
CHAPTER 8 Difference between Computer and Digital Forensics Experts

Table 8.2 Legal Expertise Comparisons

| Forensics Expert | Computer Expert |
| --- | --- |
| Chain of custody | Unlikely |
| Search warrant affidavits | None |
| Discovery motions and subpoenas | None |
| Assist with trial preparation | Unlikely |
| Can qualify as a computer forensics expert in court | May qualify as a computer expert in court |
| Adheres to ethics guidelines for forensics examiners | Not applicable |

• training in forensic analysis techniques to examine file data, file system metadata, operating system artifacts, and discrete file evidence.

Table 8.2 begins to show the gap between the expertise of a computer expert and a digital forensics expert. This is a critical distinction when dealing with digital evidence in legal matters where your case may hinge on adhering to proper chain of custody, evidence handling, and whether or not evidence was obtained within the scope of a warrant or court order. The reason this is so important is that during the voir dire process of qualifying someone as a computer forensics expert, these areas will be addressed by the court through examination of the expert's work history, specific forensics training, specific forensic certifications, prior testimony, and prior publications.

8.4 INVESTIGATION OF DIGITAL EVIDENCE

Computer experts do not have a need to understand examination of digital evidence. No computer training course deals with this type of knowledge, nor should it. If you attend computer training courses, you will find that the focus is on a specific topic such as using Windows, or writing applications, installing server software, or implementing network security. Whether the course is covering software development or installation and maintenance of a server, the ultimate goal is always to provide a service to end users.

Once a person begins to attend courses related to obtaining electronic evidence and subsequently examining that evidence, they are now crossing over into the forensics side. For example, taking courses in network security normally progresses from simply setting up perimeter devices such as firewalls, to analyzing the logs of the firewalls and intrusion detection systems, as well as server logs, to determine attack vectors, culpability, and remediation of a breach. This is network forensics.

8.4.1 What does it mean to "investigate"?

To the layman, investigating a computer might include determining what someone has been doing on the Internet; for example, has my employee been surfing porn