Over the years the question of how to store digital forensic evidence has been raised many times. Forensic examiners often ask how to properly use a Storage Area Network (SAN) or Network Attached Storage (NAS) device in a digital forensic laboratory. Some of the main questions asked are: 1) How do you handle the sanitization of hard disks in a SAN/NAS array? 2) Are all hard drives periodically removed from the server, wiped, and then re-installed? 3) While spillage of classified material or contraband would likely necessitate some extraordinary efforts, what would be a “best practice” for cleaning a SAN/NAS not involving classified material or child pornography? And 4) Can you use a SAN/NAS if your laboratory is ASCLD/LAB accredited?
In my experience, hard drives for SAN/NAS devices should be forensically wiped prior to being placed into service. Once they are wiped, placed in the array, initialized, formatted, and put into a RAID, that is the last time you’ll wipe them (short of some maintenance issue, etc.). Forensically imaging directly to a SAN or NAS and then processing your cases off of the network storage device is a very nice way of doing business, particularly if you have the bandwidth to do so and a good backup solution.
The key to this issue is as much administrative as it is technical. You need solid policies in place that define naming conventions, and you need to ensure those policies are followed to the letter. You want your policy so granular that it specifies the directories, subdirectories, file names, etc. that are used for any evidence stored on the SAN/NAS. You also need to do periodic reviews of how examiners are naming things and ensure that everything is stored exactly where it is supposed to be. The real issue here is the potential for cross-contamination of evidence: data from one case ending up mixed into, or attributed to, another. By creating good policy and following that policy, you help defeat this issue.
Obviously you want your SAN/NAS on your forensic LAN, which is not connected to the Internet; that further reduces the chances of malware, intrusion, or exfiltration of sensitive data. These steps also help you show that the data was protected and reduce the likelihood of data contamination.
Another suggested technical control is to create separate partitions (or volumes/shares, depending on the device) on your network storage device for each examiner and then use Access Control Lists (ACLs) to ensure that only the examiner and their supervisor/manager can access their respective partition. This again limits the scope of the issue and the potential for cross-contamination. Note that ACLs do not bind the storage administrator, who can still read every partition as root, so administrative access to the device should be limited and logged as well.
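The periodic review called for above (are examiners naming and placing things per policy, and do the per-examiner ACLs still grant access only to the examiner and supervisor?) can be scripted. The following is an added example, not code from the original article: it checks stored paths against a hypothetical layout /evidence/<examiner>/<case>/<area>/... (case numbers in a hypothetical YYYY-NNNN form, areas limited to images, working and reports, and forensic image containers confined to images/), and it parses getfacl output for a case directory to flag any named user other than the examiner and supervisor or any group/other access. The getfacl text is a constructed sample in the format the Linux getfacl(1) utility prints, and all user and case names are hypothetical.

```python
"""Periodic audit of an evidence share: directory layout and ACLs.

This is an added example, not code from the original article. The layout
/evidence/<examiner>/<case>/<area>/..., the case-number format YYYY-NNNN
and the user names are hypothetical stand-ins for whatever the lab's own
policy specifies; the getfacl output below is a constructed sample in the
format the Linux getfacl(1) utility prints.
"""
import re

EXAMINER_RE = re.compile(r"^[a-z][a-z0-9]{2,15}$")      # hypothetical convention
CASE_RE = re.compile(r"^\d{4}-\d{4}$")                  # hypothetical: YYYY-NNNN
AREAS = {"images", "working", "reports"}               # the three partitions
# Forensic image containers: raw/dd, split raw segments, E01/Ex01 segments.
IMAGE_FILE_RE = re.compile(r"\.(dd|raw|img|\d{3}|ex?\d{2})$", re.IGNORECASE)
# One ACL entry as getfacl prints it; trailing "#effective:" notes are stripped first.
ACL_ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")


def check_path(path, root="/evidence"):
    """Return the policy violations for one stored file path (empty = compliant)."""
    if not path.startswith(root + "/"):
        return [f"{path}: outside evidence root {root}"]
    parts = path[len(root) + 1:].split("/")
    if len(parts) < 4:
        return [f"{path}: expected <examiner>/<case>/<area>/<file>"]
    examiner, case, area, *rest = parts
    problems = []
    if not EXAMINER_RE.match(examiner):
        problems.append(f"{path}: examiner directory {examiner!r} violates naming rule")
    if not CASE_RE.match(case):
        problems.append(f"{path}: case directory {case!r} is not YYYY-NNNN")
    if area not in AREAS:
        problems.append(f"{path}: area {area!r} not one of {sorted(AREAS)}")
    # An image container outside images/ is the cross-contamination risk:
    # it can end up processed as, or mixed with, another case's working files.
    if IMAGE_FILE_RE.search(rest[-1]) and area != "images":
        problems.append(f"{path}: forensic image stored outside images/")
    return problems


def check_acl(getfacl_text, examiner, supervisor):
    """Parse getfacl output for a case directory and return ACL violations.

    Policy: the directory is owned by the examiner, only the examiner and the
    supervisor may appear as named users, and group/other get no access.
    """
    allowed = {examiner, supervisor}
    problems = []
    for raw in getfacl_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                owner = line.split(":", 1)[1].strip()
                if owner != examiner:
                    problems.append(f"owner is {owner}, expected {examiner}")
            continue
        m = ACL_ENTRY_RE.match(line.split("#", 1)[0].strip())
        if not m:
            problems.append(f"unparsed ACL entry {line!r}")
            continue
        _default, kind, who, perms = m.groups()
        if kind == "user" and who and who not in allowed:
            problems.append(f"named user {who} has {perms}")
        elif kind == "group" and perms != "---":
            problems.append(f"group {who or '(owning group)'} has {perms}")
        elif kind == "other" and perms != "---":
            problems.append(f"other has {perms}")
    return problems


# Constructed sample: jsmith's case directory with a stray grant to tbrown.
SAMPLE_ACL = """\
# file: evidence/jsmith/2024-0017
# owner: jsmith
# group: forensics
user::rwx
user:mjones:r-x
user:tbrown:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:mjones:r-x
default:group::---
default:mask::rwx
default:other::---
"""

SAMPLE_PATHS = [
    "/evidence/jsmith/2024-0017/images/laptop.E01",
    "/evidence/jsmith/2024-0017/working/laptop.E01",
    "/evidence/jsmith/case17/exports/timeline.csv",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", check_path(p) or "OK")
    print("ACL:", check_acl(SAMPLE_ACL, "jsmith", "mjones") or "OK")
```

In practice the path list comes from a walk of the share (or from the NAS's own file index) and the ACL text from running getfacl over each case directory; anything the two functions report is a finding for the review, and an empty result for every path and directory is the record that the policy was followed.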
As for the question regarding sensitive or classified data – I think these are two different issues. For classified cases, generally you have a completely separate set of forensic computers and networking equipment that is accredited to operate in classified space. For example, you may have another LAN located within a limited area that only Secret/TS-cleared individuals can physically access. This LAN is used to conduct forensics only on classified systems or classified material. You could have a SAN/NAS in the classified area as well, but it would only be used for the storage of classified information, and the system would probably need a Certification & Accreditation package depending on your agency’s procedures. This should eliminate your classified spillage concern.
Unclassified but sensitive material (Official Use Only, child exploitation images, etc.) can still reside on your unclassified SAN/NAS. I would recommend having a partition for your forensic images (.dd, .E01, etc.), partitions for your evidence files (EnCase, FTK, exports, exhibits, etc.), and partitions for your forensic reports.
One area I was experimenting with while managing a law enforcement digital forensics laboratory was a Data Classification process for exactly this situation. This wasn’t on a classified system, but an unclassified law enforcement network that processed a lot of child exploitation and other sensitive data. The idea is to place all of the sensitive data in a specific location (partition, physical disk, a separate SAN/NAS on the same LAN, etc.) and then monitor the usage and flow of traffic from that location. In addition to putting ACLs in place, this would provide you with alerting any time data was placed in or removed from the sensitive location. This is also a great way for management to ensure information being accessed is on a need-to-know basis.
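The alerting described above can be built from the file-access audit log most NAS platforms can emit. The following is an added example, not code from the original article: it parses log lines shaped like Samba's vfs_full_audit syslog output (prefix user|client IP|share, then operation, result and arguments), and raises an alert whenever data is written to, deleted from, or moved out of a hypothetical sensitive root, or whenever any user outside a hypothetical need-to-know list touches it, whether the ACL stopped them or not. Authorised reads are deliberately not alerted, since that is normal casework. The log lines are a constructed sample, and operation names and argument layout vary between Samba releases, so those are the first thing to adjust against a real device.

```python
"""Alert on data moving into or out of a sensitive evidence location.

Added example, not code from the original article. The log lines are a
constructed sample shaped like Samba's vfs_full_audit syslog output with
prefix '%u|%I|%S' (user, client IP, share) followed by operation, result
and arguments. Operation names vary between Samba releases and the exact
argument layout is assumed here, so the *_OPS sets and the argument parsing
are the first thing to adjust against a real NAS. Paths, users and the
sensitive root are hypothetical.
"""
import re
from collections import namedtuple

SENSITIVE_ROOT = "/evidence/sensitive"          # hypothetical sensitive location
NEED_TO_KNOW = {"jsmith", "mjones"}             # hypothetical examiner + supervisor

WRITE_OPS = {"pwrite", "write", "create_file", "mkdirat", "mkdir"}
DELETE_OPS = {"unlinkat", "unlink", "rmdir"}
MOVE_OPS = {"renameat", "rename"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit: "
    r"(?P<user>[^|]*)\|(?P<client>[^|]*)\|(?P<share>[^|]*)\|"
    r"(?P<op>[^|]*)\|(?P<result>ok|fail)\|(?P<args>.*)$"
)

Alert = namedtuple("Alert", "ts user client kind path")


def parse_line(line):
    """Return the audit fields as a dict, or None for lines that are not audit records."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def in_sensitive(path):
    return path == SENSITIVE_ROOT or path.startswith(SENSITIVE_ROOT + "/")


def classify(ev):
    """Return (kind, path) if the event should alert, else None."""
    args = ev["args"].split("|")
    op, path = ev["op"], args[0]
    dst = args[1] if op in MOVE_OPS and len(args) > 1 else None
    if not (in_sensitive(path) or (dst is not None and in_sensitive(dst))):
        return None                      # does not touch the sensitive tree
    if ev["user"] not in NEED_TO_KNOW:
        # Either the ACL did its job (fail) or it did not (ok); both matter.
        return ("denied-attempt" if ev["result"] == "fail" else "unauthorised-access"), path
    if ev["result"] != "ok":
        return None
    if dst is not None:
        if in_sensitive(path) and not in_sensitive(dst):
            return "moved-out", path     # data removed from the sensitive location
        if in_sensitive(dst) and not in_sensitive(path):
            return "moved-in", dst       # data placed in the sensitive location
        return None                      # rename within the sensitive tree
    if op in WRITE_OPS:
        return "written", path           # data placed in the sensitive location
    if op in DELETE_OPS:
        return "deleted", path
    return None                          # authorised read: normal work, not alerted


def scan(log_text):
    """Run every audit record through classify() and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hit = classify(ev)
        if hit:
            alerts.append(Alert(ev["ts"], ev["user"], ev["client"], hit[0], hit[1]))
    return alerts


# Constructed sample log: an authorised read, a write, a denied access by a user
# without need-to-know, a move out of the sensitive tree, an unrelated read and
# a deletion.
SAMPLE_LOG = """\
Mar  4 09:12:33 nas1 smbd_audit: jsmith|192.168.10.21|evidence|openat|ok|/evidence/sensitive/2024-0017/images/phone.E01|r
Mar  4 09:14:02 nas1 smbd_audit: jsmith|192.168.10.21|evidence|pwrite|ok|/evidence/sensitive/2024-0017/working/export.zip
Mar  4 09:20:41 nas1 smbd_audit: tbrown|192.168.10.35|evidence|openat|fail|/evidence/sensitive/2024-0017/images/phone.E01|r
Mar  4 09:25:10 nas1 smbd_audit: mjones|192.168.10.40|evidence|renameat|ok|/evidence/sensitive/2024-0017/working/export.zip|/evidence/mjones/2024-0017/working/export.zip
Mar  4 09:30:00 nas1 smbd_audit: jsmith|192.168.10.21|evidence|openat|ok|/evidence/jsmith/2024-0011/working/notes.txt|r
Mar  4 09:31:15 nas1 smbd_audit: jsmith|192.168.10.21|evidence|unlinkat|ok|/evidence/sensitive/2024-0017/images/phone.E01
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.kind:20} {a.user}@{a.client} {a.path}")
```

Fed the live syslog stream instead of SAMPLE_LOG, the same scan() output is what goes to the supervisor's alert queue; the "moved-out" and "deleted" kinds are the ones management most wants, since they show sensitive material leaving the location the policy put it in.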
As far as the ASCLD/LAB question, I was a laboratory director for an ASCLD/LAB accredited LE forensics lab and can tell you that using a SAN is perfectly acceptable. ASCLD/LAB is more about making sure you have policies that match industry best practices and then following your own policy vice telling you how you must do business.