the new forensic regulator is going down the same route and will regulate that we all need to be iso9001, with the associated costs putting alot of small operations out of business, but will do nothing to assure that those practising understand their field.
I've already written to my MP suggesting that this post be added to the 'bonfire of the quangos' )
Paul
This issue must have raised itself in other fields though, so perhaps seeing how they have dealt with it would be a good place to start.
Credentialling has been used, but it is really no guarantee as their are bad practitioners who are, nonetheless, able to pass an examination.
Malpractice is often touted (mostly by plaintiffs' attorneys) as a means to eliminate bad practitioners. I have my doubts, at least insofar as medical malpractice is concerned…
The adversarial system that we have in the US is one way. Some people have suggested using Special Masters as a way to reduce ediscovery/digital forensics costs, but the problem is that there are bad practitioners out there who, nonetheless, have served as special masters.
Thus, from my perspective, the only real way is to have issues and practices vetted, in public, where other practitioners have the opportunity to question one's methods and conclusions. In this regard, we are much farther along than, say, the medical profession where you are unlikely to find a forum such as this, though I have been in medical forums where specific practices, rather than practitioners, have been challenged.
What that means, of course, is that one should be willing to speak out when they see such deficiencies as those to which Harry alludes but there are a couple problems that I see with this
1. Rarely are we (as outside observers) in possession of all the facts. Thus any such opinion needs to be couched in terms of what is known and limited by that which is unknown.
2. As a corollary to the above, there is the unfortunate fact that at least some posters may lack English language skills which may make it easy to misinterpret what they are saying. Unfortunately, some of these are also, supposedly, native English speakers (but I won't digress into the state of language education in the US or in Henry Higgin's UK).
3. Finally, rendering an unsolicited professional opinion which could be misconstrued as solicitation for business could open one to liability both as libel and, possibly, tortious interference.
This is rather interesting to say the least. At what point do we accept someones "professional" opinion as gospel? In my opinion, NEVER. Question everything. There are a couple of reasons one being that someones lively hood or freedom is at stake in many cases. The other is the lack of knowledge by the general public and the court. A jury can only make a decision based upon evidence presented. What if the evidence presented is marginal at best? Who on the jury would know the difference? Case in point, if the only "professional" or "expert" testimony presented at trial is from one side or the other how can a judge or jury make a definitive decision? They wouldn't have the knowledge to question the evidence presented. Lets be honest. Forensic testing is expensive. In many cases it isn't free. In most cases the prosecution has the resources of the government to prepare their case. The defendant only has what ever resources are available to them. In many cases those resources are limited and they may not be able to afford a good forensic defense. So the states "experts" in my opinion get an unchallenged bye.
With that said this is true in too many cases. The prosecution only presents enough evidence to show a person is guilty without examining ALL of the data that may point in another direction. Is this ethical?
This thread was started because of such a case. I started a thread with vague, novice type questions to elicit a response to evidence presented by the prosecution. The answers to this were as I suspected. The shear amount of discovery handed to the defense was overwhelming at best. Close to 500 pages. What I soon discovered is much of this evidence was nothing more than duplicated. Paring that down to only approx. 100 pages of data. Within that data, as I suspected, nothing definitively puts the defendant at that computer. It does start to point the case in another direction that the prosecution has not pursued. So is this ethical?
I will share this. The "experts" have all the information I have which I have not reveled on this forum. This being an ongoing case I have only shared details with others that I have verified as professionals privately. The prosecutions "experts" have "years of experience and over 400 hours of training". One of them is also a computer forensics teacher. Without my input the attorney may have well advised his client to take a plea deal as the evidence the "experts" are going to present at trial is so over whelming it will be hard to defend against it and if it does go to trial the defendant will most likely be looking at a substantial lose of liberty and monetary expenses that he will never be able to pay.
The lesson here is don't discount someones asking what appears to be a novice question. They may be trying, as I did, to verify their own analysis.
In no way do I mean any disrespect to anyone involved with LE. You do a job that most would find repugnant and burn out from. By all means keep doing what your doing but remember to follow the evidence. Not just what the prosecution asks you to do. You may get challenged. Be prepared to defend your hard work. As I tell my clients I am only interested in the truth. If that helps you,great, if not, so be it. I can't make a guilty person innocent.
If someone "Opens the Door" with a question, then that someone should be prepared for the responses to the question. Opinions that are insulting or otherwise not nice are just opinions. If a digital/computer forensics examiner does not already know where to find USB artifacts, then that person surely has not conducted even one exam, nor attended one formal training program.
A UNIX expert that starts their first Windows exam most likely has the brains to figure out where to get USB artifact information before blindly posting it in a public internet forum. The only exception I see would be where an urgency of physical harm is at stake and there is no time, not even minutes, to waste to get an answer. I do not believe these are the postings I see online.
Licensing/regulation? Darn tooting! How many 'experts' are online, marketing their services, charging top dollar, holding a person's liberty or finances in their hand, after only attending a FTK Book Camp? Even 1 of these is too many. Is there any reason on this planet that forensic examiners fight regulation and licensing? Would anyone hire an attorney that was unlicensed? Or visit an unlicensed doctor? How about a home repair contractor?
You'll never be able to determine who all the students are in the forums, but certainly, seeing a user name with 0 posts, in a newly created account, asking about "USB artifacts" or "is FTK better than Encase" is something called a clue…. I'd suggest that instead of answering their questions, tell them to ask their professor or instructor first. And these people do not belong in this field if they are already unprepared and have the work ethics of a lazy teenager, or worse still, handling real cases.
