DFICSI
If you were opposing no doubt you've tested it and validated if he is correct or not? So the point is "what is the correct agreed evidence to put before the court?".
The point you highlight is a concern about the person's ability to test and research - which in some respects is a side point. How do you know that the person hasn't taken the answer to the question and researched and tested it themselves? You cannot assume because they have received an answer on a forum that they haven't tested the answer. It would likely be an inexperienced barrister who would use your line of questioning unless they knew the answer the expert would give – in fact in the UK I am not so sure the above questioning would be a good strategy unless they had absolutely nothing else to go on!
Computer forensics is no different to any other area. People often do not question what they read in books, learn on courses or what their software tool tells them. In fact, a fully questioning mind is fairly rare in all disciplines (and usually annoys people - I sit on my hands in courses/conferences). People have a certain level of trust for certain information they have been provided. That trust level is different for everyone and will also often depend on the person providing the information.
However, where do you draw the line on trust? If you don’t have a certain amount of trusted knowledge then you will never do any work. You will spend your career validating tools, testing NTFS etc.
Kind regards
Sam Raincock
However, where do you draw the line on trust? If you don’t have a certain amount of trusted knowledge then you will never do any work. You will spend your career validating tools, testing NTFS etc.
Spot on. We take certain things on trust - the behaviour of our software for example, be it EnCase, FTK, whatever else - ok, we all know of areas where certain products fall down, but that's the point of the community. For security we have both
These are formally reviewed to known standards; forensics is somewhat lagging behind in this regard. Books and other information sources are somewhat reviewed, but even then, there are many which contain factual errors into print. The forum, however, is peer reviewed ( to a certain extent ) and in that regard makes the case for assurance and trust much the same way as Open Source Software does - many eyes, nothing hidden, all can correct. Thus, to a certain extent, asking here may be considered to be a more trustworthy method of obtaining information than reading a book.
( I _still_ maintain that a good level of self testing is a good thing, especially where an item of evidence relies on it ! )
It never fails to amaze me how threads start off with a basic question and then get diverted on to various other arguments.
To go back to Harry's original question. If we wish to consider ourselves as professionals, what can, or should be done if we become aware of serious deficiencies on the part of a supposed expert?
I have over the years seen a small number of posts here and in other forums or mailing lists where the content of the question posted exposes the serious lack of knowledge and experience on the part of the poster. … However, where the poster is clearly acting on a live case and shows such a lack of basic knowledge which can only put their client at risk, how should the community respond?
I have in the past sat in concerned silence but not acted and I suspect I am not alone. I do think this is, however, not a responsible attitude, but what should be done?
H
My position on this kind of thing is probably well known by now but I'd like to second almost everything included in Ben's last post (Ben - can I pay you to answer my email as well?)
Sorry, back to the OP's question…
Jamie
I wouldn't say that the thread necessarily got diverted away from Harry's original post. What arose is more due to the fact that people's opinions and ethics differ regarding precisely what should and should not be done, as well as what exactly constitutes something that one would/could class as a lack of knowledge in a particular area.
For the record, Sam and others have given their views on what to do about it already, and I find myself in agreement with Sam. These issues should be dealt with privately so that the report/statement can be revised or a new report agreed upon for that trial. That way the 'expert' who was mistaken can learn from the experience without suffering from any public embarrassment. We all get things wrong from time to time. Indeed Craig Ball has written a very good article on that very topic right here on FF!
Ben
Interesting a lot of this thread is mirrored in my recent blog post http//
I think a major part of the problem is that almost by definition those newer to the field often don’t appreciate the gravity of the position they have and their duty to the court. This can be seen by some of the posts, especially on here as the membership is not vetted (not a criticism of the forum - just a fact) but also to a lesser extent on some of the closed forums, it is this I think Harry refers to. Some posts, and the follow up comments by the OP pretty clearly show the OP is new to the field and is struggling with the basics.
I have posted in the past regarding newbies and overly basic questions and suggested that they are potentially doing their client a disservice by taking on the case - we are often playing with people's liberties. When I have done so, not for many years now, I was shot down by other, quite experienced, practitioners as "people have got to start somewhere". Quite frankly while people have got to start somewhere IMHO they should not dabble in a field with such serious ramifications if they get it wrong. It’s all well and good saying that the other side will be reviewing the work and any mistakes will be picked up there - but often the other side won’t see the report and it will be used in cross examination – and they will stand or fall based on the presentation skills of their advocate.
Ben - can I pay you to answer my email as well?
Jamie,
What's the hourly rate? 😉
Ben
Good point, well made Bryan …
Let me abstract the situation slightly to bring us back to ethics, the law in certain jurisdictions requires that you assist someone who needs help in case of emergency ( two US states for example, but not the UK ). There is in this case a legal requirement to render aid - generally though there is no legal obligation to help anyone ( parent/child, carer/caree exceptions apply ).
This would mean that, as we have no legal duty of care, either to the person asking the question, or to their end client that we can ethically stand back and not act. Should you choose to act, in the belief that you are performing an act in the greater good, or indeed for the better of the individuals, then you should be free of obligation &/or repercussion e.g. through a "good samaritan" or "whistleblower" law.
However, as, with a few notable exceptions ( Lee 😉 ) people are largely anonymous the ability to actually do anything of any value is practically impossible - I'm sure Jamie wouldn't extend a dictatorial hand to remove people who don't meet a certain standard, as this is the antithesis of what this forum is about - but that realistically is the only practical solution.
Otherwise, I think that the ethical thing to do, is to ensure that as individuals we behave ourselves - e.g. we know our stuff, do our research, and, when faced with an opposition who are, fundamentally wrong, let the right people ( the judge & jury ) know the truth. Forensics is usually a nice field in that respect - you are right, or you are wrong and you can prove it.
What does alarm me is some of the court transcripts that I've read where supposed examiners on the stand make comments which show their complete lack of understanding of the discipline. I agree that it would be highly beneficial if we could weed these people out BEFORE they get heard by a jury, but courts under both the English/Australian and US systems have the power to test a witness for competency through voir dire prior to accepting testimony, and if it's not done, then it speaks to a failure of attorneys to understand the most simple bases of scientific evidence. I had to learn the rules of evidence in law school, and I'd hate to think that practicing litigators have forgotten them when I still remember them and I'm not a lawyer.
This is one of the reasons why I'm unenthusiastic about licensing digital forensics people. Licensing certainly has a role especially in areas where public health and safety can be positively protected by a licensing arrangement. However, I'm seeing quite a few people who think that licensing is a test of competence and that's generally not the case.
This is one of the reasons why I'm unenthusiastic about licensing digital forensics people. Licensing certainly has a role especially in areas where public health and safety can be positively protected by a licensing arrangement. However, I'm seeing quite a few people who think that licensing is a test of competence and that's generally not the case.
That was one of the issues with CRFP - I never did register - the criteria for registration was set to determine whether you could fill in a form and follow procedures and did nothing to say that you actually knew what a byte was.
It looks to me (although a bit out of touch) that the new forensic regulator is going down the same route and will regulate that we all need to be ISO 9001, with the associated costs putting a lot of small operations out of business, but will do nothing to assure that those practising understand their field.