
PI licensing

73 Posts
19 Users
0 Reactions
235.1 K Views
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

From the state PI tests I've received feedback on, not a single question pertains to

file systems
operating systems
non-standard storage devices
live analysis
postmortem analysis
databases
timeline activity
Internet history
E-mail
instant messaging
deleted files
unallocated, pure unallocated
file slack
ETC.

What _should_ happen is something well thought out and intelligent.

It would not appear that a PI would be neutral in pushing forward a solution that does not suit his/her own agenda. As we saw in the state of Georgia. There was (is) an agenda and it was (is) very apparent.

I have yet to see a PI requirement and exam that covers the specifics, the details, and the granularity of the data forensics realm. In fact, dealing with some individuals from various state boards has clearly demonstrated that many members of such boards have zero experience and very little knowledge as to the items listed above.

One cannot set requirements and control what one does not understand.

Because a forensics practitioner has access to personal and private information does not make him/her a private investigator.

Because a forensics practitioner performs some processes that parallel processes a private investigator performs does not make him/her a private investigator.

Moving forward in 2009 and beyond what makes sense is that the forensics community works together to develop something similar to the CPA. No forensics practitioner is arguing against requirements that indicate their proficiency and professionalism. Many, however, are arguing against having to learn any number of items non-pertinent to their past work, current work, and future work (vaccinations for guard dogs, ETC). Many are arguing against having to go backwards and undertake training and learning that has nothing to do with their primary business. Many are arguing against having their right to earn a living put on hold because the minority has lobbied successfully to put forth their agenda.

In fact, what would appear to make _more_ sense than to roll up forensics practitioners under PI boards in every state is that for those PIs practicing forensics they roll up under the forensics profession. Define the requirements for the work, and any who attempt to join must meet these (whether you're a forensics practitioner, security professional, PI, etc.). It doesn't have to be a pissing contest about control and ownership. It should suit the people of every state as their information is on the line. Whatever the requirement ultimately is it should indicate that any person meeting that requirement has the knowledge and expertise to practice as a forensics practitioner and that any resident of any state should feel comfortable in retaining their services.

Unfortunately for those states currently requiring a PI license as a means to regulate and generate income from forensics practitioners the reality of it is that possession of a PI license does NOT equal knowledge and expertise in data forensics. Because we go back to the PI requirements and exams. They don't fit what the forensics practitioner does on a daily basis.

Look to other professions as examples and guidance. Lawyers retain paralegals. Paralegals have access to personal and private information. Yet paralegals aren't required to be licensed and pass the bar. Why would the same _not_ hold true for the forensics practitioner retained by an attorney? The forensics practitioner is working for the attorney at that point.

If you say that in order to practice as a forensics practitioner you must possess a PI license you are saying that every licensed PI can be hired as a forensics practitioner - that he or she has the knowledge, skills, expertise, and experience required. We _know_ this is not the case. The relationship of PI license to forensic practitioner is _not_ 1-to-1.

If that is true, that in fact a 1-to-1 relationship is not true, then the idea of a PI license as the requirement and barrier to entry is false.

This should be very simple. Define what the requirements are based upon the work involved. Set forth requirements that suit the profession, don't pull the profession into a somewhat similar category just because.

There's more, but that's enough for now. But for those who have time to pass, GOOGLE private investigators and data forensics in your area and read the information on their web sites. Then head over to archive.org and wayback their web site, and compare the forensic expert of today to the private investigator of yesterday. It's amazing to see the number of "experts" that have morphed within the past three years.

Cheers!

farmerdude

www.onlineforensictraining.com

www.forensicbootcd.com


   
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

Howdy, TR (aka "farmerdude")!

Good to banter with you online. It's almost like the times we chatted at the Cybercrime Summit or the ATL HTCIA meeting. lol

To your comment

From the state PI tests I've received feedback on, not a single question pertains to

file systems
operating systems

ETC.

