Cyberforensics: The Ultimate Investigative Tool

The right way and the wrong way to run a computer investigation

Last, IT professionals often gravitate to their industry because they get to spend the majority of their time with technology and not with people. Many IT professionals lack good communication skills, and they may not be able to present themselves well in the courtroom, where they will be grilled by lawyers who are often expert wordsmiths. Internal IT staff members' neutrality will also be questioned, since they are paid by the corporation asking them to conduct the forensics examination.

One only has to look at the case of Gates Rubber Co. v. Bando Chemical Industries Ltd. to understand the problems inherent in using IT staff for computer forensics. In this case one side used an internal IT staff member to examine a computer. The employee was not properly trained in computer forensics and actually destroyed seven to eight percent of the information on the computer. This caused the court to issue sanctions in the amount of 10 percent of attorney fees—not a small sum.


Develop the Skills with Training

This is not to say that corporations should not develop their own computer forensics capabilities. Many large corporations have computer forensics examiners or departments, but they work outside of the IT department—a good idea, because IT staff members can be the target of an investigation. A logical place for them is either in the security or legal departments.

Anyone involved in computer forensics should receive the correct training and be given the opportunity to continue learning. There is never a point at which a computer forensics examiner has learned all there is to know about examining computers. Constant training and research and development time are needed to keep a computer forensics examiner's skills sharp. There are numerous training options, but the following series of classes would create a well rounded entry-level computer forensics examiner.

CompTIA A+ Training and Certification. Requiring that an established IT professional pursue A+ training and certification will be a tough sell, since this is a basic IT certification. However, it is a requirement for examiners at the FBI's Regional Computer Forensics Labs, and it ensures that the forensics examiner has a good understanding of hardware. For organizations that have non-technical staff interested in pursuing computer forensics, this is a great foundation class and can be used to determine if the person has the technical aptitude to pursue a career in computer forensics. If they are unable to pass the certification tests after completing the training, then they are probably not suited to the computer forensics profession.

Vendor-Neutral Training. Vendor-neutral training provides information on the concepts behind computer forensics, not just how to use a specific computer forensics tool. The Southeast Cybercrime Institute at Kennesaw State University offers an excellent program that also prepares attendees for the Certified Computer Examiner (CCE) certification. In addition to classroom study, they offer an excellent online program. Visit their Web site for more information: ( Many colleges and universities are beginning to offer cybercrime and computer forensics-related programs. When selecting a program like this, be sure it is designed and taught by experienced computer forensics experts, and not simply by a professor reading out of a book.

Vendor-Specific Training. Once the basic concepts are understood, it is appropriate to move on to vendor-specific training. These classes explain how to conduct computer forensics examinations using specific tools. Well known tools include EnCase Forensic by Guidance Software
(, SMART (for Linux) by ASR Data (, and the Forensic Tool Kit by AccessData ( These are excellent tools, and their developers offer top-notch training programs.

Network Training. Because it is extremely rare to find a stand-alone computer, it is important to have a basic understanding of networking concepts. Programs like CompTia's Network + or a similar college-level program would be extremely helpful.

After this series of training programs, staff should pursue advanced and specialized training to handle complex investigations and additional devices, such as personal digital assistants and cell phones.


Hire an Expert