Computer Forensics Faces Private Eye CompetitionBy Deb Radcliff | Posted 2008-01-02 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Who has the right to probe digital crime? That very question may be the next battleground between the flatfooted private detective of old and the new-age computer sleuth.The Internet is boundless and cybercrime scenes stretch from personal desktops across the fiber networks that circle the globe. Digital forensic investigators like Harold Phipps, vice president of industry relations at Norcross Group in Norcross, Ga., routinely slip across conventional geographic jurisdictions in pursuit of digital evidence and wrongdoers.
Lawmakers across the Savannah River in Columbia, S.C., have different ideas, however. Under pending legislation in South Carolina, digital forensic evidence gathered for use in a court in that state must be collected by a person with a PI license or through a PI licensed agency.
If the law passes, the highly specialized task of probing deep into computer hard drives, network and server logs for telltale signs of hacking and data theft would land in the hands of the same people who advertise in the Yellow Pages for surveillance on cheating spouses, workers' compensation fraud and missing persons. Otherwise, digital evidence collected by unlicensed practitioners could be excluded from criminal and civil court cases. Worse yet, those caught practicing without a license could face criminal prosecution.
"It's an ambush," says Phipps, a 31-year FBI veteran now with Norcross Group, a digital e-discovery business. "Under the South Carolina statute, only a handful of licensed PIs across that state have the years of information system and tools experience needed to do true digital forensics with repeatable processes of documentation and chain of custody. This is the only group that stands to gain."
South Carolina isn't alone in considering regulating digital forensics and restricting the practice to licensed PIs. Georgia, New York, Nevada, North Carolina, Texas, Virginia and Washington are some of the states going after digital forensic experts operating in their states without a PI license.
Tools and training for digital forensics have existed for years, but the process of forensics remains a relative unknown art among the information security profession. It's a growing field, though, given the ever-increasing amount of cybercrime, identity theft, data leakage and regulatory landscape around data protection. Digital forensic specialists perform critical tasks ranging from identifying sources of data compromises and holes in security infrastructure, to collecting evidence for employee disciplinary actions, to testifying in criminal prosecutions.
FORUM DISCUSSION: Should states mandate licenses for forensics pros? Tell us what you think at ITLink.
With much of today's evidence lingering on computers and handhelds, PIs see this is as a lucrative field to pursue, even if they lack the requisite experience, contend digital forensic experts like John Mellon, founder of the International Society of Forensic Computer Examiners (ISFCE) based in Brentwood, Tenn. IT professionals also feel that putting forensics into the hands of what are mostly inexperienced, one-off divorce and surveillance PIs will ultimately bring the evolving, highly specialized field to its knees.
All but six states have PI licensing laws on the books, according to Jimmie Mesis, publisher of PI Magazine, 32 of which could be interpreted to include digital forensic investigators. While their languages differ, these licensing laws essentially consider a PI to be anybody engaging in the business of securing evidence to be used in criminal or civil proceedings.
"In April , the state attorney general opined that even if you never set foot in South Carolina, if you're collecting evidence to be used in court here, you still need a South Carolina [PI] license," says Steve Abrams, a licensed independent PI and computer forensic examiner based in Sullivans Island, S.C. "Licensing authorities in New York, Pennsylvania, Texas and Oregon have opined the same way."
As one of eight permanent members of the South Carolina Law Enforcement Division Private Investigations Business Advisory Committee, Abrams is a key promoter and developer of the South Carolina PI licensing legislation. He is also one of a handful of state professionals Phipps refers to who can successfully dovetail digital and conventional PI skills into a single business. In addition to legal and computer programming background, Abrams has PI licenses in South Carolina and New York, and he's looking into getting a license in Utah.
The state PI measures are not meant to be punitive against ethical, skilled forensic professionals working on behalf of their corporations, Abrams contends. Rather, they are being established to protect and preserve the integrity of evidence.
Abrams' concerns about digital evidence integrity are not unfounded.
Defense attorneys have used lapses in the chain of custody of evidence, poorly documented evidence collection techniques and lack of credibility of forensic investigators as means to have evidence thrown out of court cases. Conversely, computer security specialists have quietly complained that prosecutors and government investigatorsparticularly the FBIrely heavily on the naivety of defendants and their attorneys in computer-related cases. In some cases, an attorney doesn't know enough to challenge the validity of digital evidence presented by the state.
"The problems in South Carolina occur when folks from national [law] firms come into South Carolina, seize digital evidence, have that evidence analyzed in a lab in some other state, and then send it back to South Carolina for litigation," Abrams says. "The state has no mechanism to hold them accountable if they screw up, which I see all the time in cases."
Page 2: A Matter or Jurisdiction