Friday, February 27, 2015

Selecting a Competent Digital Forensic Examiner



February 27, 2015

Selecting a Competent Digital Forensic Examiner

If you spend any measurable amount of time in an industry and are a keen observer, you’ll notice that there are people that do the work and people that talk about doing the work.  Generally, the two characteristics aren’t found in the same person.  So when attorneys, private investigators, corporations or law enforcement need to select a person suitable to handle their digital forensic needs, whom shall they choose?  What makes a good digital forensic examiner and what are some technical and personality traits that make the selection more valuable to your specific needs?

Background

Working in Central Virginia, I’m very close to the Metro Washington D.C. area.  If you don’t already know, this area is full of government employees and contractors.  Digital forensics has long been a stronghold of the government and indeed they’ve been at the forefront for many years for numerous reasons.  Luckily, that’s changing somewhat, but I still see dozens of jobs posted in the Northern Virginia area for digital forensic government contractors.  It’s curious to see the qualifications they’re looking for – computer science degree, coding & programming experience, experience with digital forensic tools and even some certifications.  What’s more interesting is what they don’t list.  Things like experience, an inquisitive nature, an excellent ability to articulate your findings verbally (and in writing) and investigative experience. 

As we’ve explored in a few previous articles, there are all sorts of uses for digital forensic examiners, but they pretty much all lead back to the courtroom or some other formal legal proceeding.  At the very least, when choosing a digital forensic examiner, you should have it in the back of your mind that this person could be right alongside you in some sort of later litigation.  I have yet to speak to an attorney who doesn’t agree that the ability to articulate technical findings in a simple, effective way is one of the most important and intangible assets an expert witness can possess.  But some other intangible assets are also valuable like tenacity, an open mind and critical thinking skills.

Education of Digital Forensic Examiners

When I was a teenager, I wanted to become a pilot.  My father was a pilot in the Army and two of my uncles flew combat missions in WWII, so I wanted to help carry on that tradition.  Plus, it looked like a lot of fun.  It didn’t take long for my lack of math skills to come to the forefront, however.  I distinctly recall going to my father for help on algebra homework and I just wasn’t getting it.  It was then that he told me, very matter-of-fact, that I should probably consider another profession.  Being a pilot requires a ton of math aptitude which I did not and arguably still do not possess.  He was right, so I switched my focus to the law and earned a Criminal Justice degree. (Side note: Leave it to me to get to the one area in law enforcement that requires some math skills).

Does a competent digital forensic examiner have to be a computer science whiz?  I would argue no, but it does probably help, especially if breaking into the digital forensic world from outside of government.  But formal education only gets you so far.  Just like there are talkers and doers, there are folks who are great at studying and taking tests and not so great at working.  This point will be reinforced when I get into certifications, but the fact remains that letters and degrees represent an accomplishment.  They say you had the wherewithal to stick to a program and complete that program.  They also generally represent something more intangible, and arguably much more valuable, when selecting a digital forensic examiner – critical thinking skills.  I’ve told people for years, my criminal justice degree didn’t really prepare me for law enforcement or for my eventual transition into entrepreneurship, but it did teach me how to look at things in the world with a critical eye and ask hard questions.  I’m hopeful college is still a great resource for that, but I haven’t been a college student in nearly 20 years, so I cannot speak to the evolution of education. 

Experience

When I was a rookie Police Officer, my first Field Training Officer asked me how old I was.  “23”, I told him.  He went on to say that was probably about as young as you’d want to be getting into law enforcement.  At the time, I didn’t realize what he was talking about, but as I got older, I definitely learned he was spot-on!  There is no substitute for experience.  The college of life is the best school one can attend and I’ve received more education at the hands of people who have “been there, done that” for years before I came on the scene than I ever did in formal education.  As I tell prospective clients, my 15 years in law enforcement, dealing with people every day, gives me a unique perspective on a digital forensic case.  Behind all the bits, bytes, hex code and metadata, there is a person manipulating that device.  Being experienced in dealing with people on a one-on-one basis has provided some of the most valuable education I could have received as digital forensic examiner.  Unlike many who simply examine the data, I ask about the person.  What is their background?  What types of deviancies do they exhibit (we all have some)?  What did their home look like when the device(s) were seized and what did they say when they were initially interviewed?  All of these factors play an important role and go far beyond simple storage of data.  The argument could also be made that, by taking the time to ask these questions and look at the case from a more global perspective, I may actually be saving clients time & money because I can hone in on habits, lifestyle, etc. with respect to how they use their digital devices.

