I am a computer forensics student working on a paper regarding the need for training for those who work closely with forensic technicians, but may not have any actual training or knowledge in forensics (ie IT managers that may first respond to an incident or the prosecutors who will prosecute the case). My personal feeling is that this training is sorely lacking and that can put cases in jeopardy.
I have found some information online and do not expect anyone to do my research for me, however I am interested in any thoughts or information those who have been in the field might have on the topic.
Thanks!
As a student myself however I've done some E-discovery acquisitions. I personally feel that this field is still so new & is currently exploding in growth that what is really needed are more academic & federal standards of computer forensics. For example if you were to take a regular criminal forensics class they basically all follow the same principles, curriculum, etc. We cant expect to start really preparing our IT staff unless we ourselves have some sort of standard practice that is recognized across the board in school, business, Government, & court. This field will get there though, it just takes time. =)
The NIJ put out a guide in 2001 entitled Electronic Crime Scene Investigation; A guide for first responders.
They also put out a Digital Evidence Field Guide;What every peace officer must know.
I may have gotten them off this forum? But you could do a Google search and find them in a pdf format. If you have any trouble let me know and I'll send them to your e-mail address.
Cheers
My Masters thesis was very much on this topic.
"The Role of Computer Forensics in Incident Response With Recommendations on Implementation"
HSCO… those are both very good documents. I have read them both and I'm sure I will use them both in my research.
Beetle… would you be willing to share any or all of your paper on the topic? I would greatly appreciate it!
I have a scenario you might want to play around with for your paper. I have mentioned it at my department, but have yet to add it to our training.
An officer responds to a wife complaining about finding CP on the family computer. One would hope that she has not looked at all the photos, which we know would change the last accessed date.
Now if the officer had a legal right to be there (he did because he received a call) he could seize the computer based upon the statement of the wife and get a Warrant later. He could ask her to explain in detail what she saw, but it would not be required for the officer to actually see an image.
Now if the wife starts scrolling through the CP photos the officer should have her to stop immediately. If one image would establish probable cause why the heck would one need to see more? We all know about the cat and curiosity.
The officer should never touch the computer!
The last accessed dates on the photos could be worth their weight in gold. They could easily be used to corroborate some sort of sort of activity. Maybe the wife says she was out of town, on vacation, or he stayed up late one night.
Loosing that data could be crucial to the case.
What I would like to do at my unit is take a series of photos. Once taken I would transfer them to disk and save the photo data. Then I would transfer the file to my computer. Once I had my target audience in place I would show them the photos on the disk and the photo data. Then I would open the file on my computer and show them how the photo data changes when you access the photos.
We can tell someone all day not to look at the photos, but if you explain to them and show them what it may do to your case I think they would understand much better and be less tempted to try and view files on the system
Cheers.