Is There a Need for Industry Control?

Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

A very thought-provoking article from Nick Furneaux of CSITech entitled "Is There a Need for Industry Control?" has been added to the Papers & Articles page and can also be viewed directly at http://www.forensicfocus.com/need-for-industry-control .

If anyone would like to comment I know Nick will be watching this thread to respond to any queries.

Kind regards,

Jamie


   
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

I think the article is right on point. I have seen the same posts both on this forum and others. I am (as is the author) at a loss as to what form the controls should take. Certainly there are certifications. Perhaps a professional organization that has yet to evolve will be the answer.

What I think is missing are informed clients, juries, and judiciary. How many of us have experienced an adequate voir dire consisting of questions relevant to computer forensics? Computers are still quite intimidating to many of these, and they don't know the difference often times between a computer forensic expert and a "computer" expert. As we've discussed before, there is a need for education among those parties.

When the practice is more widely known, then market forces will address many of the problem cases. All this being said, there is still a need for new examiners to gain experience in a controlled environment. I've been asked, as I'm sure others have, as to where one can go to get this experience in cases that are not so vital to the individual's freedom or property. As I got my start in law enforcement I was fortunate to have experienced examiners in surrounding jurisdictions who were willing to take me on and work through cases with me. I try to do this as well. Does any such apprenticing take place in the private sector?


   
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

There is lab accreditation out there as well. I am the accreditation manager for my agency (agency wide, not CF specific). I haven't looked into the lab accreditation standards that exist. I suspect that they are more facility specific than related to training and practices. Often the standards can make it impossible for all but the most well-funded lab to pass. The genius in a system is when it requires the necessary practices, but in a way that allows the requirements to be satisfied by prince and pauper alike.


   
(@andyfox)
Eminent Member
Joined: 21 years ago
Posts: 43
 

Really good article from Nick that sparks two lines of thought from me.

The first is that the issues that Nick identifies are fairly symptomatic of a relatively new industry. If you look across industries and professionals who are 'consultants or consulting' there has been a big effort made to produce accreditations and standards so that employers and buyers of services know they are buying from accredited (or at least standard-achieving) companies. Construction, Accountancy, Human Resources are all industries that have common examinations and accreditations - if you want a surveyor you go to an organisation like RICS or similar or if you want your boiler fixed you go to CORGI for the nearest registered expert, etc., etc.

So basically I think that industry control will come, and is a symptom of a young and expanding industry.

The second part of my response is that I think Nick's article also shows up the already acute, and getting worse, issue of skills shortages in LE and Government (in terms of ability to be able to cope with volume of work) - and born of a fast growing industry. Our firm and Nick's and a lot of others all have ex-Police staff working with them, so the cost of this to Law Enforcers to recruit, train, then lose experienced forensic staff must make them pull their hair out - especially when they still have targets to meet. That's where the private sector has the upper hand - with lower overheads and quick decision making, firms can pull in resources to cope with high work volumes or large projects.

Great article Nick - some interesting issues for the industry to grapple with in the forthcoming few years.


   
 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
 

The subject of accreditation and appropriate qualifications has been batted around other forums too. It’s a hot topic, and Nick has hit the nail on the head when he talks about searching forums to find basic questions by those looking to get into the 'industry' or even more worryingly asking, 'I'm just setting up my own business, how do you image a hard drive?'

I have a story about this very subject. Not too long ago I had a ‘defence expert’ attend my works premises, to examine a case on behalf of the defence. His opening introduction speech to me was that “the defence wanted the job doing properly…” (like flashing a red rag to a bull). So when he later explained he couldn’t access the EnCase evidence files, because it was a format he was not familiar with, I couldn’t resist gently asking his background and credentials. It transpires he was the local computer shop repair man. He was actually a really nice guy, and trying to break into the market, but hadn’t the first clue about imaging, or forensic tools. He’d never taken any courses or formal training in FC. He still continues in this practice as far as I know.

The problem is anyone can call themselves an expert in this or expert in that - in the UK, it's down to the individual court to decide whether you can be elevated for that trial to an 'expert' witness.

Yes I do feel there should be some kind of minimum standard, and registration on some kind of professional body. F3 (First Forensic Forum) is the closest professional organisation I can think of in the UK specifically relating to FC.

Andy


   
(@andyfox)
Eminent Member
Joined: 21 years ago
Posts: 43
 

Andy - that's a story that's not only very familiar but doesn't half make me chuckle! - nice one - I take it you remained suitably calm when told a proper job needed doing!


   
nickfx
(@nickfx)
Estimable Member
Joined: 20 years ago
Posts: 131
 

Thanks for the feedback guys, Andy's story about the EnCase files made me laugh as I did something not dissimilar recently following a total brainfade. I was using FTK to access EnCase images and highlighted the whole lot to index, forgetting that you only need to access the first file. I sat there for 2 minutes looking like a complete numpty until a friendly colleague pointed out my error. Result of a 12-month-old baby being up all night!

