One of the most serious problems faced when attempting to establish a computer forensic facility is the lack of trained and skilled staff. There are no full-time training facilities providing streams of computer forensic graduates, nor will there be for many years to come. There are few ‘technical’ people with training in investigations, and fewer still with knowledge of forensics. Therefore, no matter how ambitious the project, it will fail unless a solution can be found to this problem.
There are two ways in which computer forensic facilities can be provided, and these can be referred to as the single tier and double tier approaches. The latter provides a staffing solution.
The single tier approach assumes that all work is going to be carried out by qualified and highly trained technical staff. They are going to seize computers, copy them, reconstruct hard drives, run searches, examine hits, liaise with clients, print evidence, write reports, solve complex problems, etc. Ideally they should have experience of investigation techniques and, furthermore, be able to use complex tools and have the ability to justify their actions in court.
It is immediately apparent that any attempt to use this approach will have serious drawbacks. For example:
* Recruitment – there are very few suitable people available
* Cost – if they can be found they are usually very expensive to employ
* Time – it takes time to recruit
* Loss – they are easy to lose and can be poached by competitors
* Logistics – they are not always available when they are needed
* Waste – as a resource their talents will not be fully utilized
* Dissatisfaction – they could become bored by the volume of repetitious work
* Delay – a backlog will quickly accumulate.
In the double tier approach it is assumed that 95% of the work will be routine and will be performed by non-technical personnel under supervision. The scarce and expensive technical personnel will be utilized to supervise routine task performance and to complete complex tasks.
The non-technical personnel are referred to as trainee forensic analysts. They are people who do not have technical qualifications but they do have knowledge of computers, enthusiasm and seek to develop a career. They can be recruited by way of an internship program that will provide them with three years’ training resulting in certification, by the employer, as a qualified forensic analyst.
Within the double tier approach, the forensic analyst will perform the routine non-technical tasks such as seizing, copying and reconstructing computer hard drives, running searches, examining hits and printing evidence. All of this will be undertaken under the supervision of the technical staff, who will liaise with clients, write reports, appear as expert witnesses and solve the complex problems found in the more difficult investigations.
The result of using the double tier approach is that a greater volume of work is completed at a more realistic cost. The forensic analysts are motivated to perform and to remain with the organization at least until training is completed. Since they are no longer performing the routine repetitive tasks, the technical personnel have greater job satisfaction, more responsibility and more challenging and stimulating problems to solve.
The double tier approach is not just a theory; it has been shown to be successful in practice.
Requirements for the Double Tier Approach
In order for a double tier approach to work it is necessary to have:
* A defined methodology
* Detailed and standardized operating procedures
* Efficient and practical equipment.
Criteria for equipment must be:
* Simple to use
* Quick to learn
* Totally reliable
* Robust and durable
* Legally acceptable
* Operable under standard procedures.
Resource: DIBS Methodology USA