Computer Forensic FAQs
Written by: Larry Dalman 

Be sure to visit Dalman Investigations for additional information.

 
 
Articles used on the PI Coffee Shop are reprinted with permission from the author. The author holds all copyrights. PI Coffee Shop does not claim any responsibility or rights to the material on this page.

Frequently Asked Questions about Computer Forensics

Q: What qualifications should we look for in a computer forensic examiner?

A: There are an increasing number of people hanging out their shingle as computer forensic examiners. 

Some are among the most qualified individuals in the country; others are opportunists, lacking expertise, certification or training, who believe they can make fast money.

Some factors to consider include:

Is the person a former law enforcement, government, or military examiner? (Note: Not just a former member of one of those organizations, but someone who actually performed examinations for the organization.)

The best forensic training has historically only been available to these groups. Examiners in this group have been trained in proper evidence handling and documentation. They are accustomed to operating at a proof level of beyond a reasonable doubt.

While computer forensics requires the ability to think logically, it also requires investigative instincts. Examiners who are former law enforcement investigators have honed these skills. An examiner who does not have an investigative background may think logically, but probably lacks the investigative instincts.

Has the person been accepted in court as an expert in computer forensics?

If so, how many times? 

Can they provide references by attorneys as to their testifying abilities? What were the results of the trial? 

Another issue is the forensic processing software used by the examiner. Some firms use dated analysis methods, so their examinations take significantly more time than others. Do they use state-of-the-art methods and software? If not, remember that greater examination times mean far greater costs to you.

Q: We have computer personnel in our company, why shouldn't we let them conduct the examination?

A: Although a corporation's IT department may have a considerable amount of knowledge and experience with computers, perhaps even with data recovery, it is highly unlikely that its staff have the knowledge of the forensic protocols that must be observed to find all of the evidence, protect the data, and ensure the admissibility of evidence in civil or criminal trials.

Forensic examiners take extra steps to safeguard the computer data; these steps require specialized training, hardware, and software. Forensic examiners are also able to interpret what they find.

In addition to the lack of skills, hardware, and software, using a company employee can open you up to allegations of fabricating evidence and other improprieties. 

Can your employee qualify in court as an expert in the forensic examination of a computer? Probably not. 

If your concerns are strong enough to warrant the examination of a computer, then it is important to do it right. If an employee is fired or disciplined as a result of the examination, civil litigation will likely follow. 

Q: We are working with a Private Investigative company. Why can't they examine computers for us?

A: While there are many tens of thousands of private investigators around the country, the examination of computers is far beyond the skills and training of all but an extreme few. There are many specialties in private investigation. Just because an investigator has excellent credentials for conducting financial investigations does not mean that they are qualified to examine computers. If you are going to pay someone to recover computer evidence, pay a professional examiner. Look for someone who has the right amount of expertise and tools and is able to recover evidence that others wouldn't even know to look for.
 

There are some unqualified individuals being passed off as qualified.

Know their credentials before you hire them or provide them with evidence that could be damaged, lost or destroyed.
 

Q: Why do I need to hire someone to search my computer for documents or email? Can't I just do that myself?

A: Most computers today hold 80 to 120 gigabytes of hard drive space. (Servers can hold more.)

To search a computer manually for a document, or for a word or a phrase INSIDE of a document, could take several days.

A single gigabyte of storage can hold as much information as one copy of the Encyclopaedia Britannica (2,619 pages). As an example, the Dell Dimension 8250 comes with a 120 GB hard drive as standard equipment. The 120 GB hard drive will hold 314,280 pages of text.
 

A computer forensic expert can search the entire system, including files that have been deleted, in a few hours and can restore/print the documents in question. 

Q: I just purchased a used computer. I reformatted the hard drive. How can I be sure that there is nothing on the hard drive that I can get in trouble for?

A: There is a difference between deleting data and wiping the hard drive. To wipe the hard drive to Department of Justice standards, it must be done professionally.

Q: Our daughter stays in her room for hours at a time on her computer. I know she uses instant messages to talk to her friends. Is there a way to monitor what she is doing, and whom she is chatting with?

A: Yes. Key-logging software is available that will allow you to monitor her Internet usage, e-mail and chat sessions. You must have authorization to install this software and cannot monitor the e-mail while it is being transmitted. If you install this software without the proper authorization, you could be held civilly liable under the electronic privacy act.
 



The contents, and design, of this site are the property of PI Coffee Shop and may not be used without written consent.
Copyright © 2002-2003 PI Coffee Shop. All rights reserved.