Canadian Criminal Law/Appendix/Model Examinations/Computer Forensic Analyst

Background

edit
<be sure to check with judge on how much familiarity he or she has with basics of computers, may need to go into details about what a file and a directory are>
  • Name / employer / duration of employment / current position
  • employment on date of offence / on duty on day of offence

Qualification

edit
  • education and training in computers and computer analysis / name of program / time of education
  • Any special training with respect to computer forensics / What is Computer Forensics?
  • Go details of training:
    • name of course / where is it available / who developed it / standardized program
    • starting at first program, list all educational programs completed, including duration (hours/days)
    • whether training involved hands on work / circumstances of this hands on work / ability to confirm results / any supervision
    • Go through the analysis process involved
    • success in the course / any certification / by what organization / time and duration of certification / requirements to be certified / requirements to maintain certification
    • Any other relevant training
    • gave training / presentations on the topic
    • Admit Resume
  • Experience
    • number of prior cases you have performed analysis upon / # of times you have been asked to give an opinion / # of times you have testified in court / # of times qualified (when and where)
    • documenting all prior evaluations / method of documenting / reviewed before court
Seek to have computer analyst qualified as an expert in _____

Review Tools, Methodology and Terms

edit
  • state of computer when you first receive it
  • Software tools used (FTK, EnCase, etc) / purpose of tools / preservation of data
  • types of files examinable on the hard drive
    • accessible documents, images, videos
    • inaccessible documents, images, videos (full or partial)
  • what is necessary to recover inaccessible or deleted file
    • different ways files are deleted / what is preserved
  • there are several programs and services to recover data (est. that it could be reckless to assume deleted files are gone for good)
  • manner to make files unrecoverable / software programs that exist

Incident

edit

Examination of a Computer

edit
  • gained access to a computer / where / from whom
  • type of computer / serial number / peripheral equipment / likely age of computer
  • state of machine when beginning / accessing the hard drive using EnCase or similar / reason for using EnCase or similar
  • identify operating system being used

Contents of the Computer

  • found any files that were relevant to the case
  • types of files (pictures, videos, documents)
  • contents of the documents
    • did you review the contents of the files / do the file names reflect the contents
  • metadata and characteristics of the files:
    • hash values and names of files / number of files found / total size of all the files / length of videos
    • location of files found / directories / unallocated space
    • dates of created, modified, and accessed / comment on accuracy of times and dates / other ways of determining date they were downloaded, opened or deleted

Signs of User's Identity

  • examined files for signs of who uses the account:
    • checked OS registry / registered owner’s name
    • user accounts enabled on OS / whether one user can put files in another user’s directories
    • images of persons or family members
    • internet browsing history (including log-in information)
    • documents with names on it
    • connection with web log-in accounts with a certain name

Signs of User's Familiarity with Computers

  • consider whether settings of P2P software were modified
  • other software installed on machine, software that is generally directed at advanced user
  • signs of customized operating system, desktop, etc. / how much different did set up look from the default installation out of the box

Other Potentially Relevant Information

  • details on the software packages installed on the machine
  • details regarding OS installation (time and date, by whom)
  • synchronization of computer's clock
  • other software installed (file deleting software, chat programs, viruses, spyware, or other file sharing programs)