Inside the mind of a computer forensics investigator
by Mirko Zorz - Tuesday, 16 November 2010.
Knowledge is the first requirement any investigator needs. Even for highly experienced network and system administrators, computer forensics is a new world, so everyone needs to undergo the appropriate training.

There are multiple resources on the Internet and books that provide very valuable information on this field. The best way to boost your knowledge is to undergo professional training such as the SANS Institute Computer Forensics Curriculum.

Computer forensics is definitely all about experience, so the only way to really learn how to do the job is to actually do it many times, so you get to encounter the real-world problems, you get to polish your processes, and you get to develop your investigative skills, which are different from the standard IT or security ones.

As computer forensics is non-destructive, aspiring investigators can practice with their personal systems, corporate systems and forensic challenges that can be found on the Internet. Having a mentor by your side to lead your steps is ideal, but that's often not a possibility due to the low number of digital investigators in our community.

An experienced forensics examiner is about to testify in court for the first time. Any suggestions about the way he talks about his work?

It is extremely important for the investigator to remember that the real world is very different from the technical world. Things are not binary, normal people are moved by situational perception, and therefore it is of the utmost importance that the investigator is able to translate technical forensic "lingo" to standard concepts people can understand. A perfect investigation with a poor presentation in court will typically not succeed. That's not an easy job and not everyone is ready for it, but with time and dedication, it can be accomplished.

People and courts don't understand concepts such as bits and bytes, unallocated, metadata, clusters, artifacts, prefetch, plist, and the million other terms we use. We need to bridge that knowledge so they can make their decisions based on a correct interpretation of the reality.

We carry a great responsibility, for if we don't do our job right, the wrong people can end up in jail and guilty people may go free.

Also, it is important to remember that a court is typically a very hostile environment for an investigator. We are not used to it. You really need to keep your temper cool and your mind focused on the topic, and only answer what you are asked about. We tend to speak too much!

How can a forensic investigator make sure he strikes a balance between his work and a user's right to privacy?

That is a really tough question. Even the legal system and our society are struggling to find an equilibrium between protecting people's privacy and stopping bad guys from using that protection to cover their actions. I find that challenge every day in my cases in Europe. I guess we will all have to work together to find a solution. Technology can certainly help in that sense.

How has computer forensics evolved in the past 10 years and what can we expect in the next decade?

The evolution of computer forensics in the last 10 years cannot be easily described in a few words. Thanks to the joint effort of the many professionals in this community, and investments in the industry, we can do incredible things today, things that just a few years ago were wishful thinking. And it is getting better. There are and always will be many challenges, because forensics deals with all types of technologies, and that's an ever-changing environment. But our society needs forensics in order to fight the increasing wave of cybercrime that is becoming stronger and more organized.

The most difficult part will be to adapt our legal and law enforcement systems to this new scenario. I'm seeing slight movements in this direction in many countries, but the pace is too slow and we are suffering the consequences. We need to do better in this sense.
