Thursday, March 26, 2009

Wednesday, March 25, 2009

North Carolina PI Licensing Update and Digital Forensics Examiner Licensing

North Carolina in is the process of updating its laws regarding computer forensics and cell phones forensics.  The change provides for a separate license for Digital Forensics Examiners.


Here is the bill sponsored by Senator Snow for the 2009-2010 session.

Amend Private Protective Services Act.

You will want to look at section 5a.

I think North Carolina has created the best model for this type of licensing as it does the most to protect the public from people claiming to be digital forensics experts while at the same time, taking into account the people who should not be required to have a license to do their jobs.

Sunday, March 15, 2009

Excellent post by Harlan Carvey on Incident Management.

If you don't know, Harlan Carvey is the author of the classic, "Windows Forensic Analysis" book published by Syngress. Harlan is an icon in the field of computer forensics for his knowledge and, obviously, for his book that should be on the shelf of every professional examiner. The newest edition is due out soon and I know I will be buying a copy.

Harlan wrote a post on incident management that is well worth reading. Take a look:

Incident Management 101

Harlan is also the author of the very handy tool, RegRipper that is used to parse the Windows registry file for data of interest to examiners. Harlan will be joining me on Talk Forensics in May.

Saturday, March 14, 2009

Expert Witness Bias

I was watching a popular real crime news-tabloid program the other night and there was a lot of discussion about expert witnesses. Especially experts that work for the defense.

Since digital forensics experts fall into that category just like DNA experts and fingerprint experts, I thought I would spend a few words on the subject and hopefully spark some conversation from my readers out there.

To begin with, I think that attempting to imply that an expert witness is biased is just a bit of drama, usually put on by prosecutors or by hot shot lawyers in the big money civil cases. The equivalent of a cheap shot to attempt to discredit the expert by insinuation.

Sadly, that drama can sometimes sway a jury into thinking that the expert has some underlying agenda outside of their stated purpose of representing the facts in the case, in a neutral manner.

The mere fact that you have two experts involved in a case that very likely will not agree on the interpretation of the facts, is not an indicator of bias. Quite the contrary, if you ask me. When two experts examine the same evidence and reach different conclusions, how would you be able to tell which one has the biased opinion in any case? Because they are getting paid to do the work? Court testimony is just part of the job, just like the underlying lab work that must be done to prepare to do that testimony.

One of the points brought up during the show was whether or not the expert exclusively worked for the defense. Of course, that same argument can be made on an even stronger level for prosecution experts who are employed full time to do nothing but work for the prosecution.

Actually, since the prosecution's expert's entire career is spent working for one side, the possibility of bias becomes greater than that for an expert who may work for an attorney once and never work for them again. Being part of the “team”, going after the bad guys and protecting the public can be a very strong influence on a person over time. Especially if getting branded as someone who is not a “team player” can jeopardize their career.

The other big point made is how much the defense expert is getting paid to testify. One of the guest commentators on the show said that experts get four hundred to eight hundred dollars an hour. Obviously, I don't charge enough.

The counter argument is that the prosecution expert is getting paid to testify as well. The retort to that was that the prosecution expert is only getting their government salary. Hello? Do they think we are all stupid?

Of course the prosecution expert is getting paid their salary. If you add in all the overhead required to keep that government expert on the payroll, equip and maintain the state lab, pay benefits, etc, the fully loaded hourly rate is probably pretty close to what most experts charge.

Since private experts don't have the benefit of being funded by the taxpayers, they have to pay everything that the government is paying on behalf of their expert and make a profit in order to stay in business. Oh yeah, and they are probably paying 50% in taxes on that profit if they are incorporated.

In reality, the net that the expert gets to keep is probably less that what the government expert is getting.
If the expert happens to be a medical doctor, four hundred dollars an hour is probably what he bills anyway doing his regular doctor job. How is any of that information relevant to the case? It isn't.

I think that the biggest mistake people make, is to think that experts are on the team to win the case. If an expert does have that attitude, then they should be booted off whatever team they are on and not allowed to testify at all. Experts are there to vet the facts and to keep the other side from mis-interpreting or mis-representing the evidence.

Of course, some attorneys will try to make the jury believe that the expert is there to help their side win. That tactic is used to attempt to instill doubt in the minds of the jury. It is a lot like those trick joke questions you ask people; “So, have you stopped beating your wife yet? Yes or no?”

Those little tricks really have no place in the courtroom, but they get used anyway. And that is sad, since people are playing with a person's life. It is not a game to win or lose. It is a trial that is supposed to be fair and equal under the law.

