Questions You Should Ask

Things you should consider before choosing who will examine your data:

1. What are the examiner's qualifications?

    Can the examiner testify in court for you if necessary?

    Has the examiner testified in court previously?

    How many forensic examinations has he or she conducted in the past?

    Do they hold any certifications in computer forensic examinations?

    Where did they get their training?

    How long has the examiner been conducting examinations? (Not just how long the company has been in business.)

2. Does the examiner understand all of the techniques/issues described below well enough to conduct an examination, or is he or she relying on a software suite to conduct the examination?

    It is the examiner who must qualify as an expert witness, not the software.

3. Is the examiner familiar with the particular operating system that you wish examined?

    What type of operating system are you dealing with?

    - Is it a standalone computer?

    - Is it Windows, Mac, Linux or Unix?

    - Is it a network?

    - If so, what kind of network?

4. Is the examiner knowledgeable about acquiring magnetic data and can he or she advise you about the original acquisition of the media?

    Is this a voluntary or an involuntary collection of data?

    What procedures does the examiner recommend to preserve the original data during acquisition?

    Will the recommended procedures reduce the potential of someone trying to destroy evidence while it is being collected?

5. What does the examiner do to preserve the original media from accidental writes, viruses, or booby traps?

    Will these procedures prevent the introduction of viruses and prevent the accidental destruction of data?

    Does the examiner work from a forensic copy of the original media?

    If so, what software do they use?

    If not, completely avoid them!!!

6. Does the examiner have the knowledge, skill and software to recover deleted files?

    Have them simply explain how files are stored, deleted and recovered.

    Have them explain how Windows long file names are stored and recovered.

    Ask them whether long file names must be recovered.

7. Does the examiner have the knowledge, skill and software to recover a formatted drive or other media?

    Have them simply explain what happens when a drive or other media is formatted and how this data is recovered.

8. Does the examiner have the knowledge, skill and software to find and recover hidden files?

    Have them explain some common methods used to hide files.

9. Does the examiner have the knowledge, skill and software to recover password protected files?

    Have them explain the two basic methods used to password protect files or data.

    Do they use software solutions?

    If so, what software?

    How do they approach RSA, PGP or other difficult-to-break password protection schemes?

10. Does the examiner have the knowledge, skill and software to find, access and translate the Windows swap, temporary, cache and similar files?

    What is the exact file name of the Windows swap file for the various versions of Windows?

    Is the swap file dynamic and how big can it become?

    Have them explain what general types of applications keep temporary files.

    Have them discuss Internet cache files.

    Have them explain cookies.

11. Does the examiner have the knowledge to provide sound opinions on file creation, access, deletion dates and similar topics?

    What dates and times are stored in all Windows file entries?
12. Does the examiner have the knowledge, skill and software to recover data in unallocated space that cannot be linked to a directory entry? How does the examiner do this?

    What software is used?

    How thorough is this search and recovery of data from unallocated space?
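Recovering data from unallocated space without a directory entry is usually done by carving: the region is read as raw bytes and files are recognised from their header and footer signatures alone. The following is an added illustration, not the firm's own tool; the unallocated region, the sample JPEG and PNG, and the truncated JPEG are all constructed here, and only the two signatures are real magic values. It also shows the edge case a thorough carver must handle: a header whose footer was overwritten is reported as an incomplete file rather than silently dropped.

```python
"""Signature-based carving of unallocated space (added example).

Nothing here consults a directory entry or allocation table: the region
is treated as raw bytes and files are recognised purely by signature.
"""
import hashlib

# Header/footer pairs for two common file types (these are the real magic values).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed sample region: never-allocated filler, a complete JPEG,
# a complete PNG, and a JPEG whose tail was overwritten (no footer).
FILLER_A = b"\x00" * 512
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"fake scan data " * 4 + b"\xff\xd9"
FILLER_B = b"\x7f" * 256
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR placeholder chunk" + b"IEND\xaeB`\x82"
FILLER_C = b"\x00" * 128
SAMPLE_TRUNCATED = b"\xff\xd8\xff\xe1" + b"truncated exif " * 2
UNALLOCATED = FILLER_A + SAMPLE_JPEG + FILLER_B + SAMPLE_PNG + FILLER_C + SAMPLE_TRUNCATED


def carve(region, max_size=8 * 1024 * 1024):
    """Return every header-to-footer match in `region`, ordered by offset.

    A header with no footer within `max_size` bytes is still reported,
    marked incomplete, because a partial image or document can be evidence.
    """
    results = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = region.find(header, pos)
            if start < 0:
                break
            limit = min(len(region), start + max_size)
            end = region.find(footer, start + len(header), limit)
            if end < 0:
                # Footer missing: keep what is there and flag it as incomplete.
                results.append({"type": kind, "offset": start,
                                "data": region[start:limit], "complete": False})
                pos = start + len(header)
            else:
                end += len(footer)
                results.append({"type": kind, "offset": start,
                                "data": region[start:end], "complete": True})
                pos = end
    results.sort(key=lambda r: r["offset"])
    return results


def report(results):
    """Hash each carved item so it can be listed and later re-verified in the report."""
    return [
        {
            "type": r["type"],
            "offset": r["offset"],
            "size": len(r["data"]),
            "complete": r["complete"],
            "sha256": hashlib.sha256(r["data"]).hexdigest(),
        }
        for r in results
    ]


if __name__ == "__main__":
    for line in report(carve(UNALLOCATED)):
        print(line)
```

Running it lists three items: the JPEG at offset 512, the PNG after it, and the truncated JPEG at the end marked incomplete. A production carver adds many more signatures and validates structure (for example, walking PNG chunks) rather than trusting the first footer it sees, but the principle is the same.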
13. How will the data be presented to you?

    Printouts?

    CD ROM?

    Can the examiner convert the data to a format that will be useful to you? (e.g., converting proprietary database or spreadsheet data into something like Microsoft Excel)

14. What controls will be in place to ensure the proper “chain of custody” of any potential evidence recovered?

    The examiner should fully understand the "Rules of Evidence" as they relate to storage of evidence and "chain of custody". Your case could be lost here, if the "Rules of Evidence" are not followed.
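Items 5 and 14 come together in practice: a sound examiner never works on the original, makes a bit-for-bit forensic copy, proves the copy matches by hash, and records every acquisition and hand-off so the chain of custody can be shown in court. The script below is an added example of that workflow and is not the firm's own procedure; the "drive" is a constructed file in a temporary directory, the examiner names are placeholders, and the block size is an assumption. It also shows the failure mode: a single accidental write to the image makes the next verification fail and leaves that failure in the log.

```python
"""Hash-verified forensic copy with a chain-of-custody log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # assumption: copy granularity for this demo


def sha256_of_file(path):
    """Stream a file through SHA-256 so a large image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_entry(log_path, **fields):
    """Append one timestamped JSON line to the custody log and return it."""
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(), **fields}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def acquire_image(source_path, image_path, log_path, examiner):
    """Copy the source to an image file and verify the copy by hash.

    The source is only ever opened for reading. It is hashed before and
    after the copy, so an original that changed during acquisition (a
    failing drive, a missed write-blocker) shows up as a mismatch.
    """
    hash_before = sha256_of_file(source_path)
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
            copied += len(chunk)
    image_hash = sha256_of_file(image_path)
    hash_after = sha256_of_file(source_path)
    return log_entry(
        log_path,
        action="acquire",
        examiner=examiner,
        source=os.path.basename(source_path),
        image=os.path.basename(image_path),
        bytes_copied=copied,
        source_sha256=hash_before,
        image_sha256=image_hash,
        verified=(hash_before == image_hash == hash_after),
    )


def verify_image(image_path, log_path, examiner):
    """Re-hash the image against the value recorded at acquisition.

    Every hand-off or re-check gets its own log line, so the log itself
    documents who held the image and whether it was still intact.
    """
    with open(log_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    expected = next(e["image_sha256"] for e in reversed(entries) if e["action"] == "acquire")
    actual = sha256_of_file(image_path)
    entry = log_entry(
        log_path,
        action="verify",
        examiner=examiner,
        image=os.path.basename(image_path),
        expected_sha256=expected,
        actual_sha256=actual,
        verified=(expected == actual),
    )
    return entry["verified"]


def demo():
    """Run acquisition, a clean re-verification, and a verification after tampering."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_drive.bin")
        image = os.path.join(workdir, "suspect_drive.img")
        log = os.path.join(workdir, "custody.log")
        # Constructed sample "drive": a fake boot sector plus filler, not real evidence.
        with open(source, "wb") as f:
            f.write(b"FAKE-MBR" + b"\x00" * 504 + b"user file data\n" * 700)
        acquired = acquire_image(source, image, log, "Examiner A")["verified"]
        clean = verify_image(image, log, "Examiner B")
        # Simulate an accidental write to the working copy; the next check must fail.
        with open(image, "ab") as f:
            f.write(b"\x00")
        after_tamper = verify_image(image, log, "Examiner B")
        with open(log, encoding="utf-8") as f:
            entries = sum(1 for line in f if line.strip())
    return {"acquired": acquired, "clean_reverify": clean,
            "tamper_detected": not after_tamper, "log_entries": entries}


if __name__ == "__main__":
    print(demo())
```

In real casework the source would be read through a hardware write-blocker and the image stored in a forensic container format, but the three things a client should look for are exactly what this shows: the original is never written to, the copy is proven equal by hash, and every action is logged with a name and a time.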

15. How long will it take to get your data?

16. Is this a large company that considers you one of many clients or will you get personal attention?

17. Will the report be clear and explain any technical issues in a manner that is understandable by all parties involved?

East Tennessee Digital Forensics
1113 Tusculum Blvd. #395
Greeneville, TN 37745
PHONE: (305) 395-0247

E-mail us: info@et-digital.com