Yet, how many folks with certs for EnCase or FTK or whatever know how to maintain chain-of-custody?
Or develop a chain-of-evidence?
Or can explain the difference between the two?
Or develop a timeline?
How many EnCEs know how to question a Subject? (It's amazing how much more quickly I get relevant info from a digital device after I speak with its owner!)
How many know what constitutes "trespass" or "expectation of privacy" according to their community standards?
Or write a succinct (translation "attorney-readable") report?
Or testify in court?
ETC.

I have argued to our Computer Forensics Advisory committee that the PI CFE endorsement must be vendor-neutral. I think we can all agree that just because someone is an "expert" in the use of a particular package, they are *not* "Experts."

Because a forensics practitioner performs some processes that parallel processes a private investigator performs does not make him/her a private investigator.

Thank you! That's why a CFE *needs* to learn certain PI basics. In SC, that means the candidate must have a background in military, law-enforcement *or* apprentice for 3 years with a licensed investigator. (Some of that time is waived if one has a relevant degree.)

Moving forward in 2009 and beyond what makes sense is that the forensics community works together to develop something similar to the CPA…. Many, however, are arguing against having to learn any number of items non-pertinent to their past work, current work, and future work (vaccinations for guard dogs, ETC). Many are arguing against having to go backwards and undertake training and learning that has nothing to do with their primary business. Many are arguing against having their right to earn a living put on hold because the minority has lobbied successfully to put forth their agenda.

Are you volunteering to work with others to develop a suitable exam for CFE endorsement? *I* am! (I appreciate, though, that your forensic liveCD keeps you busy. This past wet month means you'll also be busy on the farm.) But how do we know *what* we need to know? (Though I'll give you that one on vaccinating guard dogs. Woof!) That sounds like the schoolkid complaining, "But Dad! I'll *never* need to know 'jawgraphy!'"

And if, say, I decide I'd like to transition my knowledge of CF to the practice of law, yup, some aspects of my life will be on hold while I attend law school. (Lordy, if my ex-wife thinks I'm obnoxious NOW, wait 'till I pass the Bar!)

In fact, what would appear to make _more_ sense than to roll up forensics practitioners under PI boards in every state is that for those PIs practicing forensics they roll up under the forensics profession.

Erm, no, many CFEs tend to be what attorney Craig Ball refers to as "tool-tykes." They know how to click on menu options, but know little-to-nothing about "what's under the hood." And most PIs I know will tell me they don't know computers and they don't WANT to know computers. They say to me, "That's why we keep *your* number on speed-dial!"

Look to other professions as examples and guidance. Lawyers retain paralegals. Paralegals have access to personal and private information. Yet paralegals aren't required to be licensed and pass the bar. Why would the same _not_ hold true for the forensics practitioner retained by an attorney? The forensics practitioner is working for the attorney at that point.

In SC, we call them "legal investigators" and these *don't* need a PI license.

If you say that in order to practice as a forensics practitioner you must possess a PI license you are saying that every licensed PI can be hired as a forensics practitioner….

That is spurious logic. To say "If A is to the left of B and B is to the left of C, then A must be to the left of C" is not true if these points are on a circle. Forensic practitioners and PIs are *not* reflexive professions. Regrettably, in my State, there is nothing to stop one from saying "I'm licensed as a PI, therefore I can perform computer forensics." That's one of the scenarios our committee is endeavoring to prevent!

There's more, but that's enough for now… [Compare] the forensic expert of today to the private investigator of yesterday.

And recall, too, where CF was 15 years ago, when about our only "forensic" tool for the PC was Norton Ghost! wink

Cheers!

farmerdude

To you, as well! D

-AWTLPI


   
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

The facts of the matter really are quite simple

1) Most forensics practitioners need and want some baseline requirement, as found in other professions (BAR, CPA, etc.). Most presumably, insurance, business permit(s), and a combination of experience, education, training, certifications. A baseline foundation can easily be determined across the board. (Though by the requirements of every individual forensics-oriented certification this appears not to be true.)