Using experts on both sides of a case gives the person being tried a better chance for fairness. When you allow an expert to testify on one side without the other side having the benefit of obtaining an an expert analysis of that evidence, you are crippling the chance that person has at getting a fair trial.

I don't think that you can ever really tell if an expert is biased unless they have a history of giving false or misleading testimony. It is a shame that this cheap tactic is used when no evidence of that exists, just to “win.”

What is really frightening are the documented cases of prosecution experts falsifying evidence and lying on the stand to secure a conviction. And in these instances, the experts were allowed to work for years and testify in dozens, and sometimes hundreds of cases.

I think there is probably more hard evidence of biased experts on the prosecution side of the aisle than on the defense. At least in criminal cases.

But hey, the prosecution are the “good guys.” Right? Well, they should be the fair guys.

Friday, March 13, 2009

Ouch. Guidance Software loses suit when unable to produce its own e-discovery.

Here is an interesting article from over at Law.com about a little litigation issue that Guidance Software was involved in.

When ordered to produce emails and memos, Guidance was unable to find them after doing an internal investigation.  For the world leader in e-discovery software and training, you would think they would have had a little better success.

Guidance Grilled Over Absent Memos

Kind of makes you wonder.

Sunday, March 8, 2009

Your First Computer Forensic Job Interview

You have always wanted to work in computer forensics and now finally you have been invited to an interview. How should you prepare? Well, the first thing to do is to get the interview into perspective and develop the right mindset. Let me say right now that you will not be successful at some interviews for a broad spectrum of reasons outside your control from not having the right technical skills through to the interviewer having just had a major argument with their partner ten minutes before you walk in to the room.
If you don’t get the job, it really isn’t the end of the world so learn from the experience and use it at the next interview. Looking through the statistics of the 50+ computer forensic candidates we have placed into their first role, over 60% of candidates were successful at their second or third interviews, often due to learning from an unsuccessful first interview.
Computer Forensic job interviews take all sorts of formats with some very technical, but most tend to be a mix of assessing three key areas: technical skills, competencies and personality. I will discuss all three separately , but - and keep this quiet - in my experience, as long as you can demonstrate a certain technical level, interviews at this level often come down to the interviewing manager liking you personally. This actually this makes sense as the company is really buying your potential at this time and they want to take someone in whom they can invest time and money.
However, the interviewer will not feel positive towards you if you cannot answer any of their technical/competency related questions so that is your first area to prepare:
1, Technical questions.
The technical level you need to demonstrate varies considerably depending on the job and organisation. Just make sure you do all the obvious things like researching the areas mentioned on the job description, read the forums, listen to the podcasts etc to ensure you are fully updated on current technical thinking and advances.
The golden rule here is not to try and bluff your way through when you don’t know the answer. If you don’t know the answer to a technical question please just say so but then suggest areas where you may go to find the answer if you were asked the question in a work environment.
If you are not technically strong enough for a role, there really is nothing you can do about it on the day.
2, Competencies
Most interviewers will concentrate their questions around the following competencies: Interpersonal skills, problem solving and decision making, planning and organising, information handling and analysis, written/oral communication skills, teamworking.
All you need to do is to prepare three/four examples of each before the interview. Really try to balance the examples from different aspects of your life such as College, work experience, hobbies, private research and any other aspects of your life. This preparation should avoid you having to desperately think of new examples under pressure on the day.
3, Personality
Remember, if the interviewer doesn’t like you then it is very unlikely that you will be successful. When answering technical questions it can become easy to become almost robotic in our answers and, in my experience, more people fail computer forensic interviews for not allowing their personality to come through than for any other reason.
Think about it: if you get the job you will often be spending days/nights at a time with the interviewer under pressurised conditions far away from home. This isn’t the time to run through your stand up comedy routine but do be yourself and interesting/interested.
Get excited, prepare well, be yourself and good luck!
David Sullivan
www.appointments-uk.co.uk

Friday, March 6, 2009

Talk Forensics Selected as a Featured Show on Blog Talk Radio

I want to thank everyone for their support in helping Talk Forensics to become a featured show on Blog Talk Radio so quickly.

All of my guests have been wonderful and the listener support is awesome.

I also want to thank my fellow bloggers and podcasters who have mentioned Talk Forensics on their blogs and shows.

This Sunday my guest is Dr. Michael Baden, of HBO's Autopsy series, and the author of several books on forensic pathology.

If you missed any of the previous shows, you can listen to them using the player over on the right column or subscribe to the podcast on iTunes.

Join us on Sunday's at 4:00PM Eastern and ask the experts those questions you always wanted to know about.

