The ACPOs explanation of the principles:
Computer-based electronic evidence is subject to the same rules and laws that apply to
documentary evidence. The doctrine of documentary evidence may be explained thus: the
onus is on the prosecution to show to the court that the evidence produced is no more and no
less now than when it was first taken into the possession of police.
Operating systems and other programs frequently alter and add to the contents of electronic
storage. This may happen automatically without the user necessarily being aware that the
data has been changed. In order to comply with the principles of computer-based electronic
evidence, wherever practicable, an image should be made of the entire target device. Partial
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

or selective file copying may be considered as an alternative in certain circumstances e.g.

when the amount of data to be imaged makes this impracticable. However, investigators
should be careful to ensure that all relevant evidence is captured if this approach is adopted.
In a minority of cases, it may not be possible to obtain an image using a recognized imaging
device. In these circumstances, it may become necessary for the original machine to be
accessed to recover the evidence. With this in mind, it is essential that a witness, who is
competent to give evidence to a court of law makes any such access.
It is essential to display objectivity in a court, as well as the continuity and integrity of
evidence. It is also necessary to demonstrate how evidence has been recovered, showing
each process through which the evidence was obtained. Evidence should be preserved to
such an extent that a third party is able to repeat the same process and arrive at the same
result as that presented to a court.
The Nature of Computer-Based Electronic Evidence
Digital and Computer Forensics is the application of science and technology to law in the
search for truth in civil, criminal, and social behavioral matters to the end that injustice shall
not be done to any member of society.
It can also be defined as the acquisition, preservation, identification, extraction,
documentation, and interpretation of computer media for evidentiary and/or root cause
analysis using well-defined and approved methodologies and procedures.
It is also the study of network traffic to search for truth in civil, criminal, and administrative
matters to protect users and resources from exploitation, invasion of privacy, and any other
crime fostered by the continual expansion of network connectivity.
Goal: To determine the evidential value of crime scene and related evidence.
Computer-based electronic evidence is information and data of investigative value that is
stored on or transmitted by a computer. As such, this evidence is latent evidence in the
same sense that fingerprints or DNA (deoxyribonucleic acid) evidence is latent.
In its natural state, we cannot see what is contained in the physical object that holds our
evidence. Equipment and software are required to make the evidence available. Testimony
may be required to explain the examination and any process limitations. Computer-based
electronic evidence is, by its very nature, fragile. It can be altered, damaged, or destroyed
by improper handling or improper examination. For this reason, special precautions should
be taken to document, collect, preserve and examine this type of evidence. Failure to do so
may render it unusable or lead to an inaccurate conclusion.
Functions of the Digital and Computer Forensic Examiner:
The functions of the forensic examiner are:
(a) Analysis of Physical / Electronic Evidence
(b) Provision of Expert Opinion/ Testimony
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

(c) Furnishes training in the proper Recognition, Collection, Analysis and Preservation of
physical / electronic evidence.
Methodology:
(a) Acquire the evidence without altering or damaging the original.
(b) Authenticate that the recovered evidence is the same as the original seized.
(c) Analyze the data without modifying it.
(The methodology is discussed in full later in this section)
Categories of Digital Evidence:
Hardware
Software:
o Data
o Programs
Digital Evidence:
Digital data that can establish that:
a crime has been committed or
can provide a link between a crime and its victim or
provide a link between a crime and its perpetrator.
Categories:
Text
Audio
Image
Video
Where Forensic Evidence Resides:

Computer systems, Laptops, Phone and Mobile devices, etc.

o Logical file system
o File system
o Files, directories and folders, FAT, Clusters, Partitions, Sectors
o Random Access memory
o Physical storage media: HDD, CD, Flash-Drives, etc.
o Slack space: space allocated to file but not actually used due to internal
fragmentation.
o Unallocated space

Computer Networks:

Application Layer:
Web pages, Online documents.
E-Mail messages.
News group archives.
Archive files.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

Chat room archives.

Transportation Layer
Network Layer
Data Link Layer

TAKING A SYSTEMATIC APPROACH:

Steps for problem solving:
Make an initial assessment about the type of case you are investigating
Determine a preliminary design or approach to the case
Create a detailed design
Determine the resources you need
Obtain and copy an evidence disk drive
Identify the risks
Mitigate or minimize the risks
Test the design
Analyze and recover the digital evidence
Investigate the data you recovered
Complete the case report
Critique the case
Systematically outline the case details:
Situation
Nature of the case
Specifics about the case
Type of evidence
OS
Known disk format
Location of evidence.
Based on case details, you can determine the case requirements:
Type of evidence
Computer forensics tools
Special OSs
A basic investigation plan should include the following activities:
Acquire the evidence
Complete an evidence form and establish a chain of custody
Transport evidence to a computer forensics laboratory
Secure evidence in an approved secure container.
Prepare a forensics Workstation
Obtain the evidence from the secure container
Make a forensic copy (image copy) of the evidence
Return the evidence to the secure container
Process the copied evidence with computer forensics tools

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

10

 An evidence custody form helps you document what has been done with the original
evidence and its forensics copies.
There are two types:
Single-evidence form (see Figure 2:1
Multi-evidence form (Figure 2:2)

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

11

Nigeria Yzx Dept.

Forensics Investigations Unit
This form is to be used for only one piece of evidence
Fill out a separate form for each piece of Evidence.

Case No:

Unit Number:

Investigator:
Nature
of
Case:
Location
where
evidence was
found:
Item # ID

Description of
evidence

Vendor Name

Evidence recovered
by:

Date &
Time

Evidence placed in
Locker by:
Evidence processed
by

Model No./ Serial No.

Date &
Time
Disposition of Evidence

Date & Time

Page
____

__of

Figure 2-1: A single-evidence form

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

12

Nigeria Xyz Dept.

Forensics Investigations Unit
This form is to be used for one to ten pieces of evidence
Investigating
Organization:

Case No:
Investigator:
Nature of
Case:
Location
where
evidence
was found:
Description of Evidence

Vendor Name

Model No./ Serial No.

Item #1
Item #2
Item #3
Item #4
Item #5
Item #6
Item #7
Item #8
Item #9
Item #10
Evidence
recovered by:

Date &
Time

Evidence placed
in Locker by:
Item #

Evidence processed by

Date &
Time
Disposition of Evidence

Date &
Time

Page__ of__
__

Figure 2-2 A sample Multi-evidence form

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

13

 Securing your Evidence:

o
o
o
o
o
o

Use evidence bags to secure and catalog the evidence

Use computer safe products
Antistatic bags
Antistatic pads
Use well-padded containers.
Use evidence tape to seal all openings
Floppy disk or CD drives
Power supply electrical cord
o Write your initials on tape to prove that evidence has not been tampered
o Consider computer-specific temperature and humidity ranges.

Data-Recovery Workstations and Software

o Investigations are conducted in a computer forensics lab (or data-recovery
lab)
o Computer forensics and data-recovery are related but different
o Computer forensics workstation:
Specially configured personal computer
o To avoid altering the evidence, use:
Write-blocker devices.

