1. What is Computer Forensics?
Computer Forensics is the use of specialized techniques for discovery, recovery, authentication and analysis of electronic data when an investigation or litigation involves issues relating to reconstruction of computer information, usage and examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer forensics requires specialized tools and expertise that go beyond the normal data collection and preservation techniques available to end-users or system support personnel. Computer Forensics generally requires strict adherence to chain-of-custody protocols.
2. What is the cost of a Computer Forensics investigation?
The cost of a Computer Forensics investigation is normally based upon an hourly rate plus expenses incurred. There are some examiners who charge using flat rates for extended services. The total cost will depend upon the complexity of the issues and the time involved. More time is usually required in the analysis and interpretation phase than in the initial acquisition of the data.
3. When should Computer Forensics be employed?
Computer Forensics may be employed in cases of: unauthorized copying or disclosure of sensitive business data (such as customer databases, company trade secrets, price lists and employee payroll records), whether by accident or by intent; fraud or deception; Internet abuse by employees, including downloading of pornography; industrial espionage by hackers or crackers; recovery of data thought to be deleted; revealing data that has been hidden or included in temporary or swap files; and access to encrypted or password-protected data.
4. What should I do if I think that computer evidence will be involved in a legal matter?
Do not attempt to conduct any sort of review or analysis yourself. In other words, leave any review or analysis to an expert in computer/digital evidence forensics. This will avoid the inadvertent writing of data to the hard drive, potentially overwriting evidence that may exist on the drive. Also, keep a manifest log of who is in possession of the computer at all times. Never try to search for the evidence yourself. This can possibly get your case thrown out of court.
5. How do I know if an examiner is qualified to perform the investigation on my hard drive for my specific case?
Certifications and accreditations alone do not necessarily assure you that a particular examiner has the experience necessary to work on your specific case. Such credentialing merely means that the examiner has passed certain examinations; most of those exams concentrate on the use of a particular brand of software. Request a Curriculum Vitae (CV) with references from the examiner. Ask the examiner about the types of cases that he/she has worked and the results of any that have gone to court. Ask about their most complex case, their most recent case, and the total number and types of cases the examiner has personally worked on and provided Expert Witness Testimony, a Deposition, or a report after the examination. Look for a balance between certification and experience.