Why Attend a Basic Computer Forensic Training Seminar?
It is important for professionals working as Digital Forensic Experts
to fully understand how operating systems manage, manipulate, store
and delete data. Unfortunately, today's time pressures can force us into
performing tasks without the proper technical background. And automated
forensic software has played a role in enabling that to take place;
just a few clicks of the mouse and you have your "answer."
But do you understand how the "answer" was derived? Well
enough to defend it in court? Can you validate your data and your tools
through the use of a different set of tools? Can you extend your analysis
a step further, if required, going beyond automated processes? Basic
Training can give you the skills to address these questions. It isn't
just for beginners in the field. Sometimes it serves as a refresher or fills in a knowledge gap
for current practitioners as well.
Basic Training presents an opportunity to develop sound knowledge of the
forensic process, of the operating system platform being examined, and
of the concepts behind the tools you are using. And the tools the
other side's expert is using. It can help prepare you to defend your findings
and methods against close scrutiny. Without that ability, you may have
no useful evidence.
Whether you use automated applications or command line driven tools,
you should obtain the same findings. In other words, the evidentiary
data does not change, regardless of the tool you use. But you may need
to prove that, by validating both the data and the tools you used. To
do that, you have to use a separate tool or tools. If you only know
how to use one tool, there can be no verification. And without verification,
your findings become much harder to defend. Basic Training helps you
understand the workings of forensic software so you can pick up one
tool or another, as the work demands.
In addition, an expert should be able to take his examination a step
beyond his initial analysis, using different tools or different strategies.
Without a thorough grounding in the concepts and techniques of computer
forensics, and the skills to use a variety of tools, you may find your
analysis to be incomplete. Again, Basic Training can provide you with
the skills to go beyond the first "answer".
Here's an analogy:
In drug cases, the street officer who finds the drugs is not usually
the person who operates the drug testing equipment. That task is reserved
for someone with specialized knowledge of how the equipment (and its
software) works. Could the officer place the sample in the analysis
machine, and read the printout? Probably so. Could he read off the report
and tell the court what the substance is? Probably so. Could the officer
describe and explain with technical clarity why the machine says
the sample is XYZ drug? Probably not. Would the defense have
a field day attacking the street officer who operates a mass spectrometer
and attempts to present its output in court? You bet.
Suppose that same police officer seized a computer hoping to find evidence
on it. And suppose he had just been appointed the department's "computer
forensics expert", and given a week's training in how to use an
automated computer forensic tool. Could this officer, without a good
background in computer forensic technology, use the automated software to obtain a relevant
finding? Probably so. Could he tell the court what the report generated
by the software says? Probably so. Could he explore and explain any
technical anomalies reported by the software? Probably not. Could
he pursue a more in-depth technical investigation than the automated
tools allow? Probably not. Would he know how to choose and use
an alternate set of forensic tools in order to validate the findings?
Probably not. Could he explain, with technical detail, "why"
or "how" the software derived the information on which he based his
conclusion? Probably not.
We hope we've convinced you that everyone needs to learn the basics.
And this is where the danger lies in today's automated software: you
can operate it without fully understanding how it works or why. We urge
you to avoid that temptation. If you don't understand the technical
process, you can't go deeper than the first answer; you won't know how to use alternate tools to validate your findings; and you won't be able to explain
or defend your findings adequately.
We believe that every computer forensics expert should know enough
to conduct his entire examination without automated software. That way he maximizes his options and works from a position of strength. He can choose
to use the automated tools when it's appropriate. And to go beyond them
when it's advantageous. Learn to drive a stick shift car, and the automatic
transmission is a breeze. Learn on an automatic transmission, and the
stick shift becomes problematic.