A Blueprint for Implementing Best Practice Procedures in a Digital Forensic Laboratory

Meeting the Requirements of ISO Standards and Other Best Practices

2nd Edition - November 9, 2023
Authors: David Lilburn Watson, Andrew Jones
Language: English
Paperback ISBN:
9 7 8 - 0 - 1 2 - 8 1 9 4 7 9 - 9
eBook ISBN:
9 7 8 - 0 - 1 2 - 8 1 9 4 8 0 - 5

Digital Forensic Processing and Procedures: Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best Practice Requirements, Second Edition provides a one-stop shop f… Read more

A Blueprint for Implementing Best Practice Procedures in a Digital Forensic Laboratory

Purchase options

SUSTAINABLE DEVELOPMENT

Innovate. Sustain. Transform.

Save up to 30% on top Physical Sciences & Engineering titles!

Explore now

Physical science & engineering for sustainable development book covers

Institutional subscription on ScienceDirect

Request a sales quote

Digital Forensic Processing and Procedures: Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best Practice Requirements, Second Edition provides a one-stop shop for a set of procedures that meet international best practices and standards for handling digital evidence during its complete lifecycle. The book includes procedures, forms and software, providing anyone who handles digital evidence with a guide to proper procedures throughout chain of custody--from incident response straight through to analysis in the lab. This book addresses the whole lifecycle of digital evidence.

