Advice for beginner computer forensic investigators

Plenty of career opportunities are available to those interested in cybersecurity, one being as a computer forensic investigator. A computer forensic investigator examines computers and digital devices involved in cybercrimes. Evidence uncovered can be used during court proceedings, and investigators are often called on to testify at criminal and civil court hearings.

For those interested in a career in computer forensics, they can read author and forensic investigator William Oettinger's Learn Computer Forensics: Your one-stop guide to searching, analyzing, acquiring, and securing digital evidence.

In this interview, Oettinger explains what new examiners should expect when starting out, what certifications he earned before becoming a computer forensic investigator and more.

Check out an excerpt from Chapter 2 of Oettinger's book, which breaks down what kind of computer workstation and response kit investigators should invest in to carry out a thorough examination of the digital evidence.

Editor's note: The following interview has been edited for clarity and conciseness.

What prompted you to write Learn Computer Forensics?

Click here to learn more about
Learn Computer Forensics.

William Oettinger: A lot of books out there cover how to do certain bits and pieces of computer forensics investigations, but there isn't anything for the new examiner starting out. Plus, a lot of textbooks cover the theory side. But few cover the hands-on side, and no one else has covered the entire process.

I wanted to provide a point of reference for those at the beginning of their career, for example, to help them pick their equipment, along with other considerations around hardware and software.

What knowledge or experience should investigators have when starting out in computer forensics? Are there any relevant certifications?

Oettinger: They should be curious about conducting investigations and know to ask questions when doing so. From there, they need an understanding of computers and how they communicate.

Even before taking forensic classes, I took courses on Windows. From there, I earned my CompTIA Security+ and Network+ certifications. I also earned my MCSE [Microsoft Certified Solutions Expert, since retired] certification to make sure I understood how Windows works and how it stores data in order to look for artifacts pertinent to an investigation.

What should beginners know as they start their career in computer forensics?

Oettinger: It's easy to get overwhelmed during your first investigation, especially if it involves multiple devices. Make sure to identify the hash list and filter out everything that is known. The hardest part of our job is identifying the user of the devices. Don't go into an investigation assuming the user is anyone specific.

In the book, you wrote that digital evidence is the most volatile piece of evidence. Why is this important for those beginning an investigator career?

Oettinger: Digital evidence is easily destroyed, especially accidentally. Physical evidence is much easier to handle. For example, with fingerprints, you dust them and place tape on them, put that tape between Plexiglas, and it's ready to be analyzed. The same with blood. These physical items aren't easily destroyed. Some of it may get destroyed during the testing process, but you usually have enough left over to communicate with a third party about it.

The same isn't true of digital evidence. You have a container, which could be a hard drive with spinning platters, a solid-state drive or a USB device, and that's how the evidence is stored. People still don't understand how the file system works. They don't realize how fragile it is and that you can ruin evidence by plugging a USB drive into the PC and causing a static electrical discharge. One zap can ruin your chip and make the device unreadable. I've seen that happen a couple times to senior members of the department.

So much can go wrong so fast with digital evidence. You have to take special precautions to keep it safe, such as using a clean room. Also, be sure to work with a copy of the evidence rather than on the evidence itself. You don't want to accidentally alter digital evidence, which is very easy to do. For example, just connecting evidence to a Windows device makes it start writing information to the disk. Use a write blocker to prevent changing evidence just by connecting to it.

You have to understand the digital evidence and its limits and then be able to explain to a third party why it's important and how it got there, as well as what you did to protect the state of the digital evidence and ensure that you didn't make any changes.

What is the most difficult aspect of any computer forensic investigations?

Oettinger: The sheer amount of information you have to go through to find what is pertinent to your investigation. We're talking about hard drives in excess of 1 TB. People keep devices longer because capacity has increased, and that results in so much information. What makes things even more difficult is if a user has technical knowledge. I'm working a case right now where the subject hides contraband images in MP3 files. I have to go through and scan each and every MP3 file to see which ones have been altered. Another difficult aspect is if a device has multiple users. Finding out which person is responsible is that much tougher.

What are common tools or applications used during an investigation?

Oettinger: I use X-Ways primarily for desktop examinations. I also use Belkasoft Evidence Center X. I just started using Magnet Axiom for device investigations; I was a Magnet user 15 years ago when it had Internet Evidence Finder.

Are computer forensic investigators expected to testify in court?

Oettinger: It depends on who the investigator works for. I focus on the criminal side of things because civil tends to be messier. At a local, state and federal level, the subject often agrees to plead guilty to a certain set of charges and gets a sentence. Nine times out of 10, this is because digital evidence is so overwhelming that the government offers a reduced set of charges in exchange for the guilty plea to save time and money.

I also work military investigations. The military is much more liberal with what it will charge suspects with, so cases go to trial more often than they do in comparison to the state or federal systems.

Any advice for newer computer forensic investigators as they prepare to testify?

Oettinger: Be careful when you testify in court and talk to nontechnical people. It's easy for them to misconstrue facts, for example, involving unallocated space. Nine times out of 10, they're going to assume a file is in an unallocated space because the user did an action that caused it to be placed there. That's not always accurate. If investigators find a file in unallocated space, the only thing we can say is that it was on the device at one time -- especially if there are no other file system artifacts to provide more information. If you try to attribute that file to a specific user and don't have any further proof beyond the existence of the file, you can't say the user in question deleted it. You can't say anything beyond that the file is there in unallocated space. That is a conversation I have consistently with lawyers, judges and juries. I have to explain the concept that not everything has a user-initiated action.