<img alt="dcsimg" id="dcsimg" width="1" height="1" src="//www.qsstats.com/dcs8krshw00000cpvecvkz0uc_4g4q/njs.gif?dcsuri=/index.php/c/a/Projects-Security/Computer-Forensics-Faces-Private-Eye-Competition/1&amp;WT.js=No&amp;WT.tv=10.4.1&amp;dcssip=www.baselinemag.com&amp;WT.qs_dlk=XVqukmLIbTfrzPaRvbGD7gAAAAI&amp;">

Whose Jurisdiction

By Deb Radcliff  |  Posted 2008-01-02 Print this article Print

Who has the right to probe digital crime? That very question may be the next battleground between the flatfooted private detective of old and the new-age computer sleuth.


Computer forensics is more often used as an internal investigatory tool. In other words, probes and evidence collected inside the firewall stay inside the firewall. In these cases, none of the proposed or existing state laws requiring PI licenses apply. That is, until the case spills outside the enterprise domain—to a partner network or an Internet service provider, for instance.

At this point, most organizations should be turning investigations over to law enforcement or licensed PI agencies anyway, Abrams says. Maybe so, but history doesn't support Abrams' perspective, and IT experts and forensic consultants say most enterprises would rather keep their investigations quiet than risk public disclosure by going to law enforcement.

At greater risk of exposure, however, are security and network management service providers, which often conduct investigations on behalf of their clients. In this case, they would be considered PI firms and need licensing in a majority of states, confirm Abrams and others.

Neither of these interpretations offers much comfort to forensic professionals or IT executives who hire them. And Abrams makes no bones about his desire to see South Carolina start prosecuting violators as soon as the ink dries on requirements amendments to South Carolina law, which could be as early as February. South Carolina's statute proposes fines of up to $5,000 and a year in jail for practicing without a license.

FORUM DISCUSSION: Should states mandate licenses for forensics pros? Tell us what you think at ITLink.

Because most organizations hire outside consultants to do their digital forensic processing, such interpretations could also call into question every piece of digital evidence enterprises gather through consultants that winds up in court, says William Boni, corporate vice president of information security and protection at Motorola. This, he says, would put a great burden on enterprise organizations and potentially paralyze their investigations.

"Anytime courts start interpreting statutes like these so narrowly, there should be concern," Boni says. "IT professionals at large, multinational organizations believe they could be challenged under these laws whenever they take a case to court. They've been particularly concerned over the outcome of the Sony case in Texas."

In the Sony case, a defendant of a copyright infringement lawsuit in Texas filed a motion last July to disqualify evidence because the investigative firm, MediaSentry (since acquired by SafeNet), did not have a private investigation license required under state law.

Sony dropped the case last month. Some speculate that this was the result of the bad publicity accumulating regarding the hefty six-figure fine that would have been levied against the elderly defendant. Had it gone to court, Abrams and others believe MediaSentry would have been subjected to the Texas licensing law because the digital evidence was gathered by a digital forensic consulting firm acting on behalf of a client.

The Recording Industry Association of America wouldn't say whether the counterclaim had any bearing on Sony's decision to drop the case. However, the RIAA doesn't believe that the absence of a PI license had any bearing on the admissibility and reliability of evidence. State PI laws cannot stop the collection of public digital evidence across cyberspace because it's "boundaryless," according to the RIAA.

"There may requirements that PIs be licensed in Texas, but we do not believe the absence of a license has any impact on the admissibility and reliability of the evidence that was collected," says Cara Duckworth, spokesperson for the RIAA. "The information [MediaSentry is] collecting is being distributed in cyberspace, which is larger than even Texas."

This is a situation that slices both ways because evidence presented in the case should have been called into question, says John Stoneham, an attorney with Lone Star Legal Aid in Beaumont, Texas, who filed the motion in July on behalf of Rhonda Crain, whom he describes as a "grandma" and a Hurricane Rita victim. The evidence presented, he contends, was incomplete, since it consisted merely of records taken over a public file-sharing system but did not investigate Crain's computer to see if it had been infected with a remote control program, which he suspects it had.

Incomplete or bungled evidence could just as easily be submitted by a PI, say forensic practitioners who feel such mistakes will become more common if private eyes try to embark on or oversee these kinds of digital probes.

"Forensics is a very new field. And now, anyone with a PI license can take an EnCase class [a popular computer examination tool] and declare themselves a forensic expert," Phipps says, citing the years of platform, system and forensic tool skills required to make a good technician that he says the vast majority of gumshoes lack.

Page 3: Skill Certifications vs. Licensing

eWeek eWeek

Have the latest technology news and resources emailed to you everyday.