Cover image
Title page
Table of Contents
Copyright
About the authors
Acknowledgements
Chapter 1 Introduction
Abstract
1.1 Introduction
Appendix 1—Some types of cases involving digital forensics
Appendix 2—Growth of hard disk drives
Appendix 3—Disk drive size nomenclature
Chapter 2 The building
Abstract
2.1 The building
2.2 Protecting against external and environmental threats
2.3 Utilities and services
2.4 Physical security
2.5 Layout of a forensic laboratory
Appendix 1—Sample outline for a business case
Appendix 2—The physical security policy
Chapter 3 Setting up a forensic laboratory
Abstract
3.1 Setting up a digital forensic laboratory
Appendix 1—The laboratory terms of reference (TOR)
Appendix 2—Cross reference between ISO 9001:2015 and ISO/IEC 17025:2017
Appendix 3—Conflict of interest policy
Appendix 4—Quality policy
Chapter 4 The integrated management system
Abstract
4.1 Introduction
4.2 Benefits
4.3 The IMS
4.4 FCL context
4.5 Leadership
4.6 Planning
4.7 Support
4.8 Operation
4.9 Performance evaluation
4.10 Improvement
Appendix 1—Definition of core terms in Annex L
Appendix 2—Meeting the core requirements of Annex L
Appendix 3—The Goal Statement
Appendix 4—The Baseline Measures
Appendix 5—The business objectives
Appendix 6—Specific needs and expectations of interested parties
Appendix 7—The FCL audit committee
Appendix 8—The FCL business continuity committee
Appendix 9—The FCL environment committee
Appendix 10—The FCL health and safety committee
Appendix 11—The FCL information security committee
Appendix 12—The FCL quality committee
Appendix 13—The FCL risk committee
Appendix 14—The FCL service delivery committee
Appendix 15—The FCL whistleblowing policy
Appendix 16—The FCL environment policy
Appendix 17—The FCL health and safety policy
Appendix 18—The FCL service management policy
Appendix 19—The FCL business continuity policy
Appendix 20—The FCL information security policy
Appendix 21—The FCL access control policy
Appendix 22—The FCL change or termination of employment policy
Appendix 23—The FCL clear desk and clear screen policy
Appendix 24—The FCL continuous improvement policy
Appendix 25—cryptographic control policy
Appendix 26—The FCL document retention policy
Appendix 27—The FCL financial management policy
Appendix 28—The FCL mobile device policy
Appendix 29—The FCL network service policy
Appendix 30—The FCL personnel screening policy
Appendix 31—The FCL relationship management policy
Appendix 32—The FCL release management policy
Appendix 33—The FCL service reporting policy
Appendix 34—The FCL third party access control policy
Appendix 35—The FCL acceptable use policy
Appendix 36—Management roles and responsibilities
Appendix 37—Asset owners
Appendix 38—Risk owners
Appendix 39—Custodian
Appendix 40—Management review agenda
Appendix 41—Document control checklist
Appendix 42—Document metadata
Appendix 43—File naming standards
Appendix 44—Watermarks in use in FCL
Appendix 45—Document review form
Appendix 46—IMS calendar
Appendix 47—Audit plan letter
Appendix 48—Audit reporting form
Appendix 49—Corrective action request (CAR) form
Appendix 50—Opening meeting agenda
Appendix 51—Closing meeting agenda
Appendix 52—Audit report template
Appendix 53—Root causes for nonconformity
Chapter 5 Information risk management
Abstract
5.1 A short history of risk management
5.2 An information security risk management framework
5.3 Framework stage 1—Information security policy
5.4 Framework stage 2—Planning, resourcing and communication
5.5 Framework stage 3—Information security risk management process
5.6 Framework stage 4—Implementation and operational procedures
5.7 Framework stage 5—Follow up procedures
Appendix 1—FCL communication plan
Appendix 2—FCL information security plan
Appendix 3—Asset type examples
Appendix 4—Asset values
Appendix 5—Consequences table
Appendix 6—Some common business risks
Appendix 7—Some common project risks
Appendix 8—Security threat examples
Appendix 9—Common security vulnerabilities
Appendix 10—The FCL risk management policy
Appendix 11—The FCL IMS and ISMS scope statement
Appendix 12—Criticality ratings
Appendix 13—Likelihood of occurrence
Appendix 14—Risk appetite
Appendix 15—Security controls from COBIT 2019
Appendix 16—Information classification
Appendix 17—The risk register template
Appendix 18—Comparison between qualitative and quantitative methods
Appendix 19—FCL SOA template
Appendix 20—FCL’s security metrics template
Appendix 21—Risk glossary
Chapter 6 Quality in FCL
Abstract
6.1 Quality and good laboratory practice
6.2 Management requirements for operating FCL
6.3 ISO 9001 in FCL
6.4 FCL’s QMS
6.5 Responsibilities in the QMS
6.6 Managing sales
6.7 Provision of products and services
6.8 Reviewing deliverables
6.9 Signing off a forensic case
6.10 Archiving a forensic case
6.11 Maintaining client confidentiality
6.12 Technical requirements
6.13 Measurement, analysis, and improvement
6.14 Managing client complaints
Appendix 1—Mapping ISO 9001 to IMS procedures
Appendix 2—Mapping ISO/IEC 17025 to IMS procedures
Appendix 3—Mapping FSR quality requirements to IMS procedures
Appendix 4—Quality Manager, job description
Appendix 5—Business plan template
Appendix 6—Business KPIS
Appendix 7—Quality plan contents
Appendix 8—Induction checklist contents
Appendix 9—Induction feedback
Appendix 10—Standard proposal template
Appendix 11—Issues to consider for forensic case processing
Appendix 12—Standard quotation contents
Appendix 13—Standard terms and conditions
Appendix 14—ERMS client areas
Appendix 15—Cost estimation spreadsheet
Appendix 16—Draught review form
