
The Changing World of Digital Forensics

01-03-2009

Digital forensic skills are challenging to acquire and frequently are less than useful unless you are working in emerging technologies or have a solid foundation in the very basics.  More and more, the focus of digital forensic examination is within the legal community, yet the challenges outside of the legal aspects remain the same: solve a problem and fix it.

That is correct.  When a skilled IT professional works on, solves and corrects an IT issue, whether it is a network challenge, a program problem or even a physical configuration concern or failure, they are in fact conducting a forensic examination...at least I certainly hope so.  You see, it can be difficult to impossible for a forensic examiner to unconditionally establish the cause and effect relationship if components of the environment have changed in a manner that renders it difficult to impossible to not only recreate the original environment but also be able to testify as to the accuracy of the examination.

Having started my career in forensic investigations in the 60s, I can say without question that unless the examiner is able to establish and document the original environment at the time of the incident, it can be impossible to complete a true forensic analysis.  When components of an investigation are not verifiable in absolute terms, they are subject to question and/or challenge and may result in an other-than-desirable result.

For me, conducting a forensic examination of the digital world provides great joy.  It is challenging and often results in enhancing existing skills or developing new ones not previously needed, sometimes never to be needed again.  I can honestly state that many digital forensic skills which I have developed and used in almost 45 years of experience within the world of IT are quite useless today.  However, what they have done is build a repertoire of experience which allows me to enter an environment that I have not seen previously and still develop a reliable and complete forensic investigation that, should it be necessary, could be introduced into a court of law.

As the world of digital forensics began to enter into the legal world I became concerned.  My background in the law was very limited.  I had never been a plaintiff or witness and had not been required to testify in court.  My initial contacts with the legal process were relative to the discharge of employees for cause.  Fortunately, Human Resources became the taskmaster in such cases and made those responsible for information security aware of what they must do in order to establish a case that will stand the test of “discharge for cause”.  If, in your career, this challenge has not yet been encountered, I suggest that you take the time to learn the issues within the corporate and legal environment for which you are responsible.

Such experience earlier in my career prepared me for the day when I conducted an investigation that resulted in the discharge of several executives including one who was in my direct line of ascension.  The lesson:  Be prepared to conduct and/or manage investigations which may result in “corporate/political” complications that could result in your own discharge.  Learning the legal aspects for testimony in court is another matter and differs greatly for those conducting an investigation of their employer's resources versus a forensic investigator not employed by the damaged party.

Short of studying for a law degree, I am not sure there is any other way of learning how to prepare for testimony in court other than that of actual experience.  Obviously, an understanding of the law is important, but that does not prepare you for discovery, pre-trial examination or courtroom experience.  Discovery for the corporate employee versus a contracted forensic examiner is actually quite different.  For the corporate employee it is difficult to determine what might be requested and what the court will order.  Commonly it is far more than anticipated, and not infrequently elements are demanded that may not exist.  On the other hand, the contracted forensic examiner, generally speaking, need only take great care that all matter and communication relative to the case be maintained in a manner that allows prompt production during discovery.

It is not uncommon in either situation for discovery to demand materials which are deemed inappropriate.  The problem, however, is that the corporate employee is not in much of a position to challenge “inappropriate” demands.  However, the contracted forensic examiner should be able to divert such demands on the basis that much of the material in possession represents the business of other clients and has nothing to do with the case in question.  Keep in mind that engaging a contract forensic examiner does not preclude the opposition (plaintiff, defendant or prosecutor) from imposing significant discovery demands upon their opposition.  The major difference is that it is much more difficult to target individuals when the forensic examination is conducted by an outsider.

Those who wish to enhance their knowledge and skills relative to dealing with law enforcement might consider taking some courses in criminal justice, especially those dealing with state and constitutional law.  Also to be considered are courses that deal with investigation/development of a case and defense.  In many criminal justice programs the course titles will not be indicative of this and will require you to communicate with the dean or lead professor of the program.  While it does not hurt to ask about digital forensics investigation, etcetera, those are few and far between.  However, taking a course that addresses investigation/development of a criminal case, preferably including defense, should teach the principles and concepts.

Yes, the world of digital forensics is changing not only within information technology but also within law enforcement.  The challenge in dealing with law enforcement is that (1) all too often existing laws are inadequate, (2) commonly, local law enforcement is not prepared for technology cases, (3) outside resources to law enforcement are often limited, (4) prosecutors commonly are not knowledgeable about technology and rely on “experts” who may not be qualified, (5) defense attorneys that understand technology sufficiently to perform adequately are not common, and (6) the majority of the judicial system is inadequately skilled to adjudicate such a case.

In my next blog I will examine a case which demonstrates all of these points.
