February 27, 2015
Selecting a Competent Digital Forensic Examiner
If you spend any measurable amount of time in an industry
and are a keen observer, you’ll notice that there are people that do the work and people that talk about doing the work. Generally, the two characteristics aren’t
found in the same person. So when
attorneys, private investigators, corporations or law enforcement need to
select a person suitable to handle their digital forensic needs, whom shall
they choose? What makes a good digital
forensic examiner and what are some technical and personality traits that make
the selection more valuable to your specific needs?
Background
Working in Central Virginia, I’m very close to the Metro Washington
D.C. area. If you don’t already know,
this area is full of government employees and contractors. Digital forensics has long been a stronghold
of the government and indeed they’ve been at the forefront for many years for
numerous reasons. Luckily, that’s
changing somewhat, but I still see dozens of jobs posted in the Northern
Virginia area for digital forensic government contractors. It’s curious to see the qualifications they’re
looking for – computer science degree, coding & programming experience,
experience with digital forensic tools and even some certifications. What’s more interesting is what they don’t list: things like investigative experience, an inquisitive
nature, and an excellent ability to articulate your findings verbally (and in
writing).
As we’ve explored in a few previous articles, there are all
sorts of uses for digital forensic examiners, but they pretty much all lead
back to the courtroom or some other formal legal proceeding. At the very least, when choosing a digital
forensic examiner, you should have it in the back of your mind that this person
could be right alongside you in some sort of later litigation. I have yet to speak to an attorney who doesn’t
agree that the ability to articulate technical findings in a simple, effective
way is one of the most important and intangible assets an expert witness can
possess. But some other intangible
assets are also valuable like tenacity, an open mind and critical thinking
skills.
Education of Digital Forensic Examiners
When I was a teenager, I wanted to become a pilot. My father was a pilot in the Army and two of
my uncles flew combat missions in WWII, so I wanted to help carry on that
tradition. Plus, it looked like a lot of
fun. It didn’t take long for my lack of
math skills to come to the forefront, however.
I distinctly recall going to my father for help on algebra homework and
I just wasn’t getting it. It was then
that he told me, very matter-of-fact, that I should probably consider another
profession. Being a pilot requires a ton
of math aptitude which I did not and arguably still do not possess. He was right, so I switched my focus to the
law and earned a Criminal Justice degree. (Side note: Leave it to me to get to
the one area in law enforcement that requires some math skills).
Does a competent digital forensic examiner have to be a
computer science whiz? I would argue no,
but it does probably help, especially if breaking into the digital forensic
world from outside of government. But
formal education only gets you so far.
Just like there are talkers and doers, there are folks who are great at
studying and taking tests and not so great at working. This point will be reinforced when I get into
certifications, but the fact remains that letters and degrees represent an
accomplishment. They say you had the wherewithal
to stick to a program and complete that program. They also generally represent something more
intangible, and arguably much more valuable, when selecting a digital forensic
examiner – critical thinking skills. I’ve
told people for years, my criminal justice degree didn’t really prepare me for
law enforcement or for my eventual transition into entrepreneurship, but it did
teach me how to look at things in the world with a critical eye and ask hard
questions. I’m hopeful college is still a
great resource for that, but I haven’t been a college student in nearly 20
years, so I cannot speak to the evolution of education.
Experience
When I was a rookie Police Officer, my first Field Training
Officer asked me how old I was. “23”, I
told him. He went on to say that was
probably about as young as you’d want to be getting into law enforcement. At the time, I didn’t realize what he was
talking about, but as I got older, I definitely learned he was spot-on! There is no substitute for experience. The college of life is the best school one
can attend and I’ve received more education at the hands of people who have “been
there, done that” for years before I came on the scene than I ever did in
formal education. As I tell prospective
clients, my 15 years in law enforcement, dealing with people every day, gives
me a unique perspective on a digital forensic case. Behind all the bits, bytes, hex code and
metadata, there is a person manipulating that device. Being experienced in dealing with people on a
one-on-one basis has provided some of the most valuable education I could have
received as a digital forensic examiner.
Unlike many who simply examine the data, I ask about the person. What is their background? What types of deviancies do they exhibit (we
all have some)? What did their home look
like when the device(s) were seized and what did they say when they were
initially interviewed? All of these
factors play an important role and go far beyond simple storage of data. The argument could also be made that, by
taking the time to ask these questions and look at the case from a more global
perspective, I may actually be saving clients time & money because I can
hone in on habits, lifestyle, etc. with respect to how they use their digital
devices.
When selecting a competent digital forensic examiner,
experience is extremely important, especially investigative experience. Experience conducting formal investigations
means that examiner has (hopefully) honed the skills of being inquisitive &
looking for the truth, which is the most important factor in any digital
forensic examination. Formal education
is great to have, but unless you can use that education within a particular
field to hone your craft, it really is just a piece of paper hanging on the
wall. Experience in almost any field
(except IT) also provides you the ability to work with and learn about
people. Be observant, look at patterns
and be inquisitive. Is there such a
thing as a dumb question? You bet! But sometimes you can learn from dumb
questions too. Oftentimes, the obvious
answer is the one that is never spoken.
