How about a 100 question exam of basic knowledge; a statement of adhering to ethical standards; and a criminal background check. Violation of ethics or being convicted of a felony would be disqualification of performing forensics. The written exam consisting of basics such as;
-Evidence control
-Legal knowledge (court information as example)
-And bare bones forensic information
That's woefully insufficient. The Forensic Specialties Accreditation Board for example requires any certification to consist of peer review, practical testing as well as exam based questioning. Plus of course ethics and periodic re-certification.
I've said in the past, and I'll restate it now, that I'm in favour of licensing CF so long as it is licensing CF and not trying to lump us in with PIs or some other mob. I think the reasonable standard is to require a certification with the above mentioned elements and a criminal history check of some kind, but not to try for every state to bootstrap their own exam, because I can't see that working out well.
The community may want to 'self regulate' with accepted and common sense standards before government entities start regulation with what they believe are common sense standards. The longer this takes, the closer to being regulated without having a word to input on standards. Without some sort of oversight with teeth, there will always be those that will cause embarrassment to the profession.
So I say, if you find incompetence out in the wild 'doing forensics', let it be known by outing the errors in cross examination or declarations. Let the court put the light on someone that shouldn't be doing what they are doing. All it takes is a few to be spanked publically before others decide to stay ethical and not bite off more than they can chew. And for students that may just cut and paste for their homework…in some schools, you get kicked out. Nothing wrong with that.
With all the banter and disagreements in beliefs of what things should be, perhaps we should just let things fly in the wind. No regulation, no certifications, no licensing, just a free for all in this field which will eventually turn into a non-professional career. Basically, anyone that wants to do forensics, can.
And the students…lets do their homework for them so they can hurry up and also get into the field!
Sarcasm it may be, but there may be some element of truth in it. Companies that do forensics well get return custom, companies that are shown up in court as fools won't. We could just default to natural selection ?
Same for the students, they may get their questions answered for a piece of homework, but, if they don't understand it - it will be shown up in exams or at job interview or in a probation period at their first company.
Survival of the fittest !
forensicakb
I don't know that I would discredit anyone for the above, or for a few errors in a book.
Not a few errors, but mistakes in basic knowledge; the point is that it is basic (computing) knowledge. The examples are mainly intended to reflect upon in light of Harry's question. Namely what basic knowledge are we talking about? And what makes a CF investigator (in)experienced? And if the "experts" are making the mistakes will the "non-experts" learn (copy) the same mistakes?
IMHO, I've yet to see a case some down to these differences.
Most of the legal cases I know of (mainly private law) do not deal with computing questions at all. As long as both parties agree; why argue.
Everyone who has written a large number of reports has errors, most private examiners carry insurance just for this. Usually the errors, have no bearing on the overall outcome of the case, and really can only be used to say this person made an error in their report.
You're right that every one makes errors; and when you have a solid case a few minor errors don't matter.
(Side topic) You raise an iteresting question, namely when does an error matter?
Joachim
The comments made earlier by other posters that CRFP definitely didn't work and that the Forensic Regulator might not work then what should be put in place instead to assess those providing computer forensic services?
The comments made earlier by other posters that CRFP definitely didn't work and that the Forensic Regulator might not work then what should be put in place instead to assess those providing computer forensic services?
I don't know Greg but an accreditation service that purely assesses your ability to fill in forms or follow procedures does not one single thing for the standard of forensic practitioners. I went to one of the later pre-release (you can see I’m a software engineer) meetings of CRFP and it was clear then the direction that had been chosen and that they were not going to listen to any other ideas.
What I can say is that I have been doing this a long time now and I have yet to see a case that has fallen down (in this country) based on chain of evidence - any problems I have seen (and I have seen a handful) could easily be explained and their ramifications put into perspective.
Pretty much if not all the cases I have seen where there has been an issue have been
1) the expert taking sides and slanting their opinion to prove/disprove a case
2) not understanding some relevant technical issue, and frankly they were the sorts of issue that would not be caught out by some sort of technical test
3) not being thorough enough and not noticing some artefact that was relevant to the case, again unlikely to be resolved by any of the current accreditation proposals
Neither CRFP or the Forensic regulators current proposals would address the rather wide examples above and so I wonder what exactly the proposals are intended to serve. The cynic in me says that some minister/quango will be able to point a finger and say “look we are addressing this issue” when in fact they are taking the easy way out and just adding beaurocracy (accompanied of course by additional cost) to the procedure.
There will be no winner here, standards will not be improved, costs will go up, smaller business will fold due to excessive cost and there will still be sub-standard examiners out there who are good at filling in forms.
Actually there will be winners and that will be the larger companies who can afford an isoxxxxx consultant to manage the box ticking and of course the isoxxxxx companies will win as well (perhaps it is time to rebrand myself).
You set up BACE (British Academy of Computer Experts - I think) about 12-15 years ago I can’t remember what the standards everyone else had to achieve to become members but I assume that there were some standards/tests etc. that you had thought about and implemented (you made me a fellow and a cfsiceng based on just knowing me and my work – which was flattering – so I can’t answer this question). What were your thought processes back then and have they changed now? What happened to BACE?
Perhaps an answer that addresses the issues is a body that someone must join (with a fee to fund it) and to which opposing experts can complain – after someone reaches a certain number of complaints a case is referred for review. Sounds simple but with a little thought it is clear that it will not work, or wont work well. Most of the civil work I do would be client confidential and my clients would not be at all happy if the case was opened up for another expert – especially if they had just won because the other expert was deficient. So while it might do the job I expect it would not reach the bar and any shoddy work that I or any of you do would be quietly swept under the table – which is pretty much what happens now.
Charlatans rise quickly, but they also fall quickly.
