'Computer forensics is the equivalent of surveying a crime scene or performing an autopsy on a victim' (James Borek 2001). How many people in your organization who have not had law enforcement training would have the ability to do this and present evidence that would be acceptable in a court of law? Regardless of whether the incident is an external intrusion, fraud or internal staff misconduct, the investigation needs to be treated the same way and the same rules of evidence apply. So how does a manager (IT or not) decide how to investigate an incident? Does the company conduct the investigation itself using its existing personnel, does it bring in the assistance of the Police, or does it hire the services of a professional computer forensics company? This paper's aim is to provide Australian managers with a basis to make this decision by providing an insight into computer forensics and evidence handling and giving advantages and disadvantages for each option.