Posted on January 7, 2008
I was just reading that South Carolina may soon require those who offer data forensics as a service to be fully licensed private investigators. I wish that every other State would follow suit.
In college, I started out as a criminal justice major. My criminal justice classes were the only classes that I attended eagerly (and faithfully). Often, the teachers were seasoned investigators who were working for State agencies or at the Federal level. I heard so many horror stories of really evil people getting acquitted due to investigative blunders, such as a poor chain of custody when handling evidence.
I’m not so sure that a private investigator license is what’s needed with regard to ensuring that computer forensic techs properly document and preserve evidence that they collect. I’d (really) like to see a more specific license created to standardize techniques in a more blanket fashion; every system administrator should need to become certified.
Let’s say you’re checking on a web server that’s showing abnormal loads and bandwidth usage. You log in, and you realize that somehow, someone has injected code and you’re now serving pages for the mob, or worse. At this point, you’ve already tap-danced on a digital crime scene simply by logging in, unless you carefully document every single thing that you do. That computer is not your server anymore; it’s evidence. Depending on what the machine was hijacked to do, it may become very interesting to investigators at the Federal level.
When you gather evidence that is to be presented in court, you really have to ensure that you establish a bulletproof chain of custody. Since the evidence is digital and ‘anything can be fabricated’, lawyers are quite often able to inject reasonable doubt by building straw man arguments that suggest it was gremlins who planted the evidence while the computers were in transit to a lab in an unsealed and unlocked truck.
I tried to find a statistic on how many cyber crime cases were thrown out due to botched forensics; I couldn’t find any that agreed with each other. I saw some experts speculating that the botched acquittal rate was as high as 40%, others were gandering at 60%, but didn’t substantiate the number. Regardless, it’s hard enough to prosecute these kinds of things; if your job in any way involves evidence collection – you should be certified.
I guess, in summary, the private investigator license might be a bad idea, but only in implementing a sound (and good) idea. Maybe the folks who brought us SELinux will develop some kind of certification that’s more specific to the industry?