And I believe the basic forensic processes and methods have been detailed to the point of even lawyers know the basics (not a hit on lawyers, but its not their job to be forensic examiners yet many know quite a bit). Questions that are more technical, not found through internet searches or in books are the appropriate questions to ask in a forum such as this.
Perhaps Jamie can create a forum something to the effect of;
"If you are a student and never handled a real forensic case, or if you are charging fees for forensics yet don't know what you are doing, and you want to benefit from the experience and training of professionals without charge, then go to
And yes, I'm new to this forum, but know a little more than a little about computers and forensics…but then again, you wont catch me asking if FTK is better than Encase, or how do I open a dd image.
Licensing/regulation? Darn tooting! How many 'experts' are online, marketing their services, charging top dollar, holding a person's liberty or finances in their hand, after only attending a FTK Book Camp? Even 1 of these is too many. Is there any reason on this planet that forensic examiners fight regulation and licensing? Would anyone hire an attorney that was unlicensed? Or visit an unlicensed doctor? How about a home repair contractor?
Licensed doesn't mean competent especially when you are talking about home repair contractors. Licensing can also have unintended effects such as keeping otherwise competent people out of the market. You just have to look at some of the state private investigator regulations to understand how this works.
you wont catch me asking if FTK is better than Encase
How would that be a bad question for someone to ask?
Licensing at least means the person met some qualifications. As of now, ANYONE can put out a sign that says, "Computer Expert for Hire". That person can be a convicted felon, an uneducated self proclaimed computer expert, or etc… Fight as much as you will, but having unlicensed and unregulated digital forensic examiners involved in major litigation or criminal matters is akin to hiring someone standing outside of Home Depot to work on your 3 story house. You'll end up losing your house when your unlicensed and unregulated worker falls and sues you.
This also discredits all examiners because who is to say they are better than someone else if no one is regulated or licensed? Licensing has nothing to do with competency. Just as there are incompetent attorneys, doctors, and contractors, there will be incompetent examiners. But at least it keeps out some of these people and the licensing can be used to prohibit some from practicing forensics should they be "disbarred" for unethical conduct. No one can be "disbarred" as it stands today. You can screw up a case and still be in business to screw up another.
Harry,
You've raised an interesting question.
First of all, in your opinion, what should be the set of basic knowledge? I know CF investigators which are quite experienced, but in my opinion lack certain basic computing knowledge. I've read books about CF which contained serious errors in basic computing knowledge. I know about CF certifications and software and hardware that also contain serious errors in basic computing knowledge.
Just to name a few of the basic ones the difference between IDE, PATA and SATA, the difference between MB and MiB, interpreting the FAT access time.
But computing knowledge alone does not make up a CF investigator. And what makes one an expert? The best description until now is one that knows what he/she doesn't know (and admits what he/she doesn't know). But an expert also knows when to apply a tool and/or technique and doesn't apply a hammer to drive in screws (unless no other option is available).
I think a large part of the job is validating our findings; even the ones published. Personally I think this does not happen enough. Because it takes just a different build number or configuration for software to have different behavior.
I think how one should respond on such posts is entirely up to the person. If you feel an ethical dillema about a post, I would recommend addressing the issue at that instance. Although addressing all these posts might be a daily occupation.
I think that having proven techniques, tooling, knowledge base and open dissussion are far more valuable to have, then to continuously correct inexperienced examiners.
Joachim
Licensing at least means the person met some qualifications.
True. But qualifications to do what? That is the issue.
How about a 100 question exam of basic knowledge; a statement of adhering to ethical standards; and a criminal background check. Violation of ethics or being convicted of a felony would be disqualification of performing forensics. The written exam consisting of basics such as;
-Evidence control
-Legal knowledge (court information as example)
-And bare bones forensic information
I'm digging the general discussion here. I've been browsing the forums for a few months now, and only today did I create an account so I could chime in on the issue of "students" asking questions on the forums.
As far as inexperienced examiners go, I am at the nil end of the spectrum. I'm a 2nd year forensics student in a community college program designed to provide the basic technical, legal and ethical skills for proper digital investigation. So I'm about as fresh as they come. That said, I've really liked the encouragement and response that others generally provide to people with questions. In defense of the new forensics students that I know, none of them would exploit community responses to complete their coursework. Charlatans rise quickly, but they also fall quickly.
In my coursework, we are often presented with scenarios and cases that mimic or correspond exactly to situations in real life. So if I were to pose a question in regard to a case, it may be difficult to determine if I am working a "real" case. Additionally, in our program we have been taught to question the conventional wisdom in regard to certain paradigms of investigation. So a question that may appear novice in form, may have hidden variables and growing implications beyond the obvious answer. This is an industry that changes fast, right? Simple questions do not imply a simple education.
Even so, if it was noticed that I am inexperienced, and that I was indeed working on a "real" case, what is the ethical implication for your fellow forum members? Barring any obvious questions, or any questions that I could google quickly for an answer, I would expect my fellow forum members to guide me in the right direction. If you are worried that an inexperienced examiner is searching here for answers to an IRL case, I think you should do your best to impart your wisdom and expertise to aid their situation.
As investigators and examiners, perhaps we don't always need questions answered, but a good lead in the right direction. I suspect we are not just here for answers, but for community support on how to learn and grow into proficient and responsible forensicators. The moral dilemma is whether or not to participate in the learning and growing of our peers…and I think we all know which way to go.
Thanks for reading…