Appendix 17—Client sign off and feedback form
Appendix 18—Information required for registering a complaint
Appendix 19—Complaint resolution timescales
Appendix 20—Complaint metrics
Appendix 21—Laboratory Manager, job description
Appendix 22—Forensic Analyst, job description
Appendix 23—Training agenda
Appendix 24—Some individual forensic certifications
Appendix 25—Minimum equipment records required by ISO/IEC 17025
Appendix 26—Reference forensic case tests
Appendix 27—ISO/IEC 17025 reporting requirements
Appendix 28—Standard forensic laboratory report
Chapter 7 IT infrastructure
Abstract
7.1 Hardware
7.2 Software
7.3 Infrastructure
7.4 Process management
7.5 Hardware management
7.6 Software management
7.7 Network management
Appendix 1—Policy for securing IT cabling
Appendix 2—Policy for siting and protecting IT equipment
Appendix 3—ISO 20000-1 mapping
Appendix 4—Service Desk Manager, job description
Appendix 5—Incident Manager, job description
Appendix 6—Information security incident status levels
Appendix 7—Information security incident priority levels
Appendix 8—Service Desk feedback form
Appendix 9—Problem Manager, job description
Appendix 10—Contents of the SIP
Appendix 11—Change categories
Appendix 12—Change Manager, job description
Appendix 13—Standard requirements of a request for change (RfC)
Appendix 14—Emergency change policy
Appendix 15—Release Management Policy
Appendix 16—Release Manager, job description
Appendix 17—Configuration management plan contents
Appendix 18—Configuration Management Policy
Appendix 19—Configuration Manager, job description
Appendix 20—Information stored in the DHL and DSL
Appendix 21—Capacity Manager, job description
Appendix 22—Capacity management plan
Appendix 23—Service Management Policy
Appendix 24—Service Level Manager, job description
Appendix 25—Service Reporting policy
Appendix 26—Policy for Maintaining and Servicing IT Equipment
Appendix 27—ISO 17025 tool test method documentation
Appendix 28—Standard forensic tool tests
Appendix 29—Forensic tool test report template
Appendix 30—Overnight backup checklist
Chapter 8 Incident response
Abstract
8.1 General
8.2 Forensic evidence
8.3 Incident response as a process
8.4 Initial contact
8.5 Types of first response
8.6 The incident scene
8.7 Transportation to the laboratory
8.8 Incident scene and seizure reports
8.9 Post incident review
Appendix 1—Mapping ISO 17020 to IMS procedures
Appendix 2—First response briefing agenda
Appendix 3—Contents of the grab bag
Appendix 4—New forensic case form
Appendix 5—First responder seizure summary log
Appendix 6—Site summary form
Appendix 7—Seizure log
Appendix 8—Evidence locations in devices and media
Appendix 9—Types of evidence typically needed for a forensic case
Appendix 10—The on/off rule
Appendix 11—Some types of metadata that may be recoverable from digital images
Appendix 12—Countries with different fixed line telephone connections
Appendix 13—Some interview questions
Appendix 14—Evidence labelling
Appendix 15—Forensic preview forms
Appendix 16—A travelling forensic laboratory
Appendix 17—Movement form
Appendix 18—Incident response report
Appendix 19—Post incident review agenda
Appendix 20—Incident processing checklist
Chapter 9 Case processing
Abstract
9.1 Introduction to case processing
9.2 Case types
9.3 Precase processing
9.4 Equipment maintenance
9.5 Management processes
9.6 Booking exhibits in and out of the secure property store
9.7 Starting a new case
9.8 Preparing the forensic workstation
9.9 Imaging
9.10 Examination
9.11 Dual tool verification
9.12 Digital time stamping
9.13 Production of an internal case report
9.14 Creating exhibits
9.15 Producing a case report for external use
9.16 Statements, depositions, and similar
9.17 Forensic software tools
9.18 Backing up and archiving a case
9.19 Disclosure
9.20 Disposal
Appendix 1—Some international forensic good practice
Appendix 2—Some international and national standards relating to digital forensics
Appendix 3—Hard disk log details
Appendix 4—Disk history log
Appendix 5—Tape log details
Appendix 6—Tape history log
Appendix 7—Small digital media log details
Appendix 8—Small digital media device log
Appendix 9—Forensic case work log
Appendix 10—Case processing KPI’s
Appendix 11—Contents of sample exhibit rejection letter
Appendix 12—Sample continuity label contents
Appendix 13—Details of the property log
Appendix 14—Contents of sample exhibit acceptance letter
Appendix 15—Property special handling log
Appendix 16—Evidence sought
Appendix 17—Request for forensic examination
Appendix 18—Client virtual case file structure
Appendix 19—Computer details log
Appendix 20—Other equipment details log
Appendix 21—Hard disk details log
Appendix 22—Other media details log
Appendix 23—Smart phone details log
Appendix 24—Other devices details log
Appendix 25—Some evidence found in volatile memory
Appendix 26—File metadata
Appendix 27—Case progress checklist
Appendix 28—Internal case report template
Appendix 29—Exhibit log
Appendix 30—Report production checklist
Chapter 10 Forensic case management
Abstract
10.1 Overview
10.2 Hard copy forms
10.3 MARS
10.4 Setting up a new case
10.5 Processing a forensic case
10.6 Reports general
10.7 Administrator’s reports
10.8 User reports
Appendix 1—Setting up organisational details
Appendix 2—Setup the administrator
Appendix 3—Audit reports
Appendix 4—Manage users
Appendix 5—Manage manufacturers
Appendix 6—Manage suppliers
Appendix 7—Manage clients
Appendix 8—Manage investigators
Appendix 9—Manage disks
Appendix 10—Manage tapes
Appendix 11—Manage small digital media
Appendix 12—Exhibit details
