I have been have a disagreement with a co-worker on the documentation on computer forensic examinations. My position is that there should be adequate documentation for another computer forensic examiner to repeat the examination and conclude the same results (the position of SWGDE and ASCLD). His position is that no documentation is required. He hold a CCE certification from the The International Society of Forensic Computer Examiners. Since I do not have that certification, could anyone tell me what their training suggests as to the documentation required? I know that documentation of examinations can be restricted by agency policies, but I would like to know what the The International Society of Forensic Computer Examiners professes. Thanks
Your colleague takes a rather strange position the CCE competencies cover the need to document the examination process.
Documentation of the entire forensic process is a fundamental standard in this field, and failure to maintain this will certainly lead to some interesting questioning during cross-examination in court.
In the UK we are subject to ACPO Guidelines This is point 3-
Principle 3
An audit trail or other record of all processes applied
to computer-based electronic evidence should be created
and preserved. An independent third party should be able
to examine those processes and achieve the same result.
I was taught that taking notes was compulsory. (It also helps to make sure that nothing has been forgotten or needs to be repeated)