Computer Forensics - What the Technician Needs to Know
Technibble


The field of computer forensics is becoming more popular as large amounts of data are being stored in electronic format. The more work you do in the field of technology, the more likely it is that you will have to deal with a forensics investigation at some point.

Perhaps you receive a computer that has illegal content on it, or you happen to have a hard drive from a client who is being investigated on criminal charges. The data that you have in your possession now becomes very important in a legal investigation, and you, as a business owner and/or technician, are now part of this investigation. You need to have a basic understanding of forensics and the forensic process in order to avoid legal consequences.

What is Computer Forensics?

“Computer Forensics is the analysis of information contained within and created with computer systems, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved.”
Source

Computer forensics involves maintaining and preserving data in order to ensure its integrity. Data that is tampered with or tainted may not be admissible in court. This is very important for the technician to know should he/she come across any illegal material or data. Most of the time it will require an immediate call to the local authorities, followed by simple preservation and documentation until the data is in the hands of the authorities.

Unless you are a computer forensics technician, you probably won’t be involved in the actual forensics process, aside from the initial “chain of custody” protocol. Knowing that particular data and hardware will need to be protected, and being aware of local laws, could save a technician/business owner many headaches, and perhaps even legal action.

Take time to familiarize yourself (and your staff) with the necessary protocols should you come across illegal or questionable material. You may want to consult with a lawyer regarding written waivers in your documentation should you accidentally delete or corrupt potentially incriminating data.

General Considerations

Individual countries have their own sets of rules and standards regarding proper handling of forensic material. With that in mind, here are a few general questions that would normally be asked as to how permissible computer forensic evidence is in a court of law:

  • Was the evidence corrupted regarding how or where it was collected or stored?
  • Is the chain-of-custody record for the digital data accurate?
  • How are the forensic computers maintained?
  • Are all the software tools used during an analysis legitimate (licensed copies, authorized copies, etc.) and were they validated and verified prior to use?
  • Did the software tools (a) contain bugs? (b) alter or change the evidentiary data?
  • Were scientific principles followed during the analysis of the data?

Source

Please consult your local standards to ensure proper handling of forensic data. In the USA there is NIST (National Institute of Standards and Technology). Here is a link to their computer forensics portal. The NIST site may also provide information or links to different worldwide standards.

In Europe there is ENISA (European Network and Information Security Agency), though local sovereigns may have separate standards.

If you know about specific computer forensics regulations in your part of the world please share them with us!

Resources and further reading:
http://en.wikipedia.org/wiki/Computer_forensics

  • Guillermo Gonzalez says:

    Great info as always Chuck. Keep it coming!

    Guillermo

  • David Carroll says:

    Careful! In Texas you must be a licensed PI or forensic work will land you in the pokey.

    • Johann Taylor says:

      Utah is strict as well. Here you can do all the recovery and investigation you want, but all you are allowed to give the customer is raw data. If you offer any kind of opinion or analysis, you’ve crossed the line. I finally had to call a PI office that I can refer all of this type of work to.
