
InfraGard IGTV Session

How to Assess a Computer Forensic Examiner

Biography
I am a certified computer forensic examiner who has been practicing in the field since 2001. I have worked on both criminal and civil cases ranging from child pornography to Intellectual Property theft. As I go through the talk you will find that although there are some different constraints between civil and criminal work in seizing evidence, as regards Forensic Process and Procedure there is only one right way.

Expert Computer Forensic Examiner


The purpose of using a Forensic expert is so that the evidence will be able to hold up in a court of law. The evidence must be "trustworthy" and the person that collects and examines the evidence must be seen as "trustworthy". In order for this to happen an experienced Computer Forensic Examiner must be the one to complete this task.
An expert will never work directly on the original data. The examiner will create a forensic image and work with the copy of the data.

Information Gathering

What are the first steps in selecting a Forensics Examiner?

The examiner should be asked for a current CV and references. If you have any contacts at HTCIA, or if you know anyone on the ISFCE or in an established forensic group, your contact can send an email to the group, as is customary, and a local examiner will respond.

II. Strategic Questions you should be asked by the Forensic Examiner


Is there a protection order in effect?

Is this a civil, criminal, or pre-emptive action? Will this be a hostile collection?


Are there any unusual physical circumstances that you are aware of (i.e. different buildings, no elevators, limited parking, or strict working hours)?

How many machines are targeted for collection?

How many servers are involved?
a. Is email requested?
b. How many custodians?

These are basic questions that help the examiner to assess the situation and, if necessary, advise the client on possible preliminary action. For example, from the beginning stages the expert must advise how to preserve evidence, giving best-practice instructions so that nobody tampers with the evidence. The examiner must use state-of-the-art forensic tools and must be able to determine whether a forensic examination is necessary, the scope of the examination, and whether the examination will aid your case.

How to collect/preserve evidence until an expert arrives

Your responsibility


Do you need a search warrant or a letter of preservation?

Maintain the Chain of Custody

Once a computer is seized, a list of everyone who comes in contact with the evidence is maintained. This should include only members of the investigative unit or law enforcement.
All distinguishing characteristics of the media, such as the make, model and serial number of the computer, should be recorded on the document. If the computer was on, what was on the screen and the surrounding area should be photographed.

Why can't I take a copy of the files or preview the original?


Two reasons. First, if you copy data or open files without using forensic techniques and proper software, you will alter the metadata and possibly contaminate the evidence. At that point you have damaged your own case.

The second reason involves missing possible valuable information. A simple example of why expertise is needed to preview evidence:

So the process must be:


verifiable
repeatable
documented
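As an added illustration (not from the talk) of working only on a verified image and of a verifiable, repeatable, documented process, the following Python hashes a source and its image, records a chain-of-custody entry, and re-verifies the image before later work. It uses a constructed in-memory byte string in place of a seized drive, and the custodian and media details are hypothetical.

```python
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for seized media. In practice the source is a
# write-blocked block device, never an in-memory copy.
SOURCE_MEDIA = b"constructed sample drive contents " * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> tuple[bytes, dict]:
    """Bit-for-bit copy of the source plus the hashes proving the copy matches.

    The source hash is taken first; the image hash is taken after the copy,
    and the two must agree before the image is used for any examination.
    """
    source_hash = sha256_hex(source)
    image = bytes(source)  # the working copy the examiner analyses
    image_hash = sha256_hex(image)
    return image, {
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }


def coc_entry(custodian: str, action: str, media: dict, verification: dict) -> dict:
    """One chain-of-custody record: who, what, when, and identifying details."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "action": action,
        "media": media,  # make, model, serial number
        "verification": verification,
    }


def reverify(image: bytes, expected_hash: str) -> bool:
    """Re-run before each session to show the working copy is unchanged."""
    return sha256_hex(image) == expected_hash


if __name__ == "__main__":
    media = {"make": "ExampleCo", "model": "Model-X", "serial": "SN-CONSTRUCTED"}
    image, verification = acquire_image(SOURCE_MEDIA)
    log = [coc_entry("Examiner A (hypothetical)", "forensic image created", media, verification)]
    print(json.dumps(log, indent=2))
    print("image still verifies:", reverify(image, verification["image_sha256"]))
```

A single altered byte in the working copy makes `reverify` return False, which is the point of hashing at acquisition time rather than later.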

So what could go wrong?


If the chain of custody (COC) is broken, the entire case is thrown out.

A trained examiner understands that there are legal constraints, i.e., the search warrant, who owns the computer (an individual or a company), proving who was sitting behind the computer, and what the computer is attached to, such as another system or device. Avoid spoliation of evidence.

This process has to be repeated anytime the control of evidence is changed.

Why does it matter how you shutdown the computers during an investigation?

Conclusion
Successfully recovering any form of data is a cooperative effort between lawyers and technical experts. The lawyer needs to understand the process, get authorization to access the data, and supply supporting information to help the investigator narrow the scope of the investigation. The technical experts need to examine the data while preserving the Chain of Custody and following best practice to authenticate what will be presented at the outcome of the investigation.
