Computer Forensics Training in Digital Forensics & Electronic Discovery
A company or agency that has a computer network may at some point find itself having to deal with some kind of electronic-related crime or misbehavior. It could be external, such as a hacker, or it could be internal, such as the theft of files by an employee. In any case, the activity will frequently be proven through digital forensics. When the evidence obtained is needed in court, electronic discovery plays a significant role. As such, training in these two areas is highly technical and important.
Background and Use
Digital forensics and related discovery training provide critical benefits to both government agencies and private businesses. Anyone can be sued or pursue litigation, in both criminal and civil arenas, and many cases are won on the evidence gathered.
A typical case involves an employee fired for misusing a business computer. The examiner not only needs to prove, via signs of behavior, that the inappropriate activity occurred; he or she also needs to find and preserve the resulting proof, usually in the form of files or data. If the activity cannot be linked to the fired employee and if the resulting proof (i.e., the file) doesn't exist, then an attorney who knows how electronic forensics works could win a wrongful termination action for the fired employee. The defense in such a lawsuit relies on the examiner doing his or her job successfully.
Prerequisites
Training in digital forensics with a focus on discovery practices requires applicants to already have specific technical training. Students need to be familiar with all forms of generally used digital media. They need to have an above-average comprehension of how computers work, both software and hardware. Students also need to understand how productivity software, email systems and networks operate, as these constitute the foundation on which to build techniques for finding hidden or "deleted" evidence.
The Legal Relationship
Computer forensics for the purpose of discovery traces its origins to criminal law, as pursued by federal prosecutors. The foundations of the related discovery approaches stem from white-collar investigations and evidence preserved on early computers. Early training courses were slanted toward criminal investigations, with civil investigations being pursued by civil lawyers, who sought to take advantage of new information sources.
Discovery training today is built around two areas: pursuing civil actions and proving crimes. Whether a student proceeds to work as a law enforcement employee or as a corporate system expert for defense, the training rules are the same: find the evidence, preserve it from corruption and have a methodology to defend the whole process from being thrown out in court.
Specific Course Training
Many forensic courses start with a general approach, outlining how computer crime occurs in the first place. This then leads to a study of the storage techniques used to save data. Understanding these two concepts moves a student into basic computer forensics and methodologies to preserve evidence from tainting. The forensics student then advances to the study of digital discovery approaches and of evidence from a legal perspective, including how it is used by attorneys. Tools for searching and seizure approaches come next, with data recovery from intentional destruction closing out the search topics. The final phases deal with how to break encrypted files, or those locked with passwords, and pursuing specialty cases, such as cyber-terrorism. The closing module involves training in preparing the findings obtained and presenting them in court.
The General Examiner Role
Once trained, an examiner will be expected to operate frequently in an investigatory capacity. This will require the examiner to regularly rely on and practice electronic discovery methodologies in anticipation of being challenged on the findings in court. A good examiner will perform two actions with every successful examination: he or she will either find and preserve the material dealing with suspected inappropriate activity or clear the reviewed system of any suspicion, and will also follow all necessary procedures to the letter in order to be able to defend the examination steps in court under questioning.