These steps need to conform to an appropriate set of processes and procedures that guarantee that you do not modify the original evidence, or modify it as little as the circumstances allow. Careful documentation of all the steps taken, integrity hashes, and everything else that can be considered relevant in that process is vital.
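One way to put the hashing and documentation step above into practice, as an added example that is not part of the interview: a small Python script that stream-hashes an evidence file, appends each handling step to a JSON-lines custody log, and re-verifies the hash later. The evidence file, examiner name and log format are constructed for illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def hash_file(path, chunk_size=1 << 20):
    """Stream-hash a file so large disk images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def log_step(log_path, examiner, action, evidence_path, note=""):
    """Append one custody entry: who did what, when, and the evidence hash at that moment."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "evidence": os.path.basename(evidence_path),
        "sha256": hash_file(evidence_path),
        "note": note,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_integrity(log_path, evidence_path):
    """Re-hash the evidence and compare against every logged hash; all must match."""
    current = hash_file(evidence_path)
    with open(log_path) as f:
        logged = [json.loads(line)["sha256"] for line in f if line.strip()]
    return bool(logged) and all(h == current for h in logged)

def demo():
    """Constructed example: a tiny fake 'image' stands in for a real acquisition."""
    work = tempfile.mkdtemp()
    image = os.path.join(work, "evidence.img")
    log = os.path.join(work, "custody.jsonl")
    with open(image, "wb") as f:
        f.write(b"CONSTRUCTED-SAMPLE-IMAGE\x00" * 64)
    log_step(log, "examiner-A", "acquired", image, "write-blocker attached")
    log_step(log, "examiner-A", "hashed before analysis", image)
    intact_before = verify_integrity(log, image)
    with open(image, "r+b") as f:  # simulate an accidental write to the original
        f.write(b"X")
    intact_after = verify_integrity(log, image)
    return intact_before, intact_after
```

Any later handling step that changes a single byte of the original makes `verify_integrity` return False, which is exactly the condition the custody log exists to expose.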
What advice would you give to those interested in specializing in computer forensics?
Computer forensics is a fascinating world. It is the only area in computer security in which you get to deal at a low level with all types of operating systems, network devices, CCTV cameras, VoIP/PBX systems, network traffic, etc.
Knowledge is the first requirement any investigator needs. Even for highly experienced network and system administrators, computer forensics is a new world, so everyone needs to undergo the appropriate training.
There are multiple resources on the Internet and books that provide very valuable information on this field. The best way to boost your knowledge is to undergo professional training such as the SANS Institute Computer Forensics Curriculum.
Computer forensics is definitely all about experience, so the only way to really learn how to do the job is by actually doing it many times: you get to encounter real-world problems, you get to polish your processes, and you get to develop your investigative skills, which are different from the standard IT or security ones.
As computer forensics is non-destructive, aspiring investigators can practice with their personal systems, corporate systems and forensic challenges that can be found on the Internet. Having a mentor by your side to guide your steps is ideal, but that's often not a possibility due to the low number of digital investigators in our community.
An experienced forensics examiner is about to testify in court for the first time. Any suggestions about the way he talks about his work?
It is extremely important for the investigator to remember that the real world is very different from the technical world. Things are not binary, normal people are moved by situational perception, and therefore it is of the utmost importance that the investigator is able to translate technical forensic "lingo" to standard concepts people can understand. A perfect investigation with a poor presentation in court will typically not succeed. That's not an easy job and not everyone is ready for it, but with time and dedication, it can be accomplished.
People and courts don't understand concepts such as bits and bytes, unallocated space, metadata, clusters, artifacts, prefetch, plist, and the million other terms we use. We need to bridge that knowledge gap so they can make their decisions based on a correct interpretation of reality.