Canadian Criminal Law/Appendix/Model Examinations/Computer Forensic Analyst

Background

 * Name / employer / duration of employment / current position
 * employment on date of offence / on duty on day of offence

Qualification

 * education and training in computers and computer analysis / name of program / time of education
 * Any special training with respect to computer forensics / What is Computer Forensics?
 * Go through details of training:
 * name of course / where is it available / who developed it / standardized program
 * starting at first program, list all educational programs completed, including duration (hours/days)
 * whether training involved hands on work / circumstances of this hands on work / ability to confirm results / any supervision
 * Go through the analysis process involved
 * success in the course / any certification / by what organization / time and duration of certification / requirements to be certified / requirements to maintain certification
 * Any other relevant training
 * gave training / presentations on the topic
 * Admit Resume


 * Experience
 * number of prior cases you have performed analysis upon / # of times you have been asked to give an opinion / # of times you have testified in court / # of times qualified (when and where)
 * documenting all prior evaluations / method of documenting / reviewed before court


 * Seek to have computer analyst qualified as an expert in _____

Review Tools, Methodology and Terms

 * state of computer when you first receive it
 * Software tools used (FTK, EnCase, etc) / purpose of tools / preservation of data
 * types of files examinable on the hard drive
 * accessible documents, images, videos
 * inaccessible documents, images, videos (full or partial)
 * what is necessary to recover inaccessible or deleted files
 * different ways files are deleted / what is preserved
 * there are several programs and services to recover data (establish that it could be reckless to assume deleted files are gone for good)
 * manner to make files unrecoverable / software programs that exist

Examination of a Computer

 * gained access to a computer / where / from whom
 * type of computer / serial number / peripheral equipment / likely age of computer
 * state of machine when beginning / accessing the hard drive using EnCase or similar / reason for using EnCase or similar
 * identify operating system being used

Contents of the Computer
 * found any files that were relevant to the case
 * types of files (pictures, videos, documents)
 * contents of the documents
 * did you review the contents of the files / do the file names reflect the contents
 * metadata and characteristics of the files:
 * hash values and names of files / number of files found / total size of all the files / length of videos
 * location of files found / directories / unallocated space
 * dates created, modified, and accessed / comment on accuracy of times and dates / other ways of determining date they were downloaded, opened or deleted

Signs of User's Identity
 * examined files for signs of who uses the account:
 * checked OS registry / registered owner’s name
 * user accounts enabled on OS / whether one user can put files in another user’s directories
 * images of persons or family members
 * internet browsing history (including log-in information)
 * documents with names on them
 * connection with web log-in accounts with a certain name

Signs of User's Familiarity with Computers
 * consider whether settings of P2P software were modified
 * other software installed on machine, software that is generally directed at advanced users
 * signs of customized operating system, desktop, etc. / how different the setup looked from the default out-of-the-box installation

Other Potentially Relevant Information
 * details on the software packages installed on the machine
 * details regarding OS installation (time and date, by whom)
 * synchronization of computer's clock
 * other software installed (file deleting software, chat programs, viruses, spyware, or other file sharing programs)