US laws restrict computer forensics to gumshoes

More US states are moving towards laws that limit computer forensics work to those with Private Investigator licences, or people contracted to work for licensed investigative agencies. Pending legislation in South Carolina would limit the specialist work of capturing and making sense of evidence on computer discs and server …

COMMENTS

This topic is closed for new posts.
  1. Matthew Saroff

    This is bat%$#@ insane.

    When you look at those cases, like that poor school teacher in Connecticut sentenced to jail for basically having a spyware-infected computer, and the fact that it's law enforcement who doesn't get the basics of how a computer works and screws it up, this is insane.

    This is like requiring the person performing the autopsy to be a cop.

    They don't need to be a cop, they need to be a pathologist.

  2. Anonymous Coward

    Side note that few mention

    So far the laws typically do not apply to employees working on the behalf of their full time employer. This pretty much applies to the contractor/consultants.

    Not that it isn't a silly law, just that it's a silly law that applies to fewer people than most realize.

  3. Scott Bragg

    You're looking at it backwards

    The laws as written in Georgia are meant to ensure a consistent and verifiable chain of custody for the evidence gathered by the forensics experts. It is screamingly simple to get the requisite licenses to maintain the ability to perform work for a case.

    If you work in data forensics, and have any legal experience at all, then you know what kind of nightmare is engendered by a clueless tech or lawyer with regards to the protection of the data needed for a case.

    The laws don't give anything extra to the Investigators mentioned in the article. They already have their licenses. Now the computer techs and forensics experts hired by those law firms and investigators are held to the same evidentiary standards as any other type of evidence.

    Scott

  4. Anonymous Coward

    @Side note that few mention

    >>Not that it isn't a silly law, just that it's a silly law that applies to fewer people than most realize.

    Hmm.. trusting COURT evidence to someone with the comparative skills of a brick affects you when defending yourself from criminal charges. That it affects few does not matter; it's criminal proceedings and should be handled by a trained, qualified expert that knows what the hell they're talking about.

  5. Anonymous Coward

    So...

    Someone with a PhD in computer science and years of specializing in computer forensics is disqualified from being allowed to perform a forensics analysis. A dude who got an online private dick's license in 4 months, sure, he has all the skills needed.

    Bloody hell.

  6. Dennis

    @So...

    I understand your comment, but I have yet to meet a PhD in computer science who is good at anything but: academic research, writing academic papers, and sticking their hand out for grant money! Maybe leave that part out next time.

    Otherwise, as a former consultant, this will be just one more hoop to jump through to do business. I'm sure the "qualified" companies doing this are thrilled at the prospect of not having to worry about pesky (and competent) competition from the "little guys".

  7. Anonymous John

    Raymond Chandler must be spinning in his grave.

    It was a day like any other day. I entered my office and poured my first bourbon since breakfast half an hour ago.

    My head pounded. I'd been to the bar on 31st Street last night, and someone had slipped me a mickey again. I wondered why I kept going there, but what the hell, I like the atmosphere.

    The door opened and this dame came in with yet another laptop. I sighed. I should be walking these mean streets catching gangsters and hoodlums. Not trawling through hard disks looking for kiddie porn.

    I had another slug of bourbon and went home. It had been a long day.

  8. Anonymous Coward

    Maybe it's to keep the Geek Squad from ratting....

    I think it's to prevent A-holes like those at the box stores from making cases when they 'fix' someone's drive.

  9. Morely Dotes

    What do you expect?

    Laws are written by special interests, and passed by politicians who haven't the faintest clue what the law actually says.

    Can you imagine trying to explain to a politician what you mean when you tell him "the data have been repeatedly overwritten by a walking 01 pattern, and the original data can't be reliably reconstructed from what's left?" Or "the date/time stamps on these files may have been tampered with, but there's no way to know for certain?"

    I'd rather try to teach dolphins to ride unicycles. The odds of success are far better.

  10. Aubry Thonon

    Idiotic knee-jerk comments.

    I *am* one of those computer experts, and I don't work for the police. Having said that, it amazes me the number of knee-jerk comments looking at this from the wrong end.

    The idea is not to stop non-cops from doing the Forensic investigation, it's to make sure that whatever is found is admissible evidence when presented in court. The term Forensic means exactly that: "of, relating to, or used in courts of law or public debate or argument".

    I don't care how much of a technical genius the guy doing the search is, if he/she and her firm are not up to date on the necessary chain-of-evidence requirements, then *any* data they present is suspect. Let's face it, who are you more likely to believe did a proper job keeping the evidence "clean" when (say) investigating if a car was tampered with: the CSI people or a local mechanic?

    So get off your high horses - this is simply a piece of paper which states that the person doing the investigation has actually been taught about what is required when gathering evidence FOR A COURT.

  11. Anonymous Coward

    So the US chooses to be legally stupid despite options

    If the US wants to be truly stupid then just outlaw computer forensics...

    too bad everyone leaves a forensic trail of decisions in the choices of naming and hierarchy layout for personal data on any machine handled,

    just my 2c

  12. Tom

    @ AC

    If "A dude who got an online private dick's license in 4 months" can get one that easy I would think the PhD should not have much trouble getting the right paperwork and at the same time maybe learn about court evidence.

    It's the type of cowboys the RIAA uses that create the need for this type of law. It's too bad they will mostly end up with a law that just makes more paperwork without fixing the real problems.

  13. Ole Juul

    More on: Idiotic knee-jerk comments.

