Inside the mind of a computer forensics investigator
by Mirko Zorz - Tuesday, 16 November 2010.
Jess Garcia, founder of One eSecurity, is a senior security engineer and an active security researcher in areas of incident response, computer forensics and honeynets. In this interview he introduces the reader to the world of computer forensics and talks about cyber crime scenes, how forensics experts testify in court, privacy concerns, changes in the field of forensics in the past decade and offers advice for anyone interested in learning more about computer forensics in general.

Garcia will be teaching "Forensics 508: Computer Forensic Investigations and Incident Response" at SANS London 2010.

Let's say we're looking at a cyber crime scene comprised of several still powered on computers. When the forensic investigator arrives, what does his workflow look like?

The most important first step is to do a careful analysis of the situation and use your common sense and experience to make an educated decision about the actions to take.

Even in such an apparently simple scenario, there are multiple possible variations, such as the type of incident or crime, the corporate environment, and the operating systems and hardware environment, which will determine your course of action. It is important to gather as much information as possible about what happened before you start making any move. So the first step typically is to perform a quick interview of anyone who can provide that information and a review of the crime scene environment.

After that, going down to the technical procedures, the first thing you will do is acquire the volatile evidence, i.e. the evidence that may disappear or change quickly with your actions, such as the information stored in memory, the network connections, running processes, etc. This may or may not be easy (or at all possible) depending on the degree of access to the computer. Fortunately for us, the latest advances in forensic research have provided useful techniques that have opened new possibilities for the investigator, such as acquisition of memory through the FireWire port, acquisition of "cold" memory (Cold Boot Attack), advanced analysis of the memory and others.

Then you would do an acquisition of physical storage such as hard drives, USB drives, memory cards and removable disks. There are multiple ways and utilities, hardware and software, to do the job: from forensic hard drive duplicators and write blockers to forensically sound live CDs or software utilities. In the real world some of them will be more suitable than others depending on the situation.
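To make the "forensically sound" part of the storage acquisition step concrete, here is an added example (not code from the interview or from One eSecurity) of the minimal discipline behind any imaging tool: read the source read-only, hash it as it is copied, re-hash the written image, and keep the hash so the image can be re-verified later. The "device" is a constructed temporary file standing in for a drive behind a write blocker.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # fixed-size reads, as a disk imager would do


def sha256_of_file(path):
    """Hash a file block by block so it also works on images larger than RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Copy source to image, hashing the source as read, then re-hash the image."""
    h = hashlib.sha256()
    size = 0
    # Source opened read-only; on a real drive a hardware write blocker
    # enforces this independently of the software.
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    source_hash = h.hexdigest()
    image_hash = sha256_of_file(image_path)
    return {"bytes": size, "source_sha256": source_hash,
            "image_sha256": image_hash, "verified": source_hash == image_hash}


def verify_image(image_path, expected_sha256):
    """Later check (before analysis, or for court): does the image still match?"""
    return sha256_of_file(image_path) == expected_sha256


def demo():
    """Image a constructed 'device', verify it, then alter one byte of the copy."""
    tmp = tempfile.mkdtemp()
    source, image = os.path.join(tmp, "device.bin"), os.path.join(tmp, "device.dd")
    with open(source, "wb") as f:
        f.write(b"\x00" * 5000 + b"EVIDENCE" + b"\xff" * 3000)  # constructed sample
    rec = acquire_image(source, image)
    intact = verify_image(image, rec["source_sha256"])
    with open(image, "r+b") as f:  # simulate accidental modification of the copy
        f.seek(5000)
        f.write(b"X")
    return rec, intact, verify_image(image, rec["source_sha256"])
```

The recorded hash is what lets an analyst (or an opposing expert) show that the image examined is bit-for-bit the one acquired at the scene.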
