Friday, January 2, 2015
L.E. or I.T? That is the question…
Original Post Date: August 20, 2014
By: Patrick Siewert, Owner & Lead Forensic Examiner, Professional Digital Forensic Consulting, LLC
As is often the case with new companies, we find ourselves discovering a lot about the landscape of our particular industry. In marketing our suite of digital forensic, eDiscovery, data recovery, data preservation and expert witness services, we’ve found that there are two decidedly different “camps” as far as digital forensics is concerned – the Law Enforcement camp and the Information Technology camp. So which one is better? That’s the question we shall attempt to explore….
Let’s start with identifying the purpose of digital forensics and how that fits into the skill sets of the two camps. As was detailed in previous articles, our goal in digital forensics is to obtain the purest evidence possible and preserve it in the state in which it was seized or captured and then perform an examination on an exact copy of that digital device. Toward that end, it would seem reasonable that the skills and training in proper seizure, cataloging, secure storage and tracking of original, evidentiary pieces of digital media would be appropriate. These skills are not just desired, but vital to ensure proper evidence handling and to avoid any questions in later proceedings with regard to evidence tampering or mishandling.
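What "an exact copy" means in practice is a copy whose cryptographic hash matches the hash recorded when the original was acquired, with that verification written into the chain-of-custody record. The following is an added example (not code from the original post or from Pro Digital's own procedure) that hashes constructed sample media, verifies a faithful image and a single-byte-altered image against the acquisition hash, and appends each step to a custody log. The examiner names and the evidence tag ITEM-001 are hypothetical placeholders.

```python
# Added example: verifying an "exact copy" of seized media and recording the check in a
# chain-of-custody log. Not code from the original post; evidence bytes are constructed.
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed stand-ins for a seized device's contents, a faithful image, and an image with a
# single altered byte (e.g. a stray write because no write blocker was used).
ORIGINAL_EVIDENCE = b"\x00" * 512 + b"constructed filesystem payload" + b"\xff" * 512
GOOD_IMAGE = bytes(ORIGINAL_EVIDENCE)
TAMPERED_IMAGE = ORIGINAL_EVIDENCE[:600] + b"X" + ORIGINAL_EVIDENCE[601:]

CHUNK_SIZE = 4096  # stream in chunks: real images are far too large to hold in memory


def hash_evidence(data: bytes) -> dict:
    """Return size, MD5 and SHA-256 of the media. MD5 still appears in many forensic
    reports but is collision-prone, so SHA-256 is the value the verification relies on."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for offset in range(0, len(data), CHUNK_SIZE):
        chunk = data[offset:offset + CHUNK_SIZE]
        md5.update(chunk)
        sha256.update(chunk)
    return {"bytes": len(data), "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(acquisition: dict, image: bytes) -> tuple[bool, dict]:
    """Compare a working copy against the hashes recorded at acquisition."""
    current = hash_evidence(image)
    same_size = current["bytes"] == acquisition["bytes"]
    same_hash = hmac.compare_digest(current["sha256"], acquisition["sha256"])
    return same_size and same_hash, current


def record(log: list, examiner: str, action: str, item_id: str, hashes: dict, result: str) -> dict:
    """Append one chain-of-custody entry: who did what to which item, when, with what hash."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "action": action,
        "item_id": item_id,
        "sha256": hashes["sha256"],
        "md5": hashes["md5"],
        "result": result,
    }
    log.append(entry)
    return entry


def custody_demo() -> list:
    """Hash at acquisition, verify a good copy, then catch a tampered one. Names are hypothetical."""
    log = []
    item = "ITEM-001"  # hypothetical evidence tag
    acquisition = hash_evidence(ORIGINAL_EVIDENCE)
    record(log, "Examiner A", "acquisition hash", item, acquisition, "RECORDED")

    ok, hashes = verify_image(acquisition, GOOD_IMAGE)
    record(log, "Examiner A", "verify working copy", item, hashes, "VERIFIED" if ok else "MISMATCH")

    ok, hashes = verify_image(acquisition, TAMPERED_IMAGE)
    record(log, "Examiner B", "verify working copy", item, hashes, "VERIFIED" if ok else "MISMATCH")
    return log


if __name__ == "__main__":
    for entry in custody_demo():
        print(f"{entry['timestamp']} {entry['examiner']:<11} {entry['action']:<20} "
              f"{entry['item_id']} sha256={entry['sha256'][:16]}... {entry['result']}")
```

The acquisition hash should be computed once, at seizure, and stored apart from the media it describes (in the case file, not on the evidence drive), so that any later examination starts by reproducing it. A copy that fails this check is not the evidence, whatever the examination of it later shows.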
In the spirit of full disclosure, your author is a 15-year law enforcement veteran with basic and advanced training in digital forensics and not an I.T. practitioner. However, I have taken several standardized I.T. certification courses (such as A+) and been exposed to the overview of digital forensic training that is afforded by most standard I.T. certifications. Through that training, it was apparent that they only touch briefly on incident response and digital evidence handling and refer the standard I.T. practitioner to more experienced digital incident response personnel. However, from early on in the Police Academy, I can say from experience that the emphasis on proper evidence seizure, handling and documentation has been drilled into my head as extremely important. One needs only to refer to the first O.J. trial to see an example of how poor evidence handling can have disastrous consequences on an otherwise rock-solid case. Beyond the basic training in the police academy, every law enforcement officer is schooled in the “real world” applications of proper evidence handling. Indeed, the State Lab issues guidelines for proper handling that all law enforcement officers are required to read and adhere to. But even beyond just being a beat cop, the experience gained through dozens of successfully investigated criminal cases with repeated adherence to best practices for seizure, collection, documentation, storage and analysis of evidence is the best education anyone can get in order to know what to do with [digital] evidence in any given circumstance. These are all professional exposures and hands-on training that I.T. professionals don’t have access to. While the technical training of an I.T. professional may be slightly more advanced (and certainly hands-on I.T. experience is an excellent way to be able to operate effectively over time), there is always the possibility that an untrained I.T. professional may inadvertently seize evidence that he has no legal right to examine, causing potential civil liability. What’s more, if the evidence was seized without proper authority, the results of the subsequent examination could be excluded as, in legal terms, “fruit of the poisonous tree”; and if the chain of custody was not documented appropriately, the evidence may be ruled inadmissible or given little weight, no matter how sound the examination itself was.
While the Fourth Amendment guarding against unreasonable search and seizure applies mostly to governmental entities such as law enforcement, it also serves as an excellent guideline for private practitioners as to what is appropriate in most circumstances. After all, just because the Fourth Amendment may not apply to a private digital forensic examiner, it doesn’t mean they are exempt from liability for civil rights violations if a device is seized and examined without proper legal authority.
Another basic skill that is trained in the police academy and honed with experience is the ability to simply and effectively explain technical terms to a judge, jury and/or legal counsel. Law enforcement officers are trained and tested in proper courtroom testimony, which also translates to depositions and administrative procedures. Having attended several digital forensic training courses that are offered to both law enforcement and the private sector, I can speak from experience that this subject is not emphasized at all. Simply put, the I.T. practitioner may be a very skilled “geek”, but can he get on the witness stand and speak articulately and simply about the digital forensic process, to a level where people with no technical aptitude can understand a subject which is undoubtedly highly technical in nature? With little or no training and likely very limited experience in official sworn testimony, I would offer the answer is a resounding “no”.
While these examples of the differences between digital forensic practitioners with backgrounds in law enforcement and information technology are certainly not exhaustive, they definitely begin to demonstrate some very basic approaches that separate practitioners in law enforcement versus information technology. So as an attorney, a corporation, an individual or a government agency that may be looking to employ a digital forensic consultant, you only have to ask yourself which background matters more to you. I’d offer that you can turn an investigator into a geek and get the best of both worlds… It’s our experience that the same doesn’t hold true for turning a geek into an investigator.
Pro Digital is a full-service Digital Forensic Consulting Service based in Richmond, Virginia and available globally.