I would have to agree with Keydet 89 that LE is first LE. They learn the basics of forensics and then learn the more advanced stuff just as you and I would. Granted, they do get a lot of free training. But first and foremost they are Police Officers. But to really understand what is going on, an IT background would be helpful. Taking apart a computer is easy, but to really understand what the OS is, what the MFT is, what FAT or NTFS is and everything that goes along with it, does not involve Police Procedures. Nor is it LE that are writing the books or coming up with the software programs that we use.
For instance, you can read a book and be able to do almost anything. But it is the real world experience where you learn. You pick up things along the way, that can lead you in other directions. As in, not only doing forensics, but doing Pen testing and "ethical hacking".
One item I forgot to add in my first paragraph is that you can learn the proper ways to handle evidence, take classes on expert testimony. This would be the same things that LE will learn. The only difference we don't use warrants (if working in the civil arena) to get the data. We are hired by other companies to help support them in litigation or as stated in an earlier post, showing a husband or wife the emails proving their spouse is cheating on them.
I was a civilian examiner employed by LEA. Best of both worlds. I was the property officer for my lab for 3 years, so I know more than I need to know about chain of custody. I also did criminal law at Uni, and what I didn't know was filled in by a colleague who was an ex-prosecutor before changing to forensics.
Regardless of which way you start, you're going to have deficiencies. However if you are doing this full time, in my experience, by the time you have about 5 years under your belt, the difference is very little.
The most valuable experience I have from law enforcement is investigative experience. It's a development of intuition, and computer forensics is an intuitive process.
Second is experience from hanging out with criminals (perhaps also achieved through a mis-spent youth!). When I got out of college I worked in a jail for 3 years. I decided early on I could learn something from everyone. Most criminals love to talk about themselves and the stuff they did. Those conversations served me very well as a patrol officer and investigator. They still do today. In our field we work on computers but we are examining the deviant mind.
Chain of custody and evidence handling is simple.
Having started out in the same place as Tony and then moved over to the UK, working in Corporate Litigation and now in government/pseudo law enforcement, I agree with him.
I have had to learn the legal side of things and bolt that on to my IT education and experience and then re-learn aspects of it after moving to a new country. I have also helped to bring LE officers up to speed in the technical side of things while at the same time learning invaluable things from them that have had me considering a LE career at times.
No-one can rest on their laurels in this industry, so no matter your background you are obliged to keep up with both technical and investigative/legal advances and changes that affect the specific field you work in.
I agree in part with Greg's points also. I was taken out of a pure forensic lab environment and embedded with detectives for 3 years, and I learned a heap from working with them on a day to day basis, particularly about how criminals think, the mechanisms by which many kinds of crimes are perpetrated, and the surprising things that criminals keep that can be evidence that you'd think any normal person would get rid of.
Also, hello Simon. I hope you're enjoying London.
Also, hello Simon. I hope you're enjoying London.
Tony, It's Catherine, I'll have to tell Simon about this, he'll love to be mistaken for a girl wink
I think when we discuss this topic it cannot be done in generalities but in specifics. I have had a few instances of Netword admins reporting a crime (DOS or intrutions) and then dumping a Huge log file in my lap as the evidence. Well..in that case I NEED (as LE) the Network Admin to walk me through his network, the log and the processes just so I can get it on paper to initiate a criminal action. Down the road if/when it goes to trial, I will need the EXPERT, which is the Admin, to testify. The Role of a Tech LE in in this is to understand the basics and keep it organized.
Forensics, for a MAJORITY of the cases, and I am talking "Criminal Law", not the crazy voodoo Malware stuff, can be accomplished by a LE. Realize that modern LE dept's are not just giving a guy FTK and PC and calling him a Forenic Guru. Take for example the FREE LE Classes offered by NW3C (National White Collar Crime center , WV-USA). They have Basic, Intermediate and Advanced Data Recovery class. You will spend a Week of your life manually recovering data using Norton Disk Edit, Re chaining FAT tables etc. Not a fun date, but very educational. Jump to their NTFS class. A week looking through the NTFS Metadata…gutting the MFT (Hex and all). I purpose that there are very FEW classes in the IT world that go into this level of detail on these specific topics.
Being a Paper cert holding a MCSE, A+,Net+,Sec+,SAN's GSEC and the tool specific EnCe + ACE doesn't hold a candle to the LE Specific CFCE certification process and the effort and learning it took to obtain that.
I guess alot of it has to do with Job experience. I have a a civilian analyst that is/was neither LE or IT and I would put her on any forensic investigation and obtain a thorough result.
All that being said…I would rather the IT dept's run the Forensic training and keep it away from the Criminal Justice Types. I work on a College campus and at least I can say that folks in IT have some hands on experience with IT, where most of the CJ folks are not LE types, mostly Attorneys or Sociologist who needed a position… LE is really something to be lived and experienced…not learned in a book. And those experiences are what will make or break a good Forensic Examiner or
Think of it this way - what would be faster and easier?
Teaching IT enough LE to properly identify, preserve, and secure digital evidence, or teaching LE enough IT to do the same?
This will always be a difficult question, however, I am more leaning towards IT over LE. I have degrees in both Computer Science and Criminal Justice, and thought the CJ degree was more interesting, but less technical in nature. Since we don't want or really have "push-button forensics", I think there is a lot more that can go wrong on the IT side, and that it would require more tech skills to master.
My own belief is that you need a strong IT background, with "just enough" LE to properly handle the evidence and present it in court.
bj
This is really interesting ready how different people react to this. My opinion is, that a healthy mix of both is adviseble. To me merely having the two is not enough, Computer Forensics to me is a science. Therefore I think a scientific mind is needed, a mind that is ever evolving and learning. The le mind set is inquiring and that helps in following data artefacts and drawing a conclusion, the IT mindset is on how computers work, which helps understanding different OS. But for me where it all marinates togetheri s adding a scientific mindset to that in understanding how things work, why they work like that and the end result in this recipe for me would be ideal. A person who has a strong emotion of judgement who follows the evidence and is inqusitive, a person who understands computers and the systems they use and a person who knows why things work like they work and how they change.
Greetings,
An observation - it is very difficult to get LE experience if you've been doing IT most of your life. It is much easier to get IT experience if you've been doing LE most of your life.
I'm currently talking to a number of people about ways to gain LE experience and am not having much success. Unfortunately, I was better connected to the CA LE community due to 15 years of SAR work and I don't have those connections in IL.
-David