When selecting a competent digital forensic examiner, experience is extremely important, especially investigative experience.  Experience conducting formal investigations means that examiner has (hopefully) honed the skills of being inquisitive & looking for the truth, which is the most important factor in any digital forensic examination.  Formal education is great to have, but unless you can use that education within a particular field to hone your craft, it really is just a piece of paper hanging on the wall.  Experience in almost any field (except IT) also provides you the ability to work with and learn about people.  Be observant, look at patterns and be inquisitive.  Is there such a thing as a dumb question?  You bet!  But sometimes you can learn from dumb questions too.  Often times, the obvious answer is the one that is never spoken. 

Certification(s)

Last year, I wrote an article on this blog about certifications vs. experience (linked here: http://prodigital4n6.blogspot.com/2015/01/normal-0-false-false-false-en-us-x-none_41.html ), so I won’t beat the dead horse, but I will say that certifications do play a very similar role as formal education in that they demonstrate the commitment to complete a course of study and, normally, the adherence to commonly accepted practices.  I’m currently going through a CISSP study course and, while the information is certainly useful, I’ve noticed that it is also somewhat outdated.  I recognized this with many computer forensic courses too.  Slowly, but surely, they’re coming around to skipping the DOS portion of the course and not really investing too much time in other out-dated mediums like floppy disks, but it takes time.  Meanwhile, that certification could be full of virtually useless information in the modern age.

As someone looking for a competent digital forensic examiner, you should education yourself as to what certifications cover and what they don’t.  The difference between a CCE (Certified Computer Examiner) and a CFCE (Certified Computer Forensic Examiner) are pretty notable, but they both sound good!  I will emphasize a point in my previous article, however – Letters behind your name a great, but they don’t illustrate what you’ve done or anything you’ve accomplished.  They don’t relay any substantive information other than the candidate paid some money to complete a course and did so successfully.  Completion of a course does not equal education in a particular field.

Technical Aptitude

Technical aptitude is not a huge consideration, but it is one to have in mind when selecting a competent forensic examiner.  I’ve participated in courses designed for the “no experience” candidate and it’s quite painful to have to sit through instructors teaching other students with no knowledge of how computers work how to create a folder on the desktop or how to create a text file so we can examine the data in that file.  And there’s more than just digital forensic aptitude.  Competent examiners need to know the components of a computer, how to access them, how they work and what their processes mean in the overall system architecture.  Knowledge of networking hardware and concepts are important too.  If your prospective examiner isn’t at least a little bit of a computer geek. I’d keep looking.
On a different side of the “technical” spectrum is something mentioned earlier and often in this blog – The ability to articulate your processes, findings and conclusions in a simple, understandable way.  If you call a digital forensic examiner looking to hire him to work a case for you and he can’t tell you the tools he uses, what he can and cannot recover for you and use some real-world analogies to draw between the techie side of forensics and the man-on-the-street understanding of forensics, then he will certainly not be able to do that in a court of law. 

Personality Traits

Another collection of intangible assets of a competent digital forensic examiner are their personality traits.  Traits like tenacity and an inquisitive nature (leaving no stone unturned) are qualities that people either have or they don’t – they can’t be taught.  These go right along with critical thinking skills and they are so vitally important to a competent examiner that I would argue they override anything else on this list.  Being able to look at a piece of evidence and ask the all-important questions of who, what, where, when, how – and sometimes why – means you have an examiner that won’t give up until they find everything that could possibly be of value in your case.  For instance, if you are working a child exploitation case and the subject has 300 contraband images on their device, but the overall library is 30,000 legal images, what does that tell you as an examiner or as an attorney?  What does it mean in the overall scope of the case and are you doing justice a disservice by reporting only the contraband images?  Whether a government or private examiner, the truth of the case is what’s most important and the personality of the examiner will dictate whether they have a “check the box” mentality or if their work ethic and desire to get the whole picture will override any laziness or propensity for sloppy work.
Does your examiner have testimony experience?  Does he bore you with overly-technical jargon when you speak to him or does he engage you and help you understand?  Is he likeable, approachable, thoughtful and thorough?  If the answer is no to any of these questions, then I would suggest there are many examiners around the country and they are not all created equally.  Google has all the answers and you’ll probably find a great examiner if you look past the first 3 search hits (the first ones are always paid ads anyway)… or even on page 2 of the search hits!

