Page 73 - Expert Witness
Appendix F: Computer Data Gathering
Ensuring that you acquire reliable, accurate electronic data can be a challenge for a forensic practitioner.
How do you ensure the right information is gathered? What do you need in order to conduct your
investigation? If you have limited knowledge of computers, how do you communicate your needs to the
computer forensic people to get the correct information and ensure that they are capable of getting the
right information? The following exchange is a good illustration of this point:
Forensic accountant (FA): I need to have a mirror of the accounting package, complete with any
access code so I can gain access to the accounting system. I would also like to be sure the audit
trail is preserved.
Computer geek (CG): What sort of system do they have?
FA: I don’t know. That’s your job, isn’t it?
CG: Let me be more specific, what sort of OS do they have?
FA: Huh?
CG: What sort of operating system do they have? You know, like UNIX or Linux?
FA: I don’t know.
CG: Okay, let’s start over.
The following outline details the steps that should be followed and the type of information to convey to
the computer forensic technician to facilitate a legitimate and efficient data extraction.
Consider the chain of evidence.
— Maintain and document the chronological history of the investigation.
    When and how was the data collected?
    Where was the data stored and found?
    How was the data collected and maintained?
    Who handled the data, and when?
    What procedures and analyses were performed?
— Maintain for each piece of evidence.
Determine the type of data of interest.
— Spreadsheets, word processing documents, PDFs, image files, sound files, and so on
— Accounting package data files
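The chain-of-evidence items above can be kept as one chronological log per piece of evidence. The following sketch is an added example, not part of the original publication; the class name, the field names, and the use of SHA-256 hashing to make the log tamper-evident are assumptions of the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry

def sha256_file(path, chunk=1 << 20):
    """Hash the evidence copy in chunks so large images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_hash(entry):
    """Hash every field except the stored hash itself, in a stable key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """One chronological log per piece of evidence (assumed layout)."""
    def __init__(self, evidence_id, evidence_path):
        self.evidence_id, self.evidence_path = evidence_id, evidence_path
        self.entries = []

    def record(self, who, procedure, how, where, when=None):
        entry = {
            "evidence_id": self.evidence_id,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "who": who, "procedure": procedure, "how": how, "where": where,
            "evidence_sha256": sha256_file(self.evidence_path),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of problems; an empty list means the record is intact."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or e["entry_hash"] != entry_hash(e):
                problems.append(f"entry {i}: log record altered or out of order")
            if e["evidence_sha256"] != self.entries[0]["evidence_sha256"]:
                problems.append(f"entry {i}: evidence no longer matches acquisition hash")
            prev = e["entry_hash"]
        return problems
```

The chain only protects entries that have a successor, so the most recent `entry_hash` should also be written down outside the log, for example in the case file.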
© 2020 Association of International Certified Professional Accountants 71