
LE versus IT experience

22 Posts
17 Users
0 Reactions
1,894 Views
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
Topic starter  

I'm going to start a thread, here, because I have seen the issue come up in a number of different settings, i.e., licensing of computer forensic professionals, hiring of IT people and training in LE procedures versus hiring LE and training in forensics.

And so I am going to make an assertion, a straw man to be precise, and it may sound self-serving and perhaps it is. But my goal is not to make a claim but, merely, to throw out an idea and see how the community reacts to it. And in the poll I'm not allowing for wiggle room (e.g. both, neither), because it isn't helpful to deciding how people really feel.

And this is not, purely, theoretical, as we are advising people as to how to pursue a career. And it is not meant to be critical, except as a means to challenge current ideas.

My assertion is that almost every other forensic professional is an expert in their primary field, and an expert in LE/rules of evidence, secondary and, thus, that forensic professionals of the future should be (or would, preferably, be) experienced IT professionals who are trained in forensics and in the rules of evidence rather than trained explicitly for forensic IT.

Consider that forensic pathologists are, first, trained pathologists and medical doctors and then trained in investigative procedure. Forensic chemists are, first, experts in chemistry who become qualified to practice chemistry in a manner consistent with the legal process. Forensic auditors are, first, accountants, and then investigators.

I am biased in that I base my conclusion, in part, on the more recent cases that I have been working in which describing the "what" is less important than being able to document the "why" and "how" and that to do that, one needs to understand how IT systems and organizations behave. And, in part, I am basing my comments on recent legislative attempts to restrict IT forensics to people with investigative experience but, perhaps, no real IT/organizational experience.

Of course, this does not apply to simple issues like whether there is CP on a computer or whether a spouse has been having a dalliance with someone other than the other spouse. And I realize that the profession can utilize the services of technicians as well as diagnosticians and therapists.

But in more complex issues, understanding how the organism (the organization), works is as important if not more important than other knowledge, in terms of building a case.

I mention this, in part, because institutes of higher education are building curricula around computer forensics (thanks to CSI, the interest in forensics of all sorts is on the rise), and because I have seen some recent postings emphasizing the importance of LE training or experience.

And I am wondering whether, like other positions in forensic science, forensics is the specialty and the primary area of expertise is the science or technology, itself?

Disclaimer: I recently was interviewed by Jamie and by a publication interested in the prospects of a career in IT forensics and I expressed my opinion in the value of practical IT, not forensic, experience.

Also, I am happy to be embroiled in controversy, even skewered, so I look forward to critical, well-reasoned objections.


   
(@andrewcallow)
Active Member
Joined: 17 years ago
Posts: 7
 

Sean,

This is an interesting thread.

I personally think it is healthy to have a mix of both IT professionals and law enforcement, but in my experience some of the best examiners are from law enforcement that have had no previous IT experience.

To use a cliche, at the end of the day you can have all the IT experience in the world, but all that matters is that a forensic examiner has received sufficient training to enable a jury to understand the evidence and put the criminals away.


   
diesel
(@diesel)
Active Member
Joined: 17 years ago
Posts: 18
 

This is a very interesting thread. I wonder if those from law enforcement backgrounds vote law enforcement and those with an IT background vote IT background :)

I think if, for example, there were 2 people, one a police officer and the other an IT technician, neither with forensic experience, I think maybe it would be more efficient to train the police officer as, without offending anyone, I would say it is easier to teach people who can investigate IT skills than to teach IT skilled people to think like an investigator.

But if the person in question has skills in both investigation and IT then I'm not sure it makes a difference what the background is. Working in a 50-50 law enforcement/IT background team I can see the benefits of both and it really does help having a mixed team with different experience.


   
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
 

I suggest that–given a reasonable, intelligent candidate–either background can be developed/enhanced with solid training in the lacking area. I do lean toward IT experience, perhaps, due to my own background and ability to quickly grasp legal concepts, but, more so, because of what seanmcl mentioned:

"one needs to understand how IT systems and organizations behave"

Andrew correctly asserts that an examiner needs to be able to effectively communicate findings to juries. Though, I wonder if that skill can be acquired through training (classroom, mock trials) more quickly than acquiring a thorough understanding of electronics, computing, mobile devices, software engineering, database design and operation through years of IT experience.

Were I short on the understanding of technical underpinnings, I would be concerned about my ability to properly convey and support my message to the jury, regardless of polished delivery skills.

Whether in the lab or on the witness stand, I will have legal resources–fellow examiners (lab), staff attorneys (lab), trial attorneys (courtroom). However, in the courtroom, supporting legal counsel is present while technical expertise is typically limited to my own experience.

Were I an attorney, I would prefer to have an expert witness whose expertise foundation is IT and is trained to speak in public forums.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I'll throw in a side aspect of the thing.

At least here in Italy the "status" of a "consultant" is different from that of a "civil servant", and the "status" of the latter is different from that of a "LE officer" from the Law standpoint.

