wow now this is what you call a thread…or indeed threads!!!
As one of the many who have turned to the dark side from a former life in LE I will do a bit of fence sitting and say I see both sides of the argument.
However the the initial question of Is there a need for Industry Control is a prickly one because, as has been mentioned, who sets it up, who administers it , what is the entry level etc.
Having said that I dont think the question is 'Is there a need' but more of do we take moves to self regulate asap or allow imposition.
Because we should be under no illusion if, as an industry which must include public and private sector, we do not address the issue of regulation it will be imposed the minute there is a high profile blunder. At the moment lots of smaller blunders go unnoticed or unrecorded, this wont last.
It is inconceivable to me that the importance of what we do will be overlooked or not understood for much longer.
I agree that accreditations from companies that have some axe to grind are fairly worthless. I also agree that to have completed a very technical degree course is not always a good indication of someones expertise for a court or tribunal.
I like the suggestion that a BMA type body would be the best way to go. Some kind of examination both practical and theorectical would be needed. This membership could be on an annual or biennial (or whatever) bbasis to ensure the quality of members.
I could go on, as people who know me will testify, but hopefully I have added to the debate which I believe is going to be fundamental to the shaping of our industry over the next couple of years. if I offend, sorry it is not intentional, but the very real problem in our field is that there are too many one man bands who buy a copy of Encase and call themselves CF investigators. They are not, they very often do not adhere to basic principles and can/do make some very obvious mistakes which harm us all.
Yes we need regulation and we need it now.
cheers
Chris
I agree with your point about one-man bands. A certificate in EnCase or FTK makes you good with their product and doesn't make you good at forensics if you don't have any other qualifications to back you up. There are far too many people out there with these vendor based certificates that are no more than point and click forensic examiners that end up posting on boards such as this when the come across something technical.
On another point the BMA is a regulatory body whose members are already qualified to a high standard. There are two points for the CF industry to consider, initial qualifications and then some form of overarching regulation.
Also, isn’t the BMA run by doctors for doctors? Is it a good idea to be self-regulated or would we be better off with an independent watchdog?
I disagree about the point and click aspect. While the classes show you how to get to the information that you need with "their" product, you are shown where the data is at and why it is there.
The registry isn't going to change whether you use regedit, registry viewer, encase, or anything else. You can interpret the results of an index.dat in numerous programs and certainly net analysis doesn't let you explain the difference in times to a jury.
I do defense work, groups like HTCIA, IACIS, etc wont let people who do defense work play in their sandbox. Does this mean I am not qualified? No, it means that I will not get a certification from those 2 organizations or any organization that has rules against doing defense work.
Good to see this thread kicking off again! Some really good points being made by all posters.
I too do not come from an LE background and with the majority of work being defence or corporate some organisations won't touch me with a barge pole. However I come to the industry having now had 20 years of IT security and Corporate investigation experience. I'm I qualified? I don't know how even I judge the answer to that question. The Courts are happy when I act as an expert witness, I can recite the ACPO guidelines for aquisition with my eyes closed and standing on my head, I regularly find evidence on drives where other investigators have not and several Police Forces call for advice now and again which I happily give free of charge. Qualified, I don't know? Do I believe I do a good job for my clients, I do. Do I believe that I need to be regulated; absolutely, and anyone that doesn't probably needs to consider their confidence in their skills.
The post about the CRFP is an interesting one, I've contacted them and am interested in what they are offering, perhaps the industry will get behind it, at least here in the UK.
What do you think?
ah y'know these are the interesting topics not what software to use )
The point about defence work is well made. In my opinion nobody should be afraid to conduct defence work as long as sound methodology is adhered to. in my experience the only people, or organisations, that do oppose it are those staffed by existing or former LE agents who seem to believe that by doing defence work you are the devil and are some how going to trip up the prosecution. If its wrong its wrong and as FORENSIC practitioners we will adduce what is wrong or for that matter right!!Listen to my mind it is not about defence or prosecution work, in fact that is the very reason we do need some form of assoc or regulation.
The industry is not about Encase, FTK, Paraben or god forbid Vogon!!! Yet some people would have you believe that is the case.
What we do is about a methodology and sound procedure that actually is very easy to measure. The question is who will be the arbiter of the methodology, governement? (no chance) the law? (hope not) vendors? (never) us (absolutely) Rather than being subjective we need to be objective about who we are and what we do.
And just to give you an idea about how I have come to these opinions…
I have been involved in investigating computer crime for the last 15 years. 11 of which have been in LE and the remainder in commerce. I have worked in both small and global companies., Jeez I sound old!!
well thats a little more ranting of my chest. sorry if my thoughts are a little less than joined up but I write it as i think it. more later
This is an important subject lets keep the posts coming in!!
cheers
chris
armresl, I stand by my assertion about point and click investigators. I know of people who have no computer or law enforcement experience that have managed to go on a vendor based course, get hold of a copy of the software and go into the CF and IR business, with nothing more than this one course to provide them with CF and any relevant IT knowledge.
I’ve never been on a specific vendor based course, but I’ll be surprised if they give you a thorough grounding in the basics of data storage, file system structure or registry fundamentals. More likely just how to direct their software package at the relevant repository, registry or wherever, and extract artefacts. And no, the registry probably won’t change, but if you never really understand it to begin with then it doesn’t have to.
Going on these courses does not make you a competent FE.
We seem to be on the same wavelength Chris, I believe that in this country (and the US) everyone is entitled to a defence, that is what our justice system is built on. Why do so many LE demonise it so much? I know a number of LE professionals who get fed up with the less moral from our art walking into a HiTech Unit and who immediately start shouting the 'Trojan' defence; they give us a bad name.
I defended a CP case 2 weeks ago and within a few hours work could see the person was guilty, thankfully I have reasonable lawyers that then instruct me to gather more evidence against the person so that they will plead guilty. That is working for the good of the client not some half baked technicality that the defendent gets all excited about and insists on pleading not guilty and getting hung, drawn and quartered for it.
I've worked in good and bad HiTech Crime Units, some where they are really looking out for the truth, others where they just want to pin someone to the wall. A defence expert is key to ensuring justice.
Recently I represented a person charged with fraud. There appeared to be considerable evidence against them until we looked at computer evidence. It showed that he was utterly not guilty. Without a defence expert he would have gone to prison. We should be treated equally to the prosecution experts not like second class citizens.
Lets get some registration and industry control and undemonise the job!
Perhaps this should be a different thread Jamie?
Nick