So Sam, based on your statements, there really isn't a need for any experts.
If you work for a company which doesn't allow you to get the training you need and you can't turn down work then that's ok, make the best of it and ask the question on a forum.
Anyone can hang their shingle and say they do CF work and come on here every day and ask all the basic questions they want, because that's how they become more knowledgeable.
If you've ever visited a prison where someone is locked up because of either a poor expert or poor LE work, and have to look at someone who can't leave because of that, maybe you think differently, maybe not. I did.
Man, did I get myself sidetracked earlier…
To the point, I believe that the 'student' questions are potentially unethical to begin with. I am reluctant to reply to such questions as the party is either a) too lazy to figure out or research the answer, which is probably what the purpose of the exercise was in the first place, or b) possibly academically dishonest and is going to use someone else's response as their own.
Non student questions about basic fundamental techniques or issues are problematic as well. The person that is asking is being paid to provide a service and is potentially relying on someone else's skills and knowledge for monetary gain without compensating the party that helped them out. Would any private practitioner not bill for sub-contract work? Is providing assistance to someone who is going to bill based at least partially on your help something you would do if they walked through the door and asked for you to provide your time for free?
We all like to help others but I think that when someone seeks assistance on a fundamental issue and is potentially billing for their work based on my responses, I for one will be somewhat more reluctant to respond.
Thanks Harry for making this a topic. I never really thought about this before.
It isn't OK, it is far from it. However, my point is that such people are going to accept the work regardless. Hence, my point is that it is best they ask the question than not.
My other point is that as soon as a forum becomes the basis of determining if another person is an expert or not it becomes a dangerous ground. Ultimately, in the UK that is for the court to decide if a person is an expert or not. It is not for someone to wave a forum post around and claim another person is not an expert based on it.
I'd also state, does asking a 'hard' question mean that a person is an expert? Personally, I'd much prefer a person that asks the basic questions and questions the answers than someone that asks the hard questions and just takes the answers as being correct. It is also worth noting that what constitutes a basic/hard question to one person may not be perceived as such to another.
Kind regards
Sam Raincock
I would agree that to one person something easy may be something hard to someone else.
However, c'mon Sam, in all fairness, is someone who holds themselves out to be a CF expert and asks where do I look to find out what USB items have been connected to a computer really an expert?
Isn't it fair to assume that if they don't know the basics, that the much harder questions will also elude them?
And while posting that question to a forum will get them that answer, if they are any kind of investigator at all (even a lower level one) won't that open up "why is the USB instance ID containing a & key" and onward?
You can follow some posters from the time they got the case "can someone tell me where to get sample forensic contracts" all the way to "how much should I charge" through to the USB question, and then "where can I find a sample report"
forensicakb
In my experience, some of the simple questions that people think they can easily answer are often the questions that need to be carefully considered to ensure evidence isn't missed/misinterpreted.
I take your point that some people may use forums to assist them completing a considerable amount of their work and may take the answers as read. However, I don't think it can be assumed that everyone who asks a 'basic' question is not an 'expert' because they have done so (and that this could be ultimately used against them in implying such a thing). I also do not think that someone not knowing something that is considered as 'basic' means that they don't know how to consider the 'harder' questions. They may be just seeking another way of thinking about a matter or looking at the other possibilities the question may need to consider.
For example, your question about the use of USB devices with a computer - let's say a question is asked "Where do I find information relating to all of the USB devices that have been used with computer A since I need to produce a list to be able to state a particular device has never been used". This may raise other relevant discussion points that may not have been initially considered. For example:
What happens if the OS has been upgraded?
What about if wiper software has been used - where else may there be evidence?
What about a reinstalled OS?
How can the restore points/LNK files etc. assist?
Can you say definitively that a device has not been used?
A simple question…lots of other possible questions and discussion points to potentially consider.
