Planning and quality control are two critical aspects of any forensic investigation. Proper documentation and reporting are also essential skills any forensic analyst needs. You may wonder why we are covering these topics before delving into the specifics of how to conduct forensic examinations. The answer is simple. These principles should guide everything else you do in cyber forensics. If you master every technique in this book but don’t have proper documentation or quality control, your forensics investigations will be unsuccessful.

Planning

Prior to conducting a cyber forensics investigation, it is important that you plan the investigation. This can be one of the most important parts of your investigation. Your plan should include how to collect the evidence, safeguard the evidence, and analyze the evidence. It is completely inappropriate to simply decide these elements as the case progresses.

Collecting the Evidence

The first question to ask is usually how you will acquire the evidence. This may seem like an odd question, but there are different approaches to seizing evidence, depending on the nature of the evidence and the conditions where it is located.

If this is a cell phone or laptop, you may be able to simply transport the suspect equipment to your lab and work with it there. Of course, it must be transported in a manner that not only preserves the chain of custody, but also ensures that there is no contamination of the evidence. For example, a cell phone should be transported in a container that blocks any signals.

In the case of an e-commerce server that is perhaps part of an identity theft investigation, it may not be possible to just take the server offline. That would disrupt normal business for the e-commerce site. In that case, you have two options. The best is to switch over to a backup server and then image the suspect server on the site. If there is no backup server, you will have to temporarily take the server down, just long enough to image the server, and then put it back in operation.

There are also cases where remote gathering of evidence will be required. This is not the preferred method and should only be used if there simply is no other choice. One example might be a case involving military personnel stationed overseas or perhaps employees of an embassy. It would take time to get to the scene and to extract the evidence. It may be necessary to remotely image the suspect drive in order to preserve evidence. Keep in mind that this is the least preferred method and should be used only when there is no other viable option.

Analyze the Evidence

As you probably suspect, much of this book is focused on specific techniques for analyzing evidence, and you will see several such techniques in subsequent chapters. However, there are general guidelines for evidence analysis that should be part of your standard operating procedure. Each is discussed in the sections that follow.

Validation of Findings

It is always important to validate whatever findings you have. There are two major reasons for this. The first reason is that you are a human and capable of making mistakes. Given the possibility of error, validation allows you to lessen the chance of this happening and to catch errors when they do occur. Another reason is that if a case does go to court, it is likely that the opposing counsel will hire a forensic expert who will question your findings. If you validate all findings, that will help address any questions.

NOTE My experience in court cases is that opposing counsel and their expert will disagree with virtually everything you state. They will find some nuance, some technicality, on which to base their disagreement. So I make it a policy to back up everything I say with not only multiple tests where appropriate, but multiple references. For example, if I state in my report a certain fact about how NTFS operates, I like a minimum of two reputable sources to support my view.

So how do you validate your findings? The answer is actually simple. Repeat the test with a different tool. For example, if you use Disk Digger to find deleted files, also see if another tool such as NTFS Undelete will find the same files. It may be possible for someone to claim the tool was in error or you made a mistake with one test. But if two tests, done with two different tools, find the same results, it would be very difficult for anyone to claim error.

It is important that your forensic lab make a standard practice of validating all evidence, or at least the most key pieces of evidence. It is also best, when possible, that a different investigator validate the evidence. Having two different tests, using two different tools, conducted by two different investigators yield the same results makes it almost ridiculous for opposing counsel to claim a mistake was made.

Proper Evidence Handling

In the first four chapters of this book, we discussed how to transport, store, and secure evidence. This is what we mean by proper evidence handling. However, the specific techniques and procedures used in your lab should be documented in your standard operating procedure and then adhered to in each and every investigation.

One concept you will see throughout this chapter is the documentation of procedures, the codifying of good forensic practices, as standard operating procedures (SOPs). One cannot assume that all forensic analysts will have the same level of skill and knowledge. Therefore, it is important to have very clear and detailed standard operating procedures that tell every investigator exactly what to do in any given situation. These SOPs also provide a benchmark for quality control measures, which we will discuss later in this chapter.

Completeness of Investigation

We have discussed previously in this book at some length the problem with improper evidence handling. It can lead to evidence being excluded. But an equally problematic issue is that of incomplete investigations. Too often, forensic investigators have a very large caseload, and as soon as evidence of the accused crime is found, they stop the investigation. This is wrong for multiple reasons.

The first reason is that you must acquire all relevant evidence related to an incident. If you stop at the first piece of evidence you find, what happens if opposing counsel is able to get that evidence dismissed, or to at least address it at trial and cast doubt on the case? It is important to have all the evidence possible.

The second issue involves getting an incomplete picture. A common claim by those accused of child pornography is that some virus or other malware must have put that on their computer. If you simply stop investigating when child pornography is discovered, you will have difficulty countering this claim. However, if you continue your investigation, you will determine how often the images were accessed, when they were downloaded, any websites visited, if there was malware on the machine, if the malware is capable of surreptitiously downloading images, etc. All of these facts will lead to a complete picture that will either clearly demonstrate the suspect’s guilt or exonerate him or her.

NOTE In my entire career, I have not yet encountered a virus that downloads child pornography. I can certainly envision one being created—it would not be overly difficult. But the lack of one existing in the wild makes these claims by accused child pornographers very doubtful.

Legal Compliance

Legal issues have already been addressed in this book too and need not be revisited in detail here. However, it should be pointed out that your standard operating procedure must address all relevant legal issues. These may include federal and state laws, standards for a specific industry, or standards set by a government agency.

The critical issue is to ensure that your SOP addresses all relevant guidelines. So ensure that you consult all laws and regulations applicable to your industry and geographical area. It is also important to monitor changes in these laws to ensure you continue to comply.

Case Notes and Reports

Obviously, case notes and reports are related. In fact, the case notes should lead to the creation of the report. However, they are still two separate items, each of which should be handled differently. Both are discussed in this section.

Case Notes

Case notes are a bit more informal than expert reports. They are your own notes as you progress through a case. However, saying they are a bit more informal does not mean these are personal notes with no structure or standards. These notes can be subpoenaed for court. They are certainly subject to review by other analysts in your lab as part of the normal quality control procedure. However, they are not a formal report of findings. Case notes are thorough and should be created as you conduct your examination. The U.S. Department of Justice defines what should be found in case notes[1]:

        Documentation should be contemporaneous with the examination, and retention of notes should be consistent with departmental policies. The following is a list of general considerations that may assist the examiner throughout the documentation process.

     • Take notes when consulting with the case investigator and/or prosecutor.

     • Maintain a copy of the search authority with the case notes.

     • Maintain the initial request for assistance with the case file.

     • Maintain a copy of chain of custody documentation.

     • Take notes detailed enough to allow complete duplication of actions.

     • Include in the notes dates, times, and descriptions and results of actions taken.

     • Document irregularities encountered and any actions taken regarding the irregularities during the examination.

     • Include additional information, such as network topology, list of authorized users, user agreements, and/or passwords.

     • Document changes made to the system or network by or at the direction of law enforcement or the examiner.

     • Document the operating system and relevant software version and current, installed patches.

     • Document information obtained at the scene regarding remote storage, remote user access, and offsite backups.

I believe this list can be summarized a bit more briefly as follows:

     • Take notes of any conversation you have.

     • Keep copies of all relevant documents, including warrants, requests to investigate, etc., along with the notes.

     • Everything you do should be documented, including the method, tool, date, time, results, and any irregularities.

     • Document as much information as you can about the target system, including hardware, operating system, etc.

The notes should be clear enough that any competent forensic analyst could take your notes and re-create your entire examination. This is important for court, and important for quality control. Thorough notes would allow another examiner to check your process for any irregularities or errors. I find it useful to think of case notes as a diary of your progress through the case. It is also helpful to conceive of case notes as lab notes. If you ever took chemistry courses in college, you will recall that your lab notes had to detail all the steps of your experiment in such detail that anyone else could take those notes and repeat the experiment. This is a good guide for writing case notes, too.

Reports

A forensic report is a formal document that represents the tests performed and the results obtained. In some cases, particularly civil trials, there may be a specific expert report that is filed with the court. Let’s address each of these separately.

The Forensic Report

In most cases, forensic labs require you to create a report of your forensic process. This report will detail what tests you conducted and the results. If you took adequate and complete case notes, you should be able to use those as the basis for your forensic report. Your forensic report is essentially a summary of the case notes. The SANS Institute recommends three sections in your report[2]:

        Overview/Case Summary: This is a general summary of what the case is about and what the goal of the investigation is.

        Forensic Acquisition and Exam: In this section, you will discuss what you did, starting with acquiring the forensic evidence and then your actual tests.

        Findings and Report: This section has your conclusions.

The popular forensic tool EnCase actually has forensic report templates and will generate a basic report for you. This is shown in Figure 5-1.

Figure 5-1 EnCase reports

Notice the body of the report is broken down into sections covering e-mail evidence, documents found, etc.

AccessData’s Forensic Toolkit (FTK) asks you to input case information when acquiring a drive image, shown in Figure 5-2. This information will be used to create the report header, preloaded with case information, including the investigator’s name.

Figure 5-2 FTK case information

The free forensic tool Autopsy also generates reports. In Figure 5-3, a report for an unprocessed case is shown. You can see even without processing evidence that this report gives you basic case information.

Figure 5-3 Autopsy report

All the major forensics tools provide some level of reporting. However, automated reports can only document what tests you conducted with a given tool. They cannot document what you may have done with other tools or the processes you used prior to using this tool, for example, in acquiring the evidence. I recommend you use the reports generated by these tools as attachments to a report you create yourself. Of course, you can manually create a report if you wish, or if you are not using one of the tools that generates its own reports. Let’s look at an example report for a fictitious case.

Overview/Case Summary On January 2, 2014, I began the process of imaging and processing a laptop suspected of containing stolen intellectual property. I began by photographing the laptop (Dell Inspiron 17 with Intel Pentium Processor 2127U, 4 gigabytes of RAM [Single Channel DDR3L 1600MHz], running the Windows 8.1 operating system, Serial number SN 292929292). Detective Racheal Smith of the Metropolis Police Department requested I perform an investigation of this laptop.

Forensic Investigation The laptop was delivered to me by Detective Smith along with copies of the warrant to seize the laptop and an affidavit detailing how she seized the laptop (see attachments). My first step was to use AccessData Forensic Toolkit Imager (FTK Imager) to create two images of the laptop hard drive. I then created an MD5 hash of the original disk and the two images and compared them to see that all hashes were the same.

At that point, I placed the original disk and one of the images in our forensic safe and began my examination of one of the images. My first step was to search for all PDFs, Word documents, or Excel spreadsheets to determine if any were related to the stolen intellectual property. I found two PDFs that were company documents, marked confidential, and contained details of the intellectual property (those documents are printed and attached to this report). I then used the Disk Digger tool to search for deleted files. I discovered two additional files, both Excel spreadsheets, and they appeared to contain data relating to the value of the intellectual property. Those files are printed and attached to this report.

Next, I searched the machine for all e-mail files (i.e., Outlook .pst files). I found a .pst file marked private.pst located in C:\IllegalStuff that was not attached to the running copy of Microsoft Outlook. Upon examining that file, I found four e-mails discussing the sale of the intellectual property to various third parties (those e-mails are printed and attached to this report).

Findings and Report Conclusions: My examination demonstrated that the suspect laptop contained the intellectual property that had been stolen (i.e., the PDF documents). It also contained spreadsheets estimating the value of the intellectual property and e-mails discussing the sale of this property to third parties.

Consider our report for this fictitious case. Although it is a bit brief, it contains all the elements needed, and we wish to be brief for the sake of including the report in this book. Notice in the introduction we provide the basic allegation in the case, the specifics of what we are examining, and who asked us to examine it. Also notice that throughout the report we reference attachments. We attach the warrant and the request to investigate, and later we attach printouts of what we found. This allows anyone reading the report to immediately understand what was done and why.

In the next section, we tell what we did, beginning with the imaging of the drive and the validation of that image. We also tell what tests we conducted, tools used, and results of those tests. Again, we reference attachments showing what we found. Finally, in the conclusions we summarize what we found. Notice we did not make an assessment of guilt or innocence. We simply summarized what we found. A forensic report is not an assessment of guilt or innocence; it is an unbiased examination of the facts that we can find as a result of applying forensic science. Simply factual conclusions, not opinions.

Scientific accuracy is also critical in your forensic report. Every conclusion you document should be well supported by accepted forensic and computer science. I find it useful to cite standards that support my conclusions.
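The imaging verification step in the sample report above (hash the source and each image, compare the digests) and the contemporaneous case-note entry the DoJ list calls for, as an added Python example. This is not code from the book or from FTK Imager; it hashes ordinary files in a scratch directory in place of a physical disk, and the examiner and tool names are placeholders.

```python
"""Verify forensic images against their source and log the result as a case note.

Added example: hashes a source and its images, compares the digests, and
appends a timestamped case-note line recording method, tool, result and any
irregularity, as the documentation guidelines above require.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images are never loaded whole


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_images(source, images, algorithms=("md5", "sha256")):
    """Compare every image's digests with the source; return a result record."""
    expected = hash_file(source, algorithms)
    results = {}
    for img in images:
        actual = hash_file(img, algorithms)
        results[img] = {
            "hashes": actual,
            "match": all(actual[a] == expected[a] for a in algorithms),
        }
    return {"source": source, "source_hashes": expected, "images": results,
            "all_match": all(r["match"] for r in results.values())}


def case_note(examiner, tool, result):
    """Build one contemporaneous note: date/time, action, tool, method, result, irregularities."""
    mismatched = [p for p, r in result["images"].items() if not r["match"]]
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "action": "Verified image hashes against source",
        "tool": tool,
        "method": "Computed " + ", ".join(result["source_hashes"]).upper()
                  + " over source and each image; compared digests",
        "result": "all hashes match" if result["all_match"] else "HASH MISMATCH",
        "irregularities": ["mismatch: " + p for p in mismatched],
        "detail": result,
    }


def append_note(notes_path, note):
    """Append the entry as one JSON line so the notes stay append-only and parseable."""
    with open(notes_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(note) + "\n")


def demo():
    """Constructed scenario: one good image and one image altered after acquisition."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "source.dd")
    good = os.path.join(work, "image1.dd")
    bad = os.path.join(work, "image2.dd")
    data = os.urandom(3 * CHUNK + 123)  # constructed 'disk' content
    for p in (src, good, bad):
        with open(p, "wb") as fh:
            fh.write(data)
    with open(bad, "r+b") as fh:  # flip one byte to simulate a corrupted copy
        fh.seek(CHUNK + 7)
        fh.write(b"\x00" if data[CHUNK + 7] != 0 else b"\x01")
    result = verify_images(src, [good, bad])
    note = case_note("Examiner (placeholder)", "hashlib via hash_file() (placeholder tool name)", result)
    append_note(os.path.join(work, "case_notes.jsonl"), note)
    return result, note


if __name__ == "__main__":
    _, entry = demo()
    print(json.dumps({k: v for k, v in entry.items() if k != "detail"}, indent=2))
```

The mismatched image is recorded as an irregularity in the note rather than silently dropped, which is the situation the report must be able to explain later.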

The Expert Report

An expert report is a bit different from a forensic report. Usually, civil cases use this format. To begin with, an expert report will have the same data and the same exhibits/attachments as a forensic report, but will be much more detailed. Expert reports generally start with the expert’s qualifications. This should be a complete curriculum vitae (CV) detailing education, work history, and publications. This needs to be as thorough as possible. List all education, work experience, publications, etc. In many cases, one also lists past expert witness work.

NOTE Many professionals have worked their entire career under the belief that a resume should be kept as brief as possible. Some even recommend keeping it to a single page. That may be appropriate for a job hunting resume, but for your CV, you need to put everything in. If you would like to see an example, my own CV is posted on my website: www.ChuckEasttom.com. As of this writing, it is already 15 pages long.

After the CV, you move into the topic at hand. It is much like the forensic report; however, you should include every single detail. There is no such thing as too much detail. I also personally make it a practice to use numerous citations from various sources to support even basic factual assertions. For example, if I make the statement that undeleting from a FAT-based system simply removes the item from the File Allocation Table, I will cite at least one or two reputable sources. Yes, this is a commonly known fact, and any computer professional would know that (or at least should), but it is always a good idea to support your assertions.

If you did a validation of your tests, particularly with another round of testing, detail that as well. Note that we will be discussing validating results in detail later in this chapter. If you have any additional evidence, including documents produced, statements from the accused, officer statements, deposition transcripts, anything at all, it should go into this report. You want as many lines of evidence as you can. Evidence from sources outside the case is called extrinsic evidence; evidence from the case itself is called intrinsic evidence.

The next issue with an expert report is its completeness. The report must cover every item the expert wishes to opine on, and in detail. Nothing can be assumed. In some jurisdictions, if an item is not in the expert report, then the expert is not allowed to opine on it during testimony. Whether or not that is the case in your jurisdiction, it is imperative that the expert report be very thorough and complete. And, of course, it must be error free. Even the smallest error can give opposing counsel an opportunity to impugn the accuracy of the entire report and the expert’s entire testimony. This document should be carefully proofread by the expert and by the attorney retaining the expert. Of course, an expert report is inclusive of all exhibits/attachments. One such exhibit should be a list of all items you considered in forming your opinions.

Finally, an expert report is not a neutral document. You have formed an opinion and your report should clearly state what it is. For example, if you believe the accused did steal intellectual property, your report should first demonstrate that via evidence and then clearly state your conclusion. Whereas a forensic report has conclusions only, the expert report will also have your expert opinions.

As you can see, an expert report can quickly become a rather long document. Even small cases often involve expert reports that are in excess of 30 pages. In more complex cases, expert reports that are 200 or more pages long are not unusual. The largest I have personally seen was over 600 pages, not counting attachments/exhibits. However, this is not meant to indicate that one should be unnecessarily verbose in a report. Quite the contrary. Be as concise and clear as possible. However, the necessity of explaining all the testing and analysis done and defining terms is likely to increase the size of the report.

NOTE One critical factor in case notes, forensic reports, and expert reports is clarity in your writing. It is important that anyone reading your report knows exactly what you are trying to document. Avoid ambiguities, colloquial phrasing, unnecessary abbreviations, or anything that is not completely clear to anyone reading the document.

Quality Control

It should be obvious that maintaining quality in forensics investigations is necessary and, in fact, critical. This means the lab maintains quality in equipment and processes, the individual examiners maintain quality in their skillset, and each examination and analysis maintains a level of quality.

Lab Quality

Obviously part of quality control is the quality of the lab itself. Beyond the skill of the individual examiners and what skill is used in a specific forensic test, the lab itself must maintain quality. Fortunately there are some standards to guide you on this issue.

FBI RCFL

RCFL, or Regional Computer Forensics Laboratory[3], is a “one stop, full service forensics laboratory and training center devoted entirely to the examination of digital evidence in support of criminal investigations.” This means a lab that is involved in both forensics and training. These labs offer a great many training options, including continuing education courses[4] such as

     • Case Agent Investigative Review

     • Image Scan Training

     • Social Media Evidence

     • Capturing a Running Computer System

     • Mobile Forensics

These labs provide an excellent source for continuing education. They also provide a model for how a forensic lab should ideally be set up. If your laboratory meets the standards[5], you can apply to enter into a Memorandum of Understanding with the FBI to become a participating agency in the RCFL.

American Society of Crime Laboratory Directors

The American Society of Crime Laboratory Directors (ASCLD)[6] provides guidelines for forensics labs of all types, not just cyber forensics. It also provides standards for certifying forensics labs. ASCLD offers voluntary accreditation to public and private crime laboratories in the United States and around the world. The ASCLD/LAB certification regulates how to organize and manage crime labs. Achieving ASCLD accreditation is a rigorous process, and there are literally a few hundred criteria that must be met. It can often take more than two years to fully prepare for accreditation. The lab spends this time developing policies, procedures, document controls, analysis validations, and so on. Then, the lab needs another year to go through the process. ASCLD does offer a course to help prepare a lab for accreditation.[7] This course is described as follows:

        This course has been designed to assist crime laboratory personnel to prepare for ASCLD/LAB-International. ISO 17025:2005 and ASCLD/LAB-International Supplemental Requirements for Testing Labs will be reviewed and preparation exercises will be provided. This program will serve to provide the attendees with a better understanding of the types of planning and activities which may be considered in order to prepare for the formal application and external assessment process. This program is designed to supplement internal management practices which a laboratory should have in place to support ASCLD/LAB-International preparation activities. Attendees familiar with the ASCLD/LAB Legacy program will be provided with opportunities to compare internal laboratory activities involved with each program. An attendance certificate will be mailed to the student.[8]

The assessment team begins by reviewing the application and documentation showing the lab’s policies and procedures. This is done before they actually visit the lab to conduct the assessment. The assessment takes about a week. Typically, the assessment team generates 5 to 15 findings that require corrective action. The lab requires several months to make corrections to the satisfaction of the lead assessor. Once the facility has made all corrections, the lead assessor recommends the lab to the board of directors for accreditation. Finally, the ASCLD/LAB board of directors votes on whether to accredit the lab.

The ASCLD/LAB program also provides for periodic audits to ensure that forensic specialists are performing lab procedures correctly and consistently for all casework. The society performs these audits in computer forensics labs to maintain quality and integrity. Pursuing ASCLD accreditation is a very good way to ensure the lab maintains quality standards.

TIP The standard ISO/IEC 17025:2005 covers “requirements for the competence of testing and calibration laboratories.” This standard is common to all forensics labs, not just cyber forensics. The test will simply ask you to identify what the standard is, not details about the requirements.

Tool Quality Control

It is also important to ensure your tools are up to standard. This begins with selecting only tools that have been widely used and accepted in the cyber forensic community. But it is maintained by testing tools. There are two primary ways to test a given tool.

The first method is to conduct a test on a known item with preset properties. In other words, if you are testing a tool that searches for images with certain characteristics, you set up a drive image that has some specific type of image on it. For testing purposes, you might use anything, such as images with elephants. Then run the tool and test how many of those images it was able to find. Since you put the images there, you know exactly how many should be discovered.

The second method is to test against a known good tool. For example, if you are evaluating the use of an undelete tool you have not previously used, compare that tool’s results against those of one or two tools you have used and that you know to be quality tools.

Both of these methodologies allow you to calibrate your forensic tools and ensure they meet quality standards. It is impossible to perform quality forensic investigations without quality tools. It is also important that you document the testing and calibration of these tools. Furthermore, you should periodically recalibrate any and all tools you use. A common challenge to any forensic examination is for opposing counsel to inquire whether the tools have been calibrated.
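Both tool-testing methods described above (a known-item test with planted files, and a comparison against a reference tool), as an added Python example that is not code from the book or from any forensic product. The two "tools" are deliberately simple stand-ins (one identifies JPEGs by magic bytes, one by file extension), the planted corpus is constructed, and the scoring is by file hash so the test can be documented and repeated.

```python
"""Known-item and reference-tool validation of a forensic tool (added example).

Plants a constructed set of files with preset properties, records the targets'
hashes as ground truth, runs a tool under test, and scores recall and false
positives.  A second tool is run for the known-good comparison method.
"""
import hashlib
import os
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"  # first three bytes of a JPEG file


def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def build_test_image(root):
    """Constructed test set: returns {path: sha256} for targets and for non-targets.

    Two files are real JPEGs (one renamed to hide it), two are not.
    """
    files = {
        "elephant1.jpg": (JPEG_MAGIC + b"\xe0 constructed jpeg payload 1", True),
        "notes/elephant2.dat": (JPEG_MAGIC + b"\xe0 constructed jpeg payload 2", True),
        "readme.txt": (b"plain text, not an image", False),
        "fake.jpg": (b"not really an image, just a .jpg name", False),
    }
    targets, non_targets = {}, {}
    for rel, (content, is_target) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        (targets if is_target else non_targets)[path] = sha256(path)
    return targets, non_targets


def tool_by_magic(root):
    """Stand-in 'tool under test': reports files whose content starts with JPEG magic."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if fh.read(len(JPEG_MAGIC)) == JPEG_MAGIC:
                    found.append(path)
    return found


def tool_by_extension(root):
    """Stand-in 'reference tool': reports files by .jpg extension only."""
    return [os.path.join(d, n) for d, _, names in os.walk(root)
            for n in names if n.lower().endswith(".jpg")]


def score_tool(tool, root, targets):
    """Method 1: compare what the tool found with what was planted."""
    found = {sha256(p) for p in tool(root)}
    expected = set(targets.values())
    hits = found & expected
    return {
        "planted": len(expected),
        "found": len(hits),
        "missed": sorted(expected - found),
        "false_positives": len(found - expected),
        "recall": len(hits) / len(expected),
    }


def compare_tools(tool_a, tool_b, root):
    """Method 2: do two tools report the same set of files (by content hash)?"""
    a = {sha256(p) for p in tool_a(root)}
    b = {sha256(p) for p in tool_b(root)}
    return {"agree": a == b, "only_a": len(a - b), "only_b": len(b - a)}


def demo():
    """Build the corpus in a scratch directory and run both validation methods."""
    root = tempfile.mkdtemp()
    targets, _ = build_test_image(root)
    return {
        "magic": score_tool(tool_by_magic, root, targets),
        "extension": score_tool(tool_by_extension, root, targets),
        "comparison": compare_tools(tool_by_magic, tool_by_extension, root),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

When two tools disagree, the "only_a"/"only_b" counts point at the files to examine by hand before either tool's result goes into a report.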

Investigator Quality Control

Just as the laboratory must maintain quality, you have to maintain the quality of your individual analysts and investigators. Quality of forensics personnel includes ensuring they have the appropriate training and education. It also involves ensuring that they have a clean background.

Training and Education

Obviously, you need to ensure that all investigators are properly trained, but what exactly does that mean? Unfortunately, the field of cyber forensics is not as clearly defined as other fields, for example, medicine. If you are seeking a registered nurse, there is a state licensing requirement that clearly defines the qualifications and even mandates continuing education requirements. That is not the case for forensic personnel. So there is some ambiguity as to what is required. In this section, we will discuss various training, educational, and certification qualifications one might seek in a cyber forensic analyst. However, the analyst does not need to have all of these. You should look for a combination of factors that indicate competence.

The first issue is college education. Until recently, there were no college majors for cyber forensics. Now, many universities have such degrees.[9,10,11,12] Obviously, having such a degree would be a good sign that the analyst was competent. However, there are a few issues with such degrees. The first is that there are so few accredited universities offering such degrees and they are so new, that it is unlikely many of your prospective analysts will have one. The second is that since these programs are so new, it is difficult to tell which ones are of the best quality.

NOTE Cyber security and cyber forensics are hot topics. This has led to a number of unaccredited institutions offering related degrees. In the United States, regional accreditation is the accreditation that is needed for any school. Claims of national or international accreditation are of little use. I cannot recommend acquiring a degree from any school that is not regionally accredited.

Usually, a computer-related degree or a degree with a significant amount of computer-related courses is desired. For example, it is common for business majors to take a number of computer courses. You may also find someone who has majored in criminal justice but also took computer science courses.

In addition to degrees, the computer industry is replete with certifications. This book is designed to help one study for the (ISC)²’s Certified Cyber Forensic Professional exam. Obviously, that is one certification that is desirable in a cyber forensic specialist. But there are others. It would be impossible to discuss all relevant certifications here, so we will only mention the most widely recognized.

     CISSP The Certified Information Systems Security Professional, also from the (ISC)², is one of the oldest and most widely recognized security-related certifications. It is a general certification and is not specific to forensics.

     CompTIA Security+/CASP The Computing Technology Industry Association has its Security+ certification. Many experts regard this as CISSP Lite. It covers the same domains as CISSP, but with less depth. It is appropriate for those with about two years of experience. CompTIA has also added its Advanced Security Practitioner (CASP) certification test, which is very thorough.

     EC Council Certifications The EC Council has two relevant certifications. The first is their Certified Ethical Hacker certification. This teaches the basics of hacking. If a forensic investigation involves allegations of hacking, it is always good if the investigator has a working knowledge of hacking techniques. They also have their Certified Hacking Forensic Investigator certification, which is a general forensic certification.

     Vendor Certification If an investigation involves a specific product, it is never a bad thing to have training in that product. For example, if you are certified in Microsoft Windows Server 2012, that knowledge would be useful when investigating a Windows Server. Similarly, if an investigation involves a Cisco router, then having some level of training in Cisco products is desirable.

     EnCase Certified Examiner Certification Guidance Software, the creator of the EnCase software, sponsors the EnCase Certified Examiner (EnCE) certification program. This certification is open to the public and private sectors. It focuses on the use and mastery of system forensics analysis using EnCase. For more information on EnCE certification requirements, visit www.guidancesoftware.com.

     AccessData Certified Examiner AccessData is the creator of Forensic Toolkit (FTK) software. This company sponsors the AccessData Certified Examiner (ACE) certification program. ACE certification is open to the public and private sectors. This certification is specific to use and mastery of FTK. Requirements for taking the ACE exam include completing the AccessData boot camp and Windows forensic courses. For more information on ACE certification, visit www.accessdata.com.

In addition to industry certifications, there are professional development and continuing education courses. We already mentioned the ASCLD continuing education courses. Most colleges and universities offer continuing education or professional development short courses in a variety of computer science-related topics. The popular online site edX offers online courses from major universities such as MIT and Harvard. Many of these courses are related to computer science, engineering, and even law. Clearly, such courses should also be considered when evaluating a potential investigator.

Also, many organizations provide training to their staff. I have on more than one occasion conducted such courses for government agencies such as the U.S. Secret Service. These courses are not college courses, or even certification courses, but do serve to increase the knowledge and skillset of the students. Similarly, many vendors such as Microsoft, AccessData, etc., provide training in their specific products.

So who is the ideal forensic investigator? Obviously, one who combines all of these elements. However, that is unrealistic. For example, you might have an investigator with an unrelated degree, or even no degree, but who has had extensive professional training and has multiple certifications, including CISSP and CCFP. This person should at least be considered for the position of forensic analyst. What you are seeking is a clear indication that the individual possesses two things:

     • A working basic knowledge of relevant computer science topics such as operating systems, networking, hardware, etc. This could be demonstrated by a computer science-related degree or a related minor. It could also be demonstrated by industry certification or years of experience in a related job such as technical support.

     • A solid understanding of cyber forensics. This can also be demonstrated by appropriate college courses, corporate training, or certifications such as the CCFP.

Background Checks

When your forensic analysts are law enforcement personnel, the background check has already been done as part of their hiring, so the issue is moot. However, there are more and more civilian labs. It is important that you conduct the same level of scrutiny that would be applied for a military clearance, such as a Secret clearance, or a law enforcement background check.

Obviously, you would prefer someone with no issues in their past. And any felonies, any computer-related crimes, and any financial crimes should be automatic disqualifiers. But are there “gray areas”? Yes, there are. For example, simple possession offenses, trespassing, etc., may be something you can accept, provided

     • The incident was several years ago

     • It was a misdemeanor charge

     • There have been no other crimes

Some organizations also perform a credit check. It is not necessary that a forensic analyst have perfect credit. The theory behind the check is twofold. First, someone in extremely dire financial problems might be susceptible to bribery. In addition, someone with habitual credit issues might be irresponsible. Whether or not you agree with those two statements, credit checks are often part of background checks.

The other issue involves updating the background check. Just because someone had a clear background when you hired them ten years ago does not mean their background is still clear. The federal government uses the following standard for background checks on personnel with security clearances:13

        An individual is normally subject to periodic reinvestigation at a minimum of every 5 years for a Top Secret level clearance and every 10 years for a Secret level clearance.

This is a good model to follow. Periodic rechecks, whether it be every five years or every ten, can help avoid difficult situations.

You may wonder why a background check is so important. The answer involves two reasons. First, someone who has committed serious crimes should not be trusted to investigate crimes. That should be fairly obvious. Another reason is that any issues in your analyst’s background can be used by opposing counsel to damage that investigator’s credibility.

Depending on how thorough a background check you need, you have a number of options when conducting one. Usually, a private investigator is hired to do a background check, and the person you are checking signs a release authorizing the investigator to gather criminal and other records. Any reputable private investigator in your area can do this for you. You can even conduct one yourself:

     • Most counties now have court records online. Run the analyst’s name through the court records of every county they list as a residence on their résumé.

     • Check using search engines such as Google, as well as social media like Facebook.

     • Call all references, past jobs, colleges, etc.

NOTE From time to time, I work with law firms as an expert witness in computer-related cases. When a law firm is considering hiring me, one of the first steps is to ask about my background, including criminal, drug, mental health, etc. They want to know that their witness is credible and won’t be made to look untrustworthy on the stand. If you want to work in forensics, it is important that your conduct be above reproach.

Examination Quality Control

If the laboratory has maintained quality standards and the investigator is a competent, qualified person with a clean background, does this automatically mean the individual examination is of sufficient quality? The answer is no. Anyone can make an error. This is why you also need to apply quality standards to each and every investigation your lab performs.

We already mentioned the best way to ensure quality of individual examinations, and that is to repeat the examination. Ideally, the re-examination would be by a different examiner using different tools, completely repeating the entire examination. However, in the real world, most labs are backlogged with cases and cannot do this. There must be a balance between the need for quality control and the need to process evidence expeditiously. Usually, a compromise is made that consists of three parts.

Supervisor Review

For every examination, a supervisor should review the case notes and forensic report to ensure that the process documented matches the lab’s standard operating procedure (SOP) and that no anomalies are present. If the supervisor is the one doing the initial examination, then someone else in the lab should review that supervisor’s notes and report. This type of quality control is efficient and, done carefully, effective. These reviews are also often called administrative reviews.

EXAM TIP The test also discusses peer review. This is similar to a supervisor review or a spot check. It simply is done by one of your colleagues rather than a supervisor or administrator. It is never a bad idea to have a colleague check your results and your methodology.

Spot Checking

In addition to supervisor review, individual tests from individual cases should be periodically retested by a colleague or supervisor. If these spot checks consistently yield the same results as the initial examination, that is a strong indicator that proper procedures are being followed and quality is being maintained. Any deviation would necessitate that the entire case be reprocessed.

Major Case Re-examination

When a case is of preeminent importance, it may be necessary to have a complete re-examination. This could be a situation where the case is one in which mistakes, even the most trivial, are simply not acceptable. Ideally, all cases would be treated in this way, but that is usually impractical. So your lab manager may determine specific cases that are of such critical importance that a complete re-exam is required.

In all cases of examination quality control, the results should be documented. It is important for a lab to know just how effective its quality control measures are. For example, supervisor reviews might pass 99.9 percent of examinations, while spot checks pass only 98 percent. That could indicate a real gap between what the examinations actually did and what the reviews caught, or it could simply mean that the cases selected for spot checks happened to contain a greater-than-average number of errors. Whatever the cause, it should be investigated.
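The two explanations above can be told apart only by looking at how many spot checks were actually run. As an added illustration (example code written for this discussion, not from the book or any lab’s QC system), the following Python script treats the supervisor-review failure rate as the lab’s claimed rate and asks how likely the observed spot-check failures would be if that rate were true. The QC log is constructed for the example: 2,000 supervisor reviews with two deficient cases (99.9 percent clean) and 50 spot checks with one deficient case (98 percent clean). The function names and the 5 percent significance threshold are assumptions of the example.

```python
from math import comb

# Constructed QC log for the example (not real lab data): (case id, passed?).
# Supervisor reviews: 2,000 cases, two found deficient -> 99.9 percent clean.
SUPERVISOR_REVIEWS = [(f"C{i:04d}", i not in (41, 1411)) for i in range(1, 2001)]
# Spot checks: every 40th case re-examined, 50 cases, one found deficient -> 98 percent clean.
SPOT_CHECKS = [(f"C{i:04d}", i != 41) for i in range(1, 2001, 40)]


def error_rate(records):
    """Return (failures, total, failure rate) for a list of (case id, passed) records."""
    failures = sum(1 for _, passed in records if not passed)
    return failures, len(records), failures / len(records)


def prob_at_least(n, k, p):
    """Binomial tail: probability of at least k failures in n independent checks
    when each examination is deficient with probability p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def gap_explained_by_chance(review_records, spot_records, alpha=0.05):
    """Use the supervisor-review failure rate as the claimed rate and compute how
    likely the observed spot-check failure count is under it.

    Returns (p_value, consistent). consistent is True when the gap between the two
    rates is plausibly sampling noise at significance level alpha; a small
    spot-check sample can look much worse than the reviews without any real
    process deviation, and this check quantifies that.
    """
    _, _, claimed_rate = error_rate(review_records)
    failures, n_checks, _ = error_rate(spot_records)
    p_value = prob_at_least(n_checks, failures, claimed_rate)
    return p_value, p_value >= alpha


if __name__ == "__main__":
    print("supervisor reviews (failures, total, rate):", error_rate(SUPERVISOR_REVIEWS))
    print("spot checks (failures, total, rate):", error_rate(SPOT_CHECKS))
    p_value, consistent = gap_explained_by_chance(SUPERVISOR_REVIEWS, SPOT_CHECKS)
    print(f"p-value {p_value:.4f}; consistent with sampling noise at 5 percent: {consistent}")
```

With these numbers the p-value comes out at roughly 0.049, just under the 5 percent line: one failure in 50 spot checks is unlikely, but not wildly so, if the true deficiency rate really is 0.1 percent. That borderline result is exactly why the text says to investigate whatever the cause; the calculation tells the lab manager how much weight the spot-check figure can bear, and that more spot checks are needed before concluding that the supervisor reviews are missing errors.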

Chapter Review

In this chapter, we discussed the importance of planning your investigation. It cannot be overstated that cyber forensic investigations need to be planned and properly executed. This is a science, not an art. We also discussed the details of case notes, forensic reports, and expert reports. While the CCFP exam does not place a great deal of emphasis on the differences between those documents, these issues will be of critical importance in your career.

We also discussed quality control standards for cyber forensics. This is a critical topic for the CCFP exam and for your career. It is important that we maintain quality in the lab, with the individual investigators, and during each and every examination.

Questions

    1. Which of the following does not need to be in the forensic investigation plan?

        A. How to collect the evidence

        B. Who to submit the report to

        C. How to safeguard the evidence

        D. The procedures for analyzing the evidence

    2. Which type of exam validation primarily tests to see if the case notes/report match SOP?

        A. Supervisor review

        B. Spot check

        C. Document review

        D. Intrinsic review

    3. What does it mean to validate your findings?

        A. To ensure they meet Daubert standards

        B. To ask a colleague if they agree with your findings

        C. To repeat the test

        D. To re-read your notes to see if you followed SOP

    4. The ASCLD is primarily concerned with:

        A. Standards for forensic investigators

        B. Standards for forensic training

        C. Standards for forensic testing

        D. Standards for forensic labs

    5. Which of the following would be least likely to disqualify a forensic investigator?

        A. A misdemeanor charge for hacking into a computer in college

        B. A felony charge for check fraud

        C. A misdemeanor charge for trespass while in college

        D. Multiple recent credit issues, including repossessions and foreclosures

Answers

    1. B. The plan should include how to collect the evidence, safeguard the evidence, and analyze the evidence.

    2. A. The supervisor review involves reviewing all case notes and the report to see if they are in compliance with SOP.

    3. C. So how do you validate your findings? The answer is actually simple. Repeat the test, preferably with a different tool.

    4. D. The ASCLD is for certifying forensic labs.

    5. C. A is not the right answer because any computer crime is a concern for a cyber forensics investigator. B is a felony, and these automatically disqualify forensic investigators. D involves recent and repeated financial problems, and this was specifically discussed in the chapter.

References

    1. https://www.ncjrs.gov/pdffiles1/nij/199408.pdf.

    2. http://digital-forensics.sans.org/blog/2010/08/25/intro-report-writing-digital-forensics/.

    3. http://www.rcfl.gov/.

    4. http://www.rcfl.gov/DSP_T_CoursesLE.cfm.

    5. http://www.rcfl.gov/Downloads/Documents/Benefits_of_Participation.pdf.

    6. http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=1159&Itemid=217.

    7. http://www.ascld-lab.org/training/.

    8. http://www.ascld-lab.org/preparation-course-for-testing-labs/.

    9. http://www.umuc.edu/academic-programs/masters-degrees/digital-forensics-and-cyber-investigations.cfm.

  10. http://www.amu.apus.edu/academic/programs/degree/1409/graduate-certificate-in-digital-forensics.

  11. http://www.shsu.edu/programs/master-of-science-in-digital-forensics/.

  12. http://www.mssu.edu/academics/programs/computer-forensics.php.

  13. http://www.state.gov/m/ds/clearances/c10977.htm#14.
