Sunday, April 26, 2009

Computer Forensics Show, Washington, DC this week

If you happen to be attending the Computer Forensics Show in Washington, DC this week, I will be there to speak on the topic of Challenging Digital Evidence.

I will be there for the whole conference.  So if you are attending, it would be great to meet you.

Saturday, April 25, 2009

Study: Separate police, labs because of bias

An article published in the Las Vegas Sun raises issues about the control of forensics by police labs and the possibility of cultural bias.

Subtle biases contaminate forensic findings when scientists answer to cops, researchers find

I have worked on the other side of a lot of cases involving police computer forensics examiners. While I have to mostly agree with the recent report Strengthening Forensic Science in the United States: A Path Forward issued recently, I have not experienced what might be considered to be intentional bias on the part of my law enforcement counterparts.

However, there are other pressures that can create problems for law enforcement examiners, whether they are aware of them or not.

In cases where the investigating officer is also the forensic examiner, there is a greater potential for problems to arise, especially if challenged in the courtroom.

However, I submit that if there is an issue, having the evidence tested by a qualified defense expert serves to offset any unintentional bias by creating a secondary independent examination of the same evidence.

Probably the most disturbing issue with forensic evidence presented in any criminal case is that it can be admitted without independent testing. This is especially egregious in the "soft" forensic sciences where the evidence is judged by human senses, such as in fingerprints, lip prints, handwriting analysis and tool marks, to name a few.

Digital evidence is either there or it is not. Locating that evidence is the challenge presented for computer forensics examiners. Once evidence is located, it is then subject to interpretation. One of the challenges with computer forensics evidence is making sure it is presented in the correct context. And that is subject to human judgement in many cases.

Friday, April 10, 2009

Digital Forensics Professionals - Where are we going?

Digital forensics has its foundation in data recovery. That is the first step in every digital forensics examination. Back in the old days, before forensics software was created, data recovery was done using laborious manual processes and used tools like Norton's Disk Doctor, Norton's PC Tools, and other types of DOS based command line tools. Peter Norton was one of the founding fathers of disk tools.

Computer forensics, like most forensic sciences, came out of the need for law enforcement to have better investigative and evidence gathering techniques. Because of this, many advances in technique, process and technology have occurred over the last twenty years.

Computer forensics built upon the data recovery process by adding the processes and procedures needed to use recovered data in a legal setting: the creation of standards for the acquisition and preservation of evidence, application of the chain of custody, and investigative and reporting tools and techniques.

As those of us in the industry are aware, digital forensics follows the technology in an ever advancing world of new operating systems, new Internet browsers, new and different types of storage devices and digital systems.

Digital forensics also must stay abreast of the war between those who would do harm to others using digital technology and those who would prevent them from doing so.

In one of the few forensic disciplines driven at the pace of Moore's Law, staying abreast of the advancing technology requires a tremendous effort by hundreds of dedicated computer scientists in the industry.

It is through the efforts of the many unknown and the few well known such as Brian Carrier, Harlan Carvey, Gary Kessler, Eoghan Casey and others that the industry is able to continue to advance at the pace it does. There are so many in the computer and software community who contribute on both the technology side and the process side of digital forensics and who, while not becoming famous for their efforts, contribute mightily to the industry. It is this attitude of never being satisfied that what the industry has is good enough that makes Digital Forensics both a rewarding and challenging endeavor.

The Struggle for Identity

While the industry is doing a Herculean job to maintain pace with technology, it is not advancing as it should in other areas. This has created an identity crisis that must be dealt with soon for the industry to mature into what it should be: a recognized and standardized area of forensic science.

This leaves us in a position where states are trying to license us as private investigators, there are no truly cohesive standards for digital forensic professionals and while there are certifications galore, none of them really mean that much.

Why are we in this spot?

We are letting others decide who we are instead of deciding for ourselves as an industry. We are depending on the American Bar Association's statements to bolster our arguments. We do not have a national organization to lobby for all of us. We should be self regulating, not regulated by others.

