Saturday, February 27, 2010

More On Licensing for Digital Forensics Examiners

It appears that the question is no longer; Will we be required to have a license to practice in some states?, has become a question of; When we will be required to have licenses to practice digital forensics?

 The stated purpose of licensing is to, "Protect the public trust."  And I agree with that.  But the other question is, will licensing accomplish that goal?

When it comes to licensing versus court qualification, we have a chicken and egg problem.  The standard for admitting a person as a computer forensic expert in a court room seems to be pretty low, mostly due to the lack of understanding of the field by judges, prosecutors and attorneys.

The secondary issue for licensing is, will it provide a better standard for someone to be qualified in a court of law and at the same time protect the public from non-experts practicing in an expert field?

In other words, how expert must an expert be to satisfy both those needs?

In most fields that require licensing, such as Doctors, Engineers, CPAs, etc. there is a rigorous training and educational foundation and widely accepted standardized testing requirement.

I would not knowingly go to an unlicensed doctor for medical care.  Nor would a person with no formal medical training, licensing or experience be a good candidate as an expert witness.

In the case of these professionals, licensing gives us, the public, at least an indication that the person providing services has received training and has demonstrated enough knowledge to obtain a license.  It also tells us that the person providing services is subject to some oversight.

In our case, does having an extensive computer experience background provide enough to provide the public with some protection?

In my mind, it does not.  I run into computer service guys all the time that are now suddenly doing "forensics".

The recurring problem with that scenario is that they have no training or knowledge of evidence handling or preservation.  The reason that people are vulnerable to this is simple:  People think that computer expertise equals computer forensics expertise.

I submit that it does not.

Now to take the licensing issue a little further, we have the issue of whether an expert who is unlicensed in a state can testify in that state as an expert.

I submit that a doctor licensed in North Carolina can easily testify as an expert in California or any other state, providing that they do not practice in that state without a license. 

If all of the work in a case is performed in the home state of the examiner, but they go to testify under subpoena in a state requiring a license, what would the rule of law be?  Does the subpoena trump the licensing requirement?

Would an expert appointed in a federal case be subject to state licensing laws?

Back to my main point: How expert should an expert be to practice and will that be part of any licensing?

What contributes to the proper qualifications for digital forensics expert and should these be included in any licensing laws?

In my opinion, there should be a combination of required minimum experience in digital forensics, and a minimum amount of forensic training.

Certifications are helpful, but there are so many that it is difficult to determine which ones should count toward licensing.

The best option would be the same as the requirements most stated have for professional licensing:

A state licensing exam.

When I received my NC Refrigeration License back in the 1980's and later on my Unlimited General Contractor's license in NC and VA, I had to take tests along with other requirements to sit for those tests.

Each of those tests dealt with the law, building codes, technical aspects of the trade and proper bidding procedures.

For the purpose of protecting the public trust, I advocate that states require testing for licensing.

Such tests should not be like a certification test, but should cover the things that are important to forensics.

1. Knowledge of the law as it pertains to digital forensics.
2. Knowledge of accepted best practices.
  • Proper evidence handling and preservation from acquisition to courtroom.
  • Chain of custody.
 3. Knowledge of standard operating procedures.
  • Hash analysis
  • Signature analysis
  • Evidence verification
Remember, that state licensing exams should only be designed to measure competence from a forensic practice standpoint and is not a detailed technical test like a certification.  So it would not include questions  about the NTFS file system or the dd commands to make a copy.  Nor should it be tool specific in any way.

The licensing exam should be designed as a "check" to make sure that someone applying for a license has the proper knowledge needed to protect the public, not to determine technical competency.  Technical competency should be covered by a minimum training and experience requirement.

Other things like certifications can be substituted for some of the experience requirement, just like education.

To sum it up, you need X years of education in the field, or X years of experience in a closely related field, i.e. IT support, or certifications, or a combination of the above that sets the minimum requirement to sit for the state exam.

Other things that I think should be required for a license in our field:  Errors and Omissions insurance in addition to general liability.

By establishing state licensing, regardless of who administers it; Private Protective Services Boards or whatever they may be called, it would at least give a person contracting for services some assurance that the person they are hiring has passed a state exam.

While none of the suggestions above will guarantee a "Good examiner", they can at least set a minimum standard for courts and the public to be assured that the person they are hiring understand the "forensic" aspect of the computer examinations and not just the technical.

Reblog this post [with Zemanta]

Saturday, February 13, 2010

Help Identify Murdered North Carolina Child

 Below is a forensic reconstruction that was done by Frank Bender.  This child's body was found ten years ago in North Carolina.  Please spread this image as far as you can and hopefully someone will come forward to identify him.


 The full articles pertaining to this case are below:

Frank Bender: Dying Philadelphia Forensic Sculptor's Last Effort to Find Murdered North Carolina Child - ABC News

New 3-D facial reconstruction could help solve cold case

Investigators search for clues in cold case