I have been taught and heard a lot of discussion that beat practice states that a computer forensic examiner should be a neutral party to a case. The examiner should not be both the lead investigator and forensic examiner on a case. What are your thoughts on this and where can I reference this?
For corporate/HR investigations, the investigation is usually run by HR or the company's attorneys and the examiner is either in IT or an outside consultant.
In law enforcement, it can vary. Some departments have civilian forensic examiners. In others, the examiner is detective/sworn officer who may also have other investigative duties such as interviewing witnesses, conducting physical searches, and arresting suspects.
The examiner should not have a stake in the outcome and should be able to remain objective. I don't think this precludes using internal examiners in the corporate world or detectives as examiners in law enforcement. But, examiners and their supervisors need to be alert to conflicts of interest. e.g. if a corporate examiner knows the suspect employee, it might be better to have someone else do the examination to prevent their conclusions being swayed one way or the other.
In this case it's a law enforcement investigator who is also the forensic examiner for the department. The forensic examiner is assigned a case and serves as the investigator and does the forensics for his own case.
During my training, I was told that this is not best practice, an investigator should not do his own forensics because the examiner is supposed to be a neutral party. However, I cannot find where this is referenced.