Friday, May 07, 2010


Many readers of this column have asked me what it takes to become a computer forensic investigator. I will mention the attributes and skills required. Though not exhaustive, I hope they paint a sketch of who a computer forensic investigator is.

One early point to make is that it is very short on glamour and long on hard slogging. It basically requires you to solve an investigative puzzle with some of the pieces missing. You must therefore have an idea of how these devices work, how data in them is saved by various operating systems, and how to describe this to someone else in simple language.

Understanding computer hardware and how a normal operating system works is essential. Formal training is therefore recommended because it will enhance your credibility and accord you the time to test different forensic tools.

As any investigator will tell you, experience counts. Experience will show how things should look so that you can start seeing what should or should not be there. You should know that files can be renamed, what file headers and extensions are associated with a particular file and how application files can masquerade as operating system files.
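A concrete form of "knowing what should or should not be there" is comparing a file's extension with its header (magic bytes). The following is an added example, not code from the original post: a small triage routine that flags files whose extension claims one format while the header says another, for instance an executable renamed to `.txt`. The signature table and the sample file headers are constructed for the illustration and are deliberately incomplete; a real examiner would use a full signature database.

```python
import os

# Constructed table of well-known file signatures (magic bytes) at offset 0.
# These are the publicly documented values for the formats named; the table is
# an illustration, not a complete reference.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx/pptx/jar, which are ZIP containers
    b"MZ": "exe",           # Windows PE executable (also dll, sys, scr)
    b"\x7fELF": "elf",
}

# Extensions that legitimately share a container format with a detected signature.
EQUIVALENT = {
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "jpg": {"jpg", "jpeg"},
    "exe": {"exe", "dll", "sys", "scr"},
    "elf": {"elf", "so", ""},  # ELF binaries often carry no extension on Linux
}

def detect_type(header: bytes):
    """Return the format name whose signature matches the start of `header`, or None."""
    for magic, name in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return None

def classify(filename: str, header: bytes) -> str:
    """
    Compare what the extension claims against what the header says.
    Returns 'match', 'mismatch', or 'unknown' (no signature recognised).
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    detected = detect_type(header)
    if detected is None:
        return "unknown"
    allowed = EQUIVALENT.get(detected, {detected})
    return "match" if ext in allowed else "mismatch"

def triage(files):
    """files: iterable of (name, first_bytes). Returns a list of (name, detected, verdict)."""
    return [(name, detect_type(hdr), classify(name, hdr)) for name, hdr in files]

# Constructed sample inputs: only the first few bytes of each file are needed.
SAMPLE = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.docx", b"PK\x03\x04\x14\x00"),
    ("svchost.dll", b"MZ\x90\x00\x03\x00"),
    ("notes.txt",   b"MZ\x90\x00\x03\x00"),   # executable renamed to look like text
    ("readme.txt",  b"Just some plain text"),
]

if __name__ == "__main__":
    for name, detected, verdict in triage(SAMPLE):
        print(f"{name:14} header={detected or '?':5} -> {verdict}")
```

Only "mismatch" results deserve an examiner's attention; "unknown" simply means the table has no entry, which is why an incomplete signature list produces false negatives rather than false alarms.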

Working from Standard Operating Procedures (SOPs) is a crucial element of computer forensics. They should be followed religiously when handling an incident. These procedures allow you to be absolutely sure you have not contaminated the case with your own data.

Your SOP should have the acronym PPAD as its pillars. This stands for Preserve the data to ensure the data is not changed, Protect the evidence to ensure no one else has access to the evidence, Analyze the data using forensically sound techniques, and Document everything.

You must be a stickler for documentation. Document everything you do, including a log of all your investigative actions. You can’t always rely on your memory a year later, when the case makes it to court, to recall how you conducted the investigation. The legal defense would rather poke holes in the procedures and documentation you used than contest the fact that evidence was found on the device.
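The "Preserve" and "Document" pillars of PPAD above, and the investigative action log called for in this paragraph, can be backed by a few lines of code. The following is an added example, not the author's own procedure: it hashes an evidence file at acquisition, re-hashes it before analysis to prove it is unchanged, and writes every action to an append-only, timestamped case log. The disk image it hashes is a constructed stand-in, and the examiner name and log format are assumptions for the illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so large images never sit in memory

def sha256_file(path: Path) -> str:
    """Compute the SHA-256 of a file, reading it in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

class CaseLog:
    """Append-only, timestamped log of investigative actions (one JSON object per line)."""
    def __init__(self, path: Path, examiner: str):
        self.path = path
        self.examiner = examiner

    def record(self, action: str, **details) -> dict:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "action": action,
            **details,
        }
        with self.path.open("a", encoding="utf-8") as f:   # append only, never rewrite
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self) -> list:
        if not self.path.exists():
            return []
        return [json.loads(line) for line in self.path.read_text(encoding="utf-8").splitlines()]

def acquire(evidence: Path, log: CaseLog) -> str:
    """Preserve: compute and record the acquisition hash of the evidence file."""
    digest = sha256_file(evidence)
    log.record("acquire", file=evidence.name, sha256=digest)
    return digest

def verify(evidence: Path, expected: str, log: CaseLog) -> bool:
    """Re-hash before analysis and log the outcome, whether it passes or fails."""
    digest = sha256_file(evidence)
    ok = digest == expected
    log.record("verify", file=evidence.name, sha256=digest, intact=ok)
    return ok

def demo(workdir: Path = None) -> dict:
    """Constructed walk-through: acquire, verify, simulate contamination, verify again."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp())
    image = workdir / "disk.img"   # constructed stand-in for a forensic disk image
    image.write_bytes(b"constructed sample image contents\n" * 1000)
    log = CaseLog(workdir / "case.log", examiner="examiner-1")  # assumed examiner id
    original = acquire(image, log)
    first = verify(image, original, log)
    # Simulate the evidence being altered, e.g. mounted without a write blocker.
    with image.open("ab") as f:
        f.write(b"x")
    second = verify(image, original, log)
    return {"first_ok": first, "second_ok": second, "entries": len(log.entries())}

if __name__ == "__main__":
    print(demo())
```

The failed second verification is logged just like the successful one: a log that records only the convenient results is exactly what a defense lawyer will look for.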

You must be thorough. Checking and cross-checking all aspects of your investigation is a must. For example, there are various password cracking, imaging and investigative tools on the market. It is very important to personally test and evaluate your tools irrespective of positive testimonies from professional quarters. It is better to be aware of bugs in your tools than to be told about them in court.
