Choosing an Expert
Computer Forensics requires specialized expertise that generally goes beyond normal data
collection and preservation techniques available to end-users or system support personnel.
As with choosing any other expert, it is crucial that Mega-Corp scrutinizes the computer
forensic expert's qualifications and experience. The expert must have the proper
experience and training to successfully identify and attempt to retrieve possible evidence
that may exist on a computer system.
The Problem
In the field of digital forensics, there is no governing body at the national or state level that
accredits examiners as being competent in their field. The industry does not have a bar
exam or other accreditation system to ensure that experts have even the minimum
qualifications necessary to practice in this field. This means that anyone can call themselves
a digital forensics examiner regardless of their capabilities, experience, or competence. This
is why the selection process of a digital forensics expert is so critical.
Some guidelines
Investigation firms that truly specialize in computer forensic investigations are few and far
between. Most private investigators don't have the experience or understand the sensitive
legal issues involved in dealing with situations that could result in costly litigation. Here are
some crucial guidelines for finding a qualified investigation firm to perform computer
forensic investigations:
Agreements and Fees: Experienced and reputable firms provide proposals and contracts
prior to accepting cases. If one is not provided, request a projected budget estimate at the
very least. It's common to pay a retainer at the start of the case. However, it's perfectly okay
to ask the firm for references before making a payment.
Attorney and Law Enforcement Involvement: Experienced investigators understand the
relevance of involving qualified counsel in the investigation. Firms that do not seek to
involve your legal counsel should not be retained to conduct your investigation. The decision
to prosecute the illegal acts of your current or past employees lies between you and your
legal counsel and, ultimately, the District Attorney's or United States Attorney's office.
Prosecution can be quick and easy or time consuming, complicated and expensive,
depending on certain variables. A competent Private Investigation firm can let you know in
advance the probable amount of time your case would require if prosecuted. Generally, the
better job your investigator does, the faster your case will go through the court system. In
fact, less than 5% of people prosecuted as a result of our investigations actually go to trial.
Instead, they opt to "cop a plea" in the face of a bewildering amount of solid evidence.
Experience: Ensure the firm, as well as the employees assigned to your case, have the
experience and qualifications necessary to conduct the investigation. Very few investigation
firms specialize in workplace-related investigations. Choose a firm that is familiar with
employment law-related investigations, that knows criminal law, and that is familiar with civil
torts and union environments. The firm must know how to navigate areas that present a
legal minefield--one wrong move can lead to unwanted litigation.
Insurance: All reputable private investigation firms carry general liability insurance. Some
states require insurance prior to issuing a license. Ask for a certificate of insurance and
ensure the coverage is "per occurrence," not "claims-made."
Proof of License: Private investigators are required to be licensed in all but eight states
(Alabama, Alaska, Colorado, Idaho, Mississippi, Missouri, South Dakota, Wyoming). Florida,
Georgia, Louisiana and Oregon have limited reciprocity agreements with California. When
going to another state for investigative services, request a copy of their license, or their
required permits or business licenses. Perform your own due diligence to avoid vulnerability
to litigation.
References and Reputation: Reputations vary widely in our industry. Quality investigation
firms are well known in the business community and are active in their professional trade
associations. Require no less than three references, and check them thoroughly. Ask about
their litigation and claims history and experience.
Reports: Detailed reports should immediately follow all investigative assignments. A report
should be submitted prior to the invoice unless a retainer is required. The information
provided in a report should be concise and accurate. Don't hesitate to ask for report or
statement samples.
Willingness to Testify: Before the investigation begins, you should verify the willingness of
all private investigators to testify, if necessary, in court in criminal, civil, unemployment
hearings or arbitrations. If the
investigation begins. If the investigator is subject to subpoena or deposition, the firm hiring
investigators is generally expected to pay the investigator's fees and expenses for time
spent in trial testimony and preparation for trial, even if the Company did not ask the
investigator to be in court.
Certifications and Training: Certified Computer Examiners (CCEs) may hold multiple
certifications in a variety of disciplines, the most prestigious of which is the Certified
Forensic Computer Examiner (CFCE). Less than 10% of applicants actually attain this.
Another respected certification you may consider is that of a Certified Electronic Evidence
Collection Specialist (CEECS). This speaks to credibility and involvement in the computer
forensics community. In short, only hire a professional person with the qualifications to do
the job.
Leading Computer Forensic Certifications
The following four credentials represent the most popular and well-respected computer
forensic certifications, which we list along with their websites:
Certified Computer Examiner (CCE): http://www.certified-computer-examiner.com
Computer Forensic Computer Examiner (CFCE): http://www.iacis.com/certification/external_overview
Computer Hacking Forensic Investigator (CHFI): http://www.eccouncil.org/certification/computer_hacking_forensic_investigator.aspx
Professional Certified Investigator (PCI): http://www.asisonline.org/certification/pci/pciabout.xml
Solomon, Michael G., Rudolph, K., and Tittel, Ed. Computer Forensics JumpStart (2nd Edition).
Hoboken, NJ, USA: John Wiley & Sons, 2011. ProQuest ebrary. Web. 1 February 2015.
