Our DFIR blog series continues with two topics: the need for a forensic investigator, and the legal issues surrounding an investigation. We started our journey with an introduction to DFIR; our second forensics post covered forensic readiness. A digital forensic investigator is a technical professional who investigates the findings of a cyber incident. The investigator's primary tasks are collecting the evidence, analyzing the acquired image, and reporting the results. We will dive into the details of DFIR in the following blog posts; in the paragraphs below we explain why a forensic investigator is required.
Need for Forensics Investigator
A forensic investigator performs the following tasks:
Evaluates the damages of a security breach
Identifies and recovers data required for the investigation
Extracts the evidence in a forensically sound manner
Ensures proper handling of the evidence
Acts as a guide to the investigation team
Creates reports and documents about the investigation required to be present in a court of law
Reconstructs the damaged storage devices
Uncovers the information hidden on the computer
Regularly updates the organization about attack methods and data recovery techniques, and maintains a record of them in an appropriate documentation format
Presents the findings in a court of law and attempts to win the case by testifying in court
Note that a forensic examiner differs from a forensic investigator: the former only analyzes evidence as part of the forensic investigation process, while the latter relates that evidence to the crime.
Roles and Responsibilities of Forensics Investigator
Determines the extent of any damage done during the crime.
Recovers data of investigative value from the computers involved in the crime.
Gathers evidence in a forensically sound manner.
Ensures that the evidence is not damaged in any way.
Creates an image of the original evidence without tampering with it to maintain the initial evidence’s integrity.
Guides the officials in carrying out the investigation. At times, it is required that the forensic investigator produce the evidence, describing the procedure involved in its discovery.
Reconstructs the damaged disks or other storage devices and uncovers the information hidden on the computer.
Analyzes the evidence where data are found.
Prepares the analysis report.
Regularly informs the organization about attack methods and data recovery techniques, and maintains a record of them in an appropriate documentation format.
What makes a Good Computer Forensics Investigator?
Interviewing skills to gather information.
Researching abilities to know the background.
Maintains perfect accuracy of the tests performed and their records.
Patience and the willingness to work long hours.
Excellent writing skills to detail findings in the report.
Strong analytical skills to find the evidence and link it to the suspect.
Excellent communication skills to explain their findings to the audience.
Stays up to date with new methodologies and forensic technology.
Well-versed in more than one computer platform (including Windows, Macintosh, and Linux).
Knowledge of various technologies, hardware, and software.
Develops and maintains contact with computing, networking, and investigating professionals.
Is honest, ethical, and law-abiding.
Knowledge of the laws surrounding the case.
Ability to control emotions when dealing with issues that induce anger.
Multi-discipline expertise related to both criminal and civil cases.
Computer Forensics: Legal Issues
Digital evidence is fragile. It is susceptible to changes during the investigation.
The legal system differs from one jurisdiction to another.
Every legal system has a slightly different approach to the issues related to authenticity, reliability, and completeness.
Investigation techniques and methods change and evolve in accordance with the technology. On the other hand, legal systems might not address those technological advances.
Computer Forensics: Privacy Issues
During the acquisition step, investigators must be cautious to avoid unlawful search and seizure charges.
When dealing with evidence related to Internet usage, investigators must preserve other users’ anonymity while determining the identity of the few involved in illegal activities.
Code of Ethics
This section provides a code of ethics according to the EC-Council CHFI curriculum. You can access the details about CHFI here.
A Computer Forensic Investigator should:
Perform investigations based on well-known standard procedures.
Conduct assigned tasks with high commitment and diligence.
Act with the utmost ethical and moral principles.
Examine the evidence carefully, within the scope of the agreement.
Ensure the integrity of the evidence throughout the investigation process.
Act in accordance with federal statutes, state statutes, and local laws and policies.
Testify honestly before any board, court, or trial proceedings.
A Computer Forensic Investigator should not:
Refuse to consider any evidence because it may cause the case to fail.
Expose confidential matters without authorized permission.
Take on assignments beyond their skills.
Perform actions that lead to a significant conflict of interest.
Misrepresent their training, credentials, or association membership.
Provide personal or prejudiced opinions.
Withhold any evidence relevant to the case.
We hope this post helps you understand what being a forensic investigator involves. We started our DFIR journey by asking what DFIR means and by understanding the evidence categories and the investigation process, and this post concludes our introduction to DFIR and computer forensics. If you want to learn more about DFIR, you can read our other DFIR posts.