You are on page 1of 8


Computer forensics is the collection, preservation, analysis and court presentation of

computer-related evidence. In addition to civil and criminal jury trials, computer evidence
often is presented in arbitration, administrative and mediation proceedings,
congressional/government hearings and presentations to corporate management.
Accordingly, the proper collection and analysis of computer evidence through accepted
computer forensic protocols is a critical component to any internal investigation or audit
where the results have at least the potential to be presented in legal proceedings.
Improperly handled computer evidence is likely to be excluded or limited by the trial court.

Choosing an Expert
Computer Forensics requires specialized expertise that generally goes beyond normal data
collection and preservation techniques available to end-users or system support personnel.
As with choosing any other expert, it is crucial that Mega-Corp scrutinizes the computer
forensic experts qualifications and experiences. The expert must have the proper
experience and training to successfully identify and attempt to retrieve possible evidence
that may exist on a computer system.

The Problem
In the field of digital forensics, there is no governing body at the national or state level that
accredits examiners as being competent in their field. The industry does not have a bar
exam or other accreditation system to ensure that experts have even the minimum
qualifications necessary to practice in this field. This means that anyone can call themselves
a digital forensics examiner regardless of their capabilities, experience, or competence. This
is why the selection process of a digital forensics expert is so critical.

Some guidelines

Investigation firms that truly specialize in computer forensic investigations are few and far
between. Most private investigators don't have the experience or understand the sensitive
legal issues involved in dealing with situations that could result in costly litigation. Here are
some crucial guidelines for finding a qualified investigation firm to perform computer
forensic investigations:
Agreements and Fees: Experienced and reputable firms provide proposals and contracts
prior to accepting cases. If one is not provided, request a projected budget estimate at the
very least. It's common to pay a retainer at the start of the case. However, it's perfectly okay
to ask the firm for references before making a payment.
Attorney and Law Enforcement Involvement: Experienced investigators understand the
relevance of involving qualified counsel in the investigation. Firms that do not seek to
involve your legal counsel should not be retained to conduct your investigation. The decision
to prosecute the illegal acts of your current or past employees lies between you and your
legal counsel and, ultimately, the District Attorney's or United States Attorney's office.
Prosecution can be quick and easy or time consuming, complicated and expensive,
depending on certain variables. A competent Private Investigation firm can let you know in
advance the probable amount of time your case would require if prosecuted. Generally, the
better job your investigator does, the faster your case will go through the court system. In

fact, less than 5% of people prosecuted as a result of our investigations actually go to trial.
Instead, they opt to "cop a plea" in the face of a bewildering amount of solid evidence.
Experience: Ensure the firm, as well as the employees assigned to your case, have the
experience and qualifications necessary to conduct the investigation. Very few investigation
firms specialize in workplace-related investigations. Choose a firm that is familiar with
employment law-related investigations, who knows criminal law and is familiar with civil
torts and union environments. The firm must know how to navigate areas that present a
legal minefield--one wrong move can lead to unwanted litigation.
Insurance: All reputable private investigation firms carry general liability insurance. Some
states require insurance prior to issuing a license. Ask for a Certificate of insurance and
ensure the coverage is "per occurrence," not "claims-made."
Proof of License: Private investigators are required to be licensed in all but eight states
(Alabama, Alaska, Colorado, Idaho, Mississippi, Missouri, South Dakota, Wyoming). Florida,
Georgia, Louisiana and Oregon have limited reciprocity agreements with California. When
going to another state for investigative services, request a copy of their license, or their
required permits or business licenses. Perform your own due diligence to avoid vulnerability
to litigation.
References and Reputation: Reputations vary widely in our industry. Quality investigation
firms are well known in the business community and are active in their professional trade
associations. Require no less than three references, and check them thoroughly. Ask about
their litigation and claims history and experience.
Reports: Detailed reports should immediately follow all investigative assignments. A report
should be submitted prior to the invoice unless a retainer is required. The information
provided in a report should be concise and accurate. Don't hesitate to ask for report or
statement samples.
Willingness to Testify: You should verify the willingness of all private investigators to testify in
court in criminal, civil, unemployment hearings or arbitrations, if necessary before the
investigation begins. If the investigator is subject to subpoena or deposition, the firm hiring
investigators is generally expected to pay the investigator's fees and expenses for time
spent in trial testimony and preparation for trial, even if the Company did not ask the
investigator to be in court.
Certifications and Training: Certified Computer Examiners (CCEs) may hold multiple
certifications in a variety of disciplines, the most prestigious of which is the Certified
Forensic Computer Examiner (CFCE). Less than 10% of applicants actually attain this.
Another respected certification you may consider is that of a Certified Electronic Evidence
Collection Specialist (CEECS). This speaks to credibility and involvement in the computer
forensics community. In short, only hire a professional person with the qualifications to do
the job.
Leading Computer Forensic Certifications The following four credentials represent the most
popular and well-respected computer forensic certifications, which we list along with their
websites: Certified Computer Examiner (CCE):
Computer Forensic Computer Examiner (CFCE): Computer Hacking Forensic Investigator
(CHFI) hacking_forensic_investigator.aspx
Professional Certified Investigator (PCI):