Conclusions

The selection of a digital forensic examiner could be the most important single choice you make in any given case.  If you are preparing for litigation, the examiner can help point you in the direction you should go as far as strategy.  If you are involved in corporate investigation, the level of thoroughness of the examiner can help forestall any possibility of litigation down the road.  If you’re investigating a divorce or custody dispute, the proper selection of forensic examiner can help get the evidence you need to prove infidelity or bad parenting and help the court decide what may be in the best interest of the family as a whole.  In government, the public safety implications that stem from the appropriate selection of a digital forensic examiner can be larger than any other previous considerations.
It’s hard to put a monetary value on the effective, thorough use of a digital forensic examiner, for indeed, the ripple-effect they can have on a case (good and bad) is hard to measure.  We’ve certainly explored in previous articles how digital evidence is everywhere and attorneys like Craig Ball will echo that sentiment to their colleagues.  But when you whittle down the playing field to the forensic examiner(s) that you choose to represent your (or your client’s) interest best, I hope this guide will serve to help separate the wheat from the chaff.

Look deeper, think more critically, look beyond the letters & degrees, go with your gut, but use your head… Just a little advice from a seasoned Digital Forensic Professional.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Web: www.ProDigital4n6.com
Twitter: ProDigital4n6

Friday, February 20, 2015

Digital Forensics & Mental Health



February 20, 2015

Digital Forensics & Mental Health

As a former law enforcement officer, tactical team member and child exploitation investigator, I’ve certainly seen my fair share of gruesome car accidents, injuries, violence and child victimization.  And while the police generally get quite a bit of attention with regard to the concerns of Post-Traumatic Stress Disorder, seldom (if ever) are the civilian counterparts in digital forensics afforded the same considerations.  I’d like to user this forum to start changing that mindset, if even a just a little.

Background

Soldiers, medics and front-line combat personnel certainly see some of the worst man has to offer.  From wounded comrades to children being used as homicide bombers, the horrors of combat have been well documented throughout history.  One of my personal role-models is Lt. Col. Dave Grossman, whose written works “On Killing” and “On Combat” break down the stigma typically associated with the “John Wayne” and Hollywood imagery of combat and tell the truth about how traumatic combat really is.  From men displaying acts of pure cowardess to defecating themselves, these actions are real, physiological symptoms of operating in a high-stress environment, such as combat.  In civilian law enforcement, it’s often reported that a very high percentage of officers involved in combat situations in which they had to kill or seriously wound another person don’t work in the field much more than a couple of years after the incident.  The very fact that police officers, firefighters & combat soldiers receive hazardous duty benefits means society has deemed their positions not only of higher value than other public servants, but that they also have a high propensity for danger.  This is why I would cringe whenever another police officer would tell me to “stay safe.”  There’s nothing safe about these positions.  If you want safe, go work in a library.

The almost inevitable fallout from working these positions is some sort of psychological damage, most commonly referred to as Post-Traumatic Stress Disorder or PTSD.  While it’s often the butt of jokes from people who have never worked in dangerous situations, it’s also a real phenomenon.  For example, I have two friends & former co-workers who responded to a domestic dispute that turned violent.  The aggressor in the situation grabbed his pistol and began shooting his family members, then at my friends as they arrived at the house in response to frantic 911 calls from the shooter’s family.  One of my friends had to shoot and kill the man who was about to shoot and kill him.  The other friend shot at the man from a distance, but they both delivered deadly force.  This incident occurred over 4 years ago.  One of my friends is still in law enforcement, the other is not, but they bond over the incident and speak to each other yearly as a reminder of how fortunate they are to be alive after that day.