Certification(s)
Last year, I wrote an article on this blog about
certifications vs. experience (linked here: http://prodigital4n6.blogspot.com/2015/01/normal-0-false-false-false-en-us-x-none_41.html), so I won’t beat the dead horse, but I will say that certifications do play a
very similar role as formal education in that they demonstrate the commitment
to complete a course of study and, normally, the adherence to commonly accepted
practices. I’m currently going through a
CISSP study course and, while the information is certainly useful, I’ve noticed
that it is also somewhat outdated. I
recognized this with many computer forensic courses too. Slowly, but surely, they’re coming around to
skipping the DOS portion of the course and not really investing too much time
in other outdated media like floppy disks, but it takes time. Meanwhile, that certification could be full
of virtually useless information in the modern age.
As someone looking for a competent digital forensic
examiner, you should educate yourself as to what certifications cover and
what they don’t. The differences between
a CCE (Certified Computer Examiner) and a CFCE (Certified Forensic Computer
Examiner) are pretty notable, but they both sound good! I will emphasize a point from my previous
article, however – letters behind your name are great, but they don’t illustrate
what you’ve done or anything you’ve accomplished. They don’t relay any substantive information
other than that the candidate paid some money to complete a course and did so
successfully. Completion of a course
does not equal education in a particular field.
Technical Aptitude
Technical aptitude is not a huge consideration, but it is
one to have in mind when selecting a competent forensic examiner. I’ve participated in courses designed for the
“no experience” candidate and it’s quite painful to sit through
instructors teaching students with no knowledge of how computers work how
to create a folder on the desktop or how to create a text file so we can
examine the data in that file. And there’s
more to it than just digital forensic aptitude.
Competent examiners need to know the components of a computer, how to
access them, how they work and what their processes mean in the overall system
architecture. Knowledge of networking
hardware and concepts is important too.
If your prospective examiner isn’t at least a little bit of a computer
geek, I’d keep looking.
On a different side of the “technical” spectrum is something
mentioned earlier and often in this blog – The ability to articulate your
processes, findings and conclusions in a simple, understandable way. If you call a digital forensic examiner
looking to hire him to work a case for you and he can’t tell you the tools he
uses, what he can and cannot recover for you and use some real-world analogies
to draw between the techie side of forensics and the man-on-the-street
understanding of forensics, then he will certainly not be able to do that in a
court of law.
Personality Traits
Another collection of intangible assets of a competent
digital forensic examiner are their personality traits. Traits like tenacity and an inquisitive
nature (leaving no stone unturned) are qualities that people either have or
they don’t – they can’t be taught. These
go right along with critical thinking skills and they are so vitally
important to a competent examiner that I would argue they override anything
else on this list. Being able to look at
a piece of evidence and ask the all-important questions of who, what, where,
when, how – and sometimes why – means you have an examiner that won’t give up
until they find everything that could possibly be of value in your case. For instance, if you are working a child
exploitation case and the subject has 300 contraband images on their device,
but the overall library is 30,000 legal images, what does that tell you as an
examiner or as an attorney? What does it
mean in the overall scope of the case and are you doing justice a disservice by
reporting only the contraband images? Whether
a government or private examiner, the truth of the case is what’s most
important and the personality of the examiner will dictate whether they have a “check
the box” mentality or if their work ethic and desire to get the whole picture
will override any laziness or propensity for sloppy work.
Does your examiner have testimony experience? Does he bore you with overly-technical jargon
when you speak to him or does he engage you and help you understand? Is he likeable, approachable, thoughtful and
thorough? If the answer is no to any of
these questions, then keep looking; there are many examiners around the
country and they are not all created equal. Google has all the answers and you’ll probably
find a great examiner if you look past the first 3 search hits (the first ones
are always paid ads anyway)… or even on page 2
of the search hits!
Conclusions
The selection of a digital forensic examiner could be the
most important single choice you make in any given case. If you are preparing for litigation, the
examiner can help point you in the direction you should go as far as
strategy. If you are involved in
corporate investigation, the level of thoroughness of the examiner can help forestall
any possibility of litigation down the road.
If you’re investigating a divorce or custody dispute, the proper
selection of forensic examiner can help get the evidence you need to prove
infidelity or bad parenting and help the court decide what may be in the best
interest of the family as a whole. In
government, the public safety implications that stem from the appropriate
selection of a digital forensic examiner can be larger than any other previous
considerations.
It’s hard to put a monetary value on the effective, thorough
use of a digital forensic examiner, for indeed, the ripple-effect they can have
on a case (good and bad) is hard to measure.
We’ve certainly explored in previous articles how digital
evidence is everywhere and attorneys like Craig Ball will echo that
sentiment to their colleagues. But when
you whittle down the playing field to the forensic examiner(s) that you choose
to represent your (or your client’s) interest best, I hope this guide will serve
to help separate the wheat from the chaff.
Look deeper, think more critically, look beyond the letters
& degrees, go with your gut, but use your head… Just a little advice from a
seasoned Digital Forensic Professional.
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Web: www.ProDigital4n6.com
Twitter: ProDigital4n6