
Competencies and certification

In document Computer & Intrusion Forensics pdf (Page 182-186)

Determining what level of competency is acceptable for presenting computer forensic evidence in court has always been a complex question with many jurisdictional implications. Acceptance of evidence from expert witnesses varies widely across jurisdictions, and the difficulty of computer forensic examination is compounded by the lack of international standards described previously. Fortunately, the IOCE and SWGDE have risen to the challenge and are attempting to address this inadequacy. The issue of acceptable training and, more to the point, certification is more complex than just the lack of an international standard of practice. Key Computer Service in Florida, a computer forensic training and examination company, has compiled a series of questions to ask in order to determine whether a computer forensic examiner is competent to undertake a commercial litigation examination [70]. The questions that they deem relevant are as follows (permission from John Mellon, Key Computer Service Inc., to reproduce this material is gratefully acknowledged):

What are the examiner’s qualifications?

1. Can the examiner testify in court as an expert if necessary?

2. Has the examiner testified in court previously?

3. How many forensic examinations have they conducted in the past?

4. Does the examiner hold any certifications in computer forensic examination?

5. Where did the examiner receive his training?

Does the examiner understand all of the techniques and issues described below to conduct an examination, or is he/she relying on one software suite to conduct the examination?

1. It is the examiner who must qualify as an expert witness, not the software.

Is the examiner familiar with the particular operating system that you wish to be examined?

1. What type of operating system are you dealing with?

2. Is it a standalone computer?

3. Is it MS-DOS, Microsoft Windows or UNIX?

4. Is it a network?

5. If so, what kind of network?

Is the examiner knowledgeable about acquiring magnetic data and can the individual advise about processes to be followed during the original acquisition of the media?

1. Is this a voluntary or an involuntary collection of data?

2. What procedures does the examiner recommend to preserve the original data during acquisition?

3. Will the recommended procedures reduce the potential of someone trying to destroy evidence while it is being collected?

What does the examiner do to preserve the original media from accidental writes, viruses, and booby traps?

1. Will these procedures prevent the introduction of viruses and prevent the accidental destruction of data?

2. Does the examiner work from a forensic duplicate or bit stream copy?

3. If so, what software is used?

4. If not, completely avoid them!!!

Does the examiner have the knowledge, skill, and software to recover deleted files?

1. Has the individual simply explained how files are stored, deleted, and recovered?

2. Has the examiner explained how Microsoft Windows long file names are stored and recovered? Ask them if they must be recovered.

Does the examiner have the knowledge, skill, and software to recover a formatted drive or diskette?

1. Has the individual simply explained what happens when a drive or diskette is formatted and how this data is recovered?

Does the examiner have the knowledge, skill, and software to find and recover hidden files?

1. Has the individual explained some common methods used to hide files?

Does the examiner have the knowledge, skill, and software to recover password-protected files?

1. Has the individual explained the two basic methods used to password protect files or data?

2. Does the individual use software solutions?

3. If so, what software?

4. What approach is adopted for RSA, PGP, or other difficult to break password protection schemes?

Does the examiner have the knowledge, skill, and software to find, access, and translate the Microsoft Windows swap, temporary, cache, and similar files?

1. What is the exact file name of the Microsoft Windows swap file?

2. Where is it normally stored? (two places)

3. Is it dynamic and how big can it become?

4. Has the examiner explained what general types of applications keep temporary files?

5. Has the individual discussed Internet cache files?

6. Has the individual explained cookies?

Does the examiner have the knowledge to provide sound opinions on file creation, access, deletion dates, and similar topics?

1. What dates and times are stored in all Microsoft Windows file entries?

Does the examiner have the knowledge, skill, and software to recover data in unallocated space that cannot be linked to a directory entry?

1. How does the examiner do this?

2. What software is employed?

3. How thorough is this search and recovery of data from unallocated space?
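The question block above asks how an examiner recovers data that no directory entry points to. The usual answer is signature carving: scan the raw bytes of the image for known file headers and footers, ignoring the file system entirely. The example below is an added illustration of that technique, not code from the book or from Key Computer Service; the disk image it scans is constructed in memory, with a JPEG-like object, a PNG-like object and a header-only (overwritten) JPEG planted at known offsets in signature-free filler.

```python
"""Signature-based carving of files from the unallocated space of an image.

Added example, not code from the original text. The image is constructed
below; the offsets and payloads are ours, chosen so the expected hits are
known in advance.
"""

# Header and footer magic for two common types. The JPEG footer is the EOI
# marker; the PNG footer is the IEND chunk type followed by its fixed CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(image: bytes, max_len: int = 64 * 1024) -> list:
    """Return one dict per header found: type, offset, length and whether a
    matching footer was located within max_len bytes. No directory entry is
    consulted; the search runs over the raw bytes, which is what recovery
    from unallocated space means."""
    hits = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(foot, pos + len(head), pos + max_len)
            if end == -1:
                # Header without a footer in range (overwritten or fragmented
                # file): report a partial hit rather than dropping it.
                hits.append({"type": kind, "offset": pos, "complete": False,
                             "length": min(max_len, len(image) - pos)})
                pos = image.find(head, pos + len(head))
            else:
                length = end + len(foot) - pos
                hits.append({"type": kind, "offset": pos, "complete": True,
                             "length": length})
                pos = image.find(head, pos + length)
    return sorted(hits, key=lambda h: h["offset"])


def extract(image: bytes, hit: dict) -> bytes:
    """Slice the carved object out of the image for further examination."""
    return image[hit["offset"]:hit["offset"] + hit["length"]]


def build_sample_image() -> tuple:
    """Constructed 16 KiB image. The filler bytes(range(256)) repeated contain
    none of the signatures above, so every hit comes from a planted object."""
    filler = bytearray(bytes(range(256)) * 64)
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    truncated = b"\xff\xd8\xff\xe1" + b"\x02" * 10  # header only, footer lost
    planted = {"jpg": (1000, len(jpg)), "png": (5000, len(png)),
               "truncated": (9000, len(truncated))}
    for blob, (offset, _) in zip((jpg, png, truncated), planted.values()):
        filler[offset:offset + len(blob)] = blob
    return bytes(filler), planted


if __name__ == "__main__":
    image, _ = build_sample_image()
    for hit in carve(image):
        print(hit)
```

The third question in the block ("how thorough is this search?") is exactly what the `max_len` bound and the partial-hit reporting decide: a carver that only reports header-footer pairs will silently miss files whose tail was overwritten, and one with too small a bound truncates large files.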

How will the data be presented?

1. Printouts?

2. CD-ROM?

3. Can the examiner convert the format of the data to a format that will be useful in legal proceedings (i.e., convert proprietary database or spreadsheet data into something like Excel)?

What controls will be in place to ensure the proper chain of custody of any potential evidence recovered?

1. The examiner should fully understand the Rules of Evidence as they relate to storage of evidence and chain of custody. The case could be lost here if the Rules of Evidence are not followed.
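Two of the questions above, whether the examiner preserves the original and works from a bit-stream copy, and what controls maintain chain of custody, come down to one procedure: open the original read-only, copy it byte for byte, hash the stream as it is read, re-hash the finished image independently, and record both digests with the examiner and time in a log that later verifications append to. The example below is an added illustration of that procedure, not code from the book or from Key Computer Service. The evidence file is constructed in a temporary directory and stands in for a device node such as /dev/sdb; the examiner name is a placeholder.

```python
"""Bit-stream duplicate, independent hash verification, and custody log.

Added example, not the original text's code. The sample evidence is
constructed here; the examiner name and paths are placeholders.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB media


def sha256_file(path: str) -> str:
    """Stream-hash a file; used for the independent re-read of the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str, examiner: str) -> dict:
    """Copy source byte for byte to image, hashing the stream while it is
    read, then re-read the finished image and hash it separately. The
    record's 'verified' flag is True only when the two digests agree."""
    stream_hash = hashlib.sha256()
    size = 0
    # "rb" opens the original read-only; nothing here can write to it.
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            stream_hash.update(block)
            dst.write(block)
            size += len(block)
    os.chmod(image, 0o440)  # the image itself is read-only from here on
    image_hash = sha256_file(image)
    return {
        "event": "acquired",
        "source": source,
        "image": image,
        "bytes": size,
        "sha256_stream": stream_hash.hexdigest(),
        "sha256_image": image_hash,
        "verified": stream_hash.hexdigest() == image_hash,
        "examiner": examiner,
        "utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-hash the image; any write since acquisition changes the result."""
    return sha256_file(image) == expected_sha256


def log_custody(log_path: str, record: dict) -> None:
    """Append one JSON line per custody event (acquired, verified, ...)."""
    with open(log_path, "a") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def make_sample_evidence(path: str, size: int) -> None:
    """Constructed stand-in for the original media, deliberately not
    chunk-aligned so the last short read is exercised."""
    with open(path, "wb") as f:
        f.write(bytes(range(256)) * (size // 256) + bytes(range(size % 256)))


def demo() -> tuple:
    """Acquire and verify, then simulate an accidental write to the image
    and verify again; returns the record, both results and the log."""
    size = 3 * CHUNK + 517
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "evidence.bin")
        img = os.path.join(work, "evidence.dd")
        log = os.path.join(work, "custody.jsonl")
        make_sample_evidence(src, size)
        record = acquire(src, img, examiner="J. Doe (placeholder)")
        log_custody(log, record)
        ok_before = verify_image(img, record["sha256_image"])
        os.chmod(img, 0o640)  # lift the protection to simulate a stray write
        with open(img, "r+b") as f:
            f.seek(CHUNK + 1)
            f.write(b"\x00")  # original byte here is 0x01, so this alters it
        ok_after = verify_image(img, record["sha256_image"])
        log_custody(log, {"event": "verified", "image": img, "ok": ok_after,
                          "utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())})
        with open(log) as f:
            events = [json.loads(line) for line in f]
        return record, ok_before, ok_after, events


if __name__ == "__main__":
    rec, before, after, log_events = demo()
    print(rec["verified"], before, after, [e["event"] for e in log_events])
```

In practice the copy step is done with dd, dcfldd or a dedicated imager and the digests with md5sum or sha256sum, but the logic is the same: the original is only ever read, the image is hashed twice by independent reads, and every later access to the image is re-verified against the recorded digest and logged. A single-byte change after acquisition is enough to fail verification, which is the property the chain-of-custody question is really asking about.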

3.7.1 Training courses

There are many computer forensic courses offered these days, and unfortunately it is very much a case of caveat emptor (buyer beware), particularly with respect to those courses that propose a complete forensic methodology built around only one tool. A computer forensic examiner's training course should be broad and encompass core technology and forensic methodology training that is not specific to any one tool, particularly tools with just a point-and-click interface. The questions above can equally be applied to a computer forensic training course curriculum to determine whether it adequately covers the necessary material.

To address the training issues in the context of increasing law enforcement and national security requirements, the U.S. government set up the National Cybercrime Training Partnership (NCTP) to provide guidance and assistance to local, state, and federal law enforcement agencies in an effort to ensure that the law enforcement community is properly trained to address electronic and high-technology crime. NCTP sponsors free computer forensic training for U.S. law enforcement through the National White Collar Crime Center (NW3C). Other U.S. organizations involved in training for law enforcement include FLETC, SEARCH (The National Consortium for Justice Information and Statistics), and the High-Tech Crime Investigation Association (HTCIA).

In Europe, NATO’s Lathe Gambit Information Security program has a computer forensic program that is open to NATO member countries, military, national security, and law enforcement personnel. Interpol has similarly conducted training programs under the auspices of its regional working parties.

In the Asia-Pacific region, the Australasian Center for Policing Research (ACPR, previously the National Police Research Unit, NPRU) has conducted a number of seminars and training courses for state and federal law enforcement from Australia and New Zealand. A number of academic institutions are also looking at collaborative, tertiary-recognized forensic training programs.

3.7.2 Certification

With respect to certification, other than tool-specific certifications offered by software vendors, there are currently only two independent computer forensic certifications: the IACIS Certified Forensic Computer Examiner (CFCE) and the High-Tech Crime Network (HTCN) Certified Computer Forensic Technician. The IACIS certification is the oldest but is unfortunately restricted to law enforcement personnel.
