InfraGard IGTV Session

How to Assess a Computer Forensic Examiner

Biography

I am a certified computer forensic examiner who has been practicing in the field since 2001. I have worked on both criminal and civil cases ranging from child pornography to Intellectual Property theft. As I go through the talk you will find that although there are some different constraints between civil and criminal work in seizing evidence, as regards Forensic Process and Procedure there is only one right way.

Expert Computer Forensic Examiner

- The purpose of using a Forensic expert is so that the evidence will be able to hold up in a court of law. The evidence must be "trustworthy" and the person that collects and examines the evidence must be seen as "trustworthy".
- An expert will never work directly on the original data. The examiner will create a forensic image and work with the copy of the data. In order for this to happen an experienced Computer Forensic Examiner must be the one to complete this task.

Information Gathering

What are the first steps in selecting a Forensics Examiner? The examiner should be asked for a current CV and references. If you have any contacts at HTCIA, or if you know anyone on the ISFCE or an established forensic group, your contact can send out an email to the group as is customary and a local examiner will respond.

II. Strategic Questions you should be asked by the Forensic Examiner

- Is there a protection order in effect?
- Is this a civil, criminal, or pre-emptive action?
- Will this be a hostile collection?
- Are there any unusual physical circumstances that you are aware of (i.e. no elevators, limited parking, different buildings, or strict working hours)?
- How many machines are targeted for collection?
- How many servers are involved?
  a. Is email requested?
  b. How many custodians?

Revamp

- These are basic questions that help the examiner to assess and, if necessary, advise the client on possible preliminary action. For example, from the beginning stages the expert must advise how to preserve evidence, giving "best practice" instructions to avoid anyone tampering with the evidence.
- Be able to determine if a forensic examination is necessary, the scope of the examination, and if the examination will aid in your case.
- The examiner must use state-of-the-art forensic tools.

How to collect/preserve evidence until an expert arrives

Your responsibility:

- Do you need a search warrant or letter of preservation?
- Maintain the Chain of Custody. Once a computer is seized, a list of who comes in contact with the evidence is maintained. This should include only members of the investigative unit or law enforcement.
- All distinguishing characteristics of the media, such as make, model and serial number of the computer, should be included on the document.
- If the computer was on, a picture of what was on the screen and the surrounding area should be photographed.

Why can't I take a copy of the files or preview the original?

- Two reasons. If you copy data or open files without using forensic techniques and proper software, you will alter the metadata and possibly contaminate the evidence. At that point you have damaged your own case.
- The second reason involves missing possible valuable information. A simple example of why expertise is needed to preview evidence:

So the process must be:

- verifiable
- repeatable
- documented

So what could go wrong?

If the COC is broken the entire case is thrown out. A trained examiner understands that there are legal constraints, such as:

- search warrant
- who owns the computer, individual or company
- what the computer is attached to, i.e. system or device
- proving who was sitting behind the computer
- avoiding spoliation of evidence

This process has to be repeated any time the control of evidence is changed.
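The preceding slides say the examiner works only on a verified copy, that the custody record must list the media's make, model and serial number and everyone who handles it, and that the process must be verifiable, repeatable and documented. As an added illustration (not code from the talk or its author), the following Python models that: acquisition hashes the original and the image, and each change of control appends a hash-linked entry so that any alteration of the working copy or of the record is detected. The media contents and names are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample "evidence" bytes standing in for a seized disk.
ORIGINAL_MEDIA = b"suspect-laptop-disk-contents-" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Custody:
    """Chain-of-custody record: the media's identifying details, the hash of
    the acquired original, and one hash-linked entry per change of control."""
    make: str
    model: str
    serial: str
    original_hash: str
    entries: List[Dict[str, str]] = field(default_factory=list)

    def transfer(self, from_person: str, to_person: str, image: bytes) -> Dict[str, str]:
        # Log every change of control and re-hash the working copy at that point.
        entry = {"from": from_person, "to": to_person, "image_hash": sha256_hex(image),
                 "prev": self.entries[-1]["entry_hash"] if self.entries else self.original_hash}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, image: bytes) -> bool:
        """True only if the working copy still matches the acquired original and
        no custody entry has been altered, reordered or dropped."""
        if sha256_hex(image) != self.original_hash:
            return False
        prev = self.original_hash
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or body["image_hash"] != self.original_hash:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def acquire(media: bytes, make: str, model: str, serial: str) -> Tuple[bytes, Custody]:
    """Copy the media, hash both, confirm they match, open the custody record."""
    image = bytes(media)  # the working copy the examiner actually analyses
    if sha256_hex(image) != sha256_hex(media):
        raise RuntimeError("acquired image does not match original media")
    return image, Custody(make, model, serial, sha256_hex(media))
```

Opening or copying files outside this process (the "preview" the earlier slide warns against) changes the bytes or metadata, and `verify` then fails for every later handler.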

Why does it matter how you "shut down" the computers during an investigation?

Conclusion

- Successfully recovering any form of data is a cooperative effort between lawyers and technical experts.
- The lawyer needs to understand the process, get authorization to access the data, and provide supporting information to assist the investigator in narrowing the scope of the investigation.
- The technical experts need to examine the data while preserving the Chain of Custody and following best practice to authenticate what will be presented at the outcome of the investigation.