Solomon, Michael G., Rudolph, K., and Tittel, Ed. Computer Forensics JumpStart (2nd Edition).
Hoboken, NJ, USA: John Wiley & Sons, 2011. ProQuest ebrary. Web. 1 February 2015.
Copyright 2011. John Wiley & Sons. All rights reserved.
Tools of the Trade: Determine whether your potential investigators really have a full-scale
computer forensics laboratory. Some purported experts simply "make do" with whatever
equipment they have. As new technology is always emerging, state of the art labs include
frequent software and equipment updates.
The primary federal law enforcement agencies that investigate domestic crime on the
Internet include: the Federal Bureau of Investigation (FBI), the United States Secret Service,
the United States Immigration and Customs Enforcement (ICE) , the United States Postal
Inspection Service, and the Bureau of Alcohol, Tobacco and Firearms (ATF) . Each of these
agencies has offices conveniently located in every state to which crimes may be reported.
Contact information regarding these local offices may be found in local telephone
directories. In general, federal crime may be reported to the local office of an appropriate
law enforcement agency by a telephone call and by requesting the "Duty Complaint Agent.
Each law enforcement agency also has a headquarters (HQ) in Washington, D.C., which has
agents who specialize in particular areas. For example, the FBI and the U.S. Secret Service
both have headquarters-based specialists in computer intrusion (i.e., computer hacker)
Internet-related crime, like any other crime, should be reported to appropriate law
enforcement investigative authorities at the local, state, federal, or international levels,
depending on the scope of the crime. Citizens who are aware of federal crimes should report
them to local offices of federal law enforcement.
To determine some of the federal investigative law enforcement agencies that may be
appropriate for reporting certain kinds of crime, please refer to the following table:

Type of Crime

Appropriate federal investigative law enforcement


Computer intrusion (i.e.


FBI local office

U.S. Secret Service
Internet Crime Complaint Center

Password trafficking
Counterfeiting of currency

FBI local office

U.S. Secret Service
Internet Crime Complaint Center
U.S. Secret Service

Internet fraud and SPAM

Internet harassment

FBI local office

U.S. Secret Service
Federal Trade Commission (online complaint)
if securities fraud or investment-related SPAM emails, Securities and Exchange Commission (online
Internet Crime Complaint Center
FBI local office

Internet bomb threats

FBI local office

ATF local office

Copyright piracy (e.g.,

software, movie, sound

FBI local office

U.S. Immigration and Customs Enforcement (ICE)
Internet Crime Complaint Center

Trademark counterfeiting
Theft of trade secrets
/Economic Espionage

FBI local office

U.S. Immigration and Customs Enforcement (ICE)
Internet Crime Complaint Center
FBI local office

Other Cybercrime Reporting Resources

The Internet Crime Complaint Center (IC3)
The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of
Investigation (FBI) and the National White Collar Crime Center (NW3C). IC3's mission is to
serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly
expanding arena of cybercrime. The IC3 gives the victims of cybercrime a convenient and
easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil
violations. For law enforcement and regulatory agencies at the federal, state, and local level,
IC3 provides a central referral mechanism for complaints involving Internet related crimes.
Department of Homeland Security's National Infrastructure Coordinating Center: (202) 2829201 (report incidents relating to national security and infrastructure issues)
U.S. Computer Emergency Readiness Team (U.S. CERT) (online reporting for technicians)
Other Government Initiatives to Combat Cybercrime
National Intellectual Property Rights Coordination Center
The IPR Coordination Center's responsibilities include:

