Physical Address

304 North Cardinal St.
Dorchester Center, MA 02124

DFIR, need for an investigator

Forensics Investigator, Roles and Responsibilities and DFIR Legal Issues, Code of Ethics

We will dive into the details of DFIR in this blog posts. Initially, we will explain why we require a forensic investigator and discuss legal issues, code of ethics in DFIR.

Our DFIR blog series continues with the need for a forensic investigator and legal issues topics. We started our journey with the introduction of DFIR. Our second forensic blog is about forensics readiness. The digital forensic investigator is a technical professional investigating the findings during a cyber incident. The investigator’s primary tasks are collecting the evidence, analyzing the image, and reporting the results. We will dive into the details of DFIR in the following blog posts. We will explain why we require a forensic investigator in the following paragraphs.

Need for Forensics Investigator

A forensic investigator performs the following tasks:

  • Evaluates the damages of a security breach
  • Identifies and recovers data required for the investigation
  • Extracts the evidence in a forensically sound manner
  • Ensures proper handling of the evidence
  • Acts as a guide to the investigation team
  • Creates reports and documents about the investigation required to be present in a court of law
  • Reconstructs the damaged storage devices
  • Uncovers the information hidden on the computer
  • Updates the organization about various methods of attack and data recovery techniques and maintains a record of them (following a variant of ways to document) regularly
  • Addresses the issue in a court of law and attempts to win the case by testifying in court

One point is that a forensic examiner differs from a forensic investigator. The former only analyzes evidence as part of the forensic investigation process, while the latter relates it to the crime.

Roles and Responsibilities of Forensics Investigator

  • Determines the extent of any damage done during the crime.
  • Recover data of investigative value from computers involved in crimes.
  • Gathers evidence in a forensically sound manner.
  • Ensures that the evidence is not damaged in any way.
  • Creates an image of the original evidence without tampering with it to maintain the initial evidence’s integrity.
  • Guides the officials in carrying out the investigation. At times, it is required that the forensic investigator produce the evidence, describing the procedure involved in its discovery.
  • Reconstructs the damaged disks or other storage devices and uncovers the information hidden on the computer.
  • Analyzes the evidence where data are found.
  • Prepares the analysis report.
  • Informs the organization about various attack methods data recovery techniques and maintains a record of them (following a variant of ways to document) regularly.

What makes a Good Computer Forensics Investigator?

  • Interviewing skills to gather information.
  • Researching abilities to know the background.
  • Maintains perfect accuracy of the tests performed and their records.
  • Patience and the willingness to work long hours.
  • Excellent writing skills to detail findings in the report.
  • Strong analytical skills to find the evidence and link it to the suspect.
  • Excellent communication skills to explain their findings to the audience.
  • Be updated with new methodologies and forensic technology
  • Well-versed in more than one computer platform (including Windows, Macintosh, and Linux).
  • Knowledge of various technologies, hardware, and software
  • Develops and maintains contact with computing, networking, and investigating professionals
  • Be honest, ethical, and law-abiding.
  • Knowledge of the laws surrounding the case.
  • Ability to control emotions when dealing with issues that induce anger.
  • Multi-discipline expertise related to both criminal and civil cases.

Computer Forensics: Legal Issues

  • Digital evidence is fragile. It is susceptible to changes during the investigation.
  • The legal system differs from one jurisdiction to another.
  • Every legal system has a slightly different approach to the issues related to authenticity, reliability, and completeness.
  • Investigation techniques and methods change and evolve in accordance with the technology. On the other hand, legal systems might not address those technological advances.

Computer Forensics: Privacy Issues

During the acquisition step, investigators must be cautious to avoid unlawful search and seizure charges.

When dealing with evidence related to Internet usage, investigators must preserve other users’ anonymity while determining the identity of the few involved in illegal activities.

Code of Ethics

This section provides a code of ethics according to the EC-Council, CHFI curriculum. You can access the details about CHFI here.

Computer Forensic Investigator should:Computer Forensic Investigator should not:
Perform investigations based on well-known standard procedures.
Conduct assigned tasks with high commitment and diligence.
Act with the utmost ethical and moral principles.
Examine the evidence carefully within the scope of the agreement.
Ensure the integrity of the evidence throughout the investigation process.
Act under federal statutes, state statutes, and local laws and policies.
Testify honestly before any board, court, or trial proceedings.
Refuse any evidence because that may cause failure in the case.
Expose confidential matters without having any authorized permission.
Exceed assignments beyond their skills.
Perform actions that significantly lead to a conflict of interest.
Present the training, credentials, or association membership in a wrong way.
Provide personal or prejudiced opinions.
Reserve any evidence relevant to the case.


We hope this post helps you understand the details of being a forensic investigator. We started our journey about DFIR by asking about the meaning of the DFIR and understanding the evidence categories and investigation process. We finalized our introduction to DFIR/Computer forensics with this post. If you want to learn more about DFIR, you can read our DFIR topics.

Emre Caglar Hosgor