Appendix 13—Evidence sought
Appendix 14—Estimates
Appendix 15—Accept or reject case
Appendix 16—Movement log
Appendix 17—Examination log
Appendix 18—Computer hardware details
Appendix 19—Noncomputer exhibit details
Appendix 20—Hard disk details
Appendix 21—Other media details
Appendix 22—Case work record details
Appendix 23—Updating case estimates
Appendix 24—Create exhibit
Appendix 25—Case result
Appendix 26—Case backup
Appendix 27—Billing and feedback
Appendix 28—Feedback received
Appendix 29—Organisation report
Appendix 30—Users report
Appendix 31—Manufacturers report
Appendix 32—Supplier report
Appendix 33—Clients report
Appendix 34—Investigators report
Appendix 35—Disks by assignment report
Appendix 36—Disks by reference number report
Appendix 37—Wiped disks report
Appendix 38—Disposed disks report
Appendix 39—Disk history report
Appendix 40—Tapes by assignment report
Appendix 41—Tapes by reference number report
Appendix 42—Wiped tapes report
Appendix 43—Disposed tapes report
Appendix 44—Tape history report
Appendix 45—Small digital media by assignment report
Appendix 46—Small digital media by reference number report
Appendix 47—Wiped small digital media report
Appendix 48—Disposed small digital media report
Appendix 49—Small digital media history report
Appendix 50—Wipe methods report
Appendix 51—Disposal methods report
Appendix 52—Imaging methods report
Appendix 53—Operating systems report
Appendix 54—Media types report
Appendix 55—Exhibit type report
Appendix 56—Forensic case setup details report
Appendix 57—Forensic case movement report
Appendix 58—Forensic case computers report
Appendix 59—Forensic case noncomputer evidence report
Appendix 60—Forensic case disks received report
Appendix 61—Forensic case other media received
Appendix 62—Forensic case exhibits received report
Appendix 63—Forensic case work record
Appendix 64—Forensic cases rejected report
Appendix 65—Forensic cases accepted
Appendix 66—Forensic case estimates report
Appendix 67—Forensic cases by forensic analyst
Appendix 68—Forensic cases by client report
Appendix 69—Forensic cases by investigator report
Appendix 70—Forensic case target dates report
Appendix 71—Forensic cases within ‘x’ days of target date report
Appendix 72—Forensic cases past target date report
Appendix 73—Forensic cases unassigned report
Appendix 74—Forensic case exhibits produced report
Appendix 75—Forensic case results report
Appendix 76—Forensic case backups report
Appendix 77—Forensic case billing run report
Appendix 78—Forensic case feedback letters
Appendix 79—Forensic case feedback forms printout
Appendix 80—Forensic case feedback reporting summary by case
Appendix 81—Forensic case feedback reporting summary by forensic analyst
Appendix 82—Forensic case feedback reporting summary by client
Appendix 83—Complete forensic case report
Appendix 84—Items processed report
Appendix 85—Insurance report
Chapter 11 Forensic case evidence presentation
Abstract
11.1 Overview
11.2 Notes
11.3 Evidence
11.4 Types of witness
11.5 Reports
11.6 Testimony in court
11.7 Why a forensic case may fail
Appendix 1—Nations ratifying the Budapest convention
Appendix 2—Criteria for selection an expert witness
Appendix 3—Code of conduct for expert witnesses
Appendix 4—Report writing checklist
Appendix 5—Statement and deposition writing checklist
Appendix 6—Nonverbal communication to avoid
Appendix 7—Etiquette in Court
Appendix 8—Testimony feedback form
Chapter 12 Secure working practices
Abstract
12.1 Introduction
12.2 Principles of information security within FCL
12.3 Managing information security in FCL
12.4 Physical security in FCL
12.5 Managing service delivery
12.6 Managing system access
12.7 Managing information on public systems
12.8 Securely managing IT systems
12.9 Information systems development and maintenance
ISO/IEC 27001 certification
Appendix 1—FCL statement of applicability (SOA)
Appendix 2—ISO/IEC 27002 attributes
Appendix 3—Some information/cyber security standards adopted by FCL
Appendix 4—Software licence database information held
Appendix 5—Logon banner
Appendix 6—FCL’s security objectives
Appendix 7—IMS calendar
Appendix 8—Asset details to be recorded in the asset register
Appendix 9—Details required for removal of an asset
Appendix 10—Handling classified assets
Appendix 11—Asset disposal form
Appendix 12—Visitor checklist
Appendix 13—Rules of the data centre
Appendix 14—User account management form contents
Appendix 15—Teleworking request form contents
Appendix 16—Information security manager (ISM), job description
Chapter 13 Ensuring continuity of operations
Abstract
13.1 Business justification for ensuring continuity of operations
13.2 Management commitment
13.3 Training and competence
13.4 Determining the business continuity strategy
13.5 Developing and implementing a business continuity management response
13.6 Exercising, maintaining and reviewing business continuity arrangements
13.7 Maintaining and improving the BCMS
13.8 Embedding business continuity in FCL processes
13.9 BCMS documentation and records—General
Appendix 1—Supplier details held
Appendix 2—Headings for financial and security due diligence questionnaire
Appendix 3—Business continuity manager (BCM), job description
Appendix 4—Contents of the BIA form
Appendix 5—Proposed BCMS development timescales
Appendix 6—Incident scenarios
Appendix 7—Strategy options
Appendix 8—Standard BCP contents
Appendix 9—Table of contents to the appendix to a BCP
Appendix 10—BCP change list contents
Appendix 11—BCP scenario plan contents
Appendix 12—BCP review report template contents
