In the enterprise setting, there's no such thing as a digital investigation. Or a physical one. Searching for clues and resolutions requires a blend of disciplines governed by a flexible forensic mind-set.
This article simply echoes a fundamental difference that has long been known by investigators as it relates to forensics. Forensics is one piece of the evidence. The title Forensic Examiner is often confused with an Investigator. They are not the same position. An examiner takes the data given to them and reports on his/her findings. Their expertise is reviewing/examining the forensic evidence provided to them. This evidence is only one piece of the puzzle.
An investigator's role is to put all the pieces together. They do not focus on one item, like a computer hard drive, to answer the question.
It is amazing to me the number of companies and corporations who hire forensic experts and expect them to be able to conduct a real investigation. They can't; they have never been trained in the various methodologies of truly looking at everything rather than just the evidence presented to them.
In one article you talk about Anti-forensics and how the tools will hurt investigations. That could not be further from the truth. Though a forensic examiner may not be able to obtain any forensic evidence, an investigator sees the use of the anti-forensic tools as evidence.
The idea that in the good old days there was strictly a digital investigation or a physical investigation is also hogwash. There may have been a digital or physical examination in order to determine what happened and when. It may also point out how to fix the problem.
True investigations answer all the questions of who, what, where, when, how and, most importantly, why. They address all potential sources of evidence, not just the physical or digital.
In the case of the financial center employee hacking the hospital, after they figured out the how and who, did they think to look at what else he was doing? Did they address the why behind it and the fact that the why may have resulted in other hacks or attacks on their own network?
A true investigation would have revealed this and a trained investigator would know the questions to ask.
Investigations: Merge Ahead