Computer Forensics Best Practices
Forensic examiners adhere to specific standards and rules for conducting examinations. These are designed to ensure that the original evidence is not altered while in their custody and that the evidence is later admissible in court. Most best practices and policies are written with those goals in mind. The following are samples of best practices observed by most examiners during the course of their examinations.
- Whenever possible, do not examine the original media. Write-protect the original, copy it, and examine only the copy.
- Use write blocking technology to preserve the original while it is being copied.
- Computer forensic examiners must meet minimum proficiency standards.
- Examination results should be reviewed by a supervisor and peer reviewed on a regular schedule.
- All hardware and software should be tested to ensure they produce accurate and reliable results.
- Forensic examiners must observe the highest ethical standards.
- Forensic examiners must remain objective at all times.
- Forensic examiners must strictly observe all legal restrictions on their examinations.
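
The first two practices (copy the original, examine only the copy, and leave the original unaltered) can be checked mechanically. The sketch below is an added example, not part of the original page; it assumes SHA-256 digest comparison as the integrity check (the page does not name a method), and the function names and sample file are hypothetical.

```python
import hashlib
import os
import stat
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media never sit in memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file or device node, read in blocks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image):
    """Copy source to image, then verify the copy and the untouched original."""
    before = sha256_file(source)  # baseline digest of the original
    # The source is only ever opened read-only; "xb" refuses to overwrite
    # an existing image, so an earlier acquisition cannot be clobbered.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    os.chmod(image, stat.S_IRUSR)  # the working copy becomes read-only
    report = {
        "source_before": before,
        "source_after": sha256_file(source),
        "image": sha256_file(image),
    }
    report["original_unaltered"] = report["source_before"] == report["source_after"]
    report["copy_matches"] = report["image"] == report["source_before"]
    return report


def demo():
    """Run acquire() on a constructed stand-in for evidence media."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.bin")  # constructed sample data
        with open(source, "wb") as fh:
            fh.write(b"constructed sample sector data\n" * 4096)
        return acquire(source, os.path.join(tmp, "evidence.img"))


if __name__ == "__main__":
    print(demo())
```

On real media the source would be the device node behind a write blocker; opening it read-only in software complements that hardware control and does not replace it.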