Hello, and welcome back to the computer forensics bootcamp. In this module, we are going to talk about what computer forensics is in the role of the computer forensic examiner. The National Institute of Standards and Technology, NIST, defines digital forensics as a forensic science field. It is considered a forensic science. We're going to be mainly concentrating on the retrieval, storing, and analyzing electronic data, and we're going to use this data in investigations, whether they're criminal, civil, or internal investigations. One thing we need to be aware of is a multitude of items can contain digital evidence. We always think of computers and cell phones, mobile devices. But now we have to be aware of motor vehicle entertainment centers, aerial drones, and a variety of Cloud storage options, as well as watches, Alexas, refrigerators, TV's. There's all kinds of devices out there that contain digital evidence. Another challenge we face as forensic examiners is the sizes, the amount of data that we're looking at. We have vast sums of data, and we are looking for that small piece of data that is relevant to our particular investigation. We also need to be concerned about preserving the evidence, meaning that when we collect this evidence, we've got to do it in a way that is reliable and proven, and we have to do it without altering the evidence in any way. We want to make every effort not to alter the evidence. Here is a layout talking about the process of computer forensics. Again, it is the collection, storage, preservation, analysis, and presentation of electronic evidence. Remember, this process must be repeatable. In other words, you must be able to do it more than once. It must be repeatable. It must be reproducible, meaning that you could give that evidence to another examiner and they could come up with the same results you did, the same findings, and it must be verifiable. We must be able to verify what our tools or our forensic software is telling us. How do we achieve this? We achieve this through what they call approved methodologies. In other words, methods that have been scientifically tested. We're going to use tools that have been validated. We're going to validate our tools, and we're going to talk a lot more about that in upcoming modules. We're going to follow these procedures every time, all the time. That way, when you're called into court or you're testifying before your boss or in a civil case, you can say with the utmost certainty that this is how you performed this particular examination because you always do it that way. You want to get into good habits so you do not skip or miss any steps. The role of the examiner, what is the job of the examiner? Well, we have some major responsibilities, and they're going to include the collecting of the digital evidence. We're going to have to examine and preserve this evidence, we are going to do reporting. Reporting will usually be in a written form, but you can have some form of verbal reporting also. You're going to want to include some type of peer review and quality assurance. Peer review is when a colleague looks over your work and checks it. Quality assurance is pretty much the same thing. Court presentations are another thing we're going to be responsible for, and we're going to have to present this evidence in court, whether that's criminal or civil or some type of internal hearing. We also find ourselves responsible with anything associated with computers or investigations. Another thing that computer forensic examiner has to be aware of is they probably have more than one boss or reporting chain. This could be because of the function of the legal system or the function of your employer. I know when I worked in the public sector, I reported to my direct supervisor, but I also had a sergeant who was in charge of the forensic laboratory, and then I also had to talk to the state's attorney. There were multiple bosses that I was reporting to. Some agencies or companies have a division of labor. A lot of times the evidence will be collected by the first responders or the investigators, and then they're going to deliver that evidence to a laboratory for examination by a forensic examiner. So we have the first responders and the investigators working in the field and the examiner working in the lab. In some cases, you will be responsible for both those jobs. But if you're not, if you're the forensic examiner working in the lab, you want to make sure you are talking to the first responders and the investigators working in the field. If you're somebody that works in the field, you want to make sure you understand the proper way to collect digital evidence, and you and the examiner are talking to each other and on the same page. In our next module, we're going to talk about some forensic methodologies and investigative processes.