Wednesday, March 4, 2009

Ethical Practices for Digital Forensic Examiners

John J. Barbara has posted an excellent article on ethics and raises a very probing question regarding digital forensics.

"Since the examiner in the scenario is also the investigator, can we be assured that he is “disinterested” in the outcome of the case?"

That is a very important question. Considering that digital foreniscs is one of the few areas in which the officer who is conducting the investigation and making the arrest is also the forensic scientist. Is this really a good scenario to put someone in where making arrests ending in sucessful prosecution has an impact on thier job?

Ethical Practices for Digital Forensic Examiners
By John J. Barbara

Should Computer Forensics Professionals Consider Changing Jobs in a Recession?

I had asked David Sullivan to write a couple of posts as my guest on Ex Forensis.  Here is the first of two articles he was kind enough to write.


In these tough economic times almost all areas are suffering and although computer forensics hasn’t been hit as hard as some sectors, recruitment in this area is considerably down. For the first time in my six years of recruiting in the computer forensics/electronic discovery area, I know well-qualified, experienced computer forensics professionals who are not currently employed and cannot find a new position.
It therefore follows that if you are in a (perceived) secure position at the moment then you should stay where you are and wait for the economy to pick up before you consider your career options. Or does it?
Maybe so but then again, this could be a great time to make a move. Ok, I recruit in this area so you may think it is clearly in my interest to say that, but consider the following points:

  • If a company is recruiting in these times, this is because the position is a key one of considerable importance to the organisation. This means job security should be as good as anywhere at this time;

  • Organisations recruiting at this time know that people are reluctant to move so it could be an opportunity to make a real advance in terms of the financial package;

  • Arguably, a company investing in new people at this time is confident in their future business so this is the sort of dynamic, successful organisation you want to join;

  • You may think your current role is safe, but in this market there is no such thing as safe: everything has changed and all is relative. What if your company has already let people go? In this situation keeping an eye out for opportunities must be a sensible idea?

  • Nobody knows how long this downturn will last. What if it is for three, five or seven more years? Are you prepared to just tread water in an unfulfilling position until then?
Even when the economy is booming, changing jobs is always a risk. Due to the lack of opportunities available now, if you realise a couple of months down the line that you have made a mistake, then it is much trickier to just find another position. So, if you are lucky enough to be offered an attractive new role, you must consider the following issues before signing a contract:

  • Some companies do work on a ‘last in, first out’ basis. Really take the time to discover the financial stability of any organisation you are joining using all available information;

  • Even if the company is releasing people from other parts of the business, this doesn’t necessarily mean they aren’t looking to build their computer forensics capability. In addition to the normal questions about the role, department, responsibilities etc, discover if the role is replacing someone or a new position (a replacement role is likely to be less risky);

  • As they become leaner and sharper to survive, some organisations focus purely on their core activities: is computer forensics their core business? If not, is it an area that could be disbanded? Three months after joining a company this isn’t something that you really want to hear.

  • Before you go ahead and accept the position, ensure you negotiate a financial package that you are happy with as there are unlikely to be big pay increases on the horizon.
In summary, changing jobs in a recession is something that you much approach with caution. However, before you dismiss it out of hand, ask yourself if staying where you are is a greater risk.
David Sullivan
www.appointments-uk.co.uk



A Little IT Fun

If you do, or have ever done very much IT work, it seems that you accumulate a certain number of requests for free computer support work.

Most of the time, I don't mind doing a little bit of this for friends and family.  But there always seems to be the one that decides you are their free IT support for life.

Sometimes it is tempting to have a little fun in the process of providing this IT work.   Here are some suggestions you can use to liven things up a bit.


  1. Someone calls you and tells you that they cannot get on the Internet.  Just tell them the Internet is currently full and they will need to wait a day or too until they free up some space.
  2. Some video cards support rotation by using the key combination Ctrl +Alt + Directional Arrows.  You can flip the screen left, right or upside down.  Try flipping an unsuspecting person's screen upside down.  Then, when they call you to fix it, say something like, "Wow, that is unusual.  All your data is upside down."
  3. Someone calls you and says that they think someone is trying to hack into their computer.  Tell them to hold a minute while you check it out.  Come back on the line and say, "You're right.  I just looked at your house on Google Earth and there were some guys in black ninja suits in the yard." (Don't do this with someone who is really paranoid.)
  4. Someone calls you and asks if you can hack into their boyfriend's, girlfriend's, wife's or husband's email account so they can see what they are up to.  Tell them you can, but there is an extra fee for that.  When they ask, "How much."  Tell them one million dollars to cover your legal fees and lost income while you are in prison.

