We are a Charter Member of the Cyber Lab Group

Things you should consider before gathering and determining who will examine your data:

1.  What are the examiner's qualifications? 

  • Can the examiner testify in court for you if necessary? 
  • Has the examiner testified in court previously? 
  • How many forensic examinations has he or she conducted in the past?
  • Do they hold any certifications in computer forensic examinations? 
  • Where did they get their training? 
  • How long has the examiner been conducting examinations?  (Not just how long has the company been in business). 
  • Is the examiner an employee of a data recovery company who has decided to delve into forensics?  A computer forensic examination is a highly specialized form of data recovery, but merely being good at data recovery does not necessarily make someone a forensic examiner.  You need to check their forensic qualifications. 
2. Does the examiner understand all of the techniques/issues described below to conduct an examination, or is he or she relying on a software suite to conduct the examination? They must understand what the software is doing and the core forensic procedures to be able to successfully testify in court. It is the examiner who must qualify as an expert witness, not the software. 

3. Is the examiner familiar with the particular operating system that you wish examined? 

  • What type of operating system are you dealing with? 
    • Is it a standalone computer?
    • Is it DOS, Windows, MAC or Unix?
    • Is it a network? 
    • If so, what kind of network? 
4. Is the examiner knowledgeable about acquiring magnetic data and can he or she advise you about the original acquisition of the media? 
  • Is this a voluntary or an involuntary collection of data? 
  • What procedures does the examiner recommend to preserve the original data during acquisition? 
  • Will the recommended procedures reduce the potential of someone trying to destroy evidence while it is being collected? 
5. What does the examiner do to preserve the original media from accidental writes, viruses or booby traps? 
  • Will these procedures prevent the introduction of viruses and prevent the accidental destruction of data? 
  • Does the examiner work from a forensic or bitstream copy? 
    • If so, what software do they use? 
    • If not, completely avoid them!!! 
6. Does the examiner have the knowledge, skill and software to recover deleted files? 
  • Have them simply explain how files are stored, deleted and recovered. 
  • Have them explain how Windows long file names are stored and recovered.  Ask them whether the long file name must be recovered. 
7. Does the examiner have the knowledge, skill and software to recover a formatted drive or diskette? 
  • Have them simply explain what happens when a drive or diskette is formatted and how this data is recovered. 
8. Does the examiner have the knowledge, skill and software to find and recover hidden files? 
  • Have them explain some common methods used to hide files. 
9. Does the examiner have the knowledge, skill and software to recover password protected files? 
  • Have them explain the two basic methods used to password protect files or data. 
  • Do they use software solutions? 
    • If so, what software? 
  • How do they approach RSA, PGP or other difficult-to-break password protection schemes? 
10. Does the examiner have the knowledge, skill and software to find, access and translate the Windows swap, temporary, cache and similar files? 
  • What is the exact file name of the Windows swap file? 
  • Where is it normally stored? (2 places) 
  • Is it dynamic and how big can it become? 
  • Have them explain what general types of applications keep temporary files. 
  • Have them discuss internet cache files. 
  • Have them explain cookies. 
11. Does the examiner have the knowledge to provide sound opinions on file creation, access, deletion dates and similar topics? 
  • What dates and times are stored in all Windows file entries? 
  • Were all of these entries stored in the DOS 6.22 (or below) file entries? 
  • Have them explain compound documents.
12. Does the examiner have the knowledge, skill and software to recover data in unallocated space that cannot be linked to a directory entry? 
  • How does the examiner do this? 
  • What software is used? 
  • How thorough is this search and recovery of data from unallocated space? 
13. How will the data be presented to you? This is extremely important because this will directly affect your ability to put the data together and "make" the evidence in your case.   
  • Printouts? 
  • CD ROM? 
  • Can the examiner convert the format of the data to a format that will be useful to you? (i.e., convert proprietary database or spreadsheet data into something like Microsoft Excel?) 
14. What controls will be in place to ensure the proper physical “chain of custody” of the original media and any potential evidence recovered? 
  • The examiner should fully understand the "Rules of Evidence" as they relate to storage of evidence and "chain of custody".  Your case could be lost here, if the "Rules of Evidence" are not followed. 
15. How long will it take to get your data? 

16. Is this a large company that considers you one of many clients or will you get personal attention? 

17. Will the report be clear and explain any technical issues in a manner that is understandable by all parties involved? 
 

 

Contact us at

(305)453-7862


Copyright © 2003 Key Computer Service, Inc.