3 Critical Mistakes To Avoid When Hiring A Digital Forensic Examiner
If you’re looking to hire a digital forensic examiner to address the backlog in your crime lab, we have a few tips to help you avoid making a bad hire. We’ve been in the business for 17 years, have hired over 50 examiners, and have interviewed hundreds more.
Here are our top 3 things to avoid:
1. DON’T JUST HIRE THE IT GUY.
Obviously, a digital forensic examiner must be extremely knowledgeable and comfortable working with technology. However, technical skills are probably the part of the job that is easiest to learn. A great forensic examiner needs to have excellent written communication skills in order to prepare a clear, understandable report that a non-technical officer, attorney or judge can understand. He or she may also need to appear in court to defend the evidence, so great presentation skills are also a must.
2. CERTIFICATIONS ARE NOT THE SAME AS ABILITIES
There is a big difference between certifications, qualifications, and abilities. In our experience, some of the worst digital forensic examiners have almost every certification available, but don’t have the ability to tie the objectives, investigation, report and testimony together in order to complete a successful case. On the other hand, we’ve seen examiners with fewer than two certifications and seemingly limited qualifications, who can easily lay the foundation for the evidence through a clear, meticulous report while supporting the results in a clear and easily understood manner that carries weight in the court system.
3. KNOWING HOW TO USE FORENSIC SOFTWARE IS DIFFERENT THAN KNOWING HOW IT WORKS
Avoid examiners who are only experts at operating forensic software. We call these “button pushers” and we’ve developed a rule of thumb for identifying them. If their CV or email signature includes only the acronyms “EnCE” or “ACE”, then we know we need to dig deeper. These are certifications offered by the forensic software vendor (EnCase or AccessData) to certify that the examiner is well versed in how to operate the software. This type of certification does not imply that the examiner knows how the software works or understands its strengths and weaknesses. In addition, a good examiner may need to use lots of different software tools for a single case. If a candidate’s credentials are based only on the ability to operate a few pieces of software, it won’t take much complexity for that person to be in over his head.
WHAT TO LOOK FOR
Enough of what NOT to do. Here are the three key attributes we look for in every examiner we hire at Flashback Data:
Meticulous – A great examiner must be meticulous about what they see, do and conclude. What data is there? What data is supposed to be there? What data is not there? Once the examination process begins, a great examiner must note all their actions, communications and thoughts within the case so the work can be duplicated if necessary. A great examiner must also identify findings both large and small as accurately as possible.
Resourceful – Very few cases can be completed with a cookie-cutter approach. A great examiner must understand the needs of the case, and be able to use the specific hardware and software tools the case demands. A great examiner must also know when to ask for help from peers in the industry.
Presenter – Digital forensics can be highly technical, and a great examiner must be able to translate that complex process into a simple report that can be understood by a 6th grader. A great examiner must also be able to present well, be sharp, appear confident and well mannered, yet have the discipline to not overstate their findings or boast in court.
If you are relying on certifications, make sure one of them is CFCE (Certified Forensic Computer Examiner). This certification focuses more on the examination process than on just one or two tools.
If finding and interviewing digital forensic examiner candidates is wearing you out, CONTACT FLASHBACK DATA. We have highly credentialed examiners with years of experience in complex cases. Our turnaround time is usually measured in days instead of months or years and our digital crime lab is accredited under the same program as the FBI and state crime labs.