Gathering the Evidence:

Take all necessary measures to avoid damaging the evidence
Place the evidence in a secure container
Complete the evidence custody form
Transport the evidence to the computer forensics lab
Create forensics copies
Secure evidence by locking the container

Image Copy or Bit-Stream Copy:

Bit-by-bit copy of the original storage medium

Exact copy of the original disk
Different from a simple backup copy; backup software only copies known
files; it cannot copy deleted files or e-mail messages, or recover file fragments
A bit-stream image file contains the bit-stream copy of all data on a disk or
partition
If possible, copy the image file to a target disk that matches the original disks
manufacturer, size, and model.
Use a Write-blockers to ensure that the Operating System (OS) does not
write to the source and target disks.
Verify the integrity of the image copy, that is, it is the exact replica of the
source disk by obtaining a set of Hash Values. Three (3) most common
types of Hash Values are:
o MD5 Hass

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

14

o SHA1 Hass
o SHA256 Hass

Analysing your Digital Evidence:

Your job is to recover data (digital evidence) from:

Deleted files
File fragments
Complete files
Encrypted files
Passworded files

Completing the Case:

Prepare a draft report

State what you did and what you found
Include logs from the forensic tools you used
If required, use a report template
The report should show conclusive evidence that the suspect did or did not
commit a crime or violate a company/government policy
Forward draft report to a Solicitor/Prosecutor/Investigator or requesting party
for review
Produce a final report

Critiquing the Case:

Ask yourself the following questions:
How could you improve your participation in the case?
Did you expect the results you found?
Did the case develop in ways you did not expect?
Was the documentation as thorough as it could have been?
What feedback has been received from the requesting source?
Did you discover any new problems? What are they?
Did you use new techniques during the case or during research?

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

15

3. DATA RECOVERY
3.1 INTRODUCTION
Data recovery is the process of retrieving or recovering or salvaging either a deleted or a
damaged or inaccessible data from a failed electronic media such as computer Hard Disk
Drives, RAIDs, Removable Media (Flash Drives, Zip Drives, Memory Cards, etc.), Optical
Devices (CDs, DVDs),Tape Cartridge, Phones and mobile devices, and other storage
media.
One of the most important functions of a Digital and Computer Forensics Examiner is
recovery of data that has been deleted maliciously or intentionally for criminal purposes or
to conceal evidence. Data recovery is also useful in discovering digital action(s) of the
suspect that could link him or her to a crime, e.g. homicide where all physical evidence
regarding a suspected murder case has been neatly concealed but electronic evidence
found on the suspects laptop showed that the suspect ordered a substance used in
poisoning the victim.
Therefore, in order to effectively handle this aspect of the job, the examiner must have at
least an elementary technical knowledge of Data Recovery and how the data storage
media work. The hard disk (HD) drive will be used for this purpose in this document. This
part is divided into five parts: data, the essence of data recovery, scope of data recovery,
elementary knowledge of hard disk, and steps in data recovery.
3.2. DATA
Data, as used here includes not only multi-media files such as data documents, images,
voices that stored in file system or data base, but also hardware information, network
addresses and network services, which are used to store and manage those information.
3.3 THE ESSENCE OF DATA RECOVERY
Data recovery means retrieving lost, deleted, unusable or inaccessible data that lost for
various reasons. Data recovery not only restores deleted or lost files but also recovers
corrupted data and data maliciously deleted for criminal intent. On the basis of different lost
reason, we can adopt different data recovery methods.
3.4 THE SCOPE OF DATA RECOVERY
There are two purposes of data recovery:
for forensic investigation and
for disaster recovery.
We can also divide the scope of data recovery according to different symptoms, namely:
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

16

3.4.1 Files loss: If files are lost because of deletion and formating (malicious, intentional
and unintentional, criminal intention), format or Ghost clone error. files recovery tools such
as FTK, EnCase, etc. can be used to recover data.
3.4.2 System problem: The main symptom is that you cannot enter the system or the
system is abnormal or computer closes down. There are complex reasons for this, thus we
need adopt different processing methods. Reasons for this symptom may be the key file of
system is lost or corrupted, there is some bad track on hard disk, the hard disk is damaged,
MBR or DBR is lost, or the CMOS setting is incorrect and so on.
3.4.3 Bad track of hard disk: There are logic and physical bad track. Logic bad track is
mainly caused by incorrect operation, and it can be restored by software. While physical
bad track is caused by physical damage, which is real damage, we can restore it by
changing the partition or sector.
3.4.4 Partition problem: If partition cannot be identified and accessed, or partition is
identified as unformatted, partition recovery tools such as Partition Table Software can be
used to recover data.
3.4.5 Password loss: If files, system password, database or account is lost, some special
decryption and password cracking tools can be used.
3.4.6 Files repair: For some reasons, some files cannot be accessed or used, or the
contents are full of corrupted characters, in which the contents are changed and thus
become unreadable.

3.5 METHODOLOGY OF DATA RECOVERY

Taking a perfect image of a computer suspected of containing incriminating data is critical
to all ensuing investigative work. Its significance must not be underestimated. When an
imperfect image is used to gather suspect data, the resulting evidence will be found
inadmissible in court.
In most cases, "hidden," "deleted," or "lost" data cannot be located with the assistance of
the limited software tools available to most users. However, sophisticated computer
forensic tools allow specialists to find and restore missing data.
Using specialized forensic tools and software, the technician will:

Inspect all hard drives, floppy drives, and other available electronic media using
methods that will allow the data to be preserved and exhibited in court.
Explore and recover deleted files.
Explore unallocated space and file slack for data, including hidden data.
Explore areas of the media for fragmented data.
Explore swap files.
Locate and document current and deleted e-mail (sent and received).

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

17

Extract e-mail and e-mail conversations, identify all e-mail addresses and Web
URLs.

Our focus in this document is on approved methodology for data recovery for forensic
evidence. Data recovery, in most cases, may require exhaustive, detailed work to recover
the data. However, any data recovery case for forensic purpose typically involves the same
general process for recovering such lost data for disaster recovery.
The steps are stated below:
1. Make a Log Book Entry: Make a log book entry as to date and time, details of the
suspect HD or device to be recovered, Case number, Name of Suspect, etc.
2. Evaluate the media and provide an initial determination of the extent of the damage,
potential for recovery, and work involved to recover the data.
3. Estimate how much work will be involved, how much data can be recovered, what steps
will need to be taken, and what the cost will be to recover the data.
4. Mirror or Image the suspect HDD. In this step, the forensic examiner perform an image
copy or bit-stream copy of the HDD, using Write-blockers to protect the original HD from
being written to by the Operating System (OS). If possible, make two (2) copies for
yourself as the Examiner and one (1) copy ready for the defense (or the prosecutor)
depending on which side you are. (If this process fails due to hardware problem or physical
damages to the HD, then perform step 5 before returning to perform step 4. If you can
perform this step without any problem, then skip step 5.)
5. Repair any electrical or physical damage that may be preventing the media from
accessing the data. (A suspect may have deliberately smashed the HD or the computer
system or device on the floor to prevent possible data recovery). This step 5 must be
carried out in a Clean Room and with the appropriate tools since Hard Drives and finely
tuned and sealed tightly to protect it from dust.
6. Recover the data through "logical" (software) processes that work with the raw data or
image of the data on the disk or drive. World class software such AccessData FTK,
EnCase, Belkasoft Evidence Centre are examples of software that can be used for this
purpose. You must ensure that the software you are using is properly licensed to you or
your organization, and that the updates/upgrades are up-to-date.
7. Examine the recovered (imaged) data to be sure it is intact and usable and extract a list
of the results of the recovery (what data was recovered, etc.).
8. Return the original media (HD, etc.) to the appropriate authority from where you
collected the HD for data recovery.
9. Analysis: Conduct a detailed analysis of the recovered data based on the scope of your
assignment (or charges brought against the suspect): e.g. MS-Office Document files, PDF
files, Photos (JPEG, etc.), Videos, SMS, MMS, Emails, Contact Book, Databases, Apps,
Call logs, GPS data, etc. Restrict yourself to the scope of your assignment.
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

18

10. Report Writing: Prepared a detailed report of your findings and digital evidence found
during your examination in respect of the examination. Review the draft copy and submit a
final draft.
3.6 COMPRESSED, ENCRYPTED OR PASSWORD-PROTECTED FILES
Compressed file archives such as zip, rar, tar, cab, 7z, etc. will be extracted and examined
to determine if they contain relevant file types. The processing must be able to recursively
extract files from the archive because a compressed archive can be included in another
compressed archive.
Encrypted or password-protected files must be identified and a log generated. Once it is
clear that this is the situation, attempts will be made to crack the password. Whatever
actions are taken, must be well-documented in the report (including name(s) of tools used).