Coordinating U.S. government domestic and international law enforcement activities

involving IPR issues.
Serving as a collection point for intelligence provided by private industry, as well as a
channel for law enforcement to obtain cooperation from private industry (in specific
law enforcement situations).
Integrating domestic and international law enforcement intelligence with private
industry information relating to IPR crime, and disseminating IPR intelligence for
appropriate investigative and tactical use.
Developing enhanced investigative, intelligence and interdiction capabilities.
Serving as a point of contact regarding IPR law enforcement related issues.

The STOP Initiative (

The website provides information to consumers and businesses on intellectual
property, including information on how to report trade in fake goods.
Those with specific information regarding intellectual property crime can submit an IPR
Coordination Center Complaint Referral Form.

CERT Coordination Center
Computer Forensics, Cybercrime and Steganography Resources
Department of Defense Cyber Crime Center Department of
Defense, National Industrial Security Program Operating Manual (clearing and sanitizing
standard) DoD 5220.22-M
Department of Justice Computer Crime and Intellectual Property Section FBI National Computer Crime Squad Federal Guidelines for Searching and Seizing
Computers National Institute of Justice
Forensic Sciences National
Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC).
(CSRC is maintained by the Computer Security Division of the NIST.) National White Collar Crime Center National Institute of Standards Technology (NIST) Computer Forensic
Tool Testing Program SANS Information Security Reading Room Scientific Working Group on Digital Evidence United States Secret Service U.S. Secret Service Electronic Crimes
Task Forces and Working Groups
Digital Forensic Research Workshop (DFRWS 2011) High Tech Crime
Consortium High Technology Crime Investigation
Association (HTCIA) International Association for Identification (IAI) Scientific
Working Group on Digital Evidence International Association of
Computer Investigative Specialists International Information Systems Forensic Association
(IISFA) International Organization on Computer
Evidence (IOCE)
Digital Forensics Magazine: Supporting the Professional Computer Security Industry Digital Investigation: The International Journal of
Digital Forensics and Incident Response (Elsevier) Forensic
Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of
Justice International Journal of Digital
Evidence (IJDE) (Utica College) iPhone
Forensics by Jonathan Zdziarski Searching and
Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual;
Computer Crime and Intellectual Property Section Criminal Division of the United States
Department of Justice
AccessData Group, LLC
Cyber Security Institute DIBS USA, Inc. EC-Council iClass online learning program Global Digital Forensics, Inc. Guidance Software High Tech Crime Institute Indiana Forensic Institute International Association of Computer Investigative Specialists (IACIS) Key Computer Service CCE Bootcamp http://www.cce- SANS (Sysadmin, Audit, Networking, and Security) Institute Security University Technical
Resource Center
Solomon, Michael G., Rudolph, K., and Tittel, Ed. Computer Forensics JumpStart (2nd Edition).
Hoboken, NJ, USA: John Wiley & Sons, 2011. ProQuest ebrary. Web. 1 February 2015.
Copyright 2011. John Wiley & Sons. All rights reserved.

An incident response program is a critical component for an organizations sustainability and

security in the face of a computer security incident. Computer security incidents are a
menacing threat for organizations and their information assets. These incidents are often
targeted and decisive, leaving the victim organization in complete disarray. Security
incidents are deliberate electronic attacks on the communications or information processing
systems of an organization and could be carried out by just about anyone, ranging from a
disgruntled employee to a malicious competitor or even a hacker who finds your
organizations information valuable.
Organizations should have a formal incident response program and know how to respond to
and handle a security incident to control the costs and consequences that may result. In the
event of a security incident, organizations should take immediate action to investigate the
incident and limit the exposure of confidential data such as cardholder data, banking data,
any non-public customer information, and any other sensitive information that falls under
the purview of a law. It is often at testing times like these that many organizations are
unable to respond effectively and decisively to minimize the damage and potential spread of
the impact.