    Even the writer of this article says "Most private investigators come from a police or forces background." So what? Now more will be coming from an IT background. Anybody interested can google "how to become a PI" and you'll see that there are all types of people with a wide array of skills in the field. The author goes on to say "expecting computer forensics experts to have a PI licence makes about as much sense as requiring PIs to have computer science degrees." Hello? How hard is it to get a PI license? I know it varies from area to area, but the basic requirement is that you are bondable and know the basic laws. If a computer forensics person is going to skip a beat over that one, then he/she probably shouldn't be in that business. In fact if you're not willing or able to take legal responsibility for your actions, you probably shouldn't be in any business. It's no more outrageous than asking automobile drivers to get a driver's license. Certainly getting a license for being a professional investigator is not going to take years of education and you won't need any "police or forces background" either. I think some people have been watching too much TV.

  14. Keith T

    This is what we get for advocating anarchy -- someone else stepping in to do our job for us.

    If IT people don't make the work part of the IT profession, another profession will gobble it up.

    We've had engineers take over coding real-time programming and control systems.

    We've had accountants take over the design and management of business applications.

    And we've had salesmen take over our body shops.

    After private eyes taking over computer forensics, what will be next?

    This is what we get for advocating anarchy -- someone else stepping in to do our job for us.

    Our customers (courts, banks, car makers) want our qualifications and training regulated. They want the distribution of dangerous tools regulated. They are the customers, they get to choose who provides the commercial services they purchase.

    If we don't regulate us and our work, they will regulate it for us.

  15. Keith T

    @anonymous

    No, your PhD in CS will just have to do another 4 week course, this time the PI course. That isn't the problem in this case. (Although it is a big problem if he wants to lead the internal design and programming of an accounting system, since that means 5 years of night courses.)

    The problem is that our field, its practices and standards, are being set by outsiders. That is the hallmark of a trade.

    If we want to be a profession, we must seek to be mostly self-regulating.

    You can't have anarchy in a commercial or academic environment, something always comes along to organize things.

    People's lives, people's savings, people's reputations, depend, in this case, on testimony in court. Courts don't want amateurs involved.

    If IT people insist on being amateurs, we will be excluded from the organizing process.

  16. Anonymous Coward

    CF/ED professional.

    It all sounds like another form of red tape said to be regulated but basically unenforceable. Accountability, industry eminence, relationships are key to the big picture. This area of expertise although important is taking a back seat to technology. Tech changes every 6 months. If you take true CF work and compare to EDiscovery or combine. There is an interesting picture. Only 10% of the ED work and production comes from CF Identification, preservation/Collection, processing, hosting.

    I employ former LE and IT professionals to co-exist in our labs. The differentiator is the cost of the latest software and the training. It will be a short time before industry identifies with the professionals.

  17. Patrick Bryant

    Reply from a PI and CISSP

    The author makes several false assertions.

    First, the article implies that those employed in private industry would be prohibited from performing forensic work for their employers. While I can only speak to the regulations of the states of California and Washington, where I have been licensed, both states only require a PI license when one is investigating a crime or loss for hire AS A CONTRACTOR. Employees are not restricted from doing their duties, and in fact, performing investigative work as an employee is how many PIs qualify for their license. There is no prohibition on gathering evidence for your employer.

    The purpose of all forms of state licensing of professionals is to establish minimum qualifications in fields for which the general public would be incapable of determining. Would you want to see anyone who claims to be a medical doctor? Are you qualified to ascertain their educational background, professional performance history, and to submit to them written examinations? Would you want to have to do this every time you needed to vet a new professional?

    Specifically with regard to PIs, the issuing state takes fingerprints and runs those prints through the state's criminal records agency and the FBI. This is to prevent the fox from guarding the hen house. The state also opens an account with those agencies to detect any new arrests and convictions of persons holding a license. Finally, the state can revoke the license of an unscrupulous licensee to prevent further harm from being done to the public.

    While the ISC2 (the board governing CISSP certifications) asks applicants if they have felony convictions, they do not and cannot verify the applicant's claims by checking their fingerprints. It's on the "honor system." The paradox of that situation should be obvious: can we trust criminals to be honest? The need for a criminal background check is apparent in the case of PIs, since they often gather evidence for use in court and could possibly alter that evidence to suit their needs.

    The author claims that: "Most private investigators come from a police or forces background..." While that may be true, I didn't have one day of experience in either field when I received my PI license. The California Bureau of Security and Investigative Services (BSIS) credited me with the computer forensics work I had done in private industry in order to qualify for the 6,000 hours of documented and paid investigative experience needed to qualify for a PI license. California may require a PI license for some computer forensic work, but they also grant credit toward receiving a license for those who have actually done that work for their employers.

    The requirement to hold a PI license is not a barrier to entry for anyone possessing the requisite years of experience in the field, and the author's claim that the requirement smacks of protectionism is no more so than the requirements for medical doctors, attorneys, and other professionals to qualify for state licenses.

    The author's suggestion that all PIs should now be required to hold a computer science degree is as absurd as requiring that aircraft pilots be required to hold degrees in aeronautical engineering. A PI license demonstrates general knowledge in conducting investigations, retaining evidence, and state-specific laws pertaining to evidence. While the CISSP exam covers investigations, it could not possibly cover the state-specific laws and procedures pertaining to all 50 states. Finally, imagine the cost to the public if PIs were actually required to hold a computer science degree.

    Performing computer forensics is a highly specialized field, while the knowledge needed to obtain a PI license and pass the written exam pertains to gathering evidence for use in court. Digital forensic data is in a special class: it is far more perishable and vulnerable to alteration and chain-of-custody failures than is conventional physical evidence. If your freedom and property were at risk, would you want someone who had not been verified as being a non-felon or who may not have received intense training on the custody of evidence -- gathering your forensics for use in court?

    Patrick Bryant, CISSP, CISA, California Licensed PI number 23268