What should we do?

First of all, we have to all embrace the concept that we are neutral experts. Not advocates for one side or the other. We should not be divided into opposing camps, some in law enforcement, some in private practice. While some work solely for the prosecution, and some assist defense attorneys, none of that should matter.

The first thing we need is a national organization that supports and advocates for all digital forensic professionals. Not just for one group or another.

For purposes of this post, I'll make up the name. "American Association of Digital Forensics Professionals"

What would be the purpose of such an organization?

1. Set a national standard applicable to all DFPs.
2. Create a certification that is recognized nationally, is based on reality and is applicable to real world cases.
3. Lobby national and state governments to make sure the profession is properly represented.
4. Provide some self-regulation through the censure of professionals who violate ethical or professional practices.
5. Provide the public with the assurance that someone who has managed to become a member of the AADFP has been vetted properly.
6. Provide a meaningful conduit for reporting to the Association instances of misconduct, that can be investigated and mitigated.
7. Create and sponsor continuing education.
8. Provide a clearinghouse for the collection and dissemination of industry relevant information.
9. Promote the industry as a genuine forensic science.
10. Participate in government and industry summits where forensic science is discussed and decisions are made that affect our industry.
11. Provide educational materials and opportunities to up and coming high school and college students interested in entering the field.
12. Publish information for use by the legal community to assist them in better understanding the role and capabilities of digital forensics in litigation.
13. Set professional standards for all members.
14. Adopt and enforce a statement of ethical practice.

It is my opinion that if the industry had such an organization in place, and it was properly funded and performing as outlined above, most of the state boards that are considering PI licenses could be convinced that state level regulation is unneeded.

We need to come together as an industry and begin to present a united front and speak as one voice.

Until we move in this direction, it is my opinion that we will continue to have the issues we have today with random legislation and attacks by the PI community on our ability to provide professional services.

If we want to be able to argue that we are professional forensic scientists and not just computer people with some forensic and legal skills, we need to set the standards high and abide by them. Otherwise, there is not enough to distinguish us from the computer guy down the street or the PI who buys some forensic software product.

Thursday, April 9, 2009

Want to help change the world?

I received this email from Todd Matthews of NamUs. I thought I would share it with everyone:

Dear Friends,

This past weekend -- I spoke at an event in Albany, New York.

The event has been arranged annually for 8 years by Doug and Mary Lyall. Parents of missing Suzanne Lyall, founders of the Center For Hope and two of the most wonderful people I have ever encountered. I knew they were the salt of the earth, but after spending time with them over the course of this event -- I cannot describe their dedication and tireless effort. You would have to encounter them in person to truly realize their full compassion.

They managed to establish a New York Missing Persons Day -- and established a monument for the missing in Albany --

They came CLOSE to getting a National Missing Persons Day --- one sig short of becoming a reality.

I suggested they try again -- this time as a National Missing and Unidentified Persons Day.

We've had a state level success occur in Missouri --

And we can make this happen at a National Level as well.

This needs media coverage to help shine a light on this effort --- if you can help -- please do, or refer to a media colleague. We have to make this happen for the more than 100,000 missing -- and the between 40,000 - 50,000 sets of unidentified remains.

-- Todd

Todd Matthews
NamUs /Southeast Region
Regional Systems Administrator

NamUs - National Missing and
Unidentified Persons System

On the Topic of Licensing Forensics Specialty Professionals, Including Computer Forensics Professionals as Private Investigators.

This is the position paper I wrote on this topic when North Carolina began considering requiring Private Investigator licenses for computer forensics. I decided to post it here, in its entirety, so people would be able to understand my stance on this issue.