I wouldn't be so sure. One of the things that you learn as a witness at trial is that there are people out there willing to take money to say things that an ethical expert would never say. While Daubert, Kumho, etc., have raised the bar, they have not been an absolute barrier to the admission of "expert" testimony lacking scientific merit. Furthermore, in the courtroom, where success often matters more than determining the truth, such "experts" can become relative celebrities; specialists in the application of their unique approaches to the truth.
And I'm not speaking only of digital forensics, here. There are medical experts who make the rounds defending DUI suspects using junk science to create reasonable doubt.
In my coursework, we are often presented with scenarios and cases that mimic or correspond exactly to situations in real life.
That would be good. But just as in the real world of experts, you have to demonstrate that your opinions come from the results of your own work and are not dependent upon conclusions drawn by another. Routinely, we are asked to swear to the fact that our opinions and conclusions are based on our own professional knowledge, experience and practice. Not much different from the classroom, really.
Even so, if it was noticed that I am inexperienced, and that I was indeed working on a "real" case, what is the ethical implication for your fellow forum members? Barring any obvious questions, or any questions that I could google quickly for an answer, I would expect my fellow forum members to guide me in the right direction. If you are worried that an inexperienced examiner is searching here for answers to an IRL case, I think you should do your best to impart your wisdom and expertise to aid their situation.
You are putting up a straw man in order to tear it down.
This forum is filled with examples of individuals who have aided others with their own experience and findings. Each of us has much to learn and much of that learning will come from the work of others.
But the original poster was not concerned about providing legitimate aid to others. His issue was how to handle a situation in which, in his professional experience, a poster seemed to be beyond his capabilities. This situation is, potentially, no different than the situation where a doctor concludes that another doctor is over his/her head in treating a patient or a lawyer is out of his league in representing a client.
In all cases, the issue is what should a competent professional do?
I don't know Greg but an accreditation service that purely assesses your ability to fill in forms or follow procedures does not …
Great post Paul, some very interesting points made more relevant by the lenght of time you've been in the profession.
If the industry does not regulate itself, the governments will.
Would you allow a non-computer forensic oriented member of this computer forensic oriented community to attempt helping you see the forest instead of the single tree? ?
ALL (exception made obviously for the examples, NTFS, Unix, etc.) are arguments that have been debated in connection with about ANY profession known to mankind.
I have seen exactly the same kind of discussions among lawyers, M.D.'s, chemists or salesmen.
The fact that "qualification" often has very little to do with knowledge, capability, and attitude, and, more generally, with what (whatever it is) is needed to make someone into a reliable, competent, esteemed PROFESSIONAL, has been beaten as much as the proverbial dead horse since the very beginning of the sheer concept of "school", "exam", "diploma", "certification", etc.,(and with roughly the same amount of utility as the deriving from actually beating the mentioned dead horse)
But, unlike the profession of lawyers, M.D.'s, etc. the computer forensic is a field where ALL things are (or should be) BINARY or 0/1, Black/White, NO shades of gray allowed.
From the outside (but my actual occupation is not as totally different or "distant" from computer forensic as it might seem) I can observe in a number of members here some traits that do make me wonder.
I can see on this forum EXAMPLES (please do understand that the following is a generalization and is not in ANY way intended as an offence or critic to anyone in particular) of
- closed mindedness (I know but I won't tell you)
- jealousy/secrecy about methods used (My way - that I won't tell you - is way better than yours - that you won't tell me)
- personal attitude (or party actually paying for the case study, prosecution vs. defense) reflecting on results (since I'm convinced the guy is guilty, let me find something to nail him or since I'm convinced the guy is innocent, let me grasp at straws to help this poor lad)
- etc.
that are IMHO INcompatible with the theoretical role of scientist that a forensic expert should have.
Again, these kind of issues are common traits among other professions, and have been debated for years, decades and centuries, and we already have answers (actually non-answers) to most, if not all, the questions raised
- NO academical, formal or other form of qualification, exam, certification, course attendance, education
- NO guild, association, board
- NO Law, rule, protocol
- NO self-regulating code of ethics or of standard practice
- NO free market
has EVER been capable of EFFECTIVELY give GUARANTEE against
- malpractice
- incompetence
- blatantly evident (and severe) mistakes
nor of DEFINITELY assuring
- reliability
- correctness of the results (not necessarily being the same as the correctness of procedures)
- "professionality"
As I see it the non-sensically nature of applying a norm like ISO9001 (otherwise very senceful) to people who ultimately are "artisans" (as opposed to being a "industry workers"), the multiplying of needs for completely pointless qualifications or formal education, the creation of a"guild" and most of the other "ideas" till now suggested are the same already applied UNSUCCESSFULLY to a number of other professions.
Nothing new under the sun.
In my experience - as said not strictly related to computer forensics - the difference is still made by the individual an intelligent, motivated, hard working, competent, honest person is likely to succeed (in the long run, as in the short one the few "taking shortcuts" WILL win) in the profession he/she chooses.
Point is WHAT makes more likely that the large majority of the forensic computer experts will be made of this kind of people?
I doubt that ANY of the listed "measures" as said very common among other work categories is an answer, most probably the answer lies in a mix of them all (in unknown relative ratios) with the ONLY exception of ANYTHING that goes in the way of giving the wider possible access to BOTH the actual profession and to the sharing of methodology used, etc.
After all, this is a Public Forum (which allows me to rant freely wink ), it could have been a closed one, only acccessible to those that know the computer forensic expert secret handshake. roll
This should mean something.
When I see the "defensive attitude" of the "guild members", I shiver.
That's basically the way tyrants (and not only them) have ruled for centuries, keeping information away from the public knowledge and only allowing access to the few "elected ones".
jaclaz