What standards should Computer Forensics Examiners follow and why is that important?

Answer

A Computer Forensics Examiner should follow forensically sound investigative standards. All cases should be treated as if they will result in litigation. If even the slightest misstep occurs, your evidence could be thrown out of court. The Department of Justice and the International Association of Computer Investigative Specialists both have basic standards to follow to ensure that the evidence acquired will hold up in court. The guiding principles behind these standards are as follows:

A. Document the receipt and handling of all evidence. This means that each and every piece of evidence should be examined on site and photographed if necessary. Document the physical examination, including irregularities and the numbering of the evidence; all the individuals who had access to the evidence; the release of evidence to the examiner; and the evidence inventory and chain of custody.

B. The date and time of the computer should be recorded, preferably from the BIOS set-up.

C. Searches on the original media should be avoided. The data should be acquired using industry-accepted software combined with the use of write-blocking devices. Analysis of the media should be done on an exact copy of the computer hard drive, and that copy should be authenticated prior to analysis.

D. When creating the duplicate copy of the computer hard drive, the examiner should use properly prepared media to ensure that no co-mingling of data occurs. The storage media used by the examiner should be sanitized and void of any other electronic data.

E. Analysis of the data should be done systematically and within the legal parameters of the case. The investigation should start with a collaborative meeting with the client and attorney to determine the search terms and guidelines.

F. At the conclusion of the examination, proper documentation should be produced detailing the standard procedures used, a list of evidence found, the search parameters, etc.
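
Items C and D call for authenticating the working copy and for sanitized target media. The following is an added example, not part of the original page, of both checks. It assumes that authentication means comparing SHA-256 hashes of source and copy and that sanitized media is zero-filled; the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images fit in memory


def sha256_of(path):
    """Stream a file or raw device node through SHA-256; return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def authenticate_copy(source_path, copy_path):
    """Item C: the working copy is usable only if its hash matches the source."""
    src, dup = sha256_of(source_path), sha256_of(copy_path)
    return {"source_sha256": src, "copy_sha256": dup, "match": src == dup}


def first_nonzero_offset(path):
    """Item D: offset of the first residual byte, or None if fully zeroed."""
    offset = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            stripped = block.lstrip(b"\x00")
            if stripped:
                return offset + len(block) - len(stripped)
            offset += len(block)
    return None


def demo():
    """Run both checks on constructed sample files standing in for real media."""
    work = Path(tempfile.mkdtemp())
    evidence = b"CONSTRUCTED-EVIDENCE" * 1000
    samples = {
        "source": evidence,
        "good": evidence,
        "bad": evidence[:-1] + b"X",                 # one altered byte
        "wiped": bytes(4096),                        # sanitized target media
        "dirty": bytes(3000) + b"old" + bytes(100),  # residue from earlier use
    }
    for name, data in samples.items():
        (work / name).write_bytes(data)
    return (authenticate_copy(work / "source", work / "good")["match"],
            authenticate_copy(work / "source", work / "bad")["match"],
            first_nonzero_offset(work / "wiped"),
            first_nonzero_offset(work / "dirty"))
```

Recording both digests returned by `authenticate_copy` in the case documentation lets a later reviewer repeat the comparison independently.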