Making a case for computer forensics
- By Patience Wait
- Nov 03, 2005
A commitment to establishing a computer forensics operation is an expensive proposition, and it's not a one-time purchase decision. Computers and software have to be upgraded frequently. New technologies, such as cell phones and personal digital assistants, require new tools and training. Analysts need to constantly refresh their skills.
Ovie Carroll, a special agent with the Postal Service who specializes in computer forensics, says a lot of computer crime shops don't understand how to demonstrate their offices' return on investment.
'They need to give not just numbers'how many forensic supports they've provided'but the amount of media [hard drives, disks, portable devices] they've gone through,' he said.
Also, they should tie the work to the end result: How many cases were cleared, how many indictments and convictions were earned, how much money was recovered?
Just as important, Carroll said, are estimates of manpower savings'how many hours the computer crimes people save by using forensic tools to conduct search and analysis.
If a field agent seizes a computer hard drive containing massive amounts of data, a forensics analyst can save a lot of working hours by trimming the data down to the few dozen files relevant to the case at hand, Carroll said. It also makes the field officer more efficient.
'I think management should be cognizant of the risk in not paying attention to quality computer crime' tools, he said. 'I can't think of any law enforcement manager that would walk into a house to do a crime scene search and say, 'Wow, this house is too big, so we're just going to do the living room.' That's like in computer crime, would you say, 'I don't have time and money to search all the computer evidence, so let's just do this one hard drive?' '