What Is the Role of a Computer Forensic Examiner?

Computer forensics is a fairly new field. It is only a few decades old, but is growing quickly. In 1984, the U.S. Federal Bureau of Investigation (FBI) began creating software programs to collect computer evidence.5 In 1990, the International Association of Computer Investigative Specialists (IACIS) was formed. The IACIS, the oldest computer forensic professional group, was the first group dedicated to computer forensics.6

The first international conference on computer forensics was held in 1993. In 1995, the International Organization on Computer Evidence (IOCE) was formed. Although the IOCE no longer exists, it created some of the earliest guiding principles for computer forensic examiners. In the United States, the Scientific Working Group on Digital Evidence (SWGDE) was created in 1998 to participate in IOCE efforts.7

NOTE

The scientific method is a way to answer questions in a repeatable and verifiable way. It is a formal method of investigation.

Computer forensic examiners find evidence on electronic devices and collect it for both civil and criminal cases. They must collect this evidence in a scientific manner, regardless of the underlying case. They also must have a full understanding of various technologies, hardware, and software. An examiner helps answer who, what, where, when, why, and how.

A computer forensic examiner must have the following traits:

  • A sound knowledge of computing technologies
  • Use of the scientific method to conduct repeatable and verifiable examinations
  • Understanding of the laws of evidence and legal procedure
  • Access to computer forensic tools and the skill to use them
  • Outstanding record-keeping skills

No matter how careful they are, people always leave traces of their activities when they interact with other people and with their surroundings. This is a basic principle of forensic science known as Locard’s exchange principle. It applies to both the digital world and the physical world. If people attempt to steal electronic information or delete incriminating files, they leave electronic traces of their activities. For example, log information can document these activities. A computer forensic examiner needs to know how to find this trace evidence material, which is used to help prove a person’s actions in a computer system.

Computer forensic examiners do more than turn on a computer and search through files. They must perform complex data recovery procedures. In particular, they must:

  • Protect the data on any electronic device.
  • Avoid deleting, damaging, or altering data in any way on any electronic device.
  • Make exact copies of electronic data without altering the original device.
  • Discover normal, deleted, password-protected, hidden, and encrypted files.
  • Study data to create timelines of electronic activity.
  • Identify files and data that may be relevant to a case.
  • Fully document all evidence-collection activities.
  • Provide expert testimony on the steps taken to recover digital evidence.

NOTE

Dr. Edmond Locard was a forensics pioneer who lived from 1877 to 1966. He argued that scientific methods should be applied to criminal investigations. He believed that when people or objects interact, they transfer physical evidence to one another. Forensic scientists recover that evidence, then study and learn from it.
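Three of the duties above (copy without altering the original, verify the copy, document every step) can be shown in code. The following is an added example, not from this textbook or any forensic product: it write-protects a constructed stand-in for a device image, duplicates it, proves by SHA-256 that neither the original nor the copy differs, appends a chain-of-custody record, and lets the examiner re-verify the image later. The file names, the examiner identifier and the sample image contents are placeholders.

```python
# Added example, not from the textbook: duplicate a device image without
# altering the original, verify the copy by hash, and record each step.
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large device image never loads into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, dest, log_path, examiner):
    """Copy source to dest, verify, append a custody record; return it."""
    os.chmod(source, 0o444)  # write-protect the original (stand-in for a hardware write blocker)
    before = sha256_file(source)
    shutil.copyfile(source, dest)
    os.chmod(dest, 0o444)  # the working image is read-only too
    after = sha256_file(source)  # prove the original was not changed by the copy
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner, "source": source, "image": dest, "log": log_path,
        "source_sha256_before": before, "source_sha256_after": after,
        "image_sha256": sha256_file(dest),
    }
    record["verified"] = before == after == record["image_sha256"]
    with open(log_path, "a") as log:  # documentation of every acquisition step
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("hash mismatch: the copy is not an exact duplicate")
    return record

def reverify(path, record):
    """Before analysis or testimony: does the file still match the recorded hash?"""
    return sha256_file(path) == record["image_sha256"]

def demo():
    """Constructed sample: a small stand-in 'device image' in a temp directory."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence_disk.raw")
    with open(src, "wb") as f:
        f.write(b"MBR\x00" * 1024 + b"deleted-file-remnant" + b"\x00" * 4096)
    return acquire(src, os.path.join(work, "evidence_disk.img"),
                   os.path.join(work, "custody.log"), "examiner-placeholder")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real acquisition would use a hardware write blocker and record the device serial number and custody hand-offs as well; the record format here is only a minimal illustration of the documentation duty.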

Computer forensic examiners must have special skills beyond those of the traditional information security professional. The law requires that computer forensic examiners be competent at what they do. Examiners can show that they are competent by earning advanced degrees. They also can become certified. Because the profession is still relatively new and evolving rapidly, there are many computer forensic certifications to choose from. Both independent organizations and vendors offer them.

States and courts struggle with how to make sure computer forensic examinations are done only by competent examiners. Courts rely on legal principles and trial rules to screen examiners before they testify. Sometimes states create laws that govern the activities of these examiners. Often, computer forensic examiners are governed under the broad terms of a state’s private detective laws.

Many states regulate private detectives and investigators. They require a private detective to have a state-issued license before he or she can conduct investigations. These laws were created before computer forensics existed as a separate field. The broad language of these laws can pull computer forensic examiners within the scope of these regulated professions. This is not unusual.

Computer Forensic Examiner Certifications

There are many independent and vendor-specific computer forensic credentials. An examiner must weigh which credential best suits his or her career path. The following are popular credentials:

  • Certified Computer Examiner (CCE)—The International Society of Forensic Computer Examiners (ISFCE) offers the CCE. The ISFCE has offered the CCE, a vendor-neutral certification, since 2003. CCE holders have basic knowledge of forensic examination procedures. You can learn more at http://www.isfce.com/.
  • Certified Computer Forensics Examiner (CCFE)—The Information Assurance Certification Review Board (IACRB) offers the CCFE, which is also vendor neutral. CCFE candidates must take a written exam and a practical application test. There are nine subject-matter areas in the CCFE exam. You can learn more at http://www.iacertification.org/index.htm.
  • Certified Forensic Computer Examiner (CFCE)—The IACIS offers the CFCE. However, only law enforcement personnel may earn it. It is vendor neutral. CFCE candidates must pass an intensive practical exam. You can learn more at http://www.iacis.com/.
  • GIAC Certified Forensic Analyst (GCFA)—The Global Information Assurance Certification (GIAC) program offers the GCFA. Similar to the CCE and CCFE, this certification also tests practical knowledge. It is vendor neutral. GIAC offers several certifications related to digital forensics. You can learn about GIAC at http://www.giac.org/.

Some forensic software vendors offer certifications for their products. For example, EnCase is a popular forensic tool sold by Guidance Software. It offers the EnCase Certified Examiner (EnCE) credential. The EnCE exam has a written section and a practical section. The practical section covers use of the EnCase forensics program. You can learn more at https://www.opentext.com/products-and-solutions/services/training-and-learning-services/encase-training/examiner-certification.

Another software vendor that offers a certification is AccessData. AccessData offers a product called the Forensic Toolkit, which is better known as FTK. AccessData offers the AccessData Certified Examiner (ACE) credential, which tests knowledge of the FTK tool. The ACE exam is a multiple-choice test. You can learn more at https://accessdata.com/training/computer-forensics-certification.

Some states require computer forensic examiners to have a private detective license. Examples include Illinois,8 Michigan,9 Oregon,10 and Texas.11 In Texas, the law is interpreted very broadly. It actually includes computer technicians and computer repair personnel within the scope of its law.

Some states do not include computer forensic examiners within their private detective licensing laws. North Carolina12 and Virginia13 are examples. North Carolina law states that any person who performs computer forensic services in order to collect evidence is not a private investigator. The North Carolina law also excludes examiners who provide expert testimony, as well as any person who engages in network or system vulnerability testing.

In 2008, the American Bar Association (ABA) issued a report and resolution on computer forensic examiners. The ABA asked states to stop requiring computer forensic examiners to get a private detective license. It said that the role of private detectives is different from that of computer forensic examiners. It also stated that courts have broad discretion to make sure that digital evidence used in trials is reliable. Because the courts have that discretion, the ABA argued that there is no need to license computer forensic examiners.14