The stress of combat isn’t the only environment where a public safety practitioner can fall victim to the psychological effects of trauma.  As a child sexual exploitation investigator, I would routinely work in an undercover capacity chatting online with grotesque, sick men (yes, they were all men) who consistently talked about doing horrible, vile things to a person they thought was a young girl (age 13) - from rape to incest & marriage to pregnancy.  In addition to those cases, I would routinely attempt to identify and arrest people involved in the trading of child pornography images on the internet.  These images are not of 17 year-old girls, they are of small children, sometimes infants, being bound, drugged, raped, molested and violated in acts you can’t even imagine.  These acts are recorded then traded and shared amongst people with similar interests.  Initially, I would investigate these cases, view only what I had to in order to make the case, then submit the evidence to someone else for digital forensic examination.  As time went on, I became responsible for not only the investigation, but the computer forensics portion of the cases as well.  This meant my exposure increased from a moderate percentage to almost 100% in every case.

Forensic Examiners in the Weeds

In many ways, the forensic examiner has it worse than the investigator.  In order to get a complete picture of the evidence for court, it must ALL be examined, not just the parts that are good enough to make a case.  I recall one case (referenced here: http://prodigital4n6.blogspot.com/2015/01/case-study-commonwealth-v-emanuele.html) where there were not only mountains of child pornography images, but terabytes of adult pornography and bestiality images too.  As the forensic examiner in these cases, once the images are viewed, you can’t un-see them.  Some of them are so vile and disgusting, they make you gag.  These images get emblazoned in your memory for a time and the best thing you can do is take a break from the work and try to let the memory fade.  The repeated exposure to these types of images had an effect on my marriage, my relationships with co-workers, my overall attitude and my desire to keep working.  The argument could be made, much like officers involved in deadly force incidents, that the PTSD effect from repeated exposure to images like this led to my eventual departure from law enforcement.  If that isn’t textbook PTSD, I don’t know what is.  Over the years, I attempted to talk about my haunts with a couple of different counselors, but it’s hard to relay the horror of things to people who don’t even want to know these evils exist.

If you are a digital forensic practitioner and you’re reading this, you may be thinking, that’s what we have hash sets of known child pornography for – so we don’t have to view all of the images.  While this point is very well taken, many cases still require those involved in the process to view and verify the images, regardless if they belong to hash sets of known child victims.  This is also why we show images to judges & juries at trial.  An alpha-numeric string doesn’t adequately relay what the image contains.  Not even close.

Agencies like the FBI do have measures in place to ensure the mental well-being of their agents, especially those involved in child exploitation investigations.  I do not know, however, if the same considerations are offered for civilian forensic examiners employed by the FBI who are unquestionably exposed to more of these images than the agents themselves.  Examiners have to look at it all, that’s the only way we can know what really happened.  I worked at a smaller rural agency who not only didn’t give any consideration to the stress the repeated exposure had on mental health, but denied several attempts for us to join forces with the FBI task force, which would have offered us the opportunity for yearly psychological evaluations and access to counseling.  I’m forced to wonder if this phenomenon is present for other child exploitation task force officers employed by smaller, local and/or rural agencies.  With all the political and monetary capital being fed into national child exploitation investigations and state task forces, how much is being set-aside to ensure appropriate mental health of the investigators AND the forensic examiners, whether they be civilian or sworn?

Conclusion

There is a trend afoot in the world of digital forensics in law enforcement.  The movement is progressing in many areas to transition the role of a digital forensic examiner away from sworn law enforcement officers and move toward an all-civilian digital forensic work force.  Why, you may ask?  To save money.  But what is the cost in terms of human capital when examiners get burned-out, stressed-out, over-worked and perhaps even sloppy because they are exposed to things that most people should never see?  It can be very hard for some people to remain consistently objective under those circumstances.
Perhaps it’s time to consider adding civilian digital forensic examiners to the statutory list of public servants who are afforded certain considerations because of the hazards their job exposes them to.  Do civilian examiners have to kick open doors and handcuff people? No.  But their job on the back-end of an investigation is just as important as the investigator and they are often exposed to much more psychological trauma than investigators.  

The job of a digital forensic examiner isn’t glamorous (despite the new CSI: Cyber series).  It is interesting, challenging, ever-evolving, fascinating and valuable.  I love it no matter who my “client” may be because I get to pursue the truth in every case.  But maybe it’s time for administrators to stop counting beans and start caring about the people doing the work. 

As a close friend of mine who is a retired Trooper once wisely said, the command simply doesn’t exist without the rank-and-file.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Web: www.ProDigital4n6.com
Twitter: @ProDigital4n6