3.7 WHEN THERE IS SUSPICION OF POTENTIAL EVIDENCE TAMPERING

The following forensic questions must be answered and documented for each computer or
electronic device:
3.7.1 Was a data destruction tool used on the hard disk drive?
3.7.2 Is there evidence that the user of the suspect computer copied files to a network
drive or external drive and deleted the files?
3.7.3 Is there evidence that someone may have tampered with the system clock?
3.7.4 Is there evidence that there was a massive destruction of files prior to imaging?

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

19

4.0

ESTABLISHING A
LABORATORY

DIGITAL

AND

COMPUTER

FORENSIC

4.1 Needs Statement

The emerging problem of terrorism, cybercrime, cyber-terrorism, cyber-warfare, kidnapping,
financial fraud, money-laundering and other crimes in Nigeria places new responsibilities
on law-enforcement agencies, regulatory agencies, financial institutions, corporate
organizations, and governments at all levels. Furthermore, the passage of the Nigerias
Evidence Act, 2011 further requires law-enforcement, regulatory bodies and other
organizations in the country to build capacity to address issues of digital forensics and
electronic-based evidence.
4.2 Scope Of Work
What is a Computer Forensics Lab?
A Computer Forensics Lab or CFL is a designated location (permanent or mobile) for
conducting computer based investigations. The lab should be securable in order to prevent
unauthorized access.
The scope of the work for a digital forensics laboratory are:
4.2.1 Planning and Design (including integration with existing systems);
4.2.2 Implementation: including supply and installation of computer/digital/mobile forensics
laboratory equipment/software and tools, and moving into the laboratory, etc.;
4.2.3 Training and Capacity Building (including Certification);
4.2.4 Digital Forensics Best Practices Documentation; and
4.2.5 Post-Implementation Support.
4.3 Design of a Laboratory (New Building)
Although the laboratory building presents some very complex and challenging design
issues, elements of the site design must also be addressed in order to ensure a
successfully designed forensic laboratory facility. Issues such as site access, proximity of
secured and unsecured parking areas, and even landscaping have implications regarding
the efficiency and security of the overall site and building design.
Site Design

Site access.
o It is desirable that the site be designed with access from at least two
directions to ensure access to the site despite traffic conditions, street
maintenance work, acts of sabotage, or other unforeseen site disruptions.
Emergency and service access.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

20

o Coordinate with laboratory staff and local authorities to ensure emergency

access for fire department and other emergency vehicles. Access for shipping
and receiving must comply with code requirements without compromising site
security.
Site lighting.
o The site lighting should be designed to enhance security and discourage
vandalism and unauthorized entry. Lighting comparable to that of a college
campus offering night classes might serve as a guideline.
Landscape design.
o Landscaping should be designed to enhance site security by preventing
potential vandals, burglars, and saboteurs from hiding in the landscaping until
after dark.
The following types of landscape design should be avoided:

Dense shrubbery within 3.048 m (10 ft) of the building or any security fence.
Large clusters of shrubbery, 0.61 m (2 ft) to 1.83 m (6 ft) high.
Tall evergreens with branches less than 1.52 m (5 ft) above grade.

Parking design:.
o Like landscaping, the design of parking areas should consider site security
requirements.

The following are recommended levels of security for parking:

Level 1, unsecured. Visitor parking located near the visitors entrance to the building
allowing entry and departure without security barriers.
Level 2, partially secured. Fenced area for use by persons having business at the
facility. For example, shipping and receiving, biological and toxic waste pickup,
dumpster replacement, and evidence delivery. The area should be gated, and the
gate may be left open during business hours and locked after hours. Access might
be through the level 1 parking area.
Level 3, secured. Staff parking area secured 24 hours, surrounded by a security
fence, and accessible by use of a proximity or card key device. Depending on
security policy, this level might be eliminated, and staff could park in the level 2
parking area.
Level 4, high security. Vehicle impound parking with limited personnel access and
monitored security systems.
General Building Design

Exterior walls.
o Materials. Bullet-resistant, such as concrete.
o Windows. Reflective and/or bullet-resistant glazing where exposed to public
view.
o Window sill design. Windows should be installed flush with the exterior
surface of the wall, or if recessed, provide a sloped exterior sill to prevent the
placement of explosives at the window.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

21

o
HVAC intakes.
o Locate in areas inaccessible to the public, such as in secured fenced areas.
Design to prevent the possibility of someone introducing a tear gas canister
into the intake.
o If located in parking areas, design to prevent introduction of vehicle exhaust.
o Locate away and upwind from fume hood exhaust.
Visitor access protection.
o Administrative or security receptionist at visitors access should be protected
behind bullet-resistant glazing with adjacent walls of similar bullet-resistive
construction.
Duress alarms.
o Call assistance or duress/panic alarms should be installed in key areas
throughout the facility and concealed as appropriate. Locations might include
visitor reception desk, bulk chemical storage spaces, weapons ranges,
parking garages, and clandestine lab storage and exam spaces.
Laboratory tours.
o If the facility is to be designed to accommodate guided tours, tour groups
should not be allowed into the laboratory spaces. Guided tours should be
conducted through the main corridor system with viewing through strategically
placed windows in the corridor walls providing viewing into the laboratory
spaces.
Interior glazing.
o It is recommended that the use of windows between laboratory spaces be
maximized.
o This is a feature designed to enhance safety of personnel by allowing those in
one laboratory space to view the activities of those in other spaces that might
be of a more hazardous nature.
Equipment and systems service and maintenance.
o Equipment and systems that are part of the building and might require
periodic service and maintenance should be located outside of the laboratory
spaces, and particularly outside of any space where evidence are stored.
Such equipment and systems might include, but are not limited to, electrical
panels, walk-in cooler compressors, and water purification filters.
Corridors.
o Primary circulation and exit corridors: 1.83 m (6 ft) wide, minimum.
o Secondary circulation and non-exit corridors: 1.37 m (41/2 ft) wide, minimum.
Doors.
o Double doors to all laboratory sections and spaces that are expected to
receive oversized evidence or equipment. Double doors shall consist of a
0.914 m (36 in) wide active leaf and an 0.457 m (18 in) wide inactive leaf.
o Freight elevator doors minimum 1.22 m (48 in) wide.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

22

Security Design

Security Strategy Meeting.

o Although this is not a design guideline, it is recommended that a security
strategy meeting take place upon completion of an approved schematic
design of the building and the site. This meeting should be attended by
representatives of the building owner, building users, security staff, the
architect, the electrical engineer, and a security design consultant.
o The purpose of this meeting is to establish and document a comprehensive
security strategy for the new facility. This security strategy will act as a
guideline for the design of passive and electronic security systems. This
strategy should include, but not be limited to, security policy and procedural
issues, site and building access as related to security, types of security
electronics systems, performance requirements for security access systems,
and any other special security needs that might be identified by the users.
Specific considerations regarding hardening the laboratory against terrorist
attack may be important, depending on the location and function of the lab.
Escort only design.
o The design of the building should incorporate a security perimeter within
which unauthorized persons may enter under an escort only policy. This
security perimeter should be defined during the Security Strategy Meeting.
o The sign-in and badging area should be located at the visitors entrance.
Door access systems.
o Access to and circulation throughout the facility, as well as key zones of the
building, should be provided with controlled access through the use of
proximity or card-key access systems. The system should be capable of
programming access devices for specific areas and times, and should fully
document all access attempts.
o The system must prevent unauthorized entry while maintaining safe and legal
exiting. This security must be maintained in multistory buildings having shared
elevator access.
Door status monitoring.
o Key doors throughout the building, particularly exterior doors and doors to
evidence storage spaces, should be electronically monitored for open/closed
status.
Closed circuit television (CCTV) systems.
o Key areas of the building, both interior and exterior, should be kept under
video surveillance. Key areas might include, but are not limited to, exterior
doors, lobby/reception areas, parking lots, and evidence delivery areas.
Placement of CCTV cameras and features (pan, zoom, tilt, constant sweep,
time lapse recording, etc.) should be defined during the Security Strategy
Meeting.
Special security design features.
o The security design of the facility should include consideration of such special
features as: Motion detection in evidence storage spaces, circulation
corridors, or other key areas.
o Additional security protection for storage of high-value evidence items such
as money and jewelry.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

23

Electrical Systems Design Checklist:

Emergency generator.

Recommend emergency power and lighting for the following spaces:

o Entire evidence section.
o All refrigerators and freezers, including walk-in units.
o Photography darkroom(s).
o Entire security section, including electronic security systems and telephones.
o All computer-driven systems and equipment including, but not limited to,
laboratory instrumentation, Automated Fingerprint Identification System
(AFIS), Combined DNA Identification System (CODIS), Laboratory
Information Management System (LIMS), Integrated Ballistic Imaging System
(IBIS), and LAB Network.
Central UPS system is preferred, but local UPS units are acceptable.

General Laboratory Design

Laboratory floors.
o Chemical-resistant sheet vinyl or vinyl tiles with welded seams.
Laboratory walls.
o Epoxy in all spaces considered highly biologically or chemically hazardous,
such as examination rooms, bulk drug analysis, and bulk chemical storage.
o Semi-gloss latex enamel in all other spaces.
Laboratory ceilings.
o Epoxy in all spaces considered highly biologically or chemically hazardous,
such as examination rooms, bulk drug analysis, and bulk chemical storage.
o Suspended acoustical in all other spaces.
Non-laboratory spaces.
o Acceptable interior finish standards for offices and non-laboratory support
spaces.
Laboratory casework.
o Standard laboratory casework with utility access space behind base cabinets.
o Steel or wood preferred, plastic laminate acceptable.
o Maximize use of flexible laboratory casework systems.
Files.
o Generally, one four-drawer filing cabinet, or the equivalent file storage space,
should be provided for each forensics analyst at the area of the nonlaboratory workstation.
Special considerations.
o Acoustics.
o Reflective surfaces.
o Vibration-proof flooring.
o High-strength flooring.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

24

Technical Laboratory Sections:

General Design Comments

The forensic laboratory consists of various laboratories within the overall facility.
These various laboratories are commonly referred to as laboratory sections or units.
The recommended guidelines provided here are intended to serve as checklists for
the design of laboratory space in the technical laboratory sections. Many of the items
listed, such as laboratory workstations, are universal components of technical
sections. Other items may or may not be necessities, depending upon the needs
and size of individual laboratory sections.
In some instances area (m2, ft2) of floor space or linear footage (lin m, ft) of bench
space have been assigned to represent minimum guidelines for space requirements.
Items and areas that are not assigned measurements will vary as needed by
individual laboratories and the sections within those laboratories.
For most laboratory sections the checklist below follows a common theme. This
theme consists of the concept of a main laboratory space for each section, and
supporting spaces that are enclosed rooms with direct adjacency to the main
laboratory. The main laboratory is where each analyst will have an individual
laboratory workstation. The adjacent supporting spaces will be spaces devoted to
specific procedures or equipment items and that might be used by each analyst from
time to time during the course of his or her examinations.

Administrative Work Spaces

Each laboratory section will identify various non-laboratory work spaces. A
significant amount of the forensic analysts responsibilities include non-laboratory
tasks such as data analysis, report writing, court testimony preparation, and other
administrative responsibilities.
The design should provide the analyst with an administrative work area, away from
the hazards of the laboratory, where these tasks can be conducted in an efficient
and safe environment.
Supervisors offices, case review areas, and space for files can also be included in
this environment. With the exception of the supervisors offices, which shall be
private offices, all other spaces in the administrative work area can be designed as
open office systems workstations.
Some analysts, such as document and latent print examiners, require additional
administrative work space since a significant amount of their technical examinations
can occur outside of the laboratory environment.

Computer Evidence Section

May be designed as computer hardware space. Chemical and biological hazards will
not be present.
Main computer evidence laboratory space.
o Individual analyst laboratory workstation: 7.62 lin m (25 lin ft) bench space per
analyst.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

25

o Miscellaneous computer evidence bench: 7.62 lin m (25 lin ft) bench space
per analyst.
o Independent data line with two jacks.
Various types of telephone lines.
Evidence room.
o 9.29 m2 (100 ft2) per analyst.
Equipment room.
o 9.29 m2 (100 ft2) per analyst.
o Administrative work spaces.
o May be included as part of the main computer evidence laboratory space.
o Supervisors office: 13.935 m2 (150 ft2).
o Analysts administrative workstation: 9.29 m2 (100 ft2) per analyst.
o Independent data line with two jacks.
o Various types of telephone lines.
Dry fire-suppression system.

Universal Facility Design Components

Although no two forensic laboratories are alike, there are basic functional
components and areas that are universal to most laboratory buildings. For example,
office space, training rooms, and technical support areas are standard necessities
that must be considered for space during the design phase.
The following set of checklists serve as recommended guidelines and requirements
for universal laboratory building components, and have been divided into four
categories: administrative, building, technical support, and general technical.
Administrative areas are nontechnical and primarily consist of office space used for
evidence support.
Building areas are not directly related to evidence analysis, and needs will vary for
freestanding laboratories or laboratories occupying only part of a building.
Technical support areas are directly related to, but are not used for, evidence
analysis.
General technical areas are shared by most laboratory sections within a building,
and needs will vary depending upon laboratory size and functions.
Administrative:
Design standards for these spaces should be based on acceptable office space
design standards.
Private offices.
o Based on existing space standards, if any.
Offices for support personnel.
o Shared offices or open office systems furniture.
Files for active cases.
Clerical, administrative, and case support.
Mail, photocopy, and facsimile.
Conference room(s).
Lobby/reception.
Consultant offices.
Library.
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

26

o
o
o
o
o

Book stacks.
Periodicals shelves.
Study carrel(s)
Study table(s)
Computer information terminal(s)

Building:
Mechanical.
o Heating, ventilation, and air conditioning (HVAC) equipment rooms.
o Air handling systems.
o Fume and biological hood exhaust equipment.
o Laboratory compressed air and vacuum systems.
o Central plant water treatment systems.
o Domestic hot and cold water systems.
o Fire extinguishing systems and sprinkler control rooms.
o Instrument gas manifold and distribution systems.
Communications.
o Computer rooms and/or closets.
o Telephone equipment rooms and/or closets.
o Premise wiring rooms and/or closets.
o Data line provisions
Electrical.
o Service entrance and main switch gear.
o Emergency generator.
o Uninterruptable power supply (UPS) equipment.
o Electrical closets.
o Electrical service panels.
Staff use.
o Lunch room.
o Break room(s).
o Locker rooms with showers.
o Rest rooms.
o Other.
o Janitorial closet(s).
o Passenger and/or freight elevator(s).
o Recycling.
o Lab coat cleaning.
o Shipping and receiving.
o Hazardous waste disposal.
o Compressed gas cylinder storage.
o General waste disposal.