You can download this document in PDF format from my website at Position Paper

On the Topic of Licensing Forensics Specialty Professionals, Including Computer Forensics Professionals as Private Investigators.
Licensing for Digital Forensics Professionals and other forensics specialties is the right and proper course of action to take at this time. However, licensing these specialty professionals as Private Investigators would be detrimental to both professions.
Right now the Private Protective Services Board has an opportunity to create new rules and amendments to the current licensing legislation that would be of great service to the people who need and contract for these services. As many states are currently dealing with the same legislative issues, the North Carolina Private Protective Services Board has an opportunity to create legislation that could serve as a badly needed model for other states to follow as well.
However, defining the new legislation too broadly or too narrowly would be a disservice to the consumers of specialty forensics services by either excluding qualified forensics professionals from practicing or allowing unqualified persons to provide forensic specialty services without the proper training and expertise.
The issue at hand is whether or not Digital Forensics Professionals or specialty forensics professionals should be licensed as Private Investigators.
The language in the current legislation would seem to support that specialty forensics professionals should be licensed as Private Investigators since it is possible for them to perform some services that would overlap what is traditionally considered private investigation:
1. Obtaining evidence for use in a court of law.
2. Interviewing persons related to the matter at hand.
3. Presenting evidence in a court of law.
While there is some overlap in what forensic specialties professionals may do in the course of providing their specific services, there is no overlap in the required expertise to perform scientific and technical forensics services once you leave the realm of the three items mentioned above.
Therefore, it is imperative that separate and distinct licensing should be required for persons who wish to engage in providing computer or digital forensics services and other specialty forensics services. Such licensing should be exclusive to forensics professionals and not be considered a subset of the Private Investigators license, nor should holding a Private Investigators license be considered a prerequisite to hold a specialty forensic license.
It is clear that the licensing for forensics specialties should be separate from the umbrella of the Private Investigators license for the following reasons:
1. The experience and training for forensics specialties that are not covered by professional state licensing boards should be included in the provision. This would include persons engaging in handwriting analysis, computer forensics, DNA analysis and other non-regulated forensics science activities. It is surprising to learn that even DNA analysts are not required to have state licenses to perform forensic DNA analysis.
2. The possibility of doing harm to a person through lack of expertise increases as the level of required expertise exceeds that of laymen and non-specialists in the field.
3. The need for qualified expert witnesses on both sides of a case to ensure that persons receive the best litigation support possible. When it is not possible for a person to retain the services of a qualified expert, it creates an unfair advantage for the other side in both civil and criminal proceedings.
4. While the court is the ultimate determiner of who may qualify as an expert witness; if unqualified individuals are allowed to practice, harm may come to persons long before the issue of qualifications of an expert is brought before a judge.
5. While the expertise in investigations is inherent in what constitutes a Private Investigator, expertise in investigating technical and scientific data is not and should not be allowed to be assumed by holding a Private Investigators license.

A Proposed Framework for Licensing Requirements for Computer and other Specialty Forensics Professionals:

1. Forensics Specialty Professionals must have and maintain Errors and Omissions insurance in addition to standard liability insurance.
2. Applicants must pass a criminal background check.
3. Certification from a nationally recognized certifying body is required. (In the case of computer forensics professionals, the Certified Computer Examiner issued by the International Society of Forensics Computer Examiners is the most widely recognized vendor neutral certification. It is important to note here that this certification does not cover Cell Phone Forensics, another specialty for which there is no certifying body at present.)
4. A minimum of 80 hours of training in the specific specialty by a nationally recognized vendor.
5. A minimum of 3 years of full time employment providing forensics specialty services in the field for which a license is desired. Client references and employment history must be documented.
6. A 4 year degree in the area of specialization can be substituted for two years of experience. A 2 year degree in the area of specialization can be substituted for 1 year of experience.
7. An associate license can be issued in lieu of a full license to persons entering the specialty field providing they meet the minimum certification requirements, 80 hours of specialty training and are employed full time under the supervision of a licensed specialty forensics professional.
8. A minimum 15 hours training per year by a nationally recognized vendor in the specialty field is required to maintain a Specialty Forensics License.