Appendix 13—Mapping IMS procedures to ISO 22301
Chapter 14 Managing business relationships
Abstract
14.1 The need for third parties
14.2 Clients
14.3 Third parties accessing FCL and client information
14.4 Managing service-level agreements
14.5 Suppliers of office and IT products and services
14.6 Utility service providers
14.7 Contracted forensic consultants and expert witnesses
14.8 Outsourcing
14.9 Use of subcontractors
14.10 Managing complaints
14.11 Some reasons for outsourcing failure
Appendix 1—Contents of a service plan
Appendix 2—Risks to consider with third parties
Appendix 3—Contract checklist for information security issues
Appendix 4—SLA template for products and services for clients
Appendix 5—RFx descriptions
Appendix 6—RFx template checklist
Appendix 7—RFx timeline for response, evaluation, and selection
Appendix 8—Forensic consultant’s personal attributes
Appendix 9—Some tips for selecting an outsourcing service provider
Appendix 10—Areas to consider for outsourcing contracts
Chapter 15 Effective records management
Abstract
15.1 Introduction
15.2 Legislative, regulatory, and other requirements
15.3 Record characteristics
15.4 A records management policy
15.5 Defining records management requirements
15.6 Determining records to be managed by the ERMS
15.7 Using metadata in FCL
15.8 Record management procedures
15.9 Business continuity
Appendix 1—MOReq2010 requirements
Appendix 2—Mapping of ISO 15489 part 1 to FCL procedures
Appendix 3—Types of legislation and regulation that will affect recordkeeping
Appendix 4—Record management policy
Appendix 5—Record management system objectives
Appendix 6—Business case template
Appendix 7—Outline of the ERMS project
Appendix 8—Selection criteria for an ERMS
Appendix 9—Initial ERMS FEEDBACK questionnaire
Appendix 10—Metadata required in the ERMS
Appendix 11—Sample email metadata
Appendix 12—Forensic case records stored in the ERMS
Appendix 13—Dublin core metadata elements
Appendix 14—National archives of Australia metadata standard
Appendix 15—Responsibilities for records management
Appendix 16—Metadata for records stored off-site
Appendix 17—Records classification system
Appendix 18—Disposition authorisation
Appendix 19—Additional requirements for physical record recovery
Appendix 20—Specialised equipment needed for inspection and recovery of damaged records
Chapter 16 Performance assessment
Abstract
16.1 Overview
16.2 Performance assessment
Chapter 17 Occupational health and safety (OH&S) procedures
Abstract
17.1 General
17.2 Leadership and worker participation
17.3 Planning for OH&S
17.4 Support for the OHSMS
17.5 Operational planning and control
17.6 Performance evaluation
17.7 Improvement
Appendix 1—OH&S policy checklist
Appendix 2—The OH&S policy
Appendix 3—Health and safety manager job description
Appendix 4—Examples of OH&S drivers
Appendix 5—The forensic laboratory OH&S objectives
Appendix 6—Common hazards in a forensic laboratory
Appendix 7—Hazard identification form
Appendix 8—Some areas for inspection for hazards
Appendix 9—Inputs to the risk assessment process
Appendix 10—OH&S risk rating
Appendix 11—DSE initial workstation self-assessment checklist
Appendix 12—DSE training syllabus
Appendix 13—DSE assessors checklist
Appendix 14—Measurement of OH&S success
Appendix 15—Specific OH&S incident reporting requirements
Appendix 16—OH&S investigation checklist and form contents
Appendix 17—OH&S incident review
Appendix 18—ISO 45,001 mapping to IMS procedures
Chapter 18 Human resources
Abstract
18.1 Employee development
18.2 Development
18.3 Termination
Appendix 1—Training feedback form
Appendix 2—Employee security screening policy checklist
Appendix 3—Employment application form
Appendix 4—Employment application form notes
Appendix 5—Verifying identity
Appendix 6—Document authenticity checklist
Appendix 7—Verifying addresses
Appendix 8—Verifying right to work checklist
Appendix 9—Reference authorisation
Appendix 10—Statutory declaration
Appendix 11—Employer reference form
Appendix 12—Employer’s oral reference form
Appendix 13—Confirmation of an oral reference letter
Appendix 14—Verifying qualifications checklist
Appendix 15—Criminal record declaration checklist
Appendix 16—Personal reference form
Appendix 17—Personal oral reference form
Appendix 18—Other reference form
Appendix 19—Other reference oral reference form
Appendix 20—Employee security screening file
Appendix 21—Top management acceptance of employment risk
Appendix 22—Third-party employee security screening provider checklist
Appendix 23—Recruitment agency contract checklist
Appendix 24—Investigation manager, job description
Appendix 25—Forensic laboratory system administrator, job description
Appendix 26—Employee, job description
Appendix 27—Areas of technical competence
Appendix 28—Some professional forensic and security organisations
Appendix 29—Training specification template
Appendix 30—Training proposal evaluation checklist
Appendix 31—Training supplier interview and presentation checklist
Appendix 32—Training reaction level questionnaire
Appendix 33—Code of ethics
Appendix 34—Termination checklist
Chapter 19 Accreditation and Certification for a digital forensic laboratory
Abstract
19.1 Accreditation and Certification
19.2 Accreditation for a forensic laboratory
19.3 Certification for a forensic laboratory
Appendix 1—Typical conditions of Accreditation
Appendix 2—Contents of an audit response
Appendix 3—Management system assessment nonconformity examples
Appendix 4—Typical close-out periods
Chapter 20 Emerging issues
Abstract
20.1 Introduction
20.2 Specific challenges
Glossary
Index

