|
Usually going to forensics only happens in extreme circumstances - where a party is presumed to have deliberated deleted or altered their hard drive to cover up illeagle activity or fraud.
Usually it happens after hardware is siezed in a legal action and the chain of custody falls on the organization doing the seizing. There is no set standard, and usually the effort is proportional to the severity of the case but might include: witnessed testimony, access control logs, documented and audited processes (if this is an organization we're talking about).
To my knowledge, there is no certification standards for forensics, tbut there are a number of private companies (as well as government organizations) that specialize in these activities to different levels complexeity - Apparently the CIA has technology that can read back 7 re-writes of a hard drive.
I guess a lot depends on the circumstances:
Is your friend trying to find evidence of wrong doing on someone else's computer? And if so, is criminal procsecution an expected outcome?
Or is your friend trying to cover something up that may be on his computer?
__________________
I would believe only in a God that knows how to Dance.
Friedrich Nietzsche
|