Dealing with the overlap between specialty forensics professionals and Private Investigators:

1. Anyone who acquires original evidence must comply with the state and federal rules of evidence and accepted standards for the specialty forensics services provided.
   a. In the case of computer forensics, the standard is set forth by the US Department of Justice, Federal Bureau of Investigation, and other government agencies that have created specific guidelines for the handling, acquisition and preservation of fragile digital evidence.
   b. Improper handling of digital evidence can render it useless in court.
   c. Proper chain of custody must be maintained and documented.
2. Interviewing persons involved in the matter at hand is sometimes required in the course of performing the services of the specialty forensics professional. However, there is no need for the specialty forensics professional to perform classical investigative interviews or surveillance of persons.
3. Presentation of evidence in a court of law in the specialty field is what should be focused on here, where the person providing the testimony would normally be required to qualify as an expert in the field. It would be counterproductive for a specialty forensics professional to testify as to the general investigation of the matter at hand, just as it would be counterproductive for a non-specialized investigator to present and testify to the validity of evidentiary findings in an expert area.
To wit, under the licensing provisions for specialty forensics professionals, limited investigative activities should be allowed where such activities are required to perform the specific tasks associated with the specialty. This would reflect the model used by the NC Refrigeration License where license holders are granted a limited electrical license to perform the duties of the specialty.
1. Acquisition of original evidence:
   a. The gathering of original evidence specifically as required to meet the needs of the specialty for examination and analysis would be allowed.
      i. Forensically imaging digital evidence such as hard drives and other digital storage devices by qualified digital forensics professionals. (Digital Forensics Only)
      ii. Acquisition of handwriting samples for the purpose of handwriting analysis.
      iii. Collections of paper documents for the purpose of document analysis.
      iv. Collection of DNA samples by qualified DNA analysts.
2. Interviewing persons involved directly in the course of the specialty analysis.
3. Presentation of findings in a court of law as an expert in the specialty field, providing the court recognizes the person as a qualified expert.
4. Analysis of evidence lawfully obtained by others such as cell phone record analysis for GPS positioning purposes, DNA samples, handwriting samples, digital devices, etc.

Jurisdictional Issues:

Dealing with the needs of national companies, law firms and other entities that may need to collect, analyze or present evidentiary findings in North Carolina could be addressed by allowing the issuance of temporary licenses. However, this would put an undue burden on the Private Protective Services Board to investigate and issue such licenses.
A better solution would be to simply require specialty professionals to acquire a license in North Carolina under the standard licensing requirements of other Specialty Forensics Professionals. Otherwise they would need to hire a licensed North Carolina Specialty Forensics Professional to perform the work. Either scenario would benefit North Carolina in the long run and protect the residents from unscrupulous and unqualified practitioners providing services in the state.
It is clear and important that specialty forensics professionals be licensed and held to appropriate standards for operating a forensics business in the State of North Carolina.
It is also clear that requiring specialty forensics professionals to obtain and hold a Private Investigators license would put an undue burden on said professionals since many of them have no intention of providing Private Investigation services, do not have the appropriate background to do so and cannot suspend the activities of their current practices to obtain such a license by entering a field outside their area of expertise.
It is also clear that having Private Investigators, simply by virtue of holding a license, practice in an area outside of their expertise would be detrimental to the persons and firms requiring the services of qualified experts and would be a disservice to the constituents in the state of North Carolina.
It is also clear that restricting the ability of persons to obtain the services of qualified experts would create an imbalance of justice where evidence may be collected and presented as facts where an opposing expert cannot be obtained. This is especially harmful to persons charged with crimes who may not be able to mount an adequate defense if they must depend on persons who are not qualified in the field or must rely solely on the statement of facts provided by the prosecution.
There is a clear danger to the residents of North Carolina of allowing persons to operate as computer forensics or other specialty forensics professionals without proper licensing and oversight by the Private Protective Services Board.
Reasonable and proper standards must be set for the qualification, licensing and oversight of computer forensics and other specialty forensics professionals as professionals in their field and not as Private Investigators.