Tips for Beginner Computer Forensics Investigators

Many career opportunities are available for those interested in cybersecurity, one being that of computer forensic investigator. A computer forensics investigator examines computers and digital devices involved in cyber crimes. Uncovered evidence may be used in legal proceedings, and investigators are often called upon to testify in criminal and civil hearings.

Those interested in a career in computer forensics can read author and forensic investigator William Oettinger's Learn Computer Forensics: Your One-Stop Guide to Researching, Analyzing, Acquiring, and Securing Digital Evidence.

In this interview, Oettinger explains what new examiners should expect when starting out, what certifications he earned before becoming a computer forensics investigator, and more.

Discover an excerpt from chapter 2 of Oettinger's book, which explains what kind of computer workstation and response kit investigators should invest in to conduct a thorough examination of digital evidence.

Editor’s note: The following interview has been edited for clarity and conciseness.

What prompted you to write Learn Computer Forensics?


William Oettinger: Lots of books explain how to do certain elements of computer forensic investigations, but there is nothing for the new examiner starting out. In addition, many textbooks cover the theoretical side. But few cover the practical side, and no one else has covered the whole process.

I wanted to provide a point of reference for those starting out in their careers, such as helping them choose equipment, as well as other hardware and software considerations.

What knowledge or experience should investigators have when starting out in computer forensics? Are there any relevant certifications?

Oettinger: They must be curious about conducting investigations and know how to ask questions while doing so. From there, they need to understand computers and how they communicate.

Even before taking courses in forensics, I took courses in Windows. From there I earned my CompTIA Security+ and Network+ certificates. I also got my MCSE [Microsoft Certified Solutions Expert, since retired] certification to make sure I understood how Windows works and how it stores data, so I could find relevant artifacts for an investigation.

What do beginners need to know when starting their career in computer forensics?

Oettinger: It’s easy to get overwhelmed on your first survey, especially if it involves multiple devices. Be sure to identify the hash list and filter out anything known. The hardest part of our job is to identify the user of the devices. Don’t go into a survey assuming the user is someone in particular.

In the book, you wrote that digital evidence is the most volatile evidence. Why is this important for those starting a career as an investigator?

Oettinger: Digital evidence is easily destroyed, especially accidentally. Physical evidence is much easier to handle. For example, with fingerprints, you dust them off and put tape over them, place that tape between Plexiglas and it’s ready to be scanned. Same with blood. These physical objects are not easily destroyed. Some of them may be destroyed during the testing process, but you usually have enough left over to communicate with a third party about it.

The same is not true for digital evidence. You have a container, which can be a hard drive with spinning platters, an SSD or a USB device, and this is how evidence is stored. People still don’t understand how the file system works. They don’t realize how fragile it is and that you can destroy evidence by plugging a USB drive into the PC and causing a static discharge. A zap can ruin your chip and render the device unreadable. I’ve seen this happen a few times to senior officials in the department.

So many things can go wrong so quickly with digital evidence. You need to take special precautions to keep it safe, such as using a clean room. Also be sure to work with a copy of the proof rather than the proof itself. You don’t want to accidentally alter digital evidence, which is very easy to do. For example, just connect a proof to a Windows device and it will start writing information to disk. Use a write blocker to prevent modification of evidence simply by connecting to it.

You need to understand digital evidence and its limitations, then be able to explain to a third party why it is important and how it got there, as well as what you have done to protect the state of the digital evidence and ensure that you didn't make changes.
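As an added illustration (not code from the book or the interview), a short Python script that applies two of the practices Oettinger describes above: filtering out files whose hashes match a known-file set, and verifying that a working copy of the evidence still matches the original before and after analysis. The sample files, the known-hash set and the simulated accidental write are all constructed here.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so that multi-gigabyte images never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def copy_matches_original(original, copy):
    """True only if the working copy hashes identically to the acquired original."""
    return sha256_of(original) == sha256_of(copy)

def filter_known(paths, known_hashes):
    """Split files into those still needing review and those matching the known-file hash set."""
    to_review, known = [], []
    for p in sorted(paths):
        (known if sha256_of(p) in known_hashes else to_review).append(os.path.basename(p))
    return to_review, known

def demo():
    """Constructed sample case: a tiny 'evidence' folder, a known-hash set and a working copy."""
    d = tempfile.mkdtemp()
    sample = {"system.dll": b"vendor-shipped binary",
              "notes.txt": b"user notes",
              "track.mp3": b"ID3 ... constructed audio bytes"}
    for name, data in sample.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    # Known-hash set (a stand-in for a reference set such as NSRL) lists only the vendor file.
    known_set = {hashlib.sha256(b"vendor-shipped binary").hexdigest()}
    to_review, known = filter_known([os.path.join(d, n) for n in sample], known_set)
    # Work from a copy: verify it before analysis, then re-verify afterwards.
    orig, work = os.path.join(d, "track.mp3"), os.path.join(d, "track.mp3.work")
    shutil.copyfile(orig, work)
    clean = copy_matches_original(orig, work)
    with open(work, "ab") as f:  # simulate an accidental write to the working copy
        f.write(b"!")
    after_write = copy_matches_original(orig, work)
    shutil.rmtree(d)
    return {"to_review": to_review, "known": known,
            "copy_ok": clean, "copy_ok_after_write": after_write}

if __name__ == "__main__":
    print(demo())
```

The re-verification step is what catches the kind of silent modification Oettinger warns about when a drive is attached without a write blocker.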

What is the most difficult aspect of any computer forensic investigation?

Oettinger: The amount of information you have to sift through to find what’s relevant to your investigation. We’re talking about hard drives larger than 1TB. People are keeping their devices longer because the capacity has increased, and that translates into a lot of information. What makes things even more difficult is if a user has technical knowledge. I’m currently working on a case where the subject is hiding contraband footage in MP3 files. I have to browse and scan each MP3 file to see which ones have been modified. Another difficult aspect is if a device has multiple users. Finding who is responsible is all the more difficult.

What tools or applications are commonly used during an investigation?

Oettinger: I use X-Ways mainly for office exams. I also use Belkasoft Evidence Center X. I just started using Magnet Axiom for device investigations; I was a Magnet user 15 years ago when it had Internet Evidence Finder.

Are computer forensic investigators expected to testify in court?

Oettinger: It depends on who the investigator works for. I focus on the criminal side of things because the civil tends to be messier. At the local, state, and federal levels, the subject often agrees to plead guilty to a certain set of charges and receives a sentence. Nine times out of 10, it’s because the digital evidence is so overwhelming that the government offers a reduced set of charges in exchange for the guilty plea to save time and money.

I also work on military investigations. The military is much more liberal when it comes to charging suspects, so cases go to trial more often than they do compared to state or federal systems.

Any advice for new computer forensics investigators as they prepare to testify?

Oettinger: Be careful when testifying in court and talking to non-technical people. It is easy for them to misinterpret facts, for example, involving unallocated space. Nine times out of 10, they'll assume a file is in unallocated space because the user did some action that caused it to be placed there. It's not always accurate. If investigators find a file in unallocated space, the only thing we can tell is that it was on the device at some point, especially if there are no other file system artifacts to provide more information. If you try to attribute this file to a specific user and you have no other proof beyond the existence of the file, you cannot say that the user in question deleted it. You can't tell anything beyond the fact that the file is there in unallocated space. It's a conversation I have regularly with lawyers, judges and juries. I need to explain the concept that not everything has a user-initiated action.
