Canadian Criminal Law/Appendix/Model Examinations/Computer Forensic Analyst
Background
edit- <be sure to check with judge on how much familiarity he or she has with basics of computers, may need to go into details about what a file and a directory are>
- Name / employer / duration of employment / current position
- employment on date of offence / on duty on day of offence
Qualification
edit- education and training in computers and computer analysis / name of program / time of education
- Any special training with respect to computer forensics / What is Computer Forensics?
- Go details of training:
- name of course / where is it available / who developed it / standardized program
- starting at first program, list all educational programs completed, including duration (hours/days)
- whether training involved hands on work / circumstances of this hands on work / ability to confirm results / any supervision
- Go through the analysis process involved
- success in the course / any certification / by what organization / time and duration of certification / requirements to be certified / requirements to maintain certification
- Any other relevant training
- gave training / presentations on the topic
- Admit Resume
- Experience
- number of prior cases you have performed analysis upon / # of times you have been asked to give an opinion / # of times you have testified in court / # of times qualified (when and where)
- documenting all prior evaluations / method of documenting / reviewed before court
- Seek to have computer analyst qualified as an expert in _____
Review Tools, Methodology and Terms
edit- state of computer when you first receive it
- Software tools used (FTK, EnCase, etc) / purpose of tools / preservation of data
- types of files examinable on the hard drive
- accessible documents, images, videos
- inaccessible documents, images, videos (full or partial)
- what is necessary to recover inaccessible or deleted file
- different ways files are deleted / what is preserved
- there are several programs and services to recover data (est. that it could be reckless to assume deleted files are gone for good)
- manner to make files unrecoverable / software programs that exist
Incident
editExamination of a Computer
edit- gained access to a computer / where / from whom
- type of computer / serial number / peripheral equipment / likely age of computer
- state of machine when beginning / accessing the hard drive using EnCase or similar / reason for using EnCase or similar
- identify operating system being used
Contents of the Computer
- found any files that were relevant to the case
- types of files (pictures, videos, documents)
- contents of the documents
- did you review the contents of the files / do the file names reflect the contents
- metadata and characteristics of the files:
- hash values and names of files / number of files found / total size of all the files / length of videos
- location of files found / directories / unallocated space
- dates of created, modified, and accessed / comment on accuracy of times and dates / other ways of determining date they were downloaded, opened or deleted
Signs of User's Identity
- examined files for signs of who uses the account:
- checked OS registry / registered owner’s name
- user accounts enabled on OS / whether one user can put files in another user’s directories
- images of persons or family members
- internet browsing history (including log-in information)
- documents with names on it
- connection with web log-in accounts with a certain name
Signs of User's Familiarity with Computers
- consider whether settings of P2P software were modified
- other software installed on machine, software that is generally directed at advanced user
- signs of customized operating system, desktop, etc. / how much different did set up look from the default installation out of the box
Other Potentially Relevant Information
- details on the software packages installed on the machine
- details regarding OS installation (time and date, by whom)
- synchronization of computer's clock
- other software installed (file deleting software, chat programs, viruses, spyware, or other file sharing programs)