Forensics Policy: Looking for Evidence

There are many compelling reasons for employing computer forensics, but before business managers make the decision to do so, they need to understand what it is and when to use it. Risk management is the leading reason for deploying computer forensics. Any business that does not have a policy and procedure to stop malicious behavior may count on being victimized with little recourse against the perpetrator. Computer forensics is the investigative practice of collecting, examining, and analyzing evidence retrieved from computers and computer-related equipment. At times it would seem that computer forensics analysis is akin to magic in that trained, experienced professionals can find relevant evidence through sophisticated collection and restoration techniques. More than one competent analyst has been called "a miracle worker."

Collecting and analyzing computer evidence is useful for confirming or dispelling concerns about whether an unlawful act has been committed. Further, this type of work has been able to document workstation, applications, and network vulnerabilities after a critical incident.

Organizations today must have policies regarding when computer forensics examiners should be called in. Usually information-related threats involve a computer of some kind or a communication's network because they are the means by which companies conduct their business and information processes. Businesses employ computer forensics when there is a serious risk resulting from compromised intellectual property, a threat of lawsuits stemming from employee conduct, or potential damage to their reputation or brand. There are many organizations that regularly use forensic means to audit employee workstations with the idea that employees who know and recognize they are being monitored are less likely to stray from policies and procedures. When a random selection of employees' computers is made monthly, and forensic examinations are conducted, the appropriate steps are taken if unauthorized use, pornography, or abuse is discovered.

Any experienced computer forensics examiner starts and completes assignments with his or her testimony in mind. This means the examiner must always collect, analyze, and preserve evidence according to the rules of evidence. A good standard for this professional is the Federal Rules of Evidence. Basically, the examiner has three important tasks: finding, preparing, and preserving evidence.

Another aspect of forensic computer examination is the testimony of the forensics professional. This person must never attempt to perform an examination for which he or she is not trained. There are times when untrained or inexperienced persons are tempted to conduct examinations, which can corrupt or damage potential evidence. Just because a person has a detailed knowledge of computers and networks does not mean the person is qualified to conduct forensics examinations. Following is a list of what to look for when selecting forensics computer examiners:

- Prior experience in computer forensics examinations

- Specialized training

- Specialized experience in collecting, analyzing, and preserving evidence

- Experience as an expert witness

- Possession of pertinent professional certifications

- Personal and professional integrity; examiners must withstand thorough scrutiny on technical and personal levels

- A laboratory equipped with tools for evidence recovery


Another matter of significance: organizations should understand that reporting unlawful activities is required under many state statutes and is required under U.S. law. According to Title 18, USC 4, "whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years or both"

1 comments:

Anonymous said...

Thank you for the lovely post. I too agree with your points mentioned therein. Computer Forensics is the process of using the latest knowledge of science and technology with computer sciences to collect, analyze and present proofs to the criminal or civil courts. Network administrator and security staff administer and manage networks and information systems should have complete knowledge of computer forensics. The meaning of the word "forensics" is "to bring to the court". Forensics is the process which deals in finding evidence and recovering the data. The evidence includes many forms such as finger prints, DNA test or complete files on computer hard drives etc. The consistency and standardization of computer forensics across courts is not recognized strongly because it is new discipline.

Popular Posts