2) If a forensic practitioner's business doesn't require him/her to perform PI-centric processes then he/she should not be required to obtain a PI license.

For example, many forensic practitioners never question a subject. They analyze data and report findings.

3) If a forensic practitioner is retained by someone having the legal right to data why should he/she be required to obtain a PI license?

For example, many forensic practitioners are retained by law enforcement, the courts, or legal counsel. As such, he/she is acting on their behalf and falls under their umbrella. Any of these three have obtained the right to access data and the forensic practitioner works within that right. Why would anyone argue that a PI license must be required to work under this umbrella? Other experts working under this umbrella are not required to have a PI license.

4) As already evident in a number of states, having access to personal and sensitive information is not a condition to obtain a PI license. The forensic practitioner, the help desk support person, the computer shop repair person, the tax preparer assistant, the paralegal, the hospital data entry person, etc., all have access to private, personal and sensitive data. A PI license does not solve or resolve the issue of privacy and responsibility. Rather, a national mandate about the creation, storage, access, retention, and destruction of data is needed. And not separate acts for every industry (IE, HIPAA, GLBA, etc.). Because all data needs to be recognized and protected.

5) Arguing or discussing the number of intelligent, educated forensics practitioners versus the number of point-and-click wannabes is pointless. It doesn't get to the heart of the matter nor resolve the issue at hand. The same holds true for the number of intelligent, educated private investigators versus the number of point-and-click wannabes. To t*t-for-tat about forensics certifications, "tool tykes", etc., is a waste of resources.

6) Providing the residents of states with experienced and professional forensics practitioners _is_ something every state should be concerned about. Forcing the square peg into the round hole, because it will go if you cram it hard enough, is not in the best interest of the residents. Removing a population of experienced, educated, and qualified forensics practitioners because they don't hold a PI license is not only a disservice to the residents but may result in a legal mess that could result in botched cases, large financial costs, and lost liberties.

For example, let's look at what AWTLPI has written about the state of South Carolina. He has indicated that in order to obtain a PI license in SC I would need to have either a military background, experience in law enforcement, or apprentice for three years with a licensed private investigator. If a PI license is required to work as a forensics practitioner in SC then I would not be deemed acceptable to work as a forensics practitioner in SC based upon those three criteria. All of my knowledge, all of my experience, all of my testing and validation, all of my development - it would not matter in South Carolina. Rather, another person with a PI license but lacking my knowledge, my skills, my experience, etc., would be able to work as a forensics practitioner.

Now tell me, AWTLPI, how do you explain that to the residents of South Carolina? A lesser qualified person holding a private investigator's license can work as a forensics practitioner but a more experienced and qualified person cannot be retained as their expert?

To reiterate, forcing a PI license to be the criteria for working as a forensics practitioner in any state is both A) ignorant and B) does not solve the issue at hand. The very fact that there are many more licensed private investigators who do not work as forensics practitioners is evidence of why a PI license is not the answer. Instead we (forensics practitioners (including PIs working as forensics practitioners)) need to work together with other similar professions to resolve what is at stake and define the requirements. Backroom lobbying and forcing personal agendas based upon greed and ignorance is bulls*t. Would it not be wise and more intelligent to work together for the greater benefit of our profession and those who retain us?

Cheers!

farmerdude

www.onlineforensictraining.com

www.forensicbootcd.com


   
(@larrydaniel)
Reputable Member
Joined: 17 years ago
Posts: 229
 

The reason that I disagree with it being a PI license is that PIs do not have the expertise to perform the work properly. So without an experience and training requirement specific to digital forensics, it places people at the mercy of someone who does not know what they are doing.

Having it as a separate license for DFC places some requirements on obtaining the license that adds some insurance that the DFC will actually have the proper experience and training.

Also, having it as a separate license in no way prevents PIs from getting the license if they qualify.

On the other hand, if it is only a PI license, then the experience needed to qualify for a PI license should allow full credit for DFCs experience to qualify for that license. However, the catch-22 is that a private DFC will probably not have the background or desire to be a PI.

