January 12, 2015
Is Digital Forensics Primarily an I.T., Infosec or Legal Services Practice?
One only needs to spend some time on the LinkedIn professional network to get a decent grasp of the scope of one's particular industry. Whether you work in real estate, banking or government, you can get a good idea not only of who else may be in your industry within a certain area, but it's generally a "no-brainer" what category that industry belongs to. However, this is not always the case with Digital Forensics…
Recently, I was searching LinkedIn for other Digital Forensic practitioners with similar credentials. The search turned up a wide array of candidates in both the public sector and private industry. However, when they self-identified the category their practice falls within, several different responses presented themselves. These responses concentrated on one of three areas: Information Technology, Information Security and Legal Services (to include law enforcement). So why does Digital Forensics have such an identity crisis when it comes to labeling which category it belongs in? Perhaps it's because the need for digital forensic professionals spans many areas, which no doubt leads to some confusion about the role of a digital forensic examiner at first glance.
Digital Forensics in Information Technology
While the other categories are used quite a bit, it's reasonable to say that most digital forensic examiners self-identify within the field of Information Technology. Of course, because of the ubiquitous nature of "Information Technology", the label itself spans everything from technical programmers to business analysts. Indeed, a capable digital forensic examiner (DFE) has to have a solid background in and knowledge of how computers (and sometimes networks) work. The knowledge base of a DFE must include hardware, software, file systems, the functions of each of these, and the variations found across the industry. No doubt these are very technical areas of study. However, the Merriam-Webster definition of "Forensics" bears noting in this discussion as well:
FORENSICS:
- relating to the use of scientific knowledge or methods in solving crimes; or
- relating to, used in, or suitable to a court of law
These definitions center on the methods and practices for presenting evidence in a court of law, so that the findings are suitable for incorporation into a finding of fact and/or legal decision. Digital Forensics extends the definition above only by specifying that the particular "scientific knowledge or methods" are applied to digital media in its various forms. I submit that merely having a background in Information Technology does not adequately prepare a DFE for the inevitable challenges he will face when the veracity, validity and authenticity of digital evidence are challenged. Therefore, the proper practice of Digital Forensics goes far beyond Information Technology, but IT is still a part of the overall knowledge base of a competent Digital Forensic Examiner.
Digital Forensics: Information Security
With the multitude of recent information security (infosec) breaches occurring almost daily and undoubtedly affecting all of our lives, it's clear that information security has crossed over from being merely a governmental concern as it relates to national security to very much a private sector concern as it relates to many other issues. Not too long ago, most DFE roles within infosec were restricted to the government and government contractors. They almost always required high-level security clearances and extensive training in not only the practice of digital forensics, but the principles of information security as well. However, the infosec industry is transforming into something we all care about as consumers and something we all need to pay attention to going forward.
The role of a DFE in infosec has traditionally been to be called in after an infosec breach has been discovered, examine the affected areas, determine the scope of the data theft and report on the findings. This role requires not only the above-mentioned training, but also decent knowledge of network architecture in order to effectively examine a networked environment without having to take part or all of the network out of service. Again, more and more infosec breaches are occurring in the private sector and through retailers who cannot shut down their networks for a DFE to conduct his examination, so networking knowledge is quite crucial for an effective DFE in an infosec role. This is often referred to as Digital Forensics Incident Response, or DFIR. But because breaches can happen internally or externally, the role of the "dead-box" or stand-alone hard drive/digital media DFE is not trivial either. All of that being said, the self-identification of a DFE as being in the "Information Security" field is not inaccurate and is considerably more descriptive than the global use of "information technology".
Digital Forensics as a Legal Service
The Merriam-Webster dictionary definition of "forensics" stated above provides an excellent basis on which to launch any discussion of digital forensics, or any other forensic science for that matter. The overriding principle in forensics is the methodology that is used. Is what you did verifiable, repeatable and defensible? If so, then you're probably well on your way to a decent forensic practice. If not, then the basis of your findings starts to crumble when challenged.
This is not to say that every digital forensic case will come before a judge or arbitrator in a formal legal proceeding. Indeed, most of them do not. However, in the spirit of "plan for the worst and hope for the best", we always want to make sure our evidence is handled properly and documented thoroughly. Disregarding those principles is what leads to overturned convictions and a bad reputation for Digital Forensic Examiners and the industry overall.
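The "verifiable, repeatable and defensible" standard above has a concrete counterpart in everyday evidence handling: hash the acquired media at acquisition, record who hashed it and when, and re-hash before examination so any change to the evidence copy is detectable and the procedure can be repeated by an opposing expert. The following is an added illustration written for this page, not the author's tooling; it constructs a tiny stand-in for a disk image in a temporary directory, and the examiner and case identifiers are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Several algorithms are recorded so a collision in one does not undermine the record.
ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed stand-in for acquired media; a real image would be gigabytes.
SAMPLE_IMAGE_BYTES = b"abc"


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1024 * 1024):
    """Hash a file in fixed-size chunks so large images need not fit in memory.
    Returns {algorithm_name: hex_digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(path, examiner, case_id):
    """Build the acquisition record: who, when, what, and the reference hashes."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "evidence_file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_file(path),
    }


def save_record(record, record_path):
    """Persist the record as JSON next to the evidence so it travels with it."""
    with open(record_path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2, sort_keys=True)


def verify_against_record(path, record):
    """Re-hash the file with the recorded algorithms and compare.
    Returns (ok, mismatches) where mismatches maps algorithm -> (expected, actual)."""
    current = hash_file(path, algorithms=tuple(record["hashes"]))
    mismatches = {
        name: (expected, current[name])
        for name, expected in record["hashes"].items()
        if current[name] != expected
    }
    return len(mismatches) == 0, mismatches


def run_demo(tmp_dir=None):
    """Acquire, record, verify, then alter one byte and verify again.
    Returns (record, ok_before_change, ok_after_change, mismatches)."""
    tmp_dir = tmp_dir or tempfile.mkdtemp()
    evidence = os.path.join(tmp_dir, "evidence.dd")
    with open(evidence, "wb") as fh:
        fh.write(SAMPLE_IMAGE_BYTES)

    # Placeholder examiner and case identifiers; not taken from any real matter.
    record = record_acquisition(evidence, examiner="EXAMINER-PLACEHOLDER",
                                case_id="CASE-PLACEHOLDER")
    save_record(record, evidence + ".json")
    ok_before, _ = verify_against_record(evidence, record)

    # Overwrite the first byte to model an undocumented change to the working copy.
    with open(evidence, "r+b") as fh:
        fh.seek(0)
        fh.write(b"X")
    ok_after, mismatches = verify_against_record(evidence, record)
    return record, ok_before, ok_after, mismatches


if __name__ == "__main__":
    rec, before, after, bad = run_demo()
    print(json.dumps(rec, indent=2, sort_keys=True))
    print("verified before change:", before)
    print("verified after change: ", after, "mismatched:", sorted(bad))
```

The record is what makes the work repeatable: anyone with the same file and the same algorithms can regenerate the digests and compare them to the timestamped values, and a mismatch on re-verification is a signal to stop and document before drawing any conclusion from that copy.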
Applying the label of "legal services" to digital forensics encompasses not only those working as a DFE in law enforcement, but those of us in the private sector whose main clientele are practicing attorneys and investigative professionals. After all, whether your case involves an unfaithful spouse in a divorce, embezzlement, employee violations of a computer acceptable use policy or intellectual property theft, ALL of the circumstances in which you would call upon an expert in digital forensics have the potential for litigation in some form, and thus it is undeniably a scientific, legal service.
Conclusions
There can be no argument that the role of a digital forensic examiner requires a decent background in information technology. Indeed, this is why most reputable training outlets dedicate some time to computer hardware parts and terminology, not to mention the more specialized areas of file systems, data storage, nomenclature, etc.
But in discussing the major role the Digital Forensic Examiner must ultimately train and prepare for, there can be no argument that it is first and foremost rooted in the accepted standards and practices of forensics in the legal system.
Technology changes, system architecture changes and training methods change. The need for reliable, competent experts with well-rounded knowledge of how the legal system works and what it requires of him may not only be the biggest intangible in a digital forensic examiner, but also one of the most accurate descriptions of his role within any system.
Author: Patrick J. Siewert, SCERS, BCERT, LCE
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Web: www.ProDigital4n6.com