Five on Forensics Page 1 - Craig Ball
Five on Forensics
© 2002-2008 Craig Ball All Rights Reserved

Computer experts without formal forensic training or experience may offer their services as experts, but just as few doctors are qualified as coroners, few computer experts hold forensic qualifications. Programming skill has little practical correlation to skill in computer forensics.

Selecting a Neutral Examiner

Ideally, the parties will agree upon a qualified neutral. When they cannot, the court might:

1. Require the parties to designate examiners they deem qualified, then have the partisan examiners agree upon a third party neutral examiner;
2. Seek recommendations from other judges before whom well-qualified examiners have appeared; or,
3. Review the curriculum vitae of examiner candidates, looking for evidence of training, experience in court, credible professional certification, publications, bench references and other customary indicia of expertise. Checking professional references is recommended, as CV embellishment is a great temptation in an unregulated environment.

A computer forensic analyst must be able to grasp the issues in the case and, where indicated, possess a working knowledge of privilege law.

What Can Computer Forensics Do?

Though the extent and reliability of information gleaned from a forensic examination varies, here are some examples of the information an analysis can uncover:

1. Manner and extent of a user’s theft of proprietary data;
2. Timing and extent of file deletion or antiforensic (e.g., wiping software) activity;
3. Whether and when a thumb drive or external hard drive was connected to a machine;
4. Forgery or alteration of documents;
5. Recovery of e-mail and other ESI claimed not to exist or to have been deleted;
6. Internet usage, online research and e-commerce transactions;
7. Intrusion and unauthorized access to servers and networks;
8. Clock and calendar manipulation;
9. Image manipulation; and
10. Second-by-second system usage.

What Can’t It Do?

Notwithstanding urban legend and dramatic license, there are limits on what can be accomplished by computer forensic examination. To illustrate, an examiner generally cannot:

1. Recover any information that has been completely overwritten—even just once—by new data;
2. Conclusively identify the hands on the keyboard if one person logs in as another;
3. Conduct a thorough forensic examination without access to the source hard drive or a forensically-sound image of the drive;
4. Recover data from a drive that has suffered severe physical damage and cannot spin;
5. Guarantee that a drive won’t fail during the acquisition process; or
6. Rely upon any software tool to autonomously complete the tasks attendant to a competent examination.
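Item 3 above turns on the phrase "forensically-sound image." The text does not say how an examiner shows that an image is faithful to the source; in practice the standard method is to compute a cryptographic hash of the source and of the acquired image and require the two digests to match, because a single changed byte anywhere produces a different digest. The following is an added illustration of that check, written for this page and not drawn from Craig Ball's article or any forensic tool. The "drive" it hashes is a constructed file of random bytes, and the altered copy is constructed by flipping one bit; SHA-256 is assumed as the algorithm.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-gigabyte image never has to fit in memory


def hash_file(path, algorithm="sha256"):
    """Hash a file in fixed-size chunks and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(source_path, image_path, algorithm="sha256"):
    """Return (matches, source_digest, image_digest).

    A bit-for-bit image hashes identically to its source. Any divergence
    means the image cannot be relied on as a faithful copy of the drive.
    """
    src = hash_file(source_path, algorithm)
    img = hash_file(image_path, algorithm)
    return src == img, src, img


def demo():
    """Constructed demonstration (not real evidence): a fake 'drive' of
    random bytes, a faithful copy, and a copy with one bit flipped in the
    second chunk. Returns (faithful_verifies, altered_verifies)."""
    data = os.urandom(3 * CHUNK + 17)  # constructed sample, not a real drive
    altered = data[:CHUNK] + bytes([data[CHUNK] ^ 0x01]) + data[CHUNK + 1:]
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "source.dd")
        good = os.path.join(d, "image_good.dd")
        bad = os.path.join(d, "image_bad.dd")
        for path, content in ((source, data), (good, data), (bad, altered)):
            with open(path, "wb") as f:
                f.write(content)
        return verify_image(source, good)[0], verify_image(source, bad)[0]


if __name__ == "__main__":
    faithful, tampered = demo()
    print("faithful image verifies:", faithful)   # True
    print("altered image verifies:", tampered)    # False
```

Examiners record the digests at acquisition time so that the same comparison can be repeated later, by either side, to show the image analysed is the one that was taken; a mismatch in the altered copy shows why a one-byte change is enough to disqualify an image.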
Page 92