Lessons Learned Repository for Computer Forensics
A Backup Article Contributed by Sumedh Shanbhag
A Repository of Lessons Learned in Computer Forensics
Computer forensics has seen technological gadgets reach amazing levels of sophistication. However, this has come at a price. Law enforcement agencies have been pushed to the limit by the great degree of dexterity displayed by criminals in the use of such gadgets.
New hardware and software bring problems of their own for the computer forensic analyst.
The rapid rate at which new software and hardware are introduced makes it difficult for the computer forensic analyst to keep up. Also, the forensic analyst may come across cases similar to ones he solved earlier, but may not remember the techniques he used to arrive at a solution. This requires the computer forensic analyst to maintain a repository of all the cases he has solved, as a reference for solving similar cases in the future. This will save the computer forensic analyst dozens of hours of research and analysis.
The goal of maintaining a repository of lessons learned is to disseminate information gathered during past experiences, so as to avoid the use of practices that may lead to undesirable outcomes. A lessons learned repository for a computer forensic analyst is not a database of tutorials or general practices to be followed by the computer forensic analyst. Rather, it is a collection of the past experiences of computer forensic analysts, shared by them with others in the same field.
Important Functions of a Lessons Learned Repository in Computer Forensics
The following activities have to be performed by a computer forensic analyst in order to have a systematic, easily accessible lessons learned repository.
1) Collecting the lessons
2) Storing and maintaining the lessons
3) Retrieving the lessons
These activities are closely entwined: shortcomings or carelessness in any one of them may defeat the entire purpose of maintaining such a repository.
The value of collecting lessons depends on the willingness of others to contribute their experiences and on the manner in which the computer forensic analyst packages those experiences for easy accessibility.
The computer forensic analyst must also take care that the database is stored and maintained in the proper manner so that the lessons are easily retrievable.
Future Work by Computer Forensics on the Lessons Learned Repository
The lessons learned repository of computer forensic analysts should be continuously updated. As such, it should be a dynamic repository and not a static one. The computer forensic analyst should be alert in this regard while gathering information for the repository. The computer forensic expert must also keep himself updated on new advances in technology. He must not rely completely on the repository, but must also make an effort to solve the cases himself. Overdependence on the repository may lead to the expert not applying his expertise and may lead to a mental block.
But all said and done, the lessons learned repository should be the holy grail of the computer forensics expert.



