Making It Big: Large Scale Network Forensics (Part 2 of 2)
Also worth noting is the use of scripting to carry out investigations on a large-scale network. Customized scripts, written by the IT system administrator, have been put forward as an alternative to a forensic toolkit. While properly coded scripts are of great use to investigators in gathering data from unattended areas of the network, they are a complement to, not a replacement for, a sound forensic solution.
Fowler adds, "The nice thing about using Perl scripts is that it automates many log and data collection activities that may otherwise be forgotten due to limited time on the part of the system administrator. Tedious tasks such as collecting, analyzing, and storing log files from a number of locations can often be overlooked. A properly created Perl script can free up a system administrator so that he or she can concentrate investigative efforts in areas of the network or system that sometimes forgo attention due to time constraints."
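The following is an added example of the kind of collection script Fowler describes; it is not code from the article or from Guidance Software. It pulls a list of log files into an evidence directory, records for each one the host, collection time, size, original mtime and SHA-256 before and after the copy, marks the copies read-only, writes a manifest, and can later re-hash the copies to show nothing has changed since collection. It is written in Python rather than Perl, the file paths and sample log lines are constructed for the demo, and remote collection (for example over SSH) is assumed to wrap the same logic.

```python
"""Collect log files from several locations into an evidence directory, hashing
each file before and after the copy and writing a manifest (added example)."""
import hashlib
import json
import os
import shutil
import socket
import tempfile
import time
from pathlib import Path


def _utc(ts=None):
    """ISO-8601 UTC timestamp; ts=None means now."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def sha256_file(path):
    """Stream a file through SHA-256 so large logs never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _copy_name(src):
    """Flatten /var/log/auth.log to var__log__auth.log so copies cannot collide."""
    return src.as_posix().strip("/").replace("/", "__")


def collect_logs(sources, evidence_dir):
    """Copy each source file into evidence_dir, record provenance and hashes, and
    write manifest.json there. Returns the manifest: one dict per source path."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in (Path(s) for s in sources):
        entry = {"source": str(src), "host": socket.gethostname(), "collected_at": _utc()}
        if not src.is_file():
            entry["status"] = "missing"  # record the gap instead of silently skipping it
            manifest.append(entry)
            continue
        st = src.stat()
        entry["size"] = st.st_size
        entry["source_mtime"] = _utc(st.st_mtime)
        entry["sha256_source"] = sha256_file(src)   # hash the original first
        dest = evidence_dir / _copy_name(src)
        shutil.copy2(src, dest)                      # copy2 keeps the original timestamps
        os.chmod(dest, 0o444)                        # working copy is read-only
        entry["copy"] = str(dest)
        entry["sha256_copy"] = sha256_file(dest)     # hash the copy and compare
        entry["status"] = "ok" if entry["sha256_copy"] == entry["sha256_source"] else "hash_mismatch"
        manifest.append(entry)
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash every copy listed in manifest.json. Returns the copies whose current
    hash no longer matches the value recorded at collection time."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [e["copy"] for e in manifest
            if e["status"] == "ok" and sha256_file(e["copy"]) != e["sha256_copy"]]


if __name__ == "__main__":
    # Constructed demo data (not real logs): two files that exist and one that does not.
    work = Path(tempfile.mkdtemp())
    (work / "auth.log").write_text(
        "Jan  1 00:00:01 host sshd[123]: Failed password for root from 10.0.0.5 port 4422 ssh2\n")
    (work / "syslog").write_text(
        "Jan  1 00:00:02 host cron[45]: (root) CMD (run-parts /etc/cron.hourly)\n")
    result = collect_logs([work / "auth.log", work / "syslog", work / "kern.log"],
                          work / "evidence")
    print(json.dumps(result, indent=2))
    print("tampered copies:", verify_manifest(work / "evidence"))
```

Run it unattended from cron on each host and keep the manifests; a later `verify_manifest` call is what lets you state, rather than assume, that the copies the examiner worked from are the ones collected. The script does not make the collection admissible on its own: the originals, the collector's identity and the handling of the evidence directory still have to be documented by hand.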
The process behind most analytical tasks is based on a generally accepted checklist of duties and considerations. A proper computer forensics methodology involves a laundry list of actions and thought processes that an investigator needs to consider in order to have the basics covered. While one might think forensic methodology would come naturally to most senior system administrators, it's not that simple. Which part of training methodology deserves special attention, and what should one already know and be practicing? Fowler explains, "The question of training methodology is a great one. We are hearing from investigators that testify during investigations. The consensus is that the focus on the product used is of less concern than the methodology used during the investigation itself. The Law Enforcement students we train are often seasoned veterans with years of experience dealing with issues such as evidence handling and investigative best practices. The transition to the computer forensic mindset is usually a painless one, given that they possess the basic knowledge and can apply it to most investigations.
IT professionals present an additional challenge. Although they have years of knowledge dealing with computers and networked systems, frequently the methods of protecting items of evidentiary value and utilizing accepted evidence-gathering practices have not been a part of their training.
I have always said, 'Give me an investigator and I can train him in the technical issues in my class.' Taking an IT professional and giving him the investigative mindset needed is something that cannot be covered in a four- to five-day class. What we can teach is sound forensic methodology that they can use while gaining the investigative experience they need."
What Is Needed?
Fowler continues, "One of the chief questions I get asked when teaching our corporate investigations course is whether I can provide a checklist of items that need to be completed in order to let the investigator know that the investigation is finished. The short answer is no. There is no checklist or special script that an investigator can run that will log in your evidence, examine the drive, chronicle the items of evidentiary value and write your reports. Each case worked will have its own set of idiosyncrasies and areas that require in-depth review. This is what separates an investigator: the compulsion to dig deeper until he is satisfied that he knows everything there is to know about the case."
Time on your hands?
An IT examiner with time to spare could conduct a network investigation by assembling several types of forensic utilities to do the job of a comprehensive toolkit: shareware, specialized forensic components, log files, scripting and much more are all available for consideration.
In reality, today's IT administrator already does the job of ten people and needs a solution that is customizable, expandable, upgradeable, and able to adhere to industry best practices and legal protocols. That's a tall order indeed. There are solutions out there that can perform at this level, and some look costly when their price is not weighed against return on investment and performance. One should not gauge a forensic solution by its cost alone, but rather against the accumulated cost of procuring multiple utilities, the time demands on administrators, possible data loss for the company, inadequate reporting that may not be upheld in a court of law, and the hard-to-measure losses from employee misconduct and policy violations.
I revisit the argument of "How secure do you want to be?" This is a question best asked around a conference table with all the big players present: Human Resources, the CFO, CSO, CEO, CIO, VP of Engineering, VP of Sales, and of course IT. All of these critical functions are directly affected by the effectiveness of a good forensic solution. Instead of asking "How much does it cost?", one should be asking "How much is our company worth to us?" There are solutions that are definitely good enough. Think about it.
When I asked Mike Fowler about the pros and cons of using Guidance's solution as opposed to the various other solutions on the market, he replied, "Remember, I was a customer of Guidance's (having been in Law Enforcement conducting investigations) long before I came on board. A comprehensive enterprise solution offers one-stop shopping in conducting drive examinations, ease of use, and the best customer service in the industry!"
Computer forensics is entering the corporate world to fill a large gap in IT capabilities and to meet a growing need for comprehensive security. There are many common misconceptions about what the technology can and cannot do. Single solutions and cutting-edge tools accomplish their goals only in the hands of trained examiners who bring an investigative mindset and follow proper methodology. There is no quick-fix forensic solution, but there are excellent tools on the market that are well worth a company's time and energy to explore. The cost in dollars is dwarfed by the multiple uses for enterprise forensics and their total, almost immeasurable return on investment. While not at all magic, complete enterprise forensic solutions are efficient, comprehensive, and consistently ahead of the game.
*Guidance Software describes itself as the world's largest provider of computer and enterprise forensic investigation solutions and training. Founded in 1997 and headquartered in Pasadena, CA, Guidance Software, Inc., has offices and training facilities in California, Virginia and the United Kingdom. More than 8,000 corporate and government investigators employ EnCase software, and more than 2,300 investigators attend Guidance Software's forensic methodology training annually. Validated by numerous courts and the recipient of several industry awards, EnCase software is widely considered the standard in forensic tools (https://www.guidancesoftware.com/).
Melisa LaBancz is a freelance journalist in the San Francisco Bay Area who has spent the past several years writing unique pieces about the security industry. With a special fascination for encryption technology and computer forensics, she has called upon the industry's best to assist in the quest for layman's terms and a trailer park understanding. Her day job consists of being a security export analyst and a security PR consultant to some of the nation's most cutting edge security vendors.
When not feverish over worldwide security conferences, she can be found photographing random glass and steel architecture, antagonizing her garden into growing and finishing off her Japanese half sleeves.
In an effort to articulate complex topics for a wider variety of readers, Melisa is known to rely on her belief in comparative nonsense to build her case and has developed strong relationships among the industry's best known thought leaders.
A few selected pieces:
Super! Ultra! Jumbo! Privacy as the New Multi-Purpose Word
Do It Yourself Security: Cutting Our Umbilical Dependence on the Consultant Community
Fire and Brimstone in 21st Century Security