Wednesday 20 October 2010

Cyber Forensics

Over 70% of UK homes have a computer, with 93%+ of those connected to always-on broadband, and against that backdrop there is the fact that, in the majority of criminal and corporate cases, somewhere in the background a computer, PDA, or cell-phone may be lurking. That is the case for Computer Forensics.
Whether SME or Corporate, there is no doubt that, given the array of available system capabilities and free and paid tools, an organisation with internal technological capabilities may maintain its own Computer Forensics capability to respond to incidents, and to meet any requirement for the collection and analysis of artifacts.
This complex capability has two parts, of which the technological aspect amounts to the lesser of the two evils. The question is: if the results of a case, the artifact(s), or the applied processes were subjected to test or challenge seeking to validate the scientific approach, would they meet the expectations of evidentiary reliability? Where analysis has been conducted, would the processes meet the quality expectations of ISO/IEC 17025:2005 and ISO 9000? Lastly, would the processes, procedures, and associated disciplines be robust enough to counter any challenge satisfactorily?
By its nature, Computer Forensics is heavily dependent on technical capabilities, tools, and snazzy technological prowess. However, this is a game of two halves, and the most critical components are the applied rigour of process, the applied disciplines, and the documentation used to underpin the activity. Any weakness, gap, or break in the chain could result in those impressive skills employed in reacting to an incident being entirely wasted. A disk image obtained outside of a rigorous process is not necessarily wasted effort, as it may serve as a high-cost backup, but would it represent a reliable, robust forensic artifact? Possibly not. Without a recorded acquisition hash, a verification of the copy against its source, and a chain of custody for who handled the image and when, there is nothing to show that the bytes analysed are the bytes that were seized.
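To make the difference between "a copy" and "a forensic artifact" concrete, here is an added example (not code from the original post) of the minimum process wrapped around an image: hash the source and the copy at acquisition, refuse the copy if the hashes differ, start a chain-of-custody record, and re-verify the image against the recorded hashes before analysis. The image bytes, exhibit reference, and examiner names are constructed for the example; a real acquisition would read a device behind a write-blocker rather than a byte string.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the media being imaged (16 KiB of deterministic
# bytes). In practice this is a block device read through a write-blocker.
SAMPLE_SOURCE = bytes(range(256)) * 64


def hash_image(data: bytes) -> dict:
    """Return the acquisition hashes recorded alongside the image.
    Two algorithms are kept so a challenge to one does not void the record."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def acquire(source: bytes, examiner: str, exhibit_ref: str, source_desc: str) -> dict:
    """Simulate a bit-for-bit acquisition and open the chain-of-custody record.

    The copy is accepted only if its hashes match the source hashes; that
    comparison is the acquisition verification step an examiner must be
    able to evidence later.
    """
    image = bytes(source)  # stands in for the bit-for-bit copy
    source_hashes = hash_image(source)
    image_hashes = hash_image(image)
    if source_hashes != image_hashes:
        raise RuntimeError("acquisition verification failed: copy does not match source")
    record = {
        "exhibit_ref": exhibit_ref,
        "source": source_desc,
        "size_bytes": len(image),
        "hashes": image_hashes,
        "custody": [
            {"event": "acquired and verified", "by": examiner, "at": _now()},
        ],
    }
    return {"image": image, "record": record}


def log_custody(record: dict, event: str, who: str) -> dict:
    """Append a custody event (transfer, sealing, analysis start) to the record."""
    record["custody"].append({"event": event, "by": who, "at": _now()})
    return record


def verify(image: bytes, record: dict) -> bool:
    """Re-hash the image and compare against the recorded acquisition hashes.
    Any discrepancy means the bytes under analysis are not the bytes seized."""
    return hash_image(image) == record["hashes"]


def record_to_json(record: dict) -> str:
    """Serialise the custody record for the case file (and for a hash of its own)."""
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed exhibit reference and examiner names.
    acq = acquire(SAMPLE_SOURCE, "examiner A", "EXH-001", "laptop HDD, serial redacted")
    log_custody(acq["record"], "transferred to evidence store", "examiner B")
    print(record_to_json(acq["record"]))
    print("verifies before analysis:", verify(acq["image"], acq["record"]))

    # A single flipped bit (e.g. an image mounted read-write by mistake)
    # is enough to fail verification.
    tampered = bytearray(acq["image"])
    tampered[0] ^= 0x01
    print("verifies after modification:", verify(bytes(tampered), acq["record"]))
```

The record is deliberately boring: what was imaged, the hashes, and who had it when. That is the part that answers a challenge; the imaging tool itself rarely does.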
To conclude, based on experience and cases, it has been continually demonstrated that it is absolutely essential for a Computer Forensics Policy and an Operational First Responder Documentation Set to exist. Agreed, in-house forensic tools and applications are a must, but the most important part of all is to apply rigour, then apply process, finishing off with, yes, you guessed it, PROCESS.