I am sure you creative IT folks out there can some up with some more.

Tuesday, March 3, 2009

There's a New Certification in Town - DFCB Certifcation

There is a lot of buzz about the new certification from the Digital Forensics Certification Board.

I read through all of the documents on the site, and all the meeting minutes, etc.

Then I ran through the Founders Assessment Form where you put in your experience, education, training, certifications and other stuff.

It is interesting that they require five years of experience, but you can only score 40 points in the experience section.

I decided to see if the form was set up like I thought it was. Here is what you need to break the magic 100 number to be a founder:

4 Years Experience (But you can't just use 4 years of full time experience, you have to pick a mix apparently. Looks like a flaw in the form to me.

Experience Section 40 points
A Bachelor's Degree 10 points
3 Certifications 15 points (They don't have to be in forensics. )
360 hours of training 40 points

Total Points 105

While you can get some points for testimony, depositions or writing a book (10 points for a book. Seems a little low to me since it takes about a year to write one.)

Many examiners will go for years and not testify, so I left those points on the table.

I picked what I thought might be the most common attributes of people to get to the 105 points.

So just for fun, I put up a poll on the right side of the blog. It would be interesting to see how many people hit the magic number and how people scored on the assessment.

If you need to fill out the assessment form to score your self, it is here.

DFCB_Scoring_Sheet_Founders_Process

Oh and the fee is 300.00 if you ACT NOW!

Monday, March 2, 2009

Comment Moderation

I decided to turn off comment moderation so people won't have to wait to see their comments appear on the blog until I have time to get to a computer or moderate them via my Blackberry.

I hope this will foster more lively and timely conversation.

Obviously, SPAM will not be tolerated.

All I ask is that you keep it clean and on topic.

If offensive or SPAM comments get out of hand, I will be forced to turn moderation back on.

Sunday, March 1, 2009

Part 2 - Computer Forensics Certifications, Are they really worth it.

Apparently my post hit a nerve.  So I thought I would explore this a little more and get to the heart of the matter about certifications in this field.

And I am sure that I am going to get some more comments, because I am going to state the truth as I see it.

Certifications as it stands today, don't mean anything.


Ok, I said it.  Now I have to back it up. Here goes.

Holding a certification would only mean something if it was required for you to practice in the field.  The fact that you can practice "forensics" with no more than a how-dee-do to your credit leaves the field open to "button jockeys".

This ain't IT folks.  No offense to the huge number of computer support people out there, I spent many years doing IT work and still do some of it for selected clients.

But at the end of the day, if Mary isn't getting her email for a few hours, no one is going to prison or going to die because of it.

That is the difference.  When you start tossing around the word forensics, you are entering a totally different arena where what you do has an impact on people's lives.

And certifications, as they stand today, do nothing to standardize the field, because the certifications are not standardized.

I consider myself to be a "kick ass" defense expert.  Is there a certification for that? Yes, there is.  It's call references. And I have a lot of them.  Including some from cases where my work directly kept someone from going to death row.

DanMiami says, "Again, there is NO EXCUSE for a true expert in this industry to NOT have certifications in what they think they are experts in."

I have to reply that there is no real driving reason to get certifications.  Having one will not enable someone to explain the inner workings of how file carving works, or data recovery or how to recover an MS Exchange EDB.

As long as you can buy a book and attend a short boot camp to get a certification with no prior experience, their value is pretty low to me.

And that is the truth about it.  Right now, certifications are as valuable as the individual who gets them thinks that are.

A certification, a professional does not make.

Someone else pointed out an article from the National Academies of Sciences where they state, "Certification and Accreditation Should Be Mandatory
Many professionals in the forensic science community and the medical examiner system have worked for years to achieve excellence in their fields, aiming to follow high ethical norms, develop sound professional standards, and ensure accurate results in their practice.  But there are great disparities among existing forensic science operations in federal, state, and local law enforcement agencies.  The disparities appear in funding, access to analytical instruments, and availability of skilled and well-trained personnel; and in certification, accreditation, and oversight.  This has left the forensic science system fragmented and the quality of practice uneven.  Except in a few states, forensic laboratories are not required to meet high standards for quality assurance, nor are practitioners required to be certified.  These shortcomings pose a threat to the quality and credibility of forensic science practice and its service to the justice system, concluded the committee.
Certification should be mandatory for forensic science professionals, the report says.  Among the steps required for certification should be written examinations, supervised practice, proficiency testing, and adherence to a code of ethics.  Accreditation for laboratories should be required as well.  Labs should establish quality-control procedures designed to ensure that best practices are followed, confirm the continued validity and reliability of procedures, and identify mistakes, fraud, and bias, the report says."


