Brad Garnett

DFIR: Digital Forensic-Archaeology

http://whatmyfriendsthinkido.net/wp-content/uploads/2012/03/what-my-friends-think-I-do-what-I-actually-do-cops.png

In the digital forensic consulting world, law enforcement analogies are common, and this one (COPS) always comes to mind when I explain to clients and the legal community what digital forensic examiners actually do. We are good at our analyses and processes; where we fall short is in explaining the tedious, methodical forensic analysis process to the client, who is then left to draw his or her own conclusions based on what they already know. Long term, I believe there will be fewer "open for interpretation" moments during a forensic engagement as clientele, and society for that matter, become better educated and aware of forensic technology.

An archaeologist methodically putting the pieces together.

Would you hire an excavator operator to recover and analyze material fragments beneath the Earth's surface, or would you hire an archaeologist? Depending on your goals, you may hire both!

Do you need to burn down the haystack to get to the needle, or do you want to methodically recover the needle from the haystack? Knowing your goals beforehand is a must! The way an incident responder approaches a computer system under active attack can differ from the way a traditional digital forensic examiner approaches it, because the goals differ: the responder's first priority is to stop the attack and limit damage, while the examiner's is to preserve and document evidence so that every conclusion can later be verified.

Staying with the excavator operator vs. archaeologist analogy, would you hire "IT" or a digital forensic professional to identify, acquire, analyze, verify, and report on digital artifacts for an inquiry?

Digital forensics is not just "information technology," just as archaeology is not just finding artifacts in the dirt. An archaeologist is a scientist who is educated, certified, and trained in archaeology. An excavator operator is probably also educated, certified, and trained, but not in the science of archaeology. In my opinion, digital forensics and archaeology have a lot in common: as sciences, both examine artifacts left behind by humans and place them in context. As a forensic examiner, when I explain how a Google search term was recovered from the browser history on a computer, I provide written and/or verbal context to my client as I compile the artifacts present on the system and document what each of them means. The similarity between the two sciences is not accidental.

Bottom line: IT professionals and digital forensic professionals share some familiarity with technology, but they are two separate, distinct professions. Before you retain an expert, know the difference between a computer expert and a digital forensic expert. Your case, our legal system, and the digital forensic discipline demand it!

Brad Garnett

DFIR: SANS SIFT 3.0 Released

SIFT (SANS Investigative Forensic Toolkit) 3.0 has been released. I plan on doing a series of blog posts introducing readers to some of the powerful tools that make up the SIFT. The SIFT is free and open source, and consists of many tools that forensic examiners use in an exam. Thank you to friend and SANS Faculty Fellow Rob Lee (aka Giant Persistent Friend) for all of his work through the years maintaining this for the DFIR community.

If there is a certain functionality or tool in SIFT you would like to see featured, drop me a comment below.

Happy DFIR SIFT-ing!


Brad Garnett

Apple releases iOS 7.0.6 CVE-2014-1266

On Friday, Apple released iOS 7.0.6 to fix a serious SSL/TLS vulnerability (CVE-2014-1266) in which an attacker positioned on the network path could mount a man-in-the-middle (MITM) attack and intercept or modify SSL communications between an iOS device and the website or device it is talking to.


Updates are available:

  • iOS 6.1.6 for iPhone 3GS and iPod touch 4th generation.
  • iOS 7.0.6 for iPhone 4 and later, iPod touch 5th generation, and iPad 2 and later.
  • Apple TV 6.0.2 for Apple TV 2nd generation and later.

According to Apple's advisory, an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS; Secure Transport failed to validate the authenticity of the connection, and the update restores the missing validation steps. Until an affected device is updated, SSL/TLS sessions made from it on a network you do not control cannot be trusted.
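The root cause of CVE-2014-1266 is the well-known "goto fail" defect in Secure Transport's SSLVerifySignedServerKeyExchange(): a duplicated `goto fail;` line caused the function to return success before the server's signature over the key exchange was ever checked, which is what lets a MITM substitute its own key. The following is an added example, written for this page and not taken from the post or from Apple's source, that models that control flow with toy stand-ins for the hashing and signature routines (assumptions, labelled in the code) and shows the vulnerable function beside the fixed one on constructed handshake data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int OSStatus;
#define errSSLCrypto (-9804)  /* Secure Transport's generic crypto failure code */

/* Constructed sample handshake data (not a real capture); unlisted bytes are zero. */
static const uint8_t kClientRandom[32] = { 0xC1, 0xC2, 0xC3 };
static const uint8_t kServerRandom[32] = { 0x51, 0x52, 0x53 };
static const uint8_t kParams[] = { 0x03, 0x00, 0x17, 0x41, 0x04 };  /* ECDHE-style params stub */

/* Toy stand-ins (assumption) for the real hash and signature calls.
 * They keep the real convention: return 0 on success, non-zero on error. */
static OSStatus hash_update(uint32_t *h, const uint8_t *p, size_t n) {
    if (p == NULL) return -1;                      /* modelled error path */
    for (size_t i = 0; i < n; i++) *h = (*h * 31u) ^ p[i];
    return 0;
}

static OSStatus verify_sig(uint32_t h, uint32_t sig) {
    return h == sig ? 0 : errSSLCrypto;            /* "signature" must match the transcript hash */
}

/* Transcript hash a genuine server would sign; used to build a valid signature for the demo. */
uint32_t transcript_hash(const uint8_t *cr, const uint8_t *sr, const uint8_t *params, size_t len) {
    uint32_t h = 0;
    if (hash_update(&h, cr, 32) != 0 || hash_update(&h, sr, 32) != 0 ||
        hash_update(&h, params, len) != 0)
        return 0;
    return h;
}

/* Vulnerable form. The duplicated `goto fail;` is unconditional, so control leaves the
 * function while err still holds 0 from the last successful hash_update and verify_sig()
 * never runs: any signature, including one over a MITM's own key, is accepted.
 * (In Apple's source the extra line was indented as if it belonged to the preceding `if`.) */
OSStatus verify_server_key_exchange_vuln(const uint8_t *cr, const uint8_t *sr,
                                         const uint8_t *params, size_t len, uint32_t sig) {
    OSStatus err;
    uint32_t h = 0;
    if ((err = hash_update(&h, cr, 32)) != 0)
        goto fail;
    if ((err = hash_update(&h, sr, 32)) != 0)
        goto fail;
    if ((err = hash_update(&h, params, len)) != 0)
        goto fail;
    goto fail;                                     /* the duplicated line */
    if ((err = verify_sig(h, sig)) != 0)
        goto fail;
fail:
    return err;                                    /* 0 means "handshake OK" */
}

/* Fixed form: the duplicate removed, so verify_sig() is always reached. */
OSStatus verify_server_key_exchange_fixed(const uint8_t *cr, const uint8_t *sr,
                                          const uint8_t *params, size_t len, uint32_t sig) {
    OSStatus err;
    uint32_t h = 0;
    if ((err = hash_update(&h, cr, 32)) != 0)
        goto fail;
    if ((err = hash_update(&h, sr, 32)) != 0)
        goto fail;
    if ((err = hash_update(&h, params, len)) != 0)
        goto fail;
    if ((err = verify_sig(h, sig)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    size_t n = sizeof kParams;
    uint32_t good = transcript_hash(kClientRandom, kServerRandom, kParams, n);
    uint32_t forged = good ^ 1u;                   /* stands in for a MITM's signature over its own key */
    printf("vulnerable, forged signature: err=%d (0 = accepted)\n",
           verify_server_key_exchange_vuln(kClientRandom, kServerRandom, kParams, n, forged));
    printf("fixed, forged signature:      err=%d\n",
           verify_server_key_exchange_fixed(kClientRandom, kServerRandom, kParams, n, forged));
    printf("fixed, genuine signature:     err=%d\n",
           verify_server_key_exchange_fixed(kClientRandom, kServerRandom, kParams, n, good));
    return 0;
}
```

The practical lessons are the ones the real bug taught: brace every conditional body even when it is one line, turn on unreachable-code warnings and treat them as errors in crypto code, and test the negative path (a forged signature must be rejected) rather than only the happy path, since a test suite that only checks valid handshakes passes against the vulnerable function above.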

