Monday, January 12, 2015

Is Digital Forensics Primarily an I.T., Infosec or Legal Services Practice?


One only needs to spend some time on the LinkedIn professional network to get a decent grasp on the scope of their particular industry.  Whether you work in real estate, banking or government, you can get a good idea about not only who may also be in your industry within a certain area, but it’s generally a “no-brainer” what category that industry belongs to.   However, this is not always the case with Digital Forensics…

Recently, I was searching LinkedIn for other Digital Forensic practitioners with similar credentials.  This search presented a wide array of candidates both in the public sector and private industry.  However, when they self-identified what category their practice falls within, several different responses presented themselves.  These responses seemed to concentrate on one of three areas:  Information Technology, Information Security and Legal Services (to include law enforcement).  So why does Digital Forensics have such an identity crisis when it comes to labeling the category to which it belongs?  Perhaps it’s because the need for digital forensic professionals spans many areas, which no doubt leads to some confusion about the role of a digital forensic examiner at first glance.

Digital Forensics in Information Technology

While the other categories are used quite a bit, it’s reasonable to say that most digital forensic examiners self-identify within the field of Information Technology.  Of course, because of the ubiquitous nature of “Information Technology”, the very label itself spans everything from technical programmers to business analysts.  Indeed, a capable digital forensic examiner (DFE) has to have a solid background and knowledge of how computers (and sometimes networks) work.  The knowledge-base of a DFE must include hardware, software, file systems, different functions of the aforementioned and differences within the industry.  No doubt these are very technical areas of study.  However, the Merriam-Webster definition of “Forensics” bears noting in this discussion as well:

  • relating to the use of scientific knowledge or methods in solving crimes, or
  • relating to, used in, or suitable to a court of law

These definitions rely heavily on the methods and practices for presenting evidence in a court of law to present the findings suitable for incorporation into a finding of fact and/or legal decision.  Digital Forensics only adds to the above-listed definition by adding that the particular “scientific knowledge or methods” are applied to digital media in its various forms.  I submit that merely having a background in Information Technology does not adequately prepare a DFE for the inevitable challenges he will face when the veracity, validity and authenticity of digital evidence is challenged.  Therefore, the proper practice of Digital Forensics goes far beyond Information Technology, but IT is still a part of the overall knowledge base of a competent Digital Forensic Examiner.

Digital Forensics: Information Security

With the multitude of recent information security (infosec) breaches occurring almost daily and undoubtedly affecting all of our lives, it’s clear that information security has crossed over from being merely a governmental concern as it relates to national security to very much a private sector concern as it relates to many other issues.  Not too long ago, most DFE roles within infosec were restricted to the government and government contractors.  They almost always required high-level security clearances and extensive training in not only the practice of digital forensics, but the principles of information security as well.  However, the infosec industry is transforming into something we all care about as consumers and something we all need to pay attention to going forward.

The role of a DFE in infosec is traditionally to be called in after an infosec breach has been discovered, examine the affected areas of the breach, determine the scope of the data theft and report on the findings.  This role requires not only the above-mentioned training, but also some decent knowledge of network architecture in order to effectively examine a networked environment without having to take part or all of the network out of service.  Again, more and more infosec breaches are occurring in the private sector and through retailers who cannot shut down their networks for a DFE to conduct his examination, so networking knowledge is quite crucial for an effective DFE in an infosec role.  This is often referred to as Digital Forensics and Incident Response, or DFIR.  But because breaches can happen internally or externally, the role of the “dead-box” or stand-alone hard drive/digital media DFE is not trivial either.  All of that being said, the self-identification of a DFE as being in the “Information Security” field is not totally inaccurate and is much more descriptive than the global use of “information technology”.

Digital Forensics as a Legal Service

The Merriam-Webster dictionary definition of “forensics” stated above provides an excellent basis on which to launch any discussion of digital forensics, or any other forensic science for that matter.  The overriding principle in forensics is the methodologies that are used.  Is what you did verifiable, repeatable and defensible?  If so, then you’re probably well on your way to a decent forensic practice.  If not, then the basis of your findings starts to crumble when challenged.

This is not to say that every digital forensic case will come before a judge or arbitrator in a formal legal proceeding.  Indeed, most of them do not.  However, in the spirit of “plan for the worst and hope for the best”, we always want to make sure our evidence is handled properly and documented thoroughly.  Disregarding those principles is what leads to overturned convictions and a bad reputation for Digital Forensic Examiners and the industry overall.   

Providing the label of “legal services” to digital forensics not only encompasses those working as a DFE in law enforcement, but those of us in the private sector whose main clientele are practicing attorneys and investigative professionals.  After all, whether your case involves an unfaithful spouse in a divorce, embezzlement, employee acceptable use of computer policy violations or intellectual property theft, ALL of the circumstances in which you would call upon an expert in digital forensics have the potential for litigation in some form and thus, it is an undeniable scientific, legal service.

There can be no argument that the role of a digital forensic examiner requires a decent background knowledge in information technology.  Indeed, this is why most reputable training outlets dedicate some time to computer hardware parts and terminology, not to mention the more specialized areas of file systems, data storage, nomenclature, etc.

But in discussing what major role the Digital Forensic Examiner must ultimately train and prepare for, there can be no argument that it is first and foremost rooted in the accepted standards and practices of forensics in the legal system.  Technology changes, system architecture changes and training methods change.  The need for reliable, competent experts with well-rounded knowledge of how the legal system works and what it requires of him may not only be the biggest intangible in a digital forensic examiner, but also one of the most accurate descriptions of his role within any system.

Patrick J. Siewert, SCERS, BCERT, LCE
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally