When you hear about recent organizations who have achieved ASCLD/LAB accreditation, you may not expect to hear a Fortune 500 company named: Wal-mart Stores, Inc. Ken Mohr, a principal at Crime Lab Design, heard about the project Larry Depew and his company, Digital Forensics.US, LLC was doing with Walmart’s E-Discovery and Forensic Services Laboratory and wanted to learn more about the trend for convergence of E-Discovery and digital forensic services.
Larry and his team guided Walmart’s Lab through the following planned phased activities on the road to ASCLD/LAB accreditation:
Phase 1: Conduct an off-site analysis of their quality management system manuals (quality, technical, operations) against ISO/IEC 27015:2005 and the ASCLD/LAB 2011 Supplemental Standards.
Phase 2: Conduct an on-site analysis of operations against the standards.
Phase 3: Develop a roadmap and project schedule that incrementally establishes operational rigor that conforms to the International and ASCLD/LAB standards.
Phase 4: Draft policies and procedures into quality, technical, and operations manuals that describe how the laboratory will meet the International Standards.
Phase 5: Define the knowledge, skills, and abilities required for examiners to establish competency through an effective training program and documented to a training manual.
Phase 6: Mentor the implementation of the system in conformance with the standards.
Phase 7: Measure performance through such activities and internal audits and management reviews and make adjustments through formalized management review processes in an effort to improve the laboratory’s level of performance in a Plan-Do-Check-Act continuous cycle.
These phases continued over two years. Depew had three certified technical examiners all with ASCLD/LAB assessor experience working on this project. The laboratory is located in Bentonville, Arkansas. The lab is staffed with a Lab Director, a Quality Manager, an E-Discovery Manager, 20 E-Discovery Specialists (examiners), and 19 Forensic Examiners. Lab services include data collection, preservation, analysis, and reporting for internal investigations, such as employee misuse or investigation of false injury claims (e.g., staged “slip and fall”). They also collect and analyze video for law enforcement when a criminal event occurs in an area surveyed by Walmart cameras both in the stores and the parking lots. So, E-Discovery is the civil litigation side of data collection, preservation, analysis, and reporting. The E-Discovery unit uses the same tools/software/methods that law enforcement examiners use, but in response to ongoing or anticipated civil litigation.
How did a private company such as Walmart decide to seek accreditation?
I received a telephone call from the Lab’s Quality Manager Ken Gill. He explained their desire to earn ASCLD/LAB accreditation having recently visited an FBI-sponsored Regional Computer Forensic Laboratory (RCFL). Their goal was to establish operational rigor that an external accreditation assessment would help establish, thus increasing confidence in the work product delivered to their customers.
What trends in the Digital Forensic industry is Walmart following or improving?
In my opinion, Walmart is leading rather than following the private sector industry in two ways. First, they recognized that the baseline technical processes and requirements for quality management are essentially the same for both their digital forensics and E-Discovery teams. Thus, unlike most organizations that have separate components for these services, Walmart has combined their services into the E-Discovery and Forensic Services Laboratory. By encouraging cross-training between the teams, they have established an extensive set of resources that can be leveraged when work surges on one team. Second, Walmart is investing in their in-house forensic and E-Discovery program, rather than outsourcing, which saves an enormous amount of money. In addition to developing a hard drive recovery capability, they are building capacities for reverse engineering SSD devices and chip off multiple mobile devices found in business-issued equipment or BYOD. Third, Walmart is one of a few private sector companies that have sought accreditation as a component of the quality management system that establishes their results as reliable and defensible. It will be the first laboratory to achieve ASCLD/LAB accreditation under the international program for an E-Discovery laboratory.
Describe the existing conditions in the laboratories and the changes that have occurred over time through your recommendations?
The first thing that was evident during my first visit to the lab was management’s desire to ensure operations met best practices and accreditation standards.
The lab personnel associates were exceptionally talented and competent. Lab space was at a premium with each associate being assigned a 6′ x 6′ cubicle. They maximized the space by placing forensic equipment on shelves above the workbench. This was challenging for the examiners since access to the forensic machine is a routine requirement. Further, it reduced productivity since it made multi-tasking difficult. Over the course of the past two years, the laboratory has expanded and there are plans for a much larger expansion. Associates are working smarter; maximizing space usage more efficiently. For example, they merged common technical procedures into one common area.
Walk us through the experience of entering the facility and getting into the lab.
The security of the building in which the laboratory is housed is very good. It is manned with uniformed personnel and each person entering the building must badge in through an electronically secured door. Visitors must register and are escorted. The laboratory itself is secured with a dual-authentication hand-geometry scanner combined with a password created by each authorized associate. I considered the overall security to be exceptional. Procedurally, we had to make adjustments such as logging visitors into the lab.
Describe some of the enhancements that have occurred in the lab.
The laboratory’s policies and technical procedures, generally maintained on an internal Wiki, were formalized into Quality, Technical, Operations, and Training Manuals that map to the international standards and industry best practices. We identified the core knowledge, skills, and abilities that each associate would be required to establish to be internally certified as being competent to conduct independent casework. During our first year, we focused on evolving those policies and procedures into the routine of the laboratory’s work. At the end of the first year of the project, my staff conducted a mock ASCLD/LAB assessment with recommendations for continuing process improvements.
The physical plant expansion offered opportunities for more workspace. With expansion, the original space was reconfigured so that the hard drive recovery team could build a mini-lab within the lab. This allows for microscopes and soldering equipment to be set up in a single area with adequate room to disassemble and repair hard drives for data recovery. Previously, this equipment was located in three areas of the laboratory. Conference rooms and training rooms are at a premium and shared with other Wal-Mart Stores, Inc. business units, but are carefully managed to ensure that training is afforded on a regular basis.
The following list of spaces is important for Digital Forensic Labs. Can you tell us a bit about these spaces in this project?
Secure entry and leave your personal cell phone behind: For security of the Walmart facility and its employee’s privacy, photographs are prohibited. While relinquishing cell phones is not required, visitors cannot help but be cognizant that just about every area of the work space is monitored by video cameras.
Main exam/workstation area: Each examiner has his or her own cubicle for conducting examinations. As I mentioned earlier, the hard drive recovery examiners have a common work area where they can share not only equipment and work space, but ideas on how to troubleshoot problematic devices. Several machines are continuously running programs to recover data on corrupted hard drives. There are also common areas for mobile and video forensics.
Takedown room: There is no room dedicated for disassembly. The fact is that most data collected by the examiners comes from network-acquired sources. A very small number of cases have physical devices submitted to the laboratory. As an example, during October the lab responded to nearly 400 requests for services and only about 5% of those involved a physical device.
What types of equipment and software does the laboratory use to provide services: The laboratory is well equipped. They have a wide variety of hardware and software common to any law enforcement forensic laboratory. Forensic workstations, write blockers, disk duplicators, mobile device equipment, and more can be observed throughout the lab. They use the most common forensic software, but have developed in-house methods to efficiently collect data from unique sources. Together, we tested and validated those in-house methods over the course of this project.
Their methodologies are quite similar to what we would see in a sophisticated laboratory. Data is identified, securely collected, imaged logically or physically, hashed, analyzed, reported, and archived. Each associate has a staging drive or server to facilitate casework. The results are provided to the customer electronically under cover of a report. The collected data results are archived to a storage area network in a designated location outside of the lab.
Storage (evidence): As mentioned previously, unlike law enforcement labs, the laboratory handles relatively few physical devices since data collected and preserved often resides on the Walmart internal network storage. However, when physical devices are encountered, the lab’s processes and evidence storage are no different than a law enforcement facility. There are two types of evidence storage: Long-term and short-term. Long-term evidence storage is located in a separate data center facility which has a very high level access control procedure. Each examiner is assigned a temporary storage locker to store digital devices while the associated service request is ongoing. Physical evidence is documented to a paper chain of custody while data collected and processed virtually is verified through process logs and hash verification throughout the process from collection to archiving.
Storage (in process evidence): When physical evidence is undergoing examination or processing by associates and the evidence is unattended, a warning placard is placed on or around the evidence to ensure that other personnel are aware and cautious when entering the examination area.
Finally, as Larry walked the halls of the facility he had this to say “I noted the following quote on the white board of former lab director and Senior Director Jerry Geisler: ‘We must all suffer one of two things: the pain of discipline or the pain of regret or disappointment.’” That quote set the tone for the project’s success.
Ken Mohr (kenm@crimelabdesign.com) is a principal and senior forensic planner with Crime Lab Design which provides full architectural and engineering services for forensic and medical examiner facilities worldwide.
Larry Depew (larry@larrydepew.com), founder of Digital Forensics.US LLC., is a retired FBI Supervisory Special Agent and Laboratory Director of the New Jersey Regional Computer Forensic Laboratory (RCFL). He was certified by the FBI in computer and mobile forensics. He is a certified ASCLD/LAB and A2LA assessor. He is a graduate of the University of Maryland. He later attended George Washington University earning a graduate certification in Project Management and undertook management training at Northwestern University, Kellogg School of Management. He is a certified PMP through the Project Management Institute. He has guided many laboratories internationally to accreditation.
A statement from Wal-Mart Stores, Inc. Quality Manager Ken Gill on what he has learned:
The development of our quality management system is best described using the analogy of painting the Golden Gate Bridge. It is never finished. When you get to the end, you head back to the other end and start painting again. Sure, a lot of work went into preparing for the ASCLD/LAB assessment. But our pursuit of improving operations doesn’t end with accreditation. You are continually examining and re-examining your processes and procedures. You are ensuring that the teams remain proficient and that they are current. New technologies arrive and they need to be vetted. This along with pretty much verifying everything under the sun.
The fact that we now have a well-documented and functional mentoring program is of special importance to us. As the demands for our services grow, our forensics and E-Discovery teams grow as well. The process of bringing in new members to the teams and establishing their competence is very important. It is now streamlined with an effective and efficient mentoring program. The Mentor/Mentee pairing facilitates the efficient development of new associates’ competencies. Defined training goals against which achievements are mapped and documented establish a record that our staff has the required skill-set to provide our customers with reliable results.
Leave A Comment