Technical Support
Storage.
o General laboratory storage.
o General supplies storage.
o Long-term files storage.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

27

o Chemical storage.
Dry fire-suppression system.
Evidence.
o Evidence receiving and return counter from and to submitting agencies.
o After-hours secure evidence lockers.
o Evidence disbursal and return counter to and from laboratory sections.
o Evidence custodian workstations: minimum 5.95 m2 (64 ft2).
o Evidence supervisor office: minimum 11.48 m2 (120 ft2).
o Evidence storage.
General evidence storage shelving.
Refrigerated and frozen evidence storage: refrigerators and freezers or walk-in
units.
Secure narcotics storage.
Secure valuables storage.
Flammable evidence storage: fire-rated, ventilated storage room, or ventilated
flammable storage cabinets.
Bio-hazardous evidence storage.
Gun storage.
Long-term evidence storage.
o Evidence workroom.
Mail room features for packaging, sending, and receiving evidence.
Layout countertop space with sink.
Photocopy and facsimile.
o Evidence case review/triage/conference room(s).
o Evidence drying.

General Technical:
Vehicle processing.
o Securable and air conditioned/heated forensic garage bay(s).
At least one bay large enough to accommodate vans and motor homes.
o Workbench space: 3.048 lin m (10 lin ft) per bay.
o One shop sink per bay.
o Laser or remote fiber light source.
o Vehicle lift (fixed or portable).
o High-intensity lighting.
o Additional pull-down lighting.
o Tools storage.
o Evidence drying room(s).
o Compressed air.
Forensic photography.
o Can be utilized for laboratory support only or offer full services, including
public relations and graphic arts.
o Film and print for black and white and color processing.
o Chemical storage and mixing space.
o Studio.
o Finishing.
o Computer-aided design and drafting (CADD) for graphic arts.
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

28

o Photographic equipment and supplies storage.

o Refrigerator.
Computer imaging.
o Video and photographic enhancement.
o General enhancement of latent prints, footprints, etc.
o Virtual reality crime scene recording.
Training.
o Classroom(s).
o Audio/visual media room.
o Exhibit storage.
o Mock crime scene room(s).
o Training laboratory.
o Breath alcohol training.
o Video conferencing.
o Computer and television networking.
Quality assurance.
o Proficiency testing/sample preparation laboratory (might be shared with
training laboratory).
o Conference/office.
o Record storage and archival facilities.
Crime scene unit.
o Equipment storage.
o Staging area.

4.4 Starting a Laboratory in an Existing Building

4.4.1 Minimum Space Requirements
The minimum space requirements for a small laboratory (for a total of eight (8) forensics
examiners) in an existing building in organizations just starting off a digital and computer
forensics laboratory are as follows:

A Reception Room
The Main Digital Forensics Lab Room

Optional (if additional space is available):

A Data Recovery/Clean Room

Office for the Head of Unit/Department

The above space is just adequate for a start and should be evaluated periodically as the
activities increase.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

29

4.4.2 FURNISHING
4.4.2.a The Reception:

1 No. Reception Table with two compartments

2 Nos. Swivel Chairs for two officers.
1 No. Four-seater visitors chair
1 No. Centre Table.

4.4.2.b

The Main Digital Forensics Laboratory Room (for six (6) Forensics
Examiners):

The Main Laboratory will contain:

1 No. Custom-built (Wall) Workstation Table with six (6) compartments, each
having a mobile, multi-coloured 3-drawer cabinet;
6 Nos. Swivel Chairs for Forensics Examiners
6 Nos. Wall-Hanging Filing Drawers/Wooden Cabinets
2 Nos. Metal Office Filing Cabinets (with Bar for padlocking).
1 No. Fire-proof Filing Cabinet.
4.4.2.c Additional Items required for the two rooms (4.4.1 and 4.4.2):

4.5

Split Unit Air-conditioners

Office Fridge for Main Lab.
2 Nos. Plasma TV 24
Burglary-proof Window Protector (Qty depends on number of windows in the two
rooms)
Secured Metal Doors (if not in place)
Curtains and accessories (Qty depends on number of windows in the two rooms)
1 No. Signboard (to identify the laboratory)

SUGGESTED DIGITAL/MOBILE FORENSICS EQUIPMENT, SOFTWARE, TOOLS,

AND SUPPLIES

4.5.1 Factors to consider:

In determining the type of forensic computer equipment needed, you should consider the
following:

Type and volume of investigations being conducted

Is the organization Law-enforcement or Corporate?
If Corporate, are investigations internal only or internal and external.
Organizations conducting external investigations may require a more broad range of
capabilities than one that only does internal investigations.
Intended use of the machine:

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

30

o Will it be used only for imaging?

o Will it be used only as an analysis platform or will it be used for everything?
Relatively few labs have an unlimited budget. So, there are a number of other things to
consider:
How many investigators/examiners are assigned to the lab?
What equipment and software are already present?
What is the expected or known volume of work?
Purchasing from one source can often save you money as the company may be
able to give larger discounts on volume purchases.
Commercially Purchased Systems Selecting a vendor

Commercial Companies like Dell, HP, IBM make good computers, but may have
restrictions on customer repair and customization. Opening the case can void all
warranties.
These companies do not design their systems with forensics in mind.
Dell recently started to partner with forensic software vendors.
Ask: Has the company actually delivered forensic systems or are they just a website
wonder?
A company which specializes in forensic workstations should have:
o The forensic experience to know what components are required, what the
methodologies are and know how to use them.
o A warranty policy that is No Hassle for the end user.
o A policy that allows forensically qualified individuals to open the system.
without voiding an warranty.
o Test the systems to ensure they are forensically sound - not all computers are
not created equal test results must be repeatable.
o The company should be responsive to customer needs and allow
configuration changes based on customer specific needs.
At the end of the day you want systems that will do the job.
How fast the job gets done will in part depend on your budget.
Is the system configured to accept the media routinely received in a investigation?
Is the hardware easy to use?
Do you need portable forensic systems?
Portables come in a variety of shapes and sizes.
Some are built specifically for mobile forensics.
Laptops can work well as long as you test before you buy or buy from a forensics
company that has tested them.
The portable solution you choose should give you the same basic capabilities as you
lab systems.

Why use Hardware Write Protection?

Do not think that if you do not use Windows, you may not a Write-blocker device.
You can never be too careful.
Linux and Mac OS X can be configured so they do not auto-mount hard drives and
other media.
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

31


4.5.2

Windows OSs will mount devices you attach automatically.