I'm glad that the feelings expressed in the article are generally agreed with and the example of CORGI in the UK is a good one, but where that Body comes from I just don't know. Sadly it may require a major newsworthy case or even fraud using our profession to make the judiciary, or similar, take notice.

Also the First Forensic Forum is great if you are in law enforcement but try getting approval as a member if you don't use Vogon tools or are involved in defence work; closed doors all over the place.

Nick


   
 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
 

Nick, access to the F3 to my knowledge is open to all in the industry, and half of the official representatives are from the private sector. You do not need to be nominated for membership. It's got nothing to do with Vogon anymore. F3 has an annual conference, and regular training days (open to all members). Membership costs next to nothing and is well worth it.

I like going to the conferences, and catching up with folks in the industry I have met on courses and jobs, etc. It's great for networking in the UK.

On your behalf I have just made some enquiries regarding membership and I have some contact details for the appropriate person: Steve Buddell (from KPMG).

If you PM me I'll give you more details.

Andy


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

I thought the following paragraphs from a recent article at the SAP Info website might be relevant to this discussion:

In academia, Purdue University’s Center for Education and Research in Information Assurance and Security recently produced a study on the state of the computer forensics’ science. The study found forensic investigative procedures at present were still constructed in an informal manner that could impede the effectiveness or integrity of the investigation. Unfortunately, the study pointed out, the informal nature of the procedures could prevent verification of the evidence collected and might diminish the value of the evidence in legal proceedings.

Kate Seigfried, author of the study, commented: "Both the law enforcement community and the private sector/academia are concerned with the lack of a standardized or even a consensus approach to training forensic practitioners." According to Seigfried, what is less obvious is a consensus approach to tackling the identified issues and needs. "A framework needs to be developed which includes input from the private sector, public sector, law enforcement and research community," she urged. "Attention can then be focused on using the technology to gather information on potential targets/victims or targeting the technology and the underlying infrastructure itself." The study noted the recent CSI/FBI Computer Crime Survey estimated that the cost to US businesses in 2003 was about $200 million.

Purdue’s Spafford is also worried about the ad hoc nature of cyber forensics today. "I am concerned that we develop a more scientific and rigorous approach so that we may have confidence in the results," he stressed. "It is unfortunate if we are unable to prosecute a criminal because we are unsure of our analysis; it is a greater tragedy if we wrongly accuse an innocent person of malfeasance because we have not appropriately gathered and analyzed the evidence."

Formalizing the process of evidence gathering

He wants to answer two key questions:

* How do we formalize the process of cyber forensic evidence gathering and analysis using appropriate and rigorous scientific method.
* How do we augment information systems so as to produce better audit and evidentiary trails while at the same time not exposing them to additional compromise.

Seigfried has another concern. She sees computer forensics at a crossroads in its journey to become a recognized scientific discipline. "The continued lack of a professional certification, investigative standards and peer reviewed method, may ultimately result in cyber forensics being relegated to a ‘junk science,’ as opposed to a recognized scientific discipline," she said.

Like several governments around the world, the US Government has recognized to some extent the value of the science and has established the National Cyber-Forensics & Training Alliance (NCFTA) as a partnership between the public and private sectors to try and train people to work in the field. NCFTA, which includes the FBI, the National White Collar Crime Center, Carnegie Mellon, Microsoft, Cisco Systems, KPMG, RAND, Lucent Technologies, Mellon Financial, IBM, AT&T, Seagate and others, recognizes the problem but so far the funds to fix it have not been substantial.

The Alliance is working to change that.

The full article can be read at http://www.sapinfo.net/public/en/index.php4/article/Article-9854425e554fc3aa1/en/articleStatistic

Kind regards,

Jamie


   
(@eds-fih)
Active Member
Joined: 20 years ago
Posts: 9
 

A very interesting article, Nick.

Until recently, the generalised security business had no standards at all. CISSP has become the de facto standard because there was a gap in the market, and many job descriptions now specify it. Eventually, all security consultants will require it, and security managers will increasingly require an ISACA CISM qualification as well. There are other niche qualifications/standards - CLAS for UK Government work is a formalised one, but they aren't going to be mainstream.

The same is true within the Penetration Testing arena. Until the introduction of the UK Government CHECK standard, there was no benchmark for PenTesters in the UK (and increasingly, parts of Europe. They may not be eligible for CHECK, but they want the quality seal that goes with it.) Not all organisations can achieve CHECK status, however, so it can't become The Standard. With PenTesters, there was also the additional cachet of vulnerability research as a form of quality mark.

We work in very immature professions, really. Individual reputation has gone a long way in the past - in future it might not go as far.

This is obviously a major topic - the Lab Accreditation and Vogon/Ibas threads all have similar underlying themes - how do we professionalise the industry in an inclusive way, rather than one based on corporate size?


   