Computer Forensics Faces Private Eye Competition

By Deb Radcliff  |  Posted 2008-01-02
The Internet is boundless and cybercrime scenes stretch from personal desktops across the fiber networks that circle the globe. Digital forensic investigators like Harold Phipps, vice president of industry relations at Norcross Group in Norcross, Ga., routinely slip across conventional geographic jurisdictions in pursuit of digital evidence and wrongdoers.

Lawmakers across the Savannah River in Columbia, S.C., have different ideas, however. Under pending legislation in South Carolina, digital forensic evidence gathered for use in a court in that state must be collected by a person with a PI license or through a PI licensed agency.

If the law passes, the highly specialized task of probing deep into computer hard drives, network and server logs for telltale signs of hacking and data theft would land in the hands of the same people who advertise in the Yellow Pages for surveillance on cheating spouses, workers' compensation fraud and missing persons. Otherwise, digital evidence collected by unlicensed practitioners could be excluded from criminal and civil court cases. Worse yet, those caught practicing without a license could face criminal prosecution.

"It's an ambush," says Phipps, a 31-year FBI veteran now with Norcross Group, a digital e-discovery business. "Under the South Carolina statute, only a handful of licensed PIs across that state have the years of information system and tools experience needed to do true digital forensics with repeatable processes of documentation and chain of custody. This is the only group that stands to gain."

South Carolina isn't alone in considering regulating digital forensics and restricting the practice to licensed PIs. Georgia, New York, Nevada, North Carolina, Texas, Virginia and Washington are some of the states going after digital forensic experts operating in their states without a PI license.

Tools and training for digital forensics have existed for years, but the process of forensics remains a relatively unknown art within the information security profession. It's a growing field, though, given ever-increasing cybercrime, identity theft and data leakage, and the expanding regulatory landscape around data protection. Digital forensic specialists perform critical tasks ranging from identifying sources of data compromises and holes in security infrastructure, to collecting evidence for employee disciplinary actions, to testifying in criminal prosecutions.

FORUM DISCUSSION: Should states mandate licenses for forensics pros? Tell us what you think at ITLink.

With much of today's evidence lingering on computers and handhelds, PIs see this as a lucrative field to pursue, even if they lack the requisite experience, contend digital forensic experts like John Mellon, founder of the International Society of Forensic Computer Examiners (ISFCE) based in Brentwood, Tenn. IT professionals also feel that putting forensics into the hands of what are mostly inexperienced, one-off divorce and surveillance PIs will ultimately bring the evolving, highly specialized field to its knees.

All but six states have PI licensing laws on the books, according to Jimmie Mesis, publisher of PI Magazine, and 32 of those laws could be interpreted to include digital forensic investigators. While their language differs, these licensing laws essentially consider a PI to be anybody engaging in the business of securing evidence to be used in criminal or civil proceedings.

"In April [2007], the state attorney general opined that even if you never set foot in South Carolina, if you're collecting evidence to be used in court here, you still need a South Carolina [PI] license," says Steve Abrams, a licensed independent PI and computer forensic examiner based in Sullivans Island, S.C. "Licensing authorities in New York, Pennsylvania, Texas and Oregon have opined the same way."

As one of eight permanent members of the South Carolina Law Enforcement Division Private Investigations Business Advisory Committee, Abrams is a key promoter and developer of the South Carolina PI licensing legislation. He is also one of the handful of state professionals Phipps refers to who can successfully dovetail digital and conventional PI skills into a single business. In addition to a legal and computer programming background, Abrams holds PI licenses in South Carolina and New York, and he's looking into getting a license in Utah.

The state PI measures are not meant to be punitive against ethical, skilled forensic professionals working on behalf of their corporations, Abrams contends. Rather, they are being established to protect and preserve the integrity of evidence.

Abrams' concerns about digital evidence integrity are not unfounded.

Defense attorneys have used lapses in the chain of custody of evidence, poorly documented evidence collection techniques and lack of credibility of forensic investigators as means to have evidence thrown out of court cases. Conversely, computer security specialists have quietly complained that prosecutors and government investigators—particularly the FBI—rely heavily on the naivety of defendants and their attorneys in computer-related cases. In some cases, an attorney doesn't know enough to challenge the validity of digital evidence presented by the state.
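The failure modes in the paragraph above (a gap in custody, undocumented handling, an image that no longer matches what was acquired) are exactly what a documented, verifiable chain of custody is meant to rule out. The following Python is an added illustration, not code from the article or from any firm it names; the case ID, examiner names, timestamps and the disk-image bytes are constructed. It hashes the acquired image at acquisition, records every hand-off as a hash-linked log entry, and re-verifies the whole record so that both a modified image and a rewritten log entry are detected.

```python
"""Evidence integrity and chain-of-custody record (added example).

Every transfer is logged with the SHA-256 of the image as handed over, and
each log entry commits to the previous entry's hash, so neither the image
nor the log can be altered after the fact without the check failing.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first (acquisition) entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str              # ISO-8601 timestamp of the hand-off
    actor: str             # who took possession
    action: str            # what happened (acquired, transported, received...)
    image_sha256: str      # hash of the image as it was handed over
    prev_entry_hash: str   # hash of the previous log entry (GENESIS for the first)
    entry_hash: str = ""   # hash over all fields above, filled in on append


def _entry_hash(entry: CustodyEntry) -> str:
    # Canonical JSON over every field except entry_hash itself.
    payload = json.dumps({**asdict(entry), "entry_hash": ""}, sort_keys=True)
    return sha256_hex(payload.encode())


class ChainOfCustody:
    def __init__(self, case_id: str, acquired_image: bytes, examiner: str, when: str = None):
        self.case_id = case_id
        # The acquisition hash is the reference every later hand-off is checked against.
        self.acquisition_hash = sha256_hex(acquired_image)
        self.entries: list[CustodyEntry] = []
        self._append(examiner, "acquired", acquired_image, when)

    def _append(self, actor: str, action: str, image: bytes, when: str = None) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ts = when or datetime.now(timezone.utc).isoformat()
        entry = CustodyEntry(ts, actor, action, sha256_hex(image), prev)
        entry.entry_hash = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, actor: str, action: str, image: bytes, when: str = None) -> CustodyEntry:
        """Record a hand-off; the image is re-hashed at the moment of transfer."""
        return self._append(actor, action, image, when)

    def verify(self) -> tuple[bool, list[str]]:
        """Return (ok, problems): image hash, link chain and entry hashes are all rechecked."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.image_sha256 != self.acquisition_hash:
                problems.append(f"entry {i}: image hash mismatch")
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: broken link")
            if _entry_hash(e) != e.entry_hash:
                problems.append(f"entry {i}: entry tampered")
            prev = e.entry_hash
        return (not problems, problems)


# Constructed stand-in for an acquired disk image; not real evidence.
IMAGE = b"constructed sample disk image, not real evidence\x00" * 64


def demo() -> tuple[bool, bool, list[str]]:
    """Clean custody passes; a copy returned with one byte changed fails."""
    coc = ChainOfCustody("CASE-0001", IMAGE, "Examiner A", "2008-01-02T09:00:00+00:00")
    coc.transfer("Courier B", "transported to lab", IMAGE, "2008-01-03T10:00:00+00:00")
    coc.transfer("Analyst C", "received at lab", IMAGE, "2008-01-03T14:30:00+00:00")
    ok_before, _ = coc.verify()
    altered = bytearray(IMAGE)
    altered[10] ^= 0x01  # simulated mishandling: one flipped bit in the returned copy
    coc.transfer("Analyst C", "returned for litigation", bytes(altered), "2008-01-20T08:00:00+00:00")
    ok_after, problems = coc.verify()
    return ok_before, ok_after, problems


if __name__ == "__main__":
    before, after, probs = demo()
    print("clean custody verifies:", before)
    print("after altered return:", after, probs)
```

The point of hashing each entry into the next is that a log kept only as editable notes proves nothing; here, quietly rewriting an earlier entry's actor or timestamp invalidates that entry's hash, and swapping in a different image invalidates the hand-off that delivered it.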

"The problems in South Carolina occur when folks from national [law] firms come into South Carolina, seize digital evidence, have that evidence analyzed in a lab in some other state, and then send it back to South Carolina for litigation," Abrams says. "The state has no mechanism to hold them accountable if they screw up, which I see all the time in cases."

Page 2: A Matter of Jurisdiction

Computer forensics is more often used as an internal investigatory tool. In other words, probes and evidence collected inside the firewall stay inside the firewall. In these cases, none of the proposed or existing state laws requiring PI licenses apply. That is, until the case spills outside the enterprise domain—to a partner network or an Internet service provider, for instance.

At this point, most organizations should be turning investigations over to law enforcement or licensed PI agencies anyway, Abrams says. Maybe so, but history doesn't support Abrams' perspective, and IT experts and forensic consultants say most enterprises would rather keep their investigations quiet than risk public disclosure by going to law enforcement.

At greater risk of exposure, however, are security and network management service providers, which often conduct investigations on behalf of their clients. In this case, they would be considered PI firms and need licensing in a majority of states, confirm Abrams and others.

Neither of these interpretations offers much comfort to forensic professionals or the IT executives who hire them. And Abrams makes no bones about his desire to see South Carolina start prosecuting violators as soon as the ink dries on the amendments to South Carolina's licensing requirements, which could be as early as February. South Carolina's statute proposes fines of up to $5,000 and a year in jail for practicing without a license.
Because most organizations hire outside consultants to do their digital forensic processing, such interpretations could also call into question every piece of digital evidence enterprises gather through consultants that winds up in court, says William Boni, corporate vice president of information security and protection at Motorola. This, he says, would put a great burden on enterprise organizations and potentially paralyze their investigations.

"Anytime courts start interpreting statutes like these so narrowly, there should be concern," Boni says. "IT professionals at large, multinational organizations believe they could be challenged under these laws whenever they take a case to court. They've been particularly concerned over the outcome of the Sony case in Texas."

In the Sony case, the defendant in a copyright infringement lawsuit in Texas filed a motion last July to disqualify evidence because the investigative firm, MediaSentry (since acquired by SafeNet), did not have the private investigation license required under state law.

Sony dropped the case last month. Some speculate that this was the result of the bad publicity accumulating regarding the hefty six-figure fine that would have been levied against the elderly defendant. Had it gone to court, Abrams and others believe MediaSentry would have been subjected to the Texas licensing law because the digital evidence was gathered by a digital forensic consulting firm acting on behalf of a client.

The Recording Industry Association of America wouldn't say whether the counterclaim had any bearing on Sony's decision to drop the case. However, the RIAA doesn't believe that the absence of a PI license had any bearing on the admissibility and reliability of evidence. State PI laws cannot stop the collection of public digital evidence across cyberspace because it's "boundaryless," according to the RIAA.

"There may be requirements that PIs be licensed in Texas, but we do not believe the absence of a license has any impact on the admissibility and reliability of the evidence that was collected," says Cara Duckworth, spokesperson for the RIAA. "The information [MediaSentry is] collecting is being distributed in cyberspace, which is larger than even Texas."

This is a situation that cuts both ways, because the evidence presented in the case should have been called into question, says John Stoneham, an attorney with Lone Star Legal Aid in Beaumont, Texas, who filed the motion in July on behalf of Rhonda Crain, whom he describes as a "grandma" and a Hurricane Rita victim. The evidence presented, he contends, was incomplete, since it consisted merely of records taken over a public file-sharing system; nobody examined Crain's computer to see whether it had been infected with a remote-control program, which he suspects it had.

Incomplete or bungled evidence could just as easily be submitted by a PI, say forensic practitioners who feel such mistakes will become more common if private eyes try to embark on or oversee these kinds of digital probes.

"Forensics is a very new field. And now, anyone with a PI license can take an EnCase class [a popular computer examination tool] and declare themselves a forensic expert," Phipps says, citing the years of platform, system and forensic tool skills required to make a good technician that he says the vast majority of gumshoes lack.

Page 3: Skill Certifications vs. Licensing

Do a keyword search on "Digital Forensics and Private Investigation" in any state private investigator database and you'll see that the listings do reflect poorly on the reputation of digital forensics. Most are for cheesy divorce and personal monitoring firms advertising, "Is your spouse cheating on you?"

Quality control around digital forensics is a major issue. Private investigators and IT experts alike say they are worried about protecting the evolving profession and are looking for ways to institute measurable quality controls.

"Requiring digital forensic experts to obtain PI licenses does not serve the public's best interest," says Toby Finnie, executive officer of the High Tech Crimes Consortium (HTCC). "Instead, digital forensic examiners should be required to show demonstrated levels of competencies, based on standards and practices developed by peers."

HTCC, a law enforcement assistance network with more than 1,800 members in 37 countries, is drafting a briefing paper to provide background information and guide state legislators in their development of independent practical regulatory controls for forensics that can keep pace with the dynamic discipline.

"Like a doctor who's gone to medical school, works in his field, takes continuing education and maintains his medical licenses—that's the level of accountability we need for digital forensics," says Stan Kang, a principal in the Forensics and Investigative Response Practice of Verizon Business Services in Norfolk, Va. "Since most companies outsource digital forensics to consultants, they need a way to know that chain of custody and other rules of legal evidence are applied."

Because they are already licensed by their industry-specific agencies, certified accountants, medical examiners and engineers are exempt from state PI requirements, Abrams explains. IT professionals are pushing for the same thing for forensics, but Abrams contends that states don't want the cost and overhead of setting up another independent licensing body.

In South Carolina, an ad hoc advisory committee is revising the state's computer forensic regulation under its PI laws to include definitions and guidelines for digital forensic professionals, which will go to the legislature by the end of January, according to Abrams. These guidelines are being modeled after the Georgia, Nevada and North Carolina guidelines. The North Carolina guidelines are currently in committee. Both the Georgia and Nevada guidelines have died in committee, but expect them to be back, says Finnie.
States are looking to the failed Nevada legislation as a model for defining these qualifications. The attempted revision to the proposed statute defined a digital forensic professional as "a person who engages in the business of, or accepts employment using, specialized computer techniques for the recovery or analysis of digital information from any computer or digital storage device, with the intent to preserve evidence, and who as a part of his business provides reports or testimony in regards to that information."

Nevada's qualification guidelines include 18 months' experience, a Bachelor's degree in computer forensics, and a Certified Computer Examiner (CCE) credential or its successor equivalent. South Carolina won't have a requirement for any particular degree, but will require minimal training, CCE certification and annual continuing education to remain licensed, according to Abrams.

At present, the CCE is the most recognized forensic certification available to the private sector and the only one open to the private sector being considered in state PI licensing laws. The credential requires professionals to abide by a strict code of ethics and pass a stringent certification exam that tests skills and knowledge. There are about 1,000 CCEs, of which about 70 percent are in the private sector and the balance in law enforcement, says ISFCE's Mellon.

Mellon acknowledges that the ISFCE and his training firm, Key Computer, have a lot to gain through such legislation. The exams are offered at a modest $300 fee, he says, so they're not a big money maker. Still, experts question the ability of one organization to meet the demand.

The ISFCE is currently considering reorganizing itself into a non-profit to be more flexible in structure, Mellon says. As a non-profit, he notes, the ISFCE can take a stronger political stand against the takeover of his profession by private eyes.

"Forensic examiner licensing can only be a good thing," says Mellon. "But you don't want it to fall on 50 state PI licensing agencies to manage. So, we're reaching out to our listserv of CCEs telling our members how to reach their legislatures and what to tell them."

All state examiners need to get together with their digital forensic communities to develop a unified exam for the states before it's too late, says Norcross Group's Phipps. He adds, "Under an independent exam, we [digital forensic professionals] can control our own destiny."

Deb Radcliff is a freelance writer and editor in Northern California who specializes in computer-based crime and information security.