Minimum Standards for Forensic Equipment, Software and Tools in a new
Digital Forensics Laboratory

The following items and the stated minimum quantities are to be provided for the kick-off
of a e-Crime and Digital Forensics Laboratory:

2 Nos. UFED Touch Ultimate Phone Forensics Solution, with Chinex and Link
Analysis (plus 2 Nos. extra batteries) Ruggedized.
2 Nos. UFED 4PC Phone Forensics Solution, with Chinex and Link Analysis.
2 Nos. Susteens Secured View 3 - svNUC Mobile Forensics Kit with the Intel Next
Unit of Computing.
2 Nos. AccessData Mobile Phone Examiner MPE+
1 No. Belkasoft Evidence Center Enterprise (multi-user) 2014 or latest
2 Nos. Belkasoft Photo Forgery Detection Plugin
Belkasoft Live RAM Capturer -- (Free of charge)
FTK Imager (Free of Charge)
2 Nos. FTK 5.0 Licenses (AccessData)
1 No. FTK Lab (10 users Licenses)
1 No. FTK CIRT 200 nodes
2 Nos. EnCase 7.09 or latest
1 No. Paraben Device Seizure
1 No. Paraben P2 Commander
4 Sets Write-Blockers
2 Nos. Image MASSter 4000PRO/WipePRO X2 IT & FORENSIC Extension Ready
(Std i7)
2 Nos. Image MASSter RAPID IMAGE Complete Solutions - IT & FORENSIC with
SCSI Cables, Image MASSter SATA Adapters, IDE Adapters, Expansion Boxes,
Accessories,
2 Nos. Encryption Tools
8 Nos. Forensic Workstations with min. of 1TB HDD, >2.5MHz speed,
4 No. Forensic Laptops (for field work) with min. of 1TB HDD, >2.5MHz speed,
Ruggedized, etc.
12 Nos. Microsoft Office Licenses
2 No. HP Deskjet 5500 or similar
2 No. LaserJet HP P2035 Printer or similar
8 Nos. UPS 650v
1 No. Scanner HP Scanjet G2710 or similar
12 Nos. Backup 2TB Hard Drives
12 Nos. Anti-Virus Software Licenses
Electrical Cabling and Extension cords
4 Nos. Internet Routers (Optional: for field use)
3 months Internet Subscription for 4 Nos. WIFI Routers (Optional)
12 Nos. Packs of Latex Gloves

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

32

Consultancy: Planning/Design, Implementation, Configuration and Setup, Support,

etc.

Tool Sets:
For the Lab a good starting list is:
High quality screwdriver set (small ones also) I like Craftsman and Wiha
Small Wire Cutters
Small Needle Nose Pliers
Assortment of Torx bits
Assortment of Hex head bits
Small flashlight
Technicians Mirror (the kind you can adjust the mirror head)
Hemostats (forceps - Radio Shack calls them as solder helpers)
Static Wrist Strap
Small Digital Multimeter
Container of computer screws
Spare Hard Disk Jumpers (large and small)
Spare Cables (Floppy, IDE, SATA, SCSI)
Assortment of Gender Changers
Assortment of Molex Male and Female Cables
Latex type gloves

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

33

5.0 TRAINING AND PROFESSIONAL QUALIFICATIONS OF

DIGITAL FORENSICS EXAMINERS
5.1 TRAINING
5.1.1 General Awareness Training in Digital/Mobile Forensics for staff in all key
departments, such as Legal, ICT, Information Security, Accounting,
Audit/Inspection, Forensics, Investigation, Prosecution, Judiciary, Admin/Human
Resources, etc.;
5.1.2 Computer Forensics Certification Training for Digital and Computer Forensics
Examiners and others officers working in the Lab who may testify as Expert
Witnesses and present electronic evidence in courts and tribunals such as:
MCFI Member, Computer Forensics Institute
CCE- Certified Computer Examiner
CCFE- Certified Computer Forensics Examiner
;
5.1.3 Application-specific Certification Training in digital/mobile forensics for officers
(i.e. for each adopted/procured forensic hardware/software/tool, training must be
provided) such as:
ACE Certification AccessData Certified Examiner
EnCE Certification- EnCase Certified Examiner
.
5.1.4 Attendance at local/national and International Digital and Computer Forensics
Conferences.
5.1.5 Provision of a Digital and Computer Forensics Library, with books, journals, and
other resources.

5.2

PROFILE/QUALIFICATIONS
FORENSICS EXAMINERS

OF

DIGITAL

AND

COMPUTER

(a) At inception, the Head of Unit/Department must have at least three (3) to five (5) years
practical experience in the field of computer and digital/mobile forensics and
particularly, in setting up new digital forensics laboratories for the detection and
investigation of electronic crime (e-Crime). Where this level of experience is not
available in-house, an organization should either arrange with its digital forensics
consultant/consulting firm to provide the necessary support, training and supervision
until such a time that capable hands are available in the unit or department or recruit
from outside your organization.
(b) Must be:
i. A Certified Forensics Examiner through any of:

MCFI - Computer Forensics Institute, Nigeria (CFIN) which offers a digital

and computer forensics program which include: Biometrics, Cryptology, Data
Recovery, Questioned Documents Examination, Hand-writing Analysis,

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

34

Nigerias Evidence Act, 2011, Evidence Acquisition, Analysis, Reporting and

Presentation.

CFCE - The International Association of Computer Investigative

Specialists offers the Certified Forensic Computer Examiner Program, which
is open to active law enforcement personnel and others who qualify for
membership in IACIS.

CCE - Certified Computer Examiner certification through the International

Society of Forensic Computer Examiners.

and any other two of ii. to v:

ii. A Certified Live Wire Examiner;
iii. ACE or EnCase Certification;
iv. Phone/Mobile Forensics Certification;
v. Membership of High Technology Crime Investigation Association (HTCIA) (for Lawenforcement Officers);
(c) Working knowledge of operating systems, communication and application systems;
A good knowledge of Nigerias Evidence Act, 2011 as it relates to the Rules of
Evidence, and Electronic Evidence in particular.
(e) Good experience of the Nigerian environment;
(d)

(f) Ability to image and use the recommended digital forensics hardware/software and
tools, following sound digital and computer forensics approved methodology;
(g) For those who will act as Expert Witnesses in the courts, a minimum of Bachelors
degree or HND in any field and success in an aptitude test is mandatory. For
Laboratory Assistants, a minimum of OND in any field plus (b)i. are minimum
requirements;
(h) Must have an analytical and investigative mind; and
(i) Must be ready to work long and odd hours.

5.3

PROFILE/QUALIFICATIONS OF DIGITAL AND COMPUTER

FORENSICS CONSULTANT FOR LABORATORY IMPLEMENTATION

(a) The Consultant for digital and computer forensics laboratory implementation assignment
(individual or company) must have at least seven (7) years experience in the field of
computer/digital/mobile forensics;
(b) Must have previous experience in setting up new digital forensics laboratories for the
detection and investigation of electronic crime (e-Crime);
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

35

(c) Experience in the management and implementation of large scale computerization and
infrastructural development in the public sector;
(d) Ability and experience in providing training in computer/digital/mobile forensics;
(e) Must be:
i. A Certified Forensics Examiner through any of:

MCFI - Computer Forensics Institute, Nigeria (CFIN) which offers a digital

and computer forensics program which include: Biometrics, Cryptology, Data
Recovery, Questioned Documents Examination, Hand-writing Analysis,
Nigerias Evidence Act, 2011, Evidence Acquisition, Analysis, Reporting and
Presentation.

CFCE - The International Association of Computer Investigative

Specialists offers the Certified Forensic Computer Examiner Program, which
is open to active law enforcement personnel and others who qualify for
membership in IACIS.

