Chapter 8. The Difference between Computer Experts and Digital Forensics Experts

Information in this chapter:

• The computer expert
• The digital forensics expert
• A side-by-side comparison
• Investigation of digital evidence

With the ready access to computer technology and the explosion of people who support that technology, a gap has formed between those who know and those who do not. Because computer and digital technology has grown so rapidly in just a matter of a few years and become an integral part of our society, we have a technology generation gap. Those who were not raised with computers tend to be left behind in the understanding of how these devices work. The problem is that people who know something about computers appear to know more than they actually do. The ability to fix your computer, help you get hooked up to the Internet, or even restore your crashed computer has no bearing on forensically examining a computer. In this chapter we explain the differences between digital forensics experts and computer experts.
Keywords
Computer Expert, Computer Forensics Expert, Forensic Examination, Investigation, Legal, Technical

Introduction

Digital forensics is a specialized area that encompasses technical, legal, and investigative knowledge. The area of computer expertise is a specialized area that encompasses technical knowledge about the planning, deployment, support, diagnosis, and repair of computers.
While the technical knowledge required to perform the two different types of work does overlap in a very limited way, the technical knowledge specific to digital forensics is focused on working within the legal system, whereas general computer expertise is not.

8.1. The computer expert

The field of computer technology is very broad and can include computer hardware, software, networking, and security. Depending on the individual person’s background and training, they may be a hobbyist who “tinkers” with computers or a highly specialized information technology support professional who designs and implements large-scale storage solutions, provides network security solutions, designs and writes software, and anything in between.
There are literally hundreds of thousands of technicians out there who fit somewhere in the range between tinkerer and specialized support professional. However, bear in mind that a software expert may have little or no knowledge of computer hardware.
The term “software expert” refers to persons who perform functions ranging from a QuickBooks consultant who sets up and configures that financial information for a small business to a person who actually creates software applications from scratch for end users. A person who is a software expert in this sense will probably not be someone who can set up and configure a server in a network.
This has become more prevalent as the number of specialized applications and systems has increased. In a large organization you are likely to find specialists on staff who are dedicated to handling a small set of the overall infrastructure. For instance, in a large IT (information technology) department, you may have persons dedicated to supporting, maintaining, and upgrading only e-mail servers or backup servers, or maintaining the database servers. There may be another person dedicated solely to network security who maintains firewalls and remote access to the network, and who monitors the network for intrusions and malware such as viruses and Trojan horses.
Software developers are more focused on designing applications for use by end users or for middleware. Website developers are focused on the mechanics of web applications and work hand in hand with designers who determine how the website will look and feel to a visitor.
Of course there are always exceptions, and some people have the ability to become a generalist and even develop a high level of expertise in several areas.
Computer hardware maintenance has become simpler over the years at the desktop level, but more complicated at the enterprise level. In the 1990s, building a computer from component parts was complicated. In those days one had to purchase a computer mainboard, a compatible processor, and compatible memory. That part has not changed at all. However, in the mid- to late 1990s, having integrated components such as the video card, network adapter, modem, and sound card was a rarity. Today, it is the norm for a computer mainboard to have all of the components built in at the factory so all you have to do to build a computer from scratch today is purchase the mainboard, processor (CPU), the memory (RAM), a hard drive, a DVD drive, and a computer case. Assembling a computer like this takes just a few minutes from unpacking the components to first startup.
Gone are the days when the technician had to manually set jumper switches on the mainboard for the processor speed and then install a bunch of add-in cards for the video, audio, networking, and modem and hope they would all actually work.
The same specialization applies to a networking engineer. Someone who works on personal computers may have good knowledge of the operating system software and of installing applications, and knowledge about the hardware of the computer; their expertise is in making a computer work, and fixing it when it does not.
It is very easy to make the mistake of thinking that someone who provides computer support services can also provide forensic analysis services. The mindset of a computer support person is to approach a computer by asking what is wrong with it, rather than asking what on it is of evidentiary value.
As shown in Fig. 8.1, a computer expert’s focus and knowledge base is directed toward installing, maintaining, and repairing computer systems. While a computer support person may have the skills to recover a client’s lost data, that is only one small area of computer forensics. Data recovery software is available off the shelf at most major computer stores. However, for that ability to cross over into the realm of computer forensics, the person handling the data recovery must understand and be able to explain exactly what the recovery tool is doing and how it does it.
[Figure 8.1: Knowledge areas of computer support personnel (image not available)]

8.2. The digital forensics expert

Digital forensics examiners may or may not come from a background of working with computers. Many law enforcement examiners start out as police officers who do not have computer backgrounds, but who are selected for various reasons and then attend training for computer forensics. Others begin life as computer support people and subsequently get training in forensics.
Having in-depth knowledge of computers and software in general is not a prerequisite for a digital or computer forensics examiner. It can certainly be a plus, but it is not a requirement. A computer forensics examiner is trained to work with specialized tools to perform recovery of data and to analyze that data in a forensic manner. What that means is that a computer forensics examiner is focused on the examination of recovered data from an evidentiary standpoint. What does the evidence mean in light of the case at hand? The computer forensics examiner must be able to determine facts about the data, not just recover the data.
What matters in the training and development of a computer forensics expert is the focus on the handling of evidence, the investigation of the alleged acts, working within the law, and the ability to present findings in a legal matter.
To give an example, suppose that your client is accused of deleting data from a hard drive after a preservation hold has been put in place. Furthermore, add in the fact that when the computer is examined, a file-wiping software program is discovered to have been on the computer.
Examiner 1, who is a computer support person with no forensics training, examines the hard drive, runs a file recovery software application against the hard drive, and recovers hundreds of deleted files. Then in his report, he states that because the computer had file-wiping software installed on the computer, he was not able to open all of the recovered files. During his examination, he also operates the client’s computer.
In his report Examiner 1 states the opinion that the computer owner had last run the file-wiping software two days after the court hearing. He also states that the file-wiping software permanently deletes files. Lastly, he states that because the file-wiping software was run two days after the court hearing, he could not open some of the files he recovered.
Examiner 2, who is a trained forensics examiner, also examines the hard drive from the client’s computer. However, Examiner 2 first removes the hard drive and makes a forensic copy without ever turning the computer on. He then examines the hard drive forensic copy and also recovers hundreds of deleted files. He notes that the only evidence of a file-wiping program is the empty directory where the file-wiping software was installed. Inside that folder, he notes that the only file remaining is a system file with a date that is two days after the court hearing on the preservation order.
Next he locates and downloads a copy of the same version of the file-wiping program onto a clean test computer and then runs the software and subsequently uninstalls the software to determine how it works and what it does when it is uninstalled. He also determines that while the computer was in the custody of Examiner 1, over ten thousand files were accessed on the client’s computer.
Examiner 2 determines that the file-wiping software is designed to permanently delete files by overwriting them with zeroes. By examining the raw data on the hard drive forensic copy, he notes that the blocks of repeated zeroes that overwriting would leave behind are not found in the areas where the recovered files reside.
Examiner 2 concludes that the file-wiping program was removed from the computer two days after the court hearing. He also concludes that the file-wiping software, while present, did not prevent the recovery of thousands of files, indicating that the software was never run against the client’s drive to remove files of interest. He also concludes that if the file-wiping program had been run against the drive, the evidence of that would be the presence of a known overwrite character repeated in sections of the raw data on the hard drive, and this was not present.
Examiner 2 notes that the conclusions of Examiner 1 contradict one another: a file that had been permanently overwritten could not have been recovered, and a file that was recovered had not been overwritten. Whether a recovered file can be opened depends on whether its contents are intact, not on whether a wiping program was installed at some point.
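The check Examiner 2 performs in this scenario can be expressed as code. The block below is an added example, not part of the chapter and not the output of any real wiping or forensic tool: it scans a raw image for sector-aligned runs of a single repeated byte (the trace an overwrite-with-zeroes tool leaves) and then cross-references each run against file system metadata. That second step is the caveat a practitioner would insist on: space that was never written to is also zero-filled on most drives, so a run of zeroes is only consistent with a wipe when the directory or MFT records say a file once occupied that space. The image, the file extents, the sector size and the fill byte are all constructed for the demonstration. A tool that overwrites with random data defeats this particular check; in that case the signal is allocated extents whose contents have no recognisable file structure, which this example does not cover.

```python
"""Added example, not from the chapter: detect the trace a zero-fill wiping
tool leaves in a raw disk image and separate it from never-written space.
The image, the file table and the wiped region are constructed in memory."""
import random

SECTOR = 512        # bytes per sector, assumed for the constructed image
FILL_BYTE = 0x00    # overwrite byte the hypothetical wiping tool uses


def build_sample_image(seed=7):
    """Constructed image: a live text file, a file that was wiped with
    zeroes, incompressible data, and never-written space at the drive end."""
    rng = random.Random(seed)
    report = (b"Quarterly report: revenue figures attached.\r\n" * 200)[:8 * SECTOR]
    wiped_memo = bytes([FILL_BYTE]) * (16 * SECTOR)   # the wiped file
    archive = bytes(rng.getrandbits(8) for _ in range(12 * SECTOR))
    never_used = bytes([FILL_BYTE]) * (6 * SECTOR)    # factory-fresh sectors
    return report + wiped_memo + archive + never_used


# Constructed stand-in for file system metadata: (start, end, name) byte
# extents that directory entries or MFT records say once held a file.
SAMPLE_EXTENTS = [
    (0 * SECTOR, 8 * SECTOR, "report.txt"),
    (8 * SECTOR, 24 * SECTOR, "memo.doc"),
    (24 * SECTOR, 36 * SECTOR, "backup.zip"),
]


def find_fill_runs(image, fill=FILL_BYTE, sector=SECTOR, min_sectors=4):
    """Return [(start, end)] byte ranges covering >= min_sectors consecutive
    sectors that consist only of the fill byte."""
    pattern = bytes([fill]) * sector
    runs, run_start = [], None
    n = len(image) // sector
    for i in range(n + 1):                      # one extra step flushes the last run
        hit = i < n and image[i * sector:(i + 1) * sector] == pattern
        if hit and run_start is None:
            run_start = i
        elif not hit and run_start is not None:
            if i - run_start >= min_sectors:
                runs.append((run_start * sector, i * sector))
            run_start = None
    return runs


def classify_runs(runs, extents):
    """Split fill runs into those overlapping space the file system says was
    allocated to a file (consistent with a wipe) and those in space that was
    never allocated (expected on any drive that was not completely full)."""
    candidates, expected = [], []
    for start, end in runs:
        owners = [name for (s, e, name) in extents if s < end and start < e]
        (candidates if owners else expected).append((start, end, owners))
    return candidates, expected


def wipe_report(image, extents):
    """Summarise what the image does and does not show about wiping."""
    candidates, expected = classify_runs(find_fill_runs(image), extents)
    allocated = sum(e - s for s, e, _ in extents)
    wiped = sum(e - s for s, e, _ in candidates)
    return {
        "wipe_candidates": candidates,
        "unallocated_fill": expected,
        "allocated_bytes_not_wiped": allocated - wiped,
    }


if __name__ == "__main__":
    rep = wipe_report(build_sample_image(), SAMPLE_EXTENTS)
    for s, e, owners in rep["wipe_candidates"]:
        print(f"fill run {s:#x}-{e:#x} inside {owners}: consistent with a wipe")
    for s, e, _ in rep["unallocated_fill"]:
        print(f"fill run {s:#x}-{e:#x} in never-allocated space: no wipe inference")
```

Examiner 1's report in the scenario makes no such distinction, which is one concrete reason his conclusions cannot be defended under cross-examination: without the cross-reference, a blank region of the drive and a wiped file look identical.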
Figure 8.2 illustrates the focus of digital forensics experts on the areas of technical knowledge, investigative techniques, and the legal system.
[Figure 8.2: Knowledge areas of digital forensics (image not available)]

8.3. A side-by-side comparison

While both the computer expert and the forensics expert will both need technical knowledge, they differ markedly in the type and scope of the technical expertise needed to perform their functions.
Table 8.1 is a very small sampling of the technical differences between computer expertise and digital forensics expertise. The take-away from this is that while both disciplines have a technical foundation, they are not the same. Computer expertise begins with establishing a technical foundation of knowledge needed to provide and maintain computer infrastructure for computer users and does not have a requirement for the needed technical expertise specific for forensic handling and analysis of digital evidence. Computer forensics expertise requires technical training in forensic analysis techniques to examine file data, file system metadata, operating system artifacts, and discrete file evidence.
Table 8.1 Technical Expertise Comparisons

Computer expert: Installation and setup of computers, software, and networking
Forensics expert: Forensically sound acquisition of digital evidence

Computer expert: Disaster recovery of failed systems from backups
Forensics expert: Forensic data recovery from multiple media types, including backups

Computer expert: Troubleshooting and repairing computer problems
Forensics expert: Forensic data analysis

Computer expert: Removal of virus, malware, and Trojan horse software from infected computers, not the evidentiary effect of such programs
Forensics expert: Determination of the effect of virus, malware, and Trojan horse software on digital evidence, not for the purpose of removing such programs

Computer expert: Installation and maintenance of software applications for the end user
Forensics expert: Examination of artifacts left behind by software applications for the purpose of determining the effect on evidence

Computer expert: Installation and setup of networking and Internet access for the purpose of allowing the end user to access the Internet or work network
Forensics expert: Examination of Internet artifacts in investigations for the purpose of determining their evidentiary value

Computer expert: Formatting and using various file systems for the purpose of installing operating systems such as Windows, Mac OS, or Linux
Forensics expert: In-depth knowledge of how file systems work at the lowest level for the purpose of locating and examining artifacts recorded by the operating and file systems

Computer expert: Works with the common file systems of DOS, Windows, Linux, and Mac for the purpose of installing software, finding files, and making backups
Forensics expert: Understands and can use forensic image formats such as Expert Witness (EnCase E01), raw dd images, AccessData images, and SMART images for the purpose of chain of custody, authentication, and verification of evidence

Computer expert: Can make backups of hard drives, files, and directories for the purpose of recovering lost documents for business continuation; such backups do not include deleted data
Forensics expert: Can make forensic copies of entire physical media, including all deleted data, for the purpose of forensic analysis
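The last two rows of Table 8.1 are the ones most often misunderstood by clients, so the added example below models them directly. It is not the chapter's code or any vendor's tool: a toy disk with a flat sector array and a directory stands in for a real file system, deleting a file drops the directory entry and frees the sectors but leaves the bytes in place (which is what most file systems do), and the example then contrasts a file-level backup of that disk with a sector-level image of it. The image carries the SHA-256 hash recorded at acquisition so it can be re-verified before and after analysis, which is the verification and authentication role the table assigns to forensic image formats. Disk contents, file names and sector size are all constructed for the demonstration.

```python
"""Added example, not from the chapter: a file-level backup versus a
physical image of the same constructed toy disk, and hash verification of
the image. Nothing here is a real file system or a real imaging tool."""
import hashlib

SECTOR = 512   # bytes per sector, assumed for the toy disk


class ToyDisk:
    """Constructed disk: a sector array plus a directory of name -> sectors.
    delete_file() behaves like most real file systems: the directory entry
    goes away and the sectors are marked free, but the bytes stay."""

    def __init__(self, n_sectors):
        self.sectors = [b"\x00" * SECTOR for _ in range(n_sectors)]
        self.directory = {}
        self.free = list(range(n_sectors))

    def write_file(self, name, data):
        needed = -(-len(data) // SECTOR)          # ceiling division
        idx = [self.free.pop(0) for _ in range(needed)]
        for k, i in enumerate(idx):
            self.sectors[i] = data[k * SECTOR:(k + 1) * SECTOR].ljust(SECTOR, b"\x00")
        self.directory[name] = idx

    def delete_file(self, name):
        self.free = sorted(self.free + self.directory.pop(name))

    def read_file(self, name):
        return b"".join(self.sectors[i] for i in self.directory[name]).rstrip(b"\x00")

    def raw(self):
        return b"".join(self.sectors)


def logical_backup(disk):
    """What a computer expert's backup copies: the files the directory lists.
    Nothing in unallocated space comes along."""
    return {name: disk.read_file(name) for name in disk.directory}


def physical_image(disk):
    """What a forensic acquisition produces: every sector, allocated or not,
    together with the hash recorded at acquisition time."""
    raw = disk.raw()
    return {"data": raw, "sha256": hashlib.sha256(raw).hexdigest()}


def verify_image(image):
    """Re-hash and compare with the acquisition hash. A mismatch means the
    copy can no longer be shown to be the data that was acquired."""
    return hashlib.sha256(image["data"]).hexdigest() == image["sha256"]


def carve(data, marker):
    """Minimal keyword carve over a byte string, unallocated space included:
    every offset at which marker occurs."""
    hits, pos = [], data.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = data.find(marker, pos + 1)
    return hits


def demo():
    """Write two files, delete one, then compare backup and image."""
    disk = ToyDisk(n_sectors=32)
    disk.write_file("memo.txt", b"MEMO: ship the customer list to personal email\n")
    disk.write_file("notes.txt", b"nothing to see here\n")
    disk.delete_file("memo.txt")
    backup = logical_backup(disk)
    image = physical_image(disk)
    return {
        "backup_has_memo": "memo.txt" in backup,
        "image_verified": verify_image(image),
        "memo_offsets_in_image": carve(image["data"], b"MEMO:"),
        "memo_offsets_in_backup": carve(b"".join(backup.values()), b"MEMO:"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deleted memo survives in the image because nothing has reused its sector; had a later file been written over it, the carve would miss it, and that is exactly the point where recovering data stops and interpreting it begins. The hash check is the piece a computer expert's backup has no counterpart for: it lets a second examiner confirm, years later, that the copy under analysis is byte-for-byte what was acquired.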
Table 8.2 begins to show the gap between the expertise of a computer expert and a digital forensics expert. This is a critical distinction when dealing with digital evidence in legal matters where your case may hinge on adhering to proper chain of custody, evidence handling, and whether or not evidence was obtained within the scope of a warrant or court order. The reason this is so important is that during the voir dire process of qualifying someone as a computer forensics expert, these areas will be addressed by the court through examination of the expert’s work history, specific forensics training, specific forensic certifications, prior testimony, and prior publications.
Table 8.2 Legal Expertise Comparisons

Forensics expert: Chain of custody
Computer expert: Unlikely

Forensics expert: Search warrant affidavits
Computer expert: None

Forensics expert: Discovery motions and subpoenas
Computer expert: None

Forensics expert: Assist with trial preparation
Computer expert: Unlikely

Forensics expert: Can qualify as a computer forensics expert in court
Computer expert: May qualify as a computer expert in court

Forensics expert: Adheres to ethics guidelines for forensics examiners
Computer expert: Not applicable

8.4. Investigation of digital evidence

Computer experts do not have a need to understand examination of digital evidence. No computer training course deals with this type of knowledge, nor should it.
If you attend computer training courses, you will find that the focus is on a specific topic such as using Windows, or writing applications, installing server software, or implementing network security. Whether the course is covering software development or installation and maintenance of a server, the ultimate goal is always to provide a service to end users.
Once a person begins to attend courses related to obtaining electronic evidence and subsequently examining that evidence, they are crossing over into the forensics side. For example, a course of study in network security normally progresses from simply setting up perimeter devices such as firewalls to analyzing the logs of the firewalls and intrusion detection systems, as well as server logs, to determine attack vectors, culpability, and remediation of a breach. That second stage is network forensics.

8.4.1. What does it mean to “investigate”?

To the layman, investigating a computer might include determining what someone has been doing on the Internet; for example, has my employee been surfing porn on the Internet during working hours? Or perhaps, one might want to know if their spouse has been communicating with a paramour via e-mail. Are my kids going places they shouldn’t go on the Internet when they are using the home computer?
While these are investigations that digital forensics experts perform on a regular basis, the difference lies in how thorough an investigation you need and what the expected next step is.
If you are just trying to make sure your kids are safe on the Internet, a cursory review of the Internet browsing history will probably be sufficient to either confirm or assuage your fears. However, if the examination of the Internet activity on a computer is going to lead to potential legal proceedings, whether you are terminating an employee for violating your computer usage policy or planning to use evidence of an affair in a divorce proceeding, then having the ability to verify the information recovered can be critical in determining the admissibility of the evidence. Simply poking around in a computer to find this information without taking steps to protect the authenticity could result in losing your case.
In complex cases involving civil litigation where documents or e-mails are going to be a factor in determining the outcome of the case, the correct analysis could mean the difference between winning and losing. What this means is that beyond the recovery of a piece of evidence, the next step is to properly frame that evidence through correct interpretation. In other words, you can rarely look at a piece of electronic evidence in isolation. Suppose that you have a client accused of stealing corporate data. You hire someone to examine the computer to determine if the accusations have any merit. The questions that must be answered in such a case are as follows:
1. Was the data ever present in the first place in an area to which the user had access?
2. If it was, what is the evidence that the user took a copy of the data?
3. Does evidence of the data being located on an external hard drive prove that the user “copied” the data for a nefarious reason?
4. If you find evidence that an external storage device such as a USB stick was inserted into the computer, does that alone prove anything?
One of the most important factors in any investigation into digital evidence is user attribution. In other words, can you prove that the person accused is the person who was actually at the keyboard? In forensic examinations of digital evidence, the need to not only find a piece of evidence, but also determine who created that piece of evidence involves delving into the what, when, how, and who of the evidence.
If something was deleted, can you find it? Can you determine when it was actually deleted? Can you determine who deleted it? Is it possible to prove ownership of the deletion itself? Very few systems have any type of specific logging turned on that will record who modifies a file. In the case of a personal computer where the user does not have a password protecting their individual account, attributing the deletion to that person becomes extremely difficult.
These are all basic questions that must be answered, if they can be answered, in any digital forensics investigation. To simply say, “I found this on Sally’s computer” is not enough to ensure that your evidence will be allowed, or that you can show that Sally actually is the one who put that e-mail or document or picture on the computer.
When one gets into the actual investigation and examination of computer or other digital evidence, the complexity increases by orders of magnitude when an examiner must not only locate the evidence, but find all the facts surrounding that piece of evidence. Who was logged on to the computer at the time the evidence was created? Was the account password protected? Is the date accurate? Is it relevant? Was the original evidence protected when this item was located to ensure that the evidence wasn’t modified or planted? Did the person who examined the computer have a legal right to do so?
Dealing with these types of questions is the area where the differences between a computer expert and a digital forensics expert begin to really assert themselves. Does the person you are considering using to perform a computer forensics examination have the background and training to ensure that the results will be legally obtained, properly protected, completely analyzed, and ultimately allowed in court?

Summary

This chapter examined the differences between computer experts and digital forensics experts, delving into the technical, legal, and investigative aspects of their training and experience. Information in this chapter also touched on the basics of the examination of digital evidence.