I wrote a position paper on this. You can get it from my website at www.guardiandf.com in the articles section. I hope that helps.


   
(@larrydaniel)
Reputable Member
Joined: 17 years ago
Posts: 229
 

Also, if I remember correctly, the SC law was amended to only require a PI license if you are obtaining original evidence, i.e. doing acquisitions. Consultants working on evidence obtained by others are not required to hold a PI license. Correct me if I am wrong on this.


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Yet, how many folks with certs for EnCase or FTK or whatever know how to maintain chain-of-custody?
Or develop a chain-of-evidence?
Or can explain the difference between the two?
Or develop a timeline?
How many EnCEs know how to question a Subject? (It's amazing how much more quickly I get relevant info from a digital device after I speak with its owner!)
How many know what constitutes "trespass" or "expectation of privacy" according to their community standards?
Or write a succinct (translation "attorney-readable") report?
Or testify in court?
ETC.

Sorry. But I know policemen who are simply lousy at testifying in court and painful to watch. I know policemen and PIs who, on occasion, have broken the law or violated an individual's rights, in pursuit of their case.

Licensing someone doesn't prove anything. In most cases it is simply a barrier to the entry of others into the field.

Look at SC as an example. There is nothing in their Private Investigator law which does anything to protect the public or guarantee competency in the aforementioned areas except the requirement that the PI post a $10,000 bond.

So what? How does any of that guarantee that you'll be good at what you do? How does that protect the public?

Also, it exempts attorneys. Why? What special qualities do attorneys have that make them qualified investigators?

At least other professional boards such as law and medicine require demonstration of some level of training by accredited organizations and even then, there is the danger of restraint of trade. When states passed medical licensing laws requiring advanced education, the number of women and minorities practicing medicine dropped precipitously. Further, there is no evidence that the public was unhappy with the system prior to licensing.

I am not saying that credentialling is not important. But the process of credentialling should serve the public interest, not the interests of the profession, if the states are going to do it.


   
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

A couple points of clarification

In SC, you need a PI license if you are doing work for-hire ("hanging out your own shingle"). A license is NOT needed for in-house corporate CFEs or those working exclusively for *a* law firm.

As to LarryDaniel's comment, SC State Attorney General Henry McMaster issued the following opinion on April 23, 2007

Consistent with such, in the opinion of this office, the better reading of Sections 40-18-20, 40-18-30 and 40-18-70 support the conclusion that such provisions require that an individual or company selling their services in South Carolina as “computer forensics” experts secure licenses as private investigators. Such determination would be applicable to individuals who accept fees to examine and copy computer hard-drives to extract information to be reported to clients and to be presented in courts as evidence and/or testimony in civil and criminal actions. The duties performed by such individuals or companies would appear to meet the definition of “private investigation business.”

* -Emphasis added.

So, farmerdude, you are more than welcome to review my work or even be called in as an "Expert Witness" (assuming you pass the Daubert Hearing) in our fair State, but you'd have to do so for free.

To address seanmcl's comments
True, licensing/credentialing do not guarantee good work. Just because a person has passed the Bar does not make her a good attorney. Nor does having "MD" after a name make that person a good doctor. That's why we have malpractice- and license-revocation statutes.

Our State's Computer Forensic Advisory Committee was not formed in the interest of restraint-of-trade. Far from it. We *are* interested in protecting the public. We want to be able to say to our residents, "If a PI claims to be able to perform digital forensic analysis, we have examined her qualifications and endorsed them."

To argue as to whether or not those performing digital forensics in SC should have a PI license is moot. It's been the law for the past few years and our State Attorney General has indicated no desire to change it. All we're seeking to do is to establish a certain mandated level of expertise before we issue an endorsement.

-AWTLPI


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

To address seanmcl's comments
True, licensing/credentialing do not guarantee good work. Just because a person has passed the Bar does not make her a good attorney. Nor does having "MD" after a name make that person a good doctor. That's why we have malpractice- and license-revocation statutes.

