Friday, April 10, 2009

Digital Forensics Professionals - Where are we going?

Digital forensics has its foundation in data recovery, which is the first step in every digital forensics examination. Back in the old days, before forensics software was created, data recovery was a laborious manual process that relied on tools like Norton's Disk Doctor, Norton's PC Tools, and other DOS-based command-line tools. Peter Norton was one of the founding fathers of disk tools.

Computer forensics, like most forensic sciences, came out of the need for law enforcement to have better investigative and evidence gathering techniques. Because of this, many advances in technique, process and technology have occurred over the last twenty years.

Computer forensics built upon the data recovery process by adding the processes and procedures needed to use recovered data in a legal setting: the creation of standards for the acquisition and preservation of evidence, the application of the chain of custody, and investigative and reporting tools and techniques.

As those of us in the industry are aware, digital forensics follows the technology in an ever advancing world of new operating systems, new Internet browsers, new and different types of storage devices and digital systems.

Digital forensics also must stay abreast of the war between those who would do harm to others using digital technology and those who would prevent them from doing so.

Digital forensics is one of the few forensic disciplines driven at the pace of Moore's Law, and staying abreast of the advancing technology requires a tremendous effort by hundreds of dedicated computer scientists in the industry.

It is through the efforts of the many unknown and the few well known, such as Brian Carrier, Harlan Carvey, Gary Kessler, Eoghan Casey and others, that the industry is able to continue to advance at the pace it does. So many in the computer and software community work on both the technology side and the process side of digital forensics and, while not becoming famous for their efforts, contribute mightily to the industry. It is this attitude of never being satisfied that what the industry has is good enough that makes digital forensics both a rewarding and challenging endeavor.

The Struggle for Identity

While the industry is doing a Herculean job to maintain pace with technology, it is not advancing as it should in other areas. This has created an identity crisis that must be dealt with soon for the industry to mature into what it should be: a recognized and standardized area of forensic science.

This leaves us in a position where states are trying to license us as private investigators, there are no truly cohesive standards for digital forensic professionals, and while there are certifications galore, none of them really mean that much.

Why are we in this spot?

We are letting others decide who we are instead of deciding for ourselves as an industry. We are depending on the American Bar Association's statements to bolster our arguments. We do not have a national organization to lobby for all of us. We should be self regulating, not regulated by others.

What should we do?

First of all, we have to all embrace the concept that we are neutral experts. Not advocates for one side or the other. We should not be divided into opposing camps, some in law enforcement, some in private practice. While some work solely for the prosecution, and some assist defense attorneys, none of that should matter.

The first thing we need is a national organization that supports and advocates for all digital forensic professionals. Not just for one group or another.

For purposes of this post, I'll make up the name: "American Association of Digital Forensics Professionals".

What would be the purpose of such an organization?

1. Set a national standard applicable to all DFPs.
2. Create a certification that is recognized nationally, is based on reality and is applicable to real world cases.
3. Lobby national and state governments to make sure the profession is properly represented.
4. Provide some self-regulation through the censure of professionals who violate ethical or professional practices.
5. Provide the public with the assurance that someone who has managed to become a member of the AADFP has been vetted properly.
6. Provide a meaningful conduit for reporting to the Association instances of misconduct, that can be investigated and mitigated.
7. Create and sponsor continuing education.
8. Provide a clearinghouse for the collection and dissemination of industry relevant information.
9. Promote the industry as a genuine forensic science.
10. Participate in government and industry summits where forensic science is discussed and decisions are made that affect our industry.
11. Provide educational materials and opportunities to up-and-coming high school and college students interested in entering the field.
12. Publish information for use by the legal community to assist them in better understanding the role and capabilities of digital forensics in litigation.
13. Set professional standards for all members.
14. Adopt and enforce a statement of ethical practice.

It is my opinion that if the industry had such an organization in place, and it was properly funded and performing as outlined above, most of the state boards that are considering PI licenses could be convinced that state level regulation is unneeded.

We need to come together as an industry and begin to present a united front and speak as one voice.

Until we move in this direction, it is my opinion that we will continue to have the issues we have today with random legislation and attacks by the PI community on our ability to provide professional services.

If we want to be able to argue that we are professional forensic scientists and not just computer people with some forensic and legal skills, we need to set the standards high and abide by them. Otherwise, there is not enough to distinguish us from the computer guy down the street or the PI who buys some forensic software product.


  1. As I always do, I'm going to disagree that the certifications that exist aren't worth much. While there may be some that have less value than others, I believe that there are many out there that ARE worthwhile. These certs require a significant amount of knowledge and include written and practical exam components that require re-certification. These certs go a fair length toward moving those who only know how to click the "Find All Evidence" button to the end of the line.

    While I agree that a large, all-encompassing regulatory body would be beneficial, I'm not sure that there's the will to get that done. Which is too bad.

  2. Hi Moby,

    I would disagree with the statement, "These certs go a fair length toward moving those who only know how to click the "Find All Evidence" button to the end of the line."

    While certs may establish a minimum level of competency, an expert examiner they do not make.

    As I have said in the past, certifications are worth any amount that they are worth to the person obtaining them, and they do serve a purpose, but not at that high a level.

    They are not a prerequisite for practice, nor a requirement, hence their universal value is diminished.

  3. Have you considered that when the state passes the law to recognize the proposed certification you are referencing, they would likely create a requirement for individuals to be licensed and the requirement for the license would be this certification? The state would probably then pass laws requiring continuing education of their own, thus requiring the individual to maintain two sets of continuing education and pay fees to maintain the certification and the license.

  4. The goal would be for states "not" to pass laws regulating the industry, but for the industry to regulate itself.

    However, if the organization recognized the other certifications, that should be acceptable to the state.

  5. Having a governing organization is a great idea! I've dealt with the PI License requirement in TX for some time now, and see that it only hinders Computer Forensic professionals in being able to practice. We are trained in both legal and technical areas, but it is true that we are to remain unbiased in the information we provide. That's why we are trained to do computer "examinations" as opposed to "investigations".

  6. I would encourage everyone to look at The American Society of Digital Forensics & eDiscovery (

    New organization forming to emphasize best practices, standards, and an impartial view.

  7. As someone who is just embarking on getting into the field, your post about rallying people together is actually pretty exciting. Maybe it's because I'm just starting out and have the energy and optimism about it, but it sounds like a great way of setting standards in the industry, and getting support for those of us just starting out.

    Speaking about certifications in general, as an Internet researcher for a recruiting firm I'd say that regardless if a cert gives the holder actual expertise, indicates expertise, or adds value to their skills, it's the employer that ultimately dictates whether or not it has "perceived value". I'm guessing that if someone is an independent contractor, certifications don't mean as much if you can't back them up with your ability to perform beyond just knowing how to use the software.

