
Innovation

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Okay, I get it…you've got a secret, and you just want me to know that you have the secret. Gotcha. You're a cop, aren't you?

😉


   
deckard
(@deckard)
Trusted Member
Joined: 20 years ago
Posts: 77
 

The only secrets I have are the ones my wife THINKS I have!!

I'm not a cop, (but I play one on tv??) nah..

No, I'm private. Wasn't always but last few years I am. I just happened to make a couple of presentations to a Certified Fraud Examiner group where several academic types were, and also did some IR for a university that gained me some inroads. I'm just trying to make sure this field keeps a high ethical and knowledge basis so the good old govt will not regulate it too bad.

Although I have to tell you, I think we need some standardization of credentials and skills, and oh yes, some decent background checks that have been verified.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

> standardization of credentials and skills

Now that's interesting!

What would you consider for standardization?


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

"standardization of credentials and skills"

There are several organizations who will tell you that you are capable based on "their" standards.

Who would be the person to say that person A's credentials and skills are up to par but person B's aren't?


   
deckard
(@deckard)
Trusted Member
Joined: 20 years ago
Posts: 77
 

Other organizations have been able to define standards for their groups. Our problem is most certifications are vendor specific. Of the non-vendor and non-OS specific, we have LE and non-LE. I believe having a "standard" cert would be a good first step. But we are in the formative years yet. Will it be CCe, GCFI, or another?

I know right now in NC we have computer service firms representing themselves as CF because they know how to image a drive <would it stand up in court?> and find deleted files. Sometimes, maybe most, they don't even image. They install keyloggers, illegal in this state, but they do it. The sad thing for the client is, nothing would ever be admissible, and the "examiner" would never get qualified as an expert witness, but they advertise the service and get clients. Nothing illegal in taht.

But on the whole, the science of forensics suffers.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

To be honest, some of the LE-only training I'm familiar with (I used to work for Sytex, and got to meet some of their folks from Columbia, MD, who provided training to the FBI) can stay LE-only. Much of the stuff I and others do on a daily basis is much more advanced than that. I don't think that I'd even want to see that level of training in anything more than the most basic of certs.

> Nothing illegal in taht.[sic]

No, you're right. A lot of times, though, what the client wants is not what one would do, really. I've been on-site several times when the client has said, "we hired you b/c you're the expert, but here's what we want you to do." In one case, I had to image CDs to ensure that they could be read, even though those CDs had been produced by the LE arm of the overall organization…I had to do this due to political issues between sub-organizations.

So…many times you'll be on-site and rather than doing what you do best, and know how to do, you'll have to do what the client wants, regardless…even after letting them know what the issues are.


   
deckard
(@deckard)
Trusted Member
Joined: 20 years ago
Posts: 77
 

I have actually turned down jobs because of what the client wanted. It doesn't pay to risk my rep, my liability insurance, not to mention my sanity.

LE folks are just so far behind, and generally their "superiors" aren't that big on CF. Feds, well they are Feds.

I think IR is even harder to standardize than CF. But when I think of standards I am thinking of bounds, because techniques are changing with technology and with the compromise. So pulling the plug or not pulling the plug, for instance, isn't the issue, and therefore not what the standard would address. The issue and the standard would be addressing the best way to preserve the state of the "crime scene" and the evidence in a way that best allows the examiner to determine who, what, when and where within the bounds of rules of evidence.

How's that for verbose?


   
az_gcfa
(@az_gcfa)
Estimable Member
Joined: 19 years ago
Posts: 116
 

I apologize for being so late in responding – I had roof work to do!

A couple of things that have been said have stirred my innards! 1) The provided definition of innovation is all well and good. However, I think it is just as important to apply innovative concepts to currently available tools to augment or invent new analysis methods. Innovation (entirely new concept) is not guaranteed to be acceptable in our judicial system – commonly accepted practice (Dalbert Test - scientific consensus).
2) As for the topic of contributions (forensic knowledge), some have provided more than others and some a lot more than most. Nothing I would write home to Mom about, but I don't write to my Mom anyway - IMHO. This goes along with my previous comment about being critical. I believe that procedures and techniques must be critiqued. However, the manner in which those comments are delivered can mean the difference between night and day.

The question was asked of me, "What comments do I have concerning innovation." First off, most new ideas are usually considered innovative until those ideas are accepted as commonplace or common knowledge. The moniker "innovative or Innovation" IMO is like the Tide commercial, "new and improved" - so what!

Secondly, most people do not readily accept innovation. [THIS IS NOT A COMPLAINT] For example I presented the concept of using Distributed Processing to overcome computing resource shortfalls. I would not categorize the comments as being overly supportive. The same goes for the "Information Retrieval concepts" or "suggested wiki alternative"!
As a matter of fact - the comments actually had the reverse effect – it will take a while but I will design and build those two products. I did not expect anyone to jump up and say great idea - but my point is innovative ideas are not generally accepted initially. I believe that most people do not want to share what they think (innovative idea) because people will take liberties.

I have found that most technical people are shy. A very few are arrogant or confident. By far most are shy when it comes to their peers and peer reviews.

IR standards are like the missing link. There are so many dynamics to any given situation how would you standardize the process. For example when do you pull the plug and when do you not pull the plug?

I think CF does need a common skills test administered by a national oversight certification board. I think the test needs to be around 200 questions and should consist of two practical forensic assignments per system type (Solaris, Linux, FreeBSD, WinXP, Win2K, Win2003, Mac, Win98), network equipment (routers and firewalls) and IDS. Each candidate must pass the test, and successfully complete the exercises in three of the system areas for basic qualification.

Vendor certifications are just that, special vendor qualifiers: Cisco, Snort, RealSecure, Juniper, Encase, FTK, ProDiscover, X-Ways, Linux Bootable CDs, etc.

Well - that's my .02!


   
deckard
(@deckard)
Trusted Member
Joined: 20 years ago
Posts: 77
 

<IR standards are like the missing link. There are so many dynamics to any given situation how would you standardize the process. For example when do you pull the plug and when do you not pull the plug?>

Hey az;

In one of my posts I used this example for a standard, the standard not being whether or not to pull the plug, but the standard being to choose and document the best alternative given the situation for preserving data AND allowing the investigation to go forth.

Now not to rankle you <really nothing evil intended here> but to show just how the system works, if you spelled Daubert Dalbery in my court jurisdictions you'd never get qualified as an expert witness any more than if you spelled Frye Fru or didn't know the difference. I'm just using this as an example of how the legal system views our work, and how we need to standardize ourselves BEFORE the government does.

Mostly what you say I agree with, in principle at least. Yes, any innovation will have a limited shelf life before it is normal, but that's the whole idea behind an innovation.

As for the wide distributed workload deal, I see where you and keydet are both coming from. Your biggest obstacle will be chain of custody. Once you allow any part of the case, no matter how small or for what reason, into someone's control, you have created a courtroom nightmare for your prosecutors. So along with the technical aspects you face making sure all your bases are covered that way.

Have a great day, I gotta spend mine in court.

Bill


   
deckard
(@deckard)
Trusted Member
Joined: 20 years ago
Posts: 77
 

sorry not Dalbery, Dalbert


   