Our State's Computer Forensic Advisory Committee was not formed in the interest of restraint-of-trade. Far from it. We *are* interested in protecting the public. We want to be able to say to our residents, "If a PI claims to be able to perform digital forensic analysis, we have examined her qualifications and endorsed them."

To argue as to whether or not those performing digital forensics in SC should have a PI license is moot. It's been the law for the past few years and our State Attorney General has indicated no desire to change it. All we're seeking to do is to establish a certain mandated level of expertise before we issue an endorsement.

Well, malpractice is the market solution to the problem of incompetent physicians. Licensing is not and never has been. It is a barrier to entry, purely, and one based upon assumptions about outcomes which have never been proved (and I am speaking as someone licensed to practice medicine in Pennsylvania).

More to the point, which you did not address, is WHO pressed for the SC legislation. Certainly not the public and not the consumers of IT forensic services. Neither did the public press for medical licensure.

So who does the law serve? Cui bono!


   
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

Again, it goes without saying, but here in the States the backroom lobbying for pushing personal agendas based upon greed and ignorance is rampant. I only wish it were criminal. The PI board pushed for changes here in Georgia, and not for the general welfare of the residents of the state of Georgia. Everyone unfortunately suffers. The majority pays for the mistakes and greed of the minority, I think the saying goes.

If anyone has an interest there is a DVD video of a member of the Georgia Board answering questions and attempting to defend his position that forensic practitioners need to be licensed PIs. Unfortunately neither he nor the legislative rep with him were able to answer many questions, such as technical specifications, file system types, live analysis, cross-border storage area networks, how to measure the qualifications needed, ETC. But he did reiterate that _he_ (PI Board) should license forensic practitioners - though they don't know what it is forensic practitioners do nor how they do it. And there they stood, stating they did not know, nor had they thought of it.

This discussion has gone where it almost always goes - in the crapper. The PIs saying it's fair and needed and the like, and others stating it's not and questioning motives and how it can possibly apply. Still waiting for that PI to _agree_ that a PI license is overboard and not required, but that some standard should be set forth. You don't see that, do you? You only see I have it, you should too!

And finally, in response to "So, farmerdude, you are more than welcome to review my work or even be called in as an "Expert Witness" (assuming you pass the Daubert Hearing) in our fair State, but you'd have to do so for free." then I can only say with all sincerity I am sorry for the residents of South Carolina, because they unfortunately reside in a state that has allowed a minority to control the majority by putting forth personal agendas based upon greed and ignorance that will have long-lasting impacts on their rights to life and liberty. Shame on the legislature of South Carolina for being apparently so narrow minded and uneducated. Had they done their homework, had they represented the residents who put them there, they would have defined a standard that _all_ folks practicing as forensics practitioners would need to meet.

Cheers!

farmerdude

www.onlineforensictraining.com

www.forensicbootcd.com


   
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

More to the point… is WHO pressed for the SC [legislation.] Certainly not the public and not the consumers of IT forensic services. Neither did the public press for medical licensure.

So who does the law serve? Cui bono!

The issue was first raised to our State Attorney General by the then chief of our State Law Enforcement Division (SLED), Major Mark Keel after several cases had been tossed due to botched "forensics." SAG McMaster's response is partially quoted in my previous posting. The full text can be downloaded as a PDF here.

Pursuant to Maj. Keel's request for comment, SAG McMaster tasked SLED with looking into a solution. SLED approached our State's PI association, SCALI, suggesting that we form a joint committee to look into the matter of CFE endorsement v. separate licensing for CFEs.

No outside special interest groups were involved in the forming of this committee. The State AG does not stand to gain financial interest in licensing CFEs and any funds generated for SLED from such an endorsement would be trivial in comparison to the funds collected from regular licensing fees. The goal has always been to protect the public from substandard examinations and reduce, if not eliminate future incidents of incompetent digital forensics.

-AWTLPI


   