I couldn't agree more.

Most of the vendor neutral certifications require you to sign a "Code of Ethics."  The question is, who enforces that or even oversees it?  No one, that I can find.

As far as I am concerned, for certification to really mean something, and I believe that it should, it should be the minimum bar you must hurdle to practice in the field.

It should be standardized like the CPA exam, the Medical Boards, the Bar Exam or the Professional Engineer requirements  that you must meet to get a license to practice.

You don't see people running around putting their stamp on engineering plans after they run through a boot camp for a week.

Having a real, standardized, practical certification that is recognized by all states, and is a requirement to practice,  should be the goal of every professional in this field.

And I am not talking about us getting Private Investigators licenses.  That is just a dumb idea that unleashes people with fake credentials on an unsuspecting public.

So while having a CCE or EnCE or whatever behind your name does mean something from the standpoint that you got the certification.  It does not accomplish much in the way of improving the field.

As a matter of fact, in every case I have worked, I have never encountered a law enforcement examiner with a certification of any kind.  

Does that mean they are "button jockeys"?  Not from what I saw.  And I certainly would not call them that since they have a gun and I don't.

I personally know some "button jockeys" out there and it pisses me off that people are paying them good money for a job they cannot do.  So, tell me, what professional board or oversight committee do I report them to?

That my friends, is THE problem.

Computer Forensics Certifications - Are they really worth it?

This is a post that is probably going to garner some negative comments.

What good are certifications. really?

1. They can get you a job interview.
2. You can use them to qualify as an expert in court.
3. You get to put letters after your name.

As far as 1 and 2 are concerned, they aren't really necessary, just helpful.

Certifications are big business.  Considering that certifications tend to be expensive and time consuming to get, do they really offer a return on the investment?

Becoming certified for a piece of vendor specific software such as Guidance Software's EnCE or Access Data's certification does not really make you a better user of the software.

Getting other certifications that are vendor neutral so to speak, don't really make you a better examiner.

Most certification tests are just rote memorization of answers that will allow you to pass the test.

The "practicals" that some require are pretty contrived and become a guessing game as to what the test scorer is looking for.  Since not every agency does reporting the same way, there is not a standardized way of doing a "practical".

I have held both a refrigeration license and a commercial general contractor license.  Both of these required very long tests, up to eight hours.

Neither of the tests reflected anything remotely resembling the skills needed to actually build a building or install a refrigeration system.

They did reflect the skills needed to pass the tests.

Maybe I should put UGCL and RCL after my name.  At least it would be fun to see people's reaction when they ask what those mean.

While I am not against certifications, I question their value in the real world.  At one time the marketplace was flooded with A+ and Microsoft certified folks.  I had a guy that worked for me who held both the A+ and the MCSE certifications.  Sadly, he could not install a modem in a computer and make it work.  Nor could he even begin to set up a router or install a network.

I know guys that collect certifications like some women collect shoes.  Since their companies are willing to pay for them, they just keep going and going to boot camps and various training targeted toward getting the certifications.

I recently did some interviewing for a position I had open.  It was interesting how many people, certified or not, could not explain to me what a router does or answer something as simple as what is a non-routable IP address.

Or the difference between a hub and a switch.  Or how to set up sub-netting.

Or what the probable cause of your DHCP server service shutting down on a MS server.

Let alone port forwarding, NATing, or what a DMZ is.

That is before I ever asked any forensic type questions such as; Can you explain to me, in plain terms like someone who never uses a computer would understand,

1. What does it mean to defragment a hard drive?
2. What happens when you view a web site?
3. What is the internet cache and why is it important?
4. What is unallocated space?
5. What is a file system?

and so forth.

Do I really care if they know that floppy drives use the FAT12 format?  Not really.

I do care that they understand the FAT32, NTFS and have some idea of HPFS and EXT2 systems.  You can look that stuff up in a reference book.

At the end of the day, real knowledge only comes from experience.  Granted, you need to know what a tool is doing so you can explain the process that is used to carve out web pages, or how to verify that you are seeing the entire contents of a hard drive. (Think Host Protected Area)

While I would love to have someone as smart as Brian Carrier or Harlan Carvey or Mark McKinnon working with me, there are not a lot of those guys floating around unemployed.  And I probably can't afford them anyway.

From my standpoint, if you apply for a job with me and I am scanning resumes, certifications plus experience will get you an interview.

But only real, practical knowledge and the ability to communicate is going to get you a job.

And I cannot stress enough how important the ability to communicate clearly is to being successful in this field. (Think court testimony.)