Cyberforensics: The Ultimate Investigative Tool

The right way and the wrong way to run a computer investigation


If you do not have the staffing or interest to train an internal employee, you can hire an expert to assist with your computer forensics needs. When hiring a third-party expert, be sure to verify their credentials. Many firms and individuals think they can buy a piece of software, take one computer forensics class and suddenly be an expert. To identify these people, ask what software they use for investigations. If they respond with the name of a single software product, move on. Not all software performs perfectly all the time. If a firm relies on one piece of software, what will they do when the software hangs or fails? The expert's reply to this question should be along the lines of, “We use multiple tools and choose the tool best suited to each project.”

Look for involvement in the High Technology Crime Investigation Association (HTCIA). This organization comprises both law enforcement and private-sector computer forensics examiners. The knowledge shared at monthly meetings is invaluable, but more important, HTCIA-sponsored training conferences provide some of the most cost-effective training opportunities available. Their annual conference includes hands-on labs and training programs by industry experts. Locally sponsored regional conferences are also a good value, such as the Southeast Cybercrime Summit sponsored annually in March by the Atlanta Chapter.

Also look for established certifications. One certification is the Certified Forensic Computer Examiner, which is sponsored by the International Association of Computer Investigative Specialists. This certification is only available to law enforcement personnel, but retired personnel can generally recertify. This is an extremely challenging certification to achieve.

Arguably, the most established computer forensics software in use is EnCase by Guidance Software. Experts using this program should hold the EnCase Certified Examiner Certification (EnCE). AccessData recently developed the AccessData Certified Examiner (ACE) certification for the users of its products.

A popular certification maintained by the International Society of Forensic Computer Examiners is the Certified Computer Examiner certification. If a computer forensics examiner holds this vendor-neutral certification in combination with any of the previously mentioned certifications, he or she is well trained and experienced.

When evaluating certifications, you may see people offering the Certified Information Systems Security Professional (CISSP) certification as an indication of their computer forensics capabilities. While the CISSP is an excellent information technology security certification, it is not a computer forensics certification.


New Tools

Historically, computer forensics has been used reactively, to determine the activities of someone suspected of some form of misconduct. The normal procedure is to seize the computer of the person in question, make an exact copy of their hard drive (maintaining data integrity) and then search the image for relevant materials. This can be cumbersome and can notify the person in question that they are under investigation.
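The image-verify-search sequence described above, as an added illustration that is not part of the original article: a constructed byte string stands in for the seized drive, the acquisition hash is computed while the copy is made, the finished image is re-hashed independently before any examination, and keyword searching runs against the image rather than the original media. The sector size and the hypothetical imaging functions are assumptions for the example.

```python
import hashlib
import io

# Constructed sample "drive" standing in for a seized disk (not real evidence):
# a zeroed boot area, a few bytes of header, slack space and one text fragment.
SAMPLE_DRIVE = (b"\x00" * 512 + b"MBR-like header " + b"\x00" * 200
                + b"confidential memo: project falcon" + b"\xff" * 300)
SECTOR = 512  # acquisition block size; an assumption for this example

def image_device(device):
    """Read `device` sector by sector into an image, hashing the bytes as they
    are read. Returns (image_bytes, acquisition_sha256)."""
    h = hashlib.sha256()
    out = io.BytesIO()
    for block in iter(lambda: device.read(SECTOR), b""):
        h.update(block)
        out.write(block)
    return out.getvalue(), h.hexdigest()

def verify_image(image, expected_sha256):
    """Independently re-hash the finished image and compare it with the hash
    recorded at acquisition; any altered byte changes the digest."""
    h = hashlib.sha256()
    for off in range(0, len(image), SECTOR):
        h.update(image[off:off + SECTOR])
    return h.hexdigest() == expected_sha256

def search_image(image, keyword):
    """Return every byte offset where `keyword` appears (case-insensitive),
    searching the verified image rather than the original drive."""
    hay, needle = image.lower(), keyword.lower().encode()
    hits, pos = [], hay.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = hay.find(needle, pos + 1)
    return hits

def acquire_and_examine(raw_device, keyword):
    """Full workflow on a constructed device: image, verify, then search.
    Examination is skipped if the image does not verify."""
    image, acq_hash = image_device(io.BytesIO(raw_device))
    verified = verify_image(image, acq_hash)
    hits = search_image(image, keyword) if verified else []
    return acq_hash, verified, hits

if __name__ == "__main__":
    digest, ok, offsets = acquire_and_examine(SAMPLE_DRIVE, "falcon")
    print(f"acquisition sha256={digest}\nverified={ok}\nhits at offsets={offsets}")
```

On a real case the acquisition hash is recorded in the chain-of-custody documentation and re-checked each time the image is opened.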

There are now computer forensics tools that allow an examiner to image and examine a live system across a network. These tools, like EnCase Enterprise, provide the opportunity to examine live systems, which means it is possible to capture volatile data such as memory, open ports and running processes. This expands the computer forensics realm into the world of incident response, capturing data from a system after it has been compromised. In addition to EnCase Enterprise, other products for “across the wire” examinations include Online Digital Forensics Suite from ATC-NY (www.atc-nycorp.com/Products.html) and ProDiscover Incident Response by Technology Pathways (www.techpathways.com/ProDiscoverIR.htm).

Most investigations will be incomplete if they don't include the use of computer forensics tools and experts. Don't neglect to follow proper procedures and protocols, and use properly trained examiners to ensure your investigation will uncover every bit of hidden information.

John Mallery is a managing consultant for BKD, LLP, one of the 10 largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. Mr. Mallery is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill. He can be reached at jmallery@bkd.com.