Kind regards
Sam Raincock
One also needs to consider that although this field is "Computer Forensics" there are many potential sub-specialties, such as certain OS or FS, incident response, malware, internet content, and so on. If one were to expand the field to Digital Evidence, you'd be adding in cell phones and small devices and further skills. When I started in '00, it was widely considered that if you were competent in DOS, Windows 3.x/95/98, FAT and NTFS then you were across most of the issues. Since then I've had to expand my knowledge to cover the various *nix and Mac OS (both <=9 and OSX) and related FS. I've learned more about artifacts from internet usage, be it browser, messenger/IRC or P2P and so on, as well as hacking, malware and so on.
I don't think that the simple fact that I didn't hit a Linux box until somewhere after my 100th case, and that I sought help from co-workers in any way impugned my general skill as an examiner. I was fortunate at the time that I was working with a team of other examiners who had a range of skills and that one of them was a jet at Linux and helped me a lot on that case, and that therefore I didn't need to reach out to the broader community for assistance. I was able to use the assistance of my colleague, apply the general forensic principles and methods that I had developed to that point and come out with a sound and defensible result.
Therefore whilst certainly it's suspicious if an examiner asks enough questions over the course of a month to cover pretty much all aspects of a case, the occasional question about something that might seem simple to me doesn't necessarily set off the "OMG NOOB" reflexive response. (Although all of the "I'm a college student and can you please answer my homework or take my questionnaire" postings do.)
What does alarm me is some of the court transcripts that I've read where supposed examiners on the stand make comments which show their complete lack of understanding of the discipline. I agree that it would be highly beneficial if we could weed these people out BEFORE they get heard by a jury, but courts under both the English/Australian and US systems have the power to test a witness for competency through voir dire prior to accepting testimony, and if it's not done, then it speaks to a failure of attorneys to understand the most simple bases of scientific evidence. I had to learn the rules of evidence in law school, and I'd hate to think that practicing litigators have forgotten them when I still remember them and I'm not a lawyer.
I'd reckon that the majority of forensic related questions have been asked and answered in forums, email lists, books, magazines, training programs, conferences and by simply testing the theory of the question. The basic questions that are asked are many times from students that are not only lazy to do their own homework, but lazier still to not even at least 'Google it'.
Which brings about a new generation of college educated forensic 'experts' that have intentionally neglected to do their own homework and plagiarize from others through the internet. How's that for ethical conduct?
Controversy… I love it!
Let me lace up my gloves and step into the ring a little here…
Let's say that I face an opposing expert in a case and, while researching the opposing person (as I do in EVERY situation) I find that they have posted a basic query to Forensic Focus or Digital Detective what am I likely to do next? Even worse, what if that question related directly to the case being contested?
I hope no one on here is naive enough to believe that the things they post on forums such as this won't come back to bite them on their hind quarters.
Same would apply if I were a college professor. If I found my students asking questions and then quoting their answers verbatim I would have them disciplined for plagiarism.
I realise that everyone has to start somewhere but, PLEASE, search for your answer first. Buy a book, read the blogs, listen to the podcasts (personal plug), do something to educate yourself first.
Let's say that I face an opposing expert in a case and, while researching the opposing person (as I do in EVERY situation) I find that they have posted a basic query to Forensic Focus or Digital Detective what am I likely to do next? Even worse, what if that question related directly to the case being contested?
You need to specify please - what exactly is it you do when you find someone you're up against has asked a question in the past that you decide is basic?
It's interesting that you yourself post here anonymously.
DFICSI
I do not see any difference between a person obtaining a previously unknown answer from a book/website than asking someone on a forum for assistance and discussion of the points. It's just another way of learning.
My personal opinion is that you should only base your comments on what that expert has produced in their report and not the questions they may have asked on a forum or in a class/seminar/conference etc.
If you have concerns about an expert then you should highlight that to their registered body (if applicable) or write to their company. In the event their report is incorrect and it is not resolved in expert meetings, then you could highlight issues that you have identified in their training, expertise etc. However, at the end of it all, it's up to the court to determine if they accept a person as an expert or not.
If forums are used as something to target a CF expert/examiner then all that will happen is that people will not use them or move on to tightly controlled closed forums. I believe the above debate was something that occurred (perhaps in reverse) about 5/6 years ago when a certain forum was opened up to defence - there was grave concern that such 'experts' would use the information on forums against the Prosecution examiner. I for one hope it never happened!
Kind regards
Sam Raincock