
Things you should consider before gathering data and deciding who will examine it:

1.  What are the examiner's qualifications?

        Can the examiner testify in court for you if necessary?
        Has the examiner testified in court previously?
        How many forensic examinations has he or she conducted in the past?
        Do they hold any certifications in computer forensic examinations?
        Where did they get their training?
        How long has the examiner been conducting examinations?  (Not just how long the
        company has been in business.)

2.   Does the examiner understand all of the techniques/issues described below to conduct an
      examination, or is he or she relying on a software suite to conduct the examination?

        It is the examiner who must qualify as an expert witness, not the software.

3. Is the examiner familiar with the particular operating system that you wish examined?

        What type of operating system are you dealing with?

            - Is it a standalone computer?

            - Is it DOS, Windows or Unix?

            - Is it a network?

            - If so, what kind of network?

4. Is the examiner knowledgeable about acquiring magnetic data and can he or she advise you
    about the original acquisition of the media?

    Is this a voluntary or an involuntary collection of data?

    What procedures does the examiner recommend to preserve the original data during
    acquisition?

    Will the recommended procedures reduce the potential of someone trying to destroy evidence
    while it is being collected?

5. What does the examiner do to preserve the original media from accidental writes, viruses or
    booby traps?

    Will these procedures prevent the introduction of viruses and prevent the accidental
    destruction of data?

    Does the examiner work from a forensic or bitstream copy?

        If so, what software do they use?

        If not, completely avoid them!!!
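As an added illustration of what "working from a bitstream copy" means in practice (this is example code, not Key Computer Service's procedure or software), the block below images a constructed byte string as if it were a drive, hashes the bytes as they are copied, re-hashes the stored image later, and writes a custody entry tying the item to its hash. The item id, examiner name and note are placeholders; a real acquisition would read from a write-blocked device rather than an in-memory buffer.

```python
"""Added example: bitstream imaging with acquisition hashing, later
re-verification, and a custody record. The 'drive' is a constructed byte
string, not a real device; names and ids are placeholders."""
import hashlib
import io
import json
from datetime import datetime, timezone

BLOCK = 4096   # read granularity; real acquisitions use sector multiples


def sha256_of(stream, block=BLOCK):
    """Hash a stream block by block so any image size fits in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(block), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(source, block=BLOCK):
    """Bit-for-bit copy of source into a new buffer, hashing as it goes.
    Returns (image_bytes, digest); the digest covers exactly what was written."""
    out = io.BytesIO()
    h = hashlib.sha256()
    for chunk in iter(lambda: source.read(block), b""):
        out.write(chunk)
        h.update(chunk)
    return out.getvalue(), h.hexdigest()


def verify(image_bytes, expected_digest):
    """Re-hash a stored image and compare with the recorded acquisition hash."""
    return sha256_of(io.BytesIO(image_bytes)) == expected_digest


def custody_record(item_id, examiner, digest, note):
    """One custody entry: who, when (UTC), which item, and the hash that lets
    anyone re-check the item later. Returned as a JSON line for the log."""
    return json.dumps({
        "item": item_id, "examiner": examiner, "sha256": digest,
        "time_utc": datetime.now(timezone.utc).isoformat(), "note": note})


def demo():
    """Constructed 32 KiB 'drive': image it, confirm the original was not
    altered by the copy, confirm the image, then show a one-bit tamper fails."""
    drive = bytes(range(256)) * 128                  # constructed sample data
    image, digest = acquire(io.BytesIO(drive))
    source_unchanged = sha256_of(io.BytesIO(drive)) == digest
    image_ok = verify(image, digest)
    tampered = bytearray(image)
    tampered[1000] ^= 0x01                           # flip one bit
    tamper_detected = not verify(bytes(tampered), digest)
    return source_unchanged, image_ok, tamper_detected


if __name__ == "__main__":
    print(demo())
    print(custody_record("ITEM-PLACEHOLDER", "examiner-placeholder",
                         acquire(io.BytesIO(b"sample"))[1], "imaged in lab"))
```

The point to check with an examiner is that the hash is taken of the bytes as they are copied and recorded at that moment; a hash computed only afterwards cannot show that the copy matched the original at acquisition time.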

6. Does the examiner have the knowledge, skill and software to recover deleted files?

    Have them simply explain how files are stored, deleted and recovered.

    Have them explain how Windows long file names are stored and recovered.  Ask them whether
    they must be recovered.

7. Does the examiner have the knowledge, skill and software to recover a formatted drive or
    diskette?

    Have them simply explain what happens when a drive or diskette is formatted and how this
    data is recovered.

8. Does the examiner have the knowledge, skill and software to find and recover hidden files?

    Have them explain some common methods used to hide files.

9. Does the examiner have the knowledge, skill and software to recover password protected files?

    Have them explain the two basic methods used to password protect files or data.

    Do they use software solutions?

     If so, what software?

    How do they approach RSA, PGP or other difficult-to-break password protection schemes?

10. Does the examiner have the knowledge, skill and software to find, access and translate the
     Windows swap, temporary, cache and similar files?

     What is the exact file name of the Windows swap file?

     Where is it normally stored? (2 places)

     Is it dynamic and how big can it become?

     Have them explain what general types of applications keep temporary files.

     Have them discuss internet cache files.

     Have them explain cookies.

11. Does the examiner have the knowledge to provide sound opinions on file creation, access,
     deletion dates and similar topics?

    What dates and times are stored in all Windows file entries?

    Were all of these entries stored in the DOS 6.22 (or below) file entries?
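Items 6 and 11 both come down to what a FAT directory entry holds. The block below is an added example (not the company's code) that builds a small constructed directory image and parses it: it shows that deleting a file only overwrites the first byte of its entry, how a Windows long file name is spread across the entries that precede the 8.3 entry, and which of the three timestamps (create, access, write) are filled in. The two file names and dates are made up; the entry layout follows the published FAT specification.

```python
"""Added example: decoding FAT directory entries to show how files and
Windows long file names are stored, flagged as deleted, and timestamped.
The directory image is constructed for illustration, not a real disk."""
import struct
from datetime import datetime

ATTR_LFN = 0x0F      # attribute value that marks a long-file-name entry
DELETED = 0xE5       # byte written over the first byte of a deleted entry


def fat_pack(dt):
    """Encode a datetime into the packed FAT (date, time) words."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time


def fat_unpack(date, time):
    """Decode packed FAT words; a zero date means the stamp was never stored."""
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def lfn_checksum(name83):
    """Checksum of the 11-byte short name carried by each LFN entry."""
    s = 0
    for c in name83:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF
    return s


def short_entry(name83, created, accessed, written, cluster, size, deleted=False):
    """Build one 32-byte 8.3 entry. Windows 95+ fills create and access
    stamps; a DOS-era entry carries only the write stamp (others zero)."""
    cd, ct = fat_pack(created) if created else (0, 0)
    ad, _ = fat_pack(accessed) if accessed else (0, 0)
    wd, wt = fat_pack(written)
    e = bytearray(struct.pack("<11sBBBHHHHHHHI", name83, 0x20, 0, 0, ct, cd, ad,
                              cluster >> 16, wt, wd, cluster & 0xFFFF, size))
    if deleted:
        e[0] = DELETED        # deletion touches only this byte; data stays
    return bytes(e)


def lfn_entries(long_name, name83, deleted=False):
    """Build the LFN entries for long_name: 13 UTF-16 characters each,
    stored before the short entry with the highest sequence number first."""
    text = long_name + "\x00"
    chunks = [text[i:i + 13].ljust(13, "\uffff") for i in range(0, len(text), 13)]
    out = []
    for i, chunk in enumerate(chunks):
        u = chunk.encode("utf-16-le")
        seq = (i + 1) | (0x40 if i == len(chunks) - 1 else 0)   # 0x40 = last
        out.append(bytes([DELETED if deleted else seq]) + u[:10]
                   + bytes([ATTR_LFN, 0, lfn_checksum(name83)]) + u[10:22]
                   + b"\x00\x00" + u[22:26])
    return b"".join(reversed(out))


def parse_directory(raw):
    """Walk 32-byte entries, reassemble LFN fragments (physical order survives
    deletion even though the sequence byte does not) and report each file."""
    files, fragments = [], []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                       # 0x00: nothing used beyond here
            break
        if e[11] == ATTR_LFN:
            u = e[1:11] + e[14:26] + e[28:32]
            fragments.append(u.decode("utf-16-le").split("\x00")[0].rstrip("\uffff"))
            continue
        deleted = e[0] == DELETED
        base = e[0:8].decode("latin-1").rstrip()
        ext = e[8:11].decode("latin-1").rstrip()
        if deleted:
            base = "?" + base[1:]              # first short-name character is lost
        ct, cd, ad, hi, wt, wd, lo, size = struct.unpack_from("<HHHHHHHI", e, 14)
        files.append({"short": base + ("." + ext if ext else ""),
                      "long": "".join(reversed(fragments)) or None,
                      "deleted": deleted, "created": fat_unpack(cd, ct),
                      "accessed": fat_unpack(ad, 0), "written": fat_unpack(wd, wt),
                      "cluster": (hi << 16) | lo, "size": size})
        fragments = []
    return files


def build_sample_directory():
    """Constructed directory: a live Windows file, then a deleted DOS-era file."""
    t_win = datetime(2001, 3, 14, 9, 26, 30)
    live = (lfn_entries("Quarterly Report.xls", b"QUARTE~1XLS")
            + short_entry(b"QUARTE~1XLS", t_win, t_win, t_win, 0x1234, 48000))
    t_dos = datetime(1994, 6, 1, 12, 0, 0)
    gone = (lfn_entries("secret-notes.txt", b"SECRET~1TXT", deleted=True)
            + short_entry(b"SECRET~1TXT", None, None, t_dos, 0x77, 512, deleted=True))
    return live + gone + b"\x00" * 32


if __name__ == "__main__":
    for f in parse_directory(build_sample_directory()):
        print(f)
```

Two things an examiner should be able to say from this: the deleted file's data clusters and its long name are still intact until the entry or clusters are reused, and an entry with empty create/access stamps is consistent with a DOS-era write rather than with a missing examination.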

12. Does the examiner have the knowledge, skill and software to recover data in unallocated space
      that cannot be linked to a directory entry?

    How does the examiner do this?

    What software is used?

    How thorough is this search and recovery of data from unallocated space?
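Recovering data that no directory entry points to is usually done by carving: scanning the raw image for known file headers and footers. The block below is an added example (not the company's tooling) that carves a constructed image containing a complete JPEG, a complete PNG and a PDF whose end has been overwritten, so the partial case is reported rather than silently dropped. The signature table is a small constructed subset of the standard magic values.

```python
"""Added example: signature-based carving over raw (unallocated) space.
The image is constructed; header/footer values are the standard magic bytes."""

# (header, footer, maximum size to search for the footer); constructed subset
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    "pdf":  (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Scan the whole image for each header (the scanner does not care whether
    the bytes are allocated). On a hit, look for the footer within the size
    limit; return (kind, offset, length, complete) tuples sorted by offset.
    A header with no footer in range is reported as a partial hit."""
    found = []
    for kind, (head, foot, limit) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            window_end = min(len(image), pos + limit)
            end = image.find(foot, pos + len(head), window_end)
            if end == -1:
                found.append((kind, pos, window_end - pos, False))
                pos = image.find(head, pos + len(head))
            else:
                length = end + len(foot) - pos
                found.append((kind, pos, length, True))
                pos = image.find(head, pos + length)
    return sorted(found, key=lambda hit: hit[1])


def extract(image, hit):
    """Return the carved bytes for one hit."""
    _, off, length, _ = hit
    return image[off:off + length]


def build_sample_image():
    """Constructed 'unallocated space': zero filler with three embedded files."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-data" * 20 + b"\xff\xd9"      # 186 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40 + b"IEND\xaeB`\x82"      # 56 bytes
    partial_pdf = b"%PDF-1.4\nobj stream..."    # footer overwritten by reuse
    return (b"\x00" * 500 + jpeg + b"\x00" * 300 + png + b"\x00" * 100
            + partial_pdf + b"\x00" * 200)


if __name__ == "__main__":
    img = build_sample_image()
    for hit in carve(img):
        kind, off, length, complete = hit
        print(f"{kind:5} offset={off:6} length={length:6} complete={complete}")
```

When asking "how thorough is this search", the useful follow-ups are which signatures the examiner's tool knows, whether it reports partial or fragmented hits, and whether it scans every sector or only the ones the file system marks free.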

13. How will the data be presented to you?

    Printouts?

    CD ROM?

    Can the examiner convert the data to a format that will be useful to you (i.e., convert
    proprietary database or spreadsheet data into something like Microsoft Excel)?

14. What controls will be in place to ensure the proper "chain of custody" of any potential
      evidence recovered?

        The examiner should fully understand the "Rules of Evidence" as they relate to storage of
        evidence and "chain of custody".  Your case could be lost here if the "Rules of Evidence"
        are not followed.

15. How long will it take to get your data?

16. Is this a large company that considers you one of many clients or will you get personal
      attention?

17. Will the report be clear and explain any technical issues in a manner that is understandable
      by all parties involved?

Contact Key Computer Service, Inc. for fee and other information at 
(305) 453-7862
or 
Copyright © 2001 Key Computer Service, Inc. All Rights Reserved