The DIBS® Methodology
During the early phase of the development of the science of computer forensics
it became apparent that a methodological framework was required. It was obvious
that such a framework required the development of forensically sound equipment
and services that would meet the legal requirements of the courts and, just as
importantly, the practical requirements of the computer forensic practitioner.
The DIBS® methodology is based on a structured and practical approach. It
considers the nature of computer forensics in terms of definitions, objectives
and priorities and matches these to the practical realities of providing a
comprehensive solution.
- Definition of Computer Crime
- Definition of Computer Forensics
- The Computer Forensic Objective
- The Computer Forensic Priority
- The Accuracy versus Speed Conflict
- The Need for Computer Forensics
- The Double Tier Approach
- Requirements for the Double Tier Approach
1. Definition of Computer Crime
Computer crime can be defined as either:
- A criminal act in which a computer is essential to the perpetration of the
crime, or
- A criminal act where a computer, non-essential to the perpetration of the
crime, acts as a store of information concerning the crime.
2. Definition of Computer Forensics
Computer forensics is the scientific examination and
analysis of data held on, or retrieved from, computer storage media in
such a way that the information can be used as evidence in a court of law. The
subject matter includes:
- The secure collection of computer data
- The examination of suspect data to determine details such as origin and content
- The presentation of computer based information to courts of law
- The application of a country's laws to computer practice.
3. The Computer Forensic Objective
The objective in computer forensics is quite straightforward. It is to recover,
analyze and present computer based material in such a way that it is usable as
evidence in a court of law.
The key phrase here is: 'usable as evidence in a court of law.' It is
essential that none of the equipment or procedures used during the examination
of the computer compromise this single requirement.
4. The Computer Forensic Priority
The science of computer forensics is concerned primarily with forensic
procedures, rules of evidence and legal processes. It is only secondarily
concerned with computers. Therefore, in contrast to all other areas of
computing where speed is the main concern, in computer forensics the absolute
priority is accuracy. We talk of completing work as efficiently as possible -
that is as fast as possible without sacrificing accuracy.
5. The Accuracy versus Speed Conflict
In this seemingly frenetic world where the precious resource of time is usually
at a premium, pressure is heaped upon us to work as fast as possible. Working
under such pressure to achieve deadlines may induce people to take 'shortcuts'
in order to save time.
In computer forensics, as in any branch of forensic science, the emphasis must
be on evidential integrity and security. In observing this priority, every
forensic practitioner must adhere to stringent guidelines. Such guidelines do
not encompass the taking of 'shortcuts', and the forensic practitioner accepts
that the precious resource of time must be expended in order to maintain the
highest standards of work.
6. The Need for Computer Forensics
The need for computer forensic services and equipment has derived from the
widespread use of personal computers in both business and the home and the
subsequent needs of crime investigators to have access to computer based
information.
When handling computers for legal purposes, investigators are increasingly
faced with four main types of problem:
- How to recover data from computers whilst preserving evidential integrity.
- How to securely store and handle recovered data.
- How to find the significant information in a large volume of data.
- How to present the information to a court of law, and to the defense during
disclosure.
The traditional response to the problem has been to either ignore computers
altogether, or to assemble 'home grown' equipment and procedures, or to use
outside 'so-called' expert services. The first of these options, to ignore the
potential of computer-based evidence, is unacceptable and can prevent a crime
being investigated. The second leads to a plethora of untried and non-standard
techniques, which do not fulfill the forensic objective. The third too often
results in work being completed by 'expert services' that overcharge,
underperform and are deficient in both training and the understanding of basic
forensic techniques.
In the past two years awareness amongst the legal community of the need for
professional computer forensic services and equipment has increased
substantially and many potentially successful prosecutions are at risk of
failure due to unsatisfactory equipment, procedures and presentation in court.
7. The Double Tier Approach
One of the most serious problems faced when attempting to establish a computer
forensic facility is the lack of trained and skilled staff. There are no full
time training facilities providing streams of computer forensic graduates, nor
will there be for many years to come. There are few 'technical' people with
training in investigations, and fewer still with knowledge of forensics.
Therefore, no matter how ambitious the project, it will fail unless a solution
can be found to this problem.
There are two ways in which computer forensic facilities can be provided and
these can be referred to as the single tier and double tier approach. The
latter provides a staffing solution.
The single tier approach assumes that all work is going to be carried out by
qualified and highly trained technical staff. They are going to seize
computers, copy them, reconstruct hard drives, run searches, examine hits,
liaise with clients, print evidence, write reports, solve complex problems etc.
Ideally they should have experience of investigation techniques and,
furthermore, be able to use complex tools and have the ability to justify their
actions in court.
It is immediately apparent that any attempt to use this approach will have
serious drawbacks. For example:
- Recruitment - there are very few suitable people available
- Cost - if they can be found they are usually very expensive to employ
- Time - it takes time to recruit
- Loss - they are easy to lose and can be poached by competitors
- Logistics - they are not always available when they are needed
- Waste - as a resource their talents will not be fully utilized
- Dissatisfaction - they could become bored by the volume of repetitious work
- Delay - a backlog will quickly accumulate.
In the double tier approach it is assumed that 95% of the work will be routine
and will be performed by non-technical personnel under supervision. The scarce
and expensive technical personnel will be utilized to supervise routine task
performance and to complete complex tasks.
The non-technical personnel are referred to as trainee forensic analysts. They
are people who do not have technical qualifications but they do have knowledge
of computers, enthusiasm and seek to develop a career. They can be recruited by
way of an internship program that will provide them with three years' training
resulting in certification, by the employer, as a qualified forensic analyst.
Within the double tier approach, the forensic analyst will perform the routine
non-technical tasks such as seizing, copying and reconstructing computer hard
drives, running searches, examining hits and printing evidence. All of this
will be undertaken under the supervision of the technical staff, who will liaise
with clients, write reports, appear as expert witnesses and solve the complex
problems found in the more difficult investigations.
The result of using the double tier approach is that a greater volume of work
is completed at a more realistic cost. The forensic analysts are motivated to
perform and to remain with the organization at least until training is
completed. Since they are no longer performing the routine repetitive tasks,
the technical personnel have greater job satisfaction, more responsibility and
more challenging and stimulating problems to solve.
The double tier approach is not just a theory; it has been shown to be
successful in practice.
8. Requirements for the Double Tier Approach
In order for a double tier approach to work it is necessary to have:
- A defined methodology
- Detailed and standardized operating procedures
- Efficient and practical equipment.
Criteria for equipment must be:
- Simple to use
- Quick to learn
- Totally reliable
- Robust and durable
- Legally acceptable
- Operable under standard procedures.
All equipment and services produced by the DIBS® group meet the criteria of the
DIBS® methodology. DIBS® has been in use throughout the world for nearly a
decade and has consistently produced reliable and acceptable results.