Copyright 2011. John Wiley & Sons. All rights reserved.
Tools of the Trade: Determine whether your potential investigators really have a full-scale
computer forensics laboratory. Some purported experts simply "make do" with whatever
equipment they have. As new technology is always emerging, state-of-the-art labs include
frequent software and equipment updates.
The primary federal law enforcement agencies that investigate domestic crime on the
Internet include: the Federal Bureau of Investigation (FBI), the United States Secret Service,
the United States Immigration and Customs Enforcement (ICE), the United States Postal
Inspection Service, and the Bureau of Alcohol, Tobacco and Firearms (ATF). Each of these
agencies has offices conveniently located in every state to which crimes may be reported.
Contact information regarding these local offices may be found in local telephone
directories. In general, federal crime may be reported to the local office of an appropriate
law enforcement agency by a telephone call and by requesting the "Duty Complaint Agent."
Each law enforcement agency also has a headquarters (HQ) in Washington, D.C., which has
agents who specialize in particular areas. For example, the FBI and the U.S. Secret Service
both have headquarters-based specialists in computer intrusion (i.e., computer hacker)
cases.
Internet-related crime, like any other crime, should be reported to appropriate law
enforcement investigative authorities at the local, state, federal, or international levels,
depending on the scope of the crime. Citizens who are aware of federal crimes should report
them to local offices of federal law enforcement.
To determine some of the federal investigative law enforcement agencies that may be
appropriate for reporting certain kinds of crime, please refer to the following table:
Type of Crime
Password trafficking
Counterfeiting of currency
Trademark counterfeiting
Theft of trade secrets / Economic Espionage
Information
CERT Coordination Center http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
Computer Forensics, Cybercrime and Steganography Resources http://www.forensix.org/links
Department of Defense Cyber Crime Center http://www.dc3.mil/home.php
Department of Defense, National Industrial Security Program Operating Manual (clearing and sanitizing standard) DoD 5220.22-M http://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf
Department of Justice Computer Crime and Intellectual Property Section http://www.cybercrime.gov/
FBI National Computer Crime Squad http://www.tscm.com/compcrim.html
Federal Guidelines for Searching and Seizing Computers http://www.knock-knock.com/federal_guidelines.htm
National Institute of Justice Forensic Sciences http://www.ojp.usdoj.gov/nij/topics/forensics/welcome.htm
National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC). (CSRC is maintained by the Computer Security Division of the NIST.) http://csrc.nist.gov/groups/SMA/ate/
National White Collar Crime Center http://www.nw3c.org/
National Institute of Standards Technology (NIST) Computer Forensic Tool Testing Program http://www.cftt.nist.gov/
SANS Information Security Reading Room http://www.sans.org/reading_room/
Scientific Working Group on Digital Evidence http://www.swgde.org/documents/current-documents/
United States Secret Service http://www.forwardedge2.com/pdf/bestPractices.pdf
U.S. Secret Service Electronic Crimes Task Forces and Working Groups http://www.secretservice.gov/ectf.shtml
Organizations
Digital Forensic Research Workshop (DFRWS 2011) http://www.dfrws.org/
High Tech Crime Consortium http://www.hightechcrimecops.org/
High Technology Crime Investigation Association (HTCIA) http://htcia.org/
International Association for Identification (IAI) Scientific Working Group on Digital Evidence http://www.theiai.org/disciplines/digital_evidence/index.php
International Association of Computer Investigative Specialists
International Information Systems Forensic Association (IISFA) http://www.iisfa.info/certification.htm
International Organization on Computer Evidence (IOCE) http://www.ioce.org/
Publications
Digital Forensics Magazine: Supporting the Professional Computer Security Industry http://www.digitalforensicsmagazine.com/
Digital Investigation: The International Journal of Digital Forensics and Incident Response (Elsevier) http://www.elsevier.com/wps/find/journaldescription.cws_home/702130/description
Forensic Examination of Digital Evidence: A Guide for Law Enforcement by the National Institute of Justice http://www.ojp.usdoj.gov/nij/pubs-sum/199408.htm
International Journal of Digital Evidence (IJDE) (Utica College) http://www.utica.edu/academic/institutes/ecii/ijde/
iPhone Forensics by Jonathan Zdziarski http://www.zdziarski.com/blog/?page_id=213
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual; Computer Crime and Intellectual Property Section Criminal Division of the United States Department of Justice http://www.cybercrime.gov/ssmanual/index.html
Training
AccessData Group, LLC http://www.accessdata.com/training
Cyber Security Institute http://www.cybersecurityinstitute.biz/
DIBS USA, Inc. http://www.dibsusa.com/
EC-Council iClass online learning program https://iclass.eccouncil.org/
Global Digital Forensics, Inc. http://www.evestigate.com/Computer_Forensic_Training.htm
Guidance Software http://www.guidancesoftware.com/computer-forensics-training.htm
High Tech Crime Institute http://www.gohtci.com/index.php?q=category/division/training
Indiana Forensic Institute http://www.ifi-indy.org/
International Association of Computer Investigative Specialists (IACIS) http://www.iacis.com/training
Key Computer Service CCE Bootcamp http://www.cce-