Copyright (c) 2009 Ed Opperman
A computer forensic examination consists of the preservation, identification, extraction, and interpretation of documents that have at one point been stored on a computer. Whether you are looking for evidence from a crime or are simply looking to find information about your spouse, a Certified Computer Forensic Examiner can perform such an examination in six steps.
The first step the examiner will take is establishing a chain of custody. It is important that the examiner knows where any items related to the investigation are located at all times. Often a place like a safe or cabinet is the best way to secure the items.
Next, the examiner will catalog all relevant information, including active, archival and latent data. Deleted information will be recovered if at all possible, and any encrypted or password-protected information will be identified. During this process, an exact image of the hard drive will be made, and the image is then authenticated against the original to ensure it is an exact copy.
From there, additional sources of information will be obtained depending on how the computer forensic examination is going and what the circumstances are. Additional sources that may need to be obtained include firewall logs, proxy server logs, Kerberos server logs or sign-in sheets.
The fourth step of the examination is to analyze and interpret all of the information in order to determine what can be used as evidence. The examiner will look for both exculpatory and inculpatory evidence to solidify a decision. In order to ensure the accuracy of the decision, encrypted files and password-protected files will be identified.
After all of the information and evidence needed for the case has been collected, a written report will be submitted to the client with whatever findings and comments the investigators have.
Finally, the investigator will provide expert witness testimony at a deposition, trial, or some other form of legal proceeding. Keep in mind that you cannot perform a computer forensic examination on your own. A certified examiner uses licensed equipment that will prevent tainting the evidence and ultimately ensure its validity in court.
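The image authentication in step two is normally done by hashing both the original and the copy and comparing the digests. The sketch below performs that check and produces a custody-log entry; it is an added example, not taken from the article, and the file names, examiner name, item ID, log fields and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large image never sits in memory

def digest(path, algo="sha256"):
    """Stream a file (or raw device node) through a hash; return (hex digest, bytes read)."""
    h, size = hashlib.new(algo), 0
    with open(path, "rb") as f:  # read-only; the original should also sit behind a write blocker
        while block := f.read(CHUNK):
            h.update(block)
            size += len(block)
    return h.hexdigest(), size

def authenticate_image(original, image, examiner, item_id):
    """Hash original and image, compare them, and return a custody-log entry (hypothetical fields)."""
    src_hash, src_size = digest(original)
    img_hash, img_size = digest(image)
    return {
        "item_id": item_id,
        "examiner": examiner,
        "utc_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "original_sha256": src_hash,
        "image_sha256": img_hash,
        "original_bytes": src_size,
        "image_bytes": img_size,
        "verified": src_hash == img_hash and src_size == img_size,
    }

def demo():
    """Constructed sample: a 3 MiB stand-in drive, a faithful copy, and a copy with one flipped bit."""
    with tempfile.TemporaryDirectory() as d:
        drive, good, bad = (os.path.join(d, n) for n in ("drive.raw", "good.dd", "bad.dd"))
        data = os.urandom(3 * CHUNK)
        altered = bytearray(data)
        altered[2 * CHUNK + 5] ^= 0x01  # single-bit change deep inside the image
        for path, content in ((drive, data), (good, data), (bad, bytes(altered))):
            with open(path, "wb") as f:
                f.write(content)
        return (authenticate_image(drive, good, "examiner-01", "ITEM-001"),
                authenticate_image(drive, bad, "examiner-01", "ITEM-001"))

if __name__ == "__main__":
    for entry in demo():
        print(json.dumps(entry))
```

Appending each entry to a log kept with the evidence lets the same hash be recomputed later to show that the image has not changed since acquisition.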
When looking for a computer forensic examination, make sure you seek help from a certified examiner. They will be able to help you with whatever problem you have or evidence you are looking to obtain. When performing the examination, the examiner will go through the six steps listed in this article in order to do so legally and efficiently.