CCE - Certified Computer Examiner certification through the International

Society of Forensic Computer Examiners.

and any other two of ii. to v:

ii. A Certified Live Wire Examiner;
iii. ACE or EnCase Certification;
iv. Certification in Phone/Mobile Forensics;
v. Membership of High Technology Crime Investigation Association (HTCIA);
(f) Good knowledge of operating systems, communication and application systems;
(g) A good knowledge of Nigerias Evidence Act, 2011 as it relates to the Rules of
Evidence, and Electronic Evidence in particular.
(h) Good experience of the Nigerian environment;
(i) Ability to provide local support for forensic hardware, software and tools proposed.
(j) Ability to manage a large-scale digital and computer forensics laboratory;
(k)

A minimum of Bachelors degree with post-graduate qualifications as an added

advantage.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

36

5.4 SKILL SETS REQUIRED BY DIGITAL AND COMPUTER FORENSICS

EXAMINERS
Who is a Certified Computer/Digital Forensics Examiner?
Computer and digital forensics is still a relatively new field, so defining what a forensic
examiner does can sometimes be difficult to understand for new comers to the field.
Basically, the certified computer and digital forensics examiner applies reliable investigation
and analysis techniques in order to discover potential electronic or digital evidence for legal
purposes. Normally, the forensic examiner will inspect storage media such as hard drives,
flash drives, CDs/DVDs, phone and mobile devices and other electronic components.
The basic responsibilities are:
To acquire the digital evidence by carefully extracting the data.
Preserve the data/evidence
Analyze the data/evidence using proper protocol and specialized tools
Present and report on the findings
Digital and computer forensic investigations involve three (3) distinct scenarios:
1. The computer was used to commit a crime or involved in inappropriate use.
2. The computer was the target of a crime, such as being hacked for information, or
used as a zombie in a botnet.
3. The computer was a container of electronic evidence required in a legal matter.
Forensic examiners are responsible for extracting and preserving three types of data from
these computers:
1. Active data is the information clearly visible. Files, folders, programs, etc.
2. Archival data is data that has been backed up and/or stored. This could consist of
backup tapes, CD/DVDs, floppies, or hard drives.
3. Latent data is the data that has been deleted or formated, usually requiring
specialized software tools.
Skills and Knowledge Required:
The key aspect to being a certified digital forensic examiner is being able to protect
evidence from intentional or accidental modification. In the information technology world,
this means protecting and preserving data. The forensics field has its own set of software
and hardware tools for this specific purpose. The digital forensics examiner will need to be
familiar with these tools.
The following is not an exhaustive list but should cover the basic skills that a computer
forensic examiner should acquire, and which may also differ according to type of
employment situation and environment:

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

37

Understanding of forensic methodologies

Hardware imaging systems;
Computer skills-hardware and software
Legal concepts of criminology
Familiarity with local, region, domestic, and international laws on Rules of Evidence
and procedure
Advanced knowledge of the Windows registry
Experience with computer forensics processes and tools
Using the Forensic Toolkit by AccessData
Using Encase forensic software or any other top class forensic software
Using Cellebrites UFED or AccessData MPE+ or Paraben Solutions or other top
class solutions
Questioned Document Examination
Hand-writing Analysis
Biometrics including Fingerprinting, face-recognition systems, etc.
Network forensics
Incident response skills
Investigative skills
Ability to work long hours
Knowledge of finance and accounts
Malware Analysis expertise or Malicious Code Examination
Experience in full life cycle investigations
Strong communication and interpersonal skills
Ability to establish positive relationships with law enforcement professionals
Ability to document evidence and complete investigation reports
Ability to handle live incidents with appropriate responses
Forensic analysis skills including hardware, media storage, data storage, forensic
imaging, and file system analysis
Investigation skills
Personal interviewing skills
Familiarity with the use of rootkits, monitoring mechanisms, remote control services
Experience with unauthorized access methods and exploitation of known
vulnerabilities, such as SQL injection, Mobile Instant Messaging (MIM), buffer
overflows, and others
Excellent written and verbal skills
Ability to communicate complex technical information in non-technical staff and
clients.
Ability to lead presentations
Investigative experience, i.e. military or law enforcement or private investigation

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

38

5.5

JOB DESCRIPTION:
COMPUTER FORENSICS EXAMINER/INVESTIGATOR

Duties of Computer Forensics Examiners and Investigators:

Computer and Digital Forensics specializes in examining digital media to identify, recover,
preserve, analyze, and present facts and opinions in a forensically sound manner. The
need for such examination and analysis is needed not only for computer crime, but in other
criminal and civil cases as well, and also where an electronic audit trail may be created
from the information on the computer.
There are many duties a computer forensics examiner performs. Some of these are:

Conduct forensic and security investigations related to:

o financial crime
o breach of policy
o standards of conduct
o hacks
o leaks
o information security
o corporate compliance
o terrorism
o cyber warfare
o homicide and other crimes
Provide technical guidance to upper level management
Provide policy recommendations
Develop and implement security policies and procedures for information technology
infrastructures
Conduct witness interviews
Perform forensic analysis on electronic storage media and mobile devices
Document evidence findings and prepare briefings
Communicate investigation findings with law enforcement personnel
Testify in court (when applicable)
Research new forensic technologies
Stay up-to-date with the most recent malicious technologies and evolving technology
platforms

5.6 COMPUTER FORENSICS EXAMINER/INVESTIGATOR SALARY

In 2014, the average annual salary of a Computer Forensics Examiner in the United States
is between $50,000 and $70,000.00. There is a need to design and pay a special salary
scale and allowances for digital and computer forensics specialists outside of the civil
service salary scale. In the private sector, it is recommended that the pay be negotiated
appropriately.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

39

APPENDIX A
FORENSIC PORTALS

Art forensics concerns the art authentication cases to help research the work's
authenticity. Art authentication methods are used to detect and identify forgery,
faking and copying of art works, e.g. paintings.
Computational forensics concerns the development of algorithms and software to
assist forensic examination.
Criminalistics is the application of various sciences to answer questions relating to
examination and comparison of biological evidence, trace evidence, impression
evidence (such as fingerprints, footwear impressions, and tire tracks), controlled
substances, ballistics, firearm and toolmark examination, and other evidence in
criminal investigations. In typical circumstances evidence is processed in a Crime
lab.
Digital forensics is the application of proven scientific methods and techniques in
order to recover data from electronic / digital media. Digital Forensic specialists work
in the field as well as in the lab.
Forensic accounting is the study and interpretation of accounting evidence
Forensic aerial photography is the study and interpretation of aerial photographic
evidence
Forensic anthropology is the application of physical anthropology in a legal setting,
usually for the recovery and identification of skeletonized human remains.
Forensic
archaeology is
the
application
of
a
combination
of archaeological techniques and forensic science, typically in law enforcement.
Forensic astronomy uses methods from astronomy to determine past celestial
constellations for forensic purposes.
Forensic botany is the study of plant life in order to gain information regarding
possible crimes.
Forensic chemistry is the study of detection and identification of illicit drugs,
accelerants used in arson cases, explosive and gunshot residue.
Forensic dactyloscopy is the study of fingerprints.
Forensic document examination or questioned document examination answers
questions about a disputed document using a variety of scientific processes and
methods. Many examinations involve a comparison of the questioned document, or
components of the document, with a set of known standards. The most common
type of examination involves handwriting, whereby the examiner tries to address
concerns about potential authorship.
Forensic DNA analysis takes advantage of the uniqueness of an individual's DNA to
answer forensic questions such as paternity/maternity testingand placing a suspect
at a crime scene, e.g. in a rape investigation.
Forensic engineering is the scientific examination and analysis of structures and
products relating to their failure or cause of damage.
Forensic entomology deals with the examination of insects in, on and around human
remains to assist in determination of time or location of death. It is also possible to
determine if the body was moved after death using entomology.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

