Computer forensics is clearly the vogue business to be in among Information Technology professionals these days. Information security consultants, data recovery labs and even some computer repair shops are now offering “Computer Forensic” services. Unfortunately for consumers, some basic software, a vendor certification and flashy title does not guarantee competency – let alone expertise. In a marketplace inundated with self-proclaimed “experts”, consumers must exorcise caution when selecting a computer forensic services vendor.

In order to ensure they receive professional forensic services, consumers should carefully review the Curriculum Vitae and equipment resources of each perspective expert. Key areas to scrutinize include technical acumen, industry experience, certifications held, training received, equipment utilized, ethical standards and professional associations. Genuine experts will be more than happy to explain their credentials, provide supporting documentation and itemize equipment at their disposal. The following questions will help differentiate true digital evidence specialists from amateurs and neophytes:

• What is the experience level of the forensic computer examiner or investigator? How long have they been in the industry? How many and what type of cases have they worked?
• What is the primary business of the firm or examiner? Do they deal with digital evidence on a full-time or part-time basis?
• What relevant education and training does the individual possess? Was the training provided by respected vendors or organizations? How current is their training?
• Will the collection and/or analysis occur in a state that regulates computer forensic services? Is the examiner and/or firm licensed to collect and investigate digital evidence in that jurisdiction? Are they insured? What are the consequences of unlawful collection?
• Does the individual hold any professional certifications directly relevant to his or her area of expertise? Does the person hold any peripheral certifications that are indirectly related? Are they vendor specific or vendor neutral? Do they require continuing education and/or periodic competency assessments?
• Is the individual affiliated with any professional organizations? What technical resources, networking opportunities and/or a knowledge base do they provide to their membership? Do they endorse and uphold a code of ethics? Does the individual actively contribute to the organization?
• Has the examiner provided courtroom testimony? Have they ever been admitted as an expert by the court? Have they ever failed to qualify as an expert?
• Is the individual versed in proper evidence handling procedures? Do they employ formal documentation procedures when collecting evidence? Do they maintain accurate chain-of-custody records?
• Is the examiner really committed to ethical analysis and reporting practices? Do they author thorough, objective and factual reports or are they willing to employ “smoke and mirror” tactics?
• Does the vendor utilize multiple industry accepted forensic hardware and software technologies or are they limited to one or two basic tools? Do they own the tools? Does the individual regularly test and verify the functionality of his or her utilities?
• Are methodologies and processes employed by the practitioner forensically sound? Are they commonly accepted in the industry and courts?

Pricing is certainly another important consideration when choosing a vendor for digital forensic services; however, keep in mind that hourly rates are a very poor basis for cost comparison. This is because the quality of forensic equipment and technical resources available to an examiner substantially influence project time requirements. When comparing fees, it is more appropriate to evaluate vendor cost management processes and historical expenditure data from similar engagements (see article on computer forensic cost estimates).