David Lilburn Watson

David Lilburn Watson heads up Forensic Computing Ltd, a specialist forensic recovery and investigation company. He is responsible for the coordination and efficient delivery of the computer forensic and electronic evidence recovery services, digital investigations, and provides support for a broad range of investigative, security and risk consulting assignments. He is a Certified Fraud Examiner (CFE) and a Certified Information Forensic Investigator (CIFI), a Certified Computer Crime Investigator (CCCI), an Advanced Certified Computer Forensics Technician (CCFT). In addition to specialised forensic certifications he is a Certified Information Security Systems Professional (CISSP), a Certified Information Systems Manager (CISM) and a Certified Information Systems Auditor (CISA). David has also led Forensic Computing Ltd to ISO 27001 and ISO 9001 certification, making FCL one of very few consultancies to hold such important credentials in the field of forensic services.

Affiliations and expertise

Head, Forensic Computing Ltd, London, UK

Andrew Jones

Dr. Andrew Jones is a digital forensic and information security researcher and academic and has developed several tools and processes for the efficient and effective recovery of data from a range of devices. He has also participated and led a number of forensic investigations for criminal and civil cases. Andrew has been involved in several information security projects for the Government Communications Electronic Security Group (CESG), the Office of the E-Envoy, the police and a defense contractor. He acted as the technical advisor for the then National Crime Squad Data Acquisition and Recovery Team and he is currently on the committees for five information security and computer forensic conferences. He also sat on two working groups of the governments Central Sponsor for Information Assurance National Information Assurance Forum. He holds posts as an adjunct professor at Edith Cowan University in Perth, Australia and the University of South Australia in Adelaide. He has authored six books in the areas of Information Warfare, Information Security and Digital Forensics, including co-authoring Digital Forensics Processing and Procedures, First Edition.

Affiliations and expertise

Director, Forensic Computing Ltd. London, UK

Life Sciences

Physical Sciences & Engineering

Social Sciences & Humanities

Health