JOHN P. GRANCARICH

Imagine that your company is conducting an internal investigation into an employee's alleged access to prohibited Internet Web sites. One worker has filed a sexual harassment claim against another, and counsel has instructed a computer forensics examiner to determine if the allegations are true. The examiner visits the company's office after business hours, creates a forensic image of the suspect's computer and performs an analysis back at the lab; he finds that the allegations are true and the suspect did access inappropriate and prohibited Internet Web sites over an extended period of time. The case seems open and shut — but is it?

The practice of computer forensics, a unique hybrid of legal knowledge and computer science, is undergoing remarkable growth and facing tremendous challenges. New software, new technologies and more creative attacks and intrusions often leave the computer forensics examiner one step behind, constantly playing catch up and having to perform research quickly to follow the particulars of the investigation in progress. If we also factor in that many computer examiners are not investigators or fraud examiners by training, we begin to understand the enormous burdens that this new breed of professional faces with endlessly creative fraudsters and criminals.

This leaves us with the question of what we should reasonably expect a computer forensics examiner, or any investigator for that matter, to achieve in a scenario ...