Computer Forensic changing environment!
Posted on September 2, 2008 | Filed Under Computer Forensics, Electronic Discovery
Rapid changes in computer forensics investigations are starting to shape the future of the industry and solidify the profession. If you are not adaptable to change, then computer forensics is not the place for you. Constant change in the industry and in technology is pushing the profession into multiple areas of growth. One of the major changes for computer forensics professionals is the nationwide movement of states toward professional investigator licensing under state law. The last time I checked, 42 states had something on the books about licensing computer forensics professionals. It is easier to track the states that are not on the books than the ones that are. Many challenges will need to be worked out as the individual states license the profession. Affiliation with other states will become a necessity to meet the common practices of the computer forensics industry, given our national and global environment. This change is good for the profession, but states should take a closer look at best practices and take the knowledge of computer forensics professionals into account. I would venture to say that the licensed professional investigator may someday be subject to federal regulations, as computer forensics investigations so often cut across multiple states and/or countries. It will be interesting to see how the field and state regulations play out over the next few years. Should states engage in reciprocity and standardize the process between states, or should this be regulated at a federal level?
As the battle over defining the profession goes on, technology is advancing the industry and providing more information to the computer forensic investigator. The latest trend is memory analysis, which provides detailed information that investigators did not think of in past investigations. Memory forensics gives a clearer view of the whole picture of an investigation. The advantage of memory analysis is that it puts you at the crime scene with your camera in hand. Vital state information of the machine is becoming key in the process of computer forensics. Live investigations provide rapid response, meet the challenge of large network topologies, and circumvent encrypted file systems. Live analysis becomes a quick and easy way to find out the state of the system through accessible areas like current user activity, running processes, handles, registered drivers, physical memory analysis, system info, network connectivity and attached peripherals. This amount of information lets investigators connect the dots a lot faster and/or perform a pre-incident triage of the computer before arriving on the scene. The challenge that live investigations create is a total paradigm shift in the investigation process. The investigation becomes a proactive thought process to implement. With the paradigm shift comes another level of education for the legal profession, because memory analysis looks at the state of the system in a constantly changing environment. In a live environment, users are still using the computer and changing the system state all the time. Remember, you have your camera in hand, and the snapshot is a moment in time, which is very different from post-mortem analysis. Will the courts accept the premise of memory analysis, or will they struggle and continue to revert to the post-mortem process?