banner ad

Share |

Abstract
Proper procedures in computer forensics must be followed in any investigation relying on computer or electronic information, regardless of an expert's underlying field of expertise.

Computer Forensics is the art and science of retrieving, validating, and analyzing information related to operation of an electronic device. Familiarity with Computer Forensics has become increasingly important for expert investigations in order to produce accurate and defensible reports and opinions. Expertise in Computer Forensics, or at least familiarity with its established policies, is therefore a valuable credential on any expert's resumé.

Data Sources: Personal computers remain the most common data source in most expert evaluations. However, electronic devices such as digital cameras, cash registers, and security systems all contain data with potentially important information. Such information is relevant to forensic examinations in a variety of technical and commercial areas. Proper retrieval, storage, and extraction of computer data is therefore important to any forensic situation involving computerized information.

Examples: a labor relations expert uses wage data from an electronic time clock; an accounting expert deciphers financial data from a damaged computer disk; or an engineering expert analyzes configuration data from an industrial automation system. As each of these cases evolve, the retrieved electronic information will foster conclusions that may later be challenged as coming from "bad data." The subject-matter experts may be well versed in labor or finance or engineering, but what are their skills in verifying computer data? Any attorney engaging an expert should address this concern long before the opposing attorney addresses it in deposition.

Traditional Solution: Verification of data sources often relied on a separate Computer Forensics Consultant to augment the subject-specific expert. This after-the-fact approach presented at least two problems: 1) engagement of the forensics team often came too late to salvage verifiable data, and 2) forensics experts typically had a narrow focus that limited their value in the non-computer matter under investigation, thereby increasing costs and time associated with data analysis.

Increased Efficiency: A more streamlined plan is engagement of a subject matter expert who also possesses credentials in Computer Forensics. Although the primary expert may not personally perform all aspects of Computer Forensics, he/she will follow proper procedures to avoid forensic pitfalls while outsourcing mundane data-recovery tasks to a properly equipped computer lab. This results in the most efficient use of time and expense while maintaining a secure and defensible data source throughout the investigation.

Why me?: The engineering example listed above is typical of my own practice area--Industrial Automation and Control Systems. Concerns about prior engagements involving automated equipment encouraged me to seek and obtain formal credentials in Computer Forensics to augment my engineering pedigree. Attorneys should realize that the seemingly unimportant computers and their vast resource of data may eventually receive more critical attention than the technical findings they produced. Basic competence in Computer Forensics is therefore a useful addition to my expert toolbox.

Formal Credentials: Although I have engineering licenses issued under various state laws, no equivalent certifications exist for Computer Forensics. This statutory void is being filled by academic organizations who set their own Computer Forensics standards, and also provide software and training to meet them. These programs generally target computer technicians in law enforcement and government, with entrance requirements based on both technical credentials and security checks. Engineers such as myself with extensive low-level computer experience and unblemished careers are welcome candidates for forensics training.

Heading West: My goal for certification wasn't to seize business computers at midnight, or catch an online pedophile. I wanted a solid foundation on the technical and legal aspects of Computer Forensics to help avoid problems in the future. I chose the certification program sanctioned by Oregon State University, and operated by New Technologies Incorporated (NTI), based on its mix of technical and procedural content. After attending the program and attaining my certification, I procured the specialized hardware and software required to support my expert work.

Applying my Certification: As an expert consultant, I no longer simply copy disks and concentrate on their content. I Instead apply proper forensic procedures to ensure that the data I obtain, and the results they produce, can withstand rigorous scrutiny long after the chance to "do it over" is gone.

Bottom line: Don't overlook Computer Forensics in any matter involving electronic data. Either engage a Computer Forensics expert on Day One, or even better, engage a subject-specific expert who can also apply and manage proper forensics procedures as part of their overall service.

Share |


Arthur Zatarain consults in technology and intellectual property through Artzat Consulting, LLC. He also is vice president of TEST Automation & Controls, a provider of industrial systems worldwide.

See Mr. Zatarain's Listing on Experts.com.

©Copyright - All Rights Reserved

DO NOT REPRODUCE WITHOUT WRITTEN PERMISSION BY AUTHOR.