40

Forensic geology deals with trace evidence in the form of soils, minerals and
petroleum.
Forensic geophysics is the application of geophysical techniques such as radar for
detecting objects hidden underground or underwater.[41]
Forensic intelligence process starts with the collection of data and ends with the
integration of results within into the analysis of crimes under investigation[42]
Forensic Interviews are conducted using the science of professionally using
expertise to conduct a variety of investigative interviews with victims, witnesses,
suspects or other sources to determine the facts regarding suspicions, allegations or
specific incidents in either public or private sector settings.
Forensic limnology is the analysis of evidence collected from crime scenes in or
around fresh-water sources. Examination of biological organisms, in
particular diatoms, can be useful in connecting suspects with victims.
Forensic linguistics deals with issues in the legal system that requires linguistic
expertise.
Forensic meteorology is a site-specific analysis of past weather conditions for a point
of loss.
Forensic odontology is the study of the uniqueness of dentition, better known as the
study of teeth.
Forensic optometry is the study of glasses and other eye wear relating to crime
scenes and criminal investigations
Forensic pathology is a field in which the principles f medicine and pathology are
applied to determine a cause of death or injury in the context of a legal inquiry.
Forensic podiatry is an application of the study of feet footprint or footwear and their
traces to analyze scene of crime and to establish personal identity in forensic
examinations.
Forensic psychiatry is a specialized branch of psychiatry as applied to and based on
scientific criminology.
Forensic psychology is the study of the mind of an individual, using forensic
methods. Usually it determines the circumstances behind a criminal's behavior.
Forensic seismology is the study of techniques to distinguish the seismic signals
generated by underground nuclear explosions from those generated by
earthquakes.
Forensic serology is the study of the body fluids.[43]
Forensic toxicology is the study of the effect of drugs and poisons on/in the human
body.
Forensic video analysis is the scientific examination, comparison and evaluation of
video in legal matters.
Mobile device forensics is the scientific examination and evaluation of evidence
found in mobile phones, e.g. Call History and Deleted SMS, and includes SIM Card
Forensics
Trace evidence analysis is the analysis and comparison of trace evidence including
glass, paint, fibres and hair.
Wildlife Forensic Science applies a range of scientific disciplines to legal cases
involving non-human biological evidence, to solve crimes such as poaching, animal
abuse, and trade in endangered species.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

41

Blood Spatter Analysis is the scientific examination of blood spatter patterns found at
a crime scene to reconstruct the events of the crime.
Source: http://en.wikipedia.org/wiki/Forensic_science

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

42

APPENDIX B
GLOSSARY OF TERMS
Acquisition: The process of creating a duplicate copy of digital media for the purposes of
examining it.
Agent: A person who serves the interests of an agency that has jurisdiction over criminal or
civil matters involving digital evidence. In many jurisdictions and circumstances, the agent
will be a law-enforcement officer. However, an agent may also be a non-sworn individual of
suitable qualification who is serving the interests of the parties involved in a criminal or civil
investigation or dispute.
Buddy list: A collection of screen names, usually compiled by a user for instant
messaging on his or her personal computer or cellular telephone.
Duplicate digital evidence: An accurate digital reproduction of all data objects contained
on the original physical item.
Electronic device: A device that operates on principles governing the behavior of
electrons.
Electronic evidence: Information and data of investigative value that are stored in or
transmitted by an electronic device.
Copy (v.): Accurately reproduce information contained on an original physical item,
independent of the electronic storage device (e.g., logical file copy). Maintains contents, but
attributes may change during the reproduction. Deleted files are not copied. Only the files
which the operating system (OS) can recognize are copied.
Encryption: Any procedure used in cryptography to convert plain text into cipher-text so as
to prevent anyone but the intended recipient from reading the data.
First responder: The initial responding law enforcement officer(s) and/or other public
safety official(s) arriving at the scene.
Digital evidence: Information stored or transmitted in binary form that may be relied on in
court.
Digital forensics: A branch of the forensic sciences related to the investigation of digital
devices and media. Within the field a number of "normal" forensics words are re-purposed,
and new specialist terms have evolved.
Digital media: Used within the fields to refer to the physical medium (such as a hard drive)
or data storage device.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

43

Documentation: Written notes, audio-tapes, videotapes, disc, printed forms, sketches, and
photographs that form a detailed record of the scene, evidence recovered, and actions
taken during the search of the crime scene.
Duplicate: An accurate digital reproduction of all data contained on a digital storage device
(e.g., hard drive, CD-ROM, flash memory, floppy disk, Zip, Jaz). Maintains contents and
attributes (e.g., bit stream, bit copy, and sector dump).
EA2011: Nigerias Evidence Act, 2011.
e-discovery or eDiscovery: A common acronym for electronic discovery.
Exhibit: Digital media seized for investigation is usually referred to as an "exhibit".
Hashing: Within the field, "hashing" refers to the use of hash functions (e.g. SHA1,
SHA256 or MD5) to verify that an "image" is identical to the source media.
High-technology crime: Criminal offenses that involve computer technology, including
computer crimes, computer-related crimes, and Internet-related crimes.
Image: A duplicate copy of some digital media created as part of the forensic process.
Imaging: Synonym of "acquisition"
ISP: Internet service provider. ISPs are organizations that provide subscribers with access
to the Internet. Small ISPs provide service via modem and ISDN (Integrated Services
Digital Network), while the larger ones also offer private line hookups (e.g., T1, fractional
T1).
Live Forensics or Live Analysis: Analysis of a piece of digital media from within itself;
often used to acquire data from RAM where this would be lost upon shutting down the
device.
Metadata: Data about data.
Network: A group of computers connected to one another to share information and
resources.
Server: A computer that provides some service for other computers that are connected to it
via a network.
Slack Space: The unused space at the end of a file in a file system that uses fixed size
clusters (so if the file is smaller than the fixed block size then the unused space is simply
left). Often contains deleted information from previous uses of the block.
Sniffer: Software that monitors network packets and can be used to intercept data
including passwords, credit card numbers, etc.
Standards for Digital and Computer Forensics in Nigeria Draft v0.2

44

Steganography: The word steganography comes from the Greek name steganos
(hidden or secret) and graphy (writing or drawing) and literally means hidden writing.
Steganography uses techniques to communicate information in a way that is hidden.
Trier of fact: The person or persons who decide the facts in legal cases. In a jury trial the
jury is the trier of fact. When there is no jury (sometimes called a bench trial or trial to the
court), the judge is the trier of fact. With or without a jury, it is the judge who determines
the law in a case.
Unallocated Space: Clusters of a media partition not in use for storing any active files.
They may contain pieces of files that were deleted from the file partition but not removed
from the physical disk
URL: Universal Resource Locator.
Verification: A term used to refer to the hashing of both source media and acquired image
to verify the accuracy of the copy.
Write Blocker: The common name used for a forensic disk controller, hardware used to
access digital media in a read only fashion.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

45

SELECTED REFERENCES
Association of Chief Police Officers (ACPO), Good Practice Guide for Computer-Based
Electronic Evidence. (Official release version). (www.acpo.police.uk)
Federal Republic of Nigeria.
Evidence Act, 2011 (HB. 214).
Greg Dominguez.
Equipping A Forensic Lab. Techno Forensics 2007
National Institute for Standards and Technology (NIST).
Guide to Integrating Forensic Techniques into Incident Response. Special
Publication 800-86.
Olayiwola, Peter O.
Digital Forensics in the Investigation and Prosecution of Criminal Cases, A Paper
presented at the Commonwealth National Workshop for Prosecutors and Investigators
on Money Laundering, Terrorism and the Financing and Recovery of Proceeds of Crime,
at Sheraton Hotel, Abuja, Nigeria, 15th-18th January, 2013.
Olayiwola, Peter O.
Evidence Collection and Crime Scene Documentation. A Paper presented at the
First West African Digital & Computer Forensics Conference (Theme: Digital Forensics:
Antidote to High-Tech Crimes in West Africa) held at the International Conference
Centre, Abuja, Nigeria, 18th April 2012.
U.S. Department of Justice, Office of Justice Programs, National Institute of Justice,
Forensic Laboratories: Handbook for Facility Planning, Design, Construction, and
Moving.
U.S. Department of Justice, Office of Justice Programs, National Institute of Justice,

Electronic Crime Scene Investigation: A Guide for First Responders.

July, 2001.

Standards for Digital and Computer Forensics in Nigeria Draft v0.2

46