As an example, a police officer has some lawful means to procure evidence that the civil servant misses (let alone the consultant).

Moreover, the possible consequences of a perjury or gross mistake in the "witness" deposition or hearing are, at least theoretically, much more "serious" for the LE officer, a little less for the civil servant and yet a little less for the consultant (exception made for the loss of reputation).

The consequence is obviously that, generally speaking, a LE officer opinion has usually more "weight" than that of other subjects.

On the other hand, untrained LE officers may, even in perfectly good faith, alter seriously the evidence:
it is on all the local newspapers the issue with a horrible homicide where the suspect's alibi, which had been knocked off by computer related evidence.
Just recently new exams found out that supposedly the repeated accesses to the PC by LE officers caused the deletion of some "last accessed" data, which was later found and at the moment confirms the alibi.
A quick report in English:
http://italy.euroenews.com/entertainment/murder-garlasco-in-favor-of-the-stasi-report-on-the-computer/

And even trained officers have a record, at least in the public opinion, and again most probably in perfect good faith, to often pursue a given thesis during the analysis of the evidence, as opposed to be led by the evidence to a thesis.

The result is that forensics is starting to be seen with less favour by the general public (and consequently by juries) after the initial "absolute love" caused by the popularity of CSI (and CSI-inspired) series.

People are simply losing faith in something that should be "objective" or "scientific" but that in "real life" proves to be incomplete or even deceiving.

This is probably due to a combination of some cases where "less-than-perfectly-trained" LE officers findings and conclusions were partly or completely debunked by later findings or different and proved to be correct interpretation of evidence, with some cases where the whole prosecution was based on "scientific evidence", without any "traditional investigation" confirmations/checks.

jaclaz


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

IMHO, both have their advantages.

An IT background would ideally give you a deeper understanding of networking, operating systems, applications, and how they interact.

However, I have also seen where this hasn't been the case…in fact, as a consultant, I most often respond on-site where this isn't the case. I have told others…and firmly believe…that if you understand "TCP/IP Illustrated vol 1" by Stevens (or just the fact that TCP has a three-stage handshake), you're head and shoulders beyond most IT folks. This isn't to say that IT folks aren't smart…I'm not saying that at all. I'm simply saying that in most of the cases I've responded to, a lack of understanding of the basics (ie, "password" is not a strong password, and _blank_ is often the first thing bad guys try for the MS SQL Server 'sa' account…) is what happens to be the root cause.

IMHO, the issue with an LE background is that in many cases, LE are LE first, then forensics types. A basic background in investigative procedure may be useful, but it can be learned by someone with the desire.

I think that regardless of the background, the key factors are a desire/thirst to understand, a logical thought process, and level of maturity where every question isn't a personal attack is about all that's really needed.


   
fdd_dkerr
(@fdd_dkerr)
Active Member
Joined: 16 years ago
Posts: 8
 

In my experience there is evidence that examiners with an IT background have a deep and comprehensive understanding of how file systems function and how operating environments utilize those file systems. This isn't to suggest that examiners with a LE background don't possess comprehensive familiarity with these fundamentals, though I believe that it is accurate to say that LE examiners are LE first and examiners second. In the United States, where I perform the majority of my work, the recent 9th Circuit US Court of Appeals ruling which attempts to redefine the doctrine of plain view may draw this difference into sharper focus; assuming, of course, that the ruling is not overturned. In the spirit of full disclosure I, myself, come from an IT background but I work closely with law enforcement. I dislike generalities, and this is opinion, but I doubt very much that it matters which background you have as an examiner so long as you have the knowledge to speak with authority as an expert witness.


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I think my point has been stated by others more eloquently.

LEOs are excellent at speculation more often into the positive direction.
IT experienced are excellent at proving evidence to be correct or misleading.

I think there is slight advantage for the IT experienced individual versus LE experience only individual, both in court and in the actual investigation, when talking about background for a forensic investigator.


   
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

This question is difficult to answer because as one from a LE background I don't necessarily know what I'm missing from not having an IT background and I suspect the reverse is also true. Experience usually serves better than training whatever experience that may be.

As to which one makes a better examiner it may well depend on the type of analysis one does. What has served me well are the same suspicions and problem solving skills I developed through investigating cases of all kinds.

Computer forensics is not strictly a technical discipline. Because we are rarely interested in presenting all the data on a device we must use other skills to support our findings.


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

I think if you come from a background where you understand protocol and procedure you are better off. This can come from either LE or IT. In reality we are chaining together a series of events to solve a problem. Why did a system crash or what happened at an incident scene will take observation, critical thinking and patience. Not sure if one background is better as it is a matter of personality. I think there are inherent benefits and negatives from both fields of training. Example - LE people, and please do not take this as a sweeping characterization, can be a bit rigid in their approach and IT people can be a bit of a know-it-all. There is a blend of science and art when doing investigations - it's important that one know how to think analytically - not sure if you can train that or it's self-taught.


   