First published April 2005
by Nick Furneaux
For many years, if someone asked what I did for a living, I would have to use an all-purpose description such as I worked in computer security or, even worse, I would just mumble ‘computers’. Now, if I say computer forensics, they say, ‘Oh, like on CSI [a popular TV show], what colour is your Humvee?’ For the first time last month I was asked by someone (who just about knew how to pick up email) how they could get into my line of work, and this both worried and interested me at the same time.
Searching the forums, I find many basic questions by those looking to get into the ‘industry’ or, even more worryingly, asking, ‘I’m just setting up my own business, how do you image a hard drive?’ Is this new trend a good thing or bad thing for our ‘art’?
It was not until I really stopped and thought about not only the complexities of electronic forensics but the consequences of getting it wrong that I became concerned. Can we even begin to imagine the miscarriages of justice that would happen if electronic forensic investigation became the new web design? Just about anyone with a good grounding in computing can stumble their way around EnCase or FTK, but knowing what the buttons do does not make a good investigator. So much more knowledge is needed along with a certain mind-set that takes an investigator in a particular direction or enables them to ‘see’ a line of reasoning or follow a hunch generated through experience.
On the flip side, the industry, both in law enforcement and the private sector, needs new blood: young computer engineers who do understand the new technologies and how people use the Internet today. How can we both attract them and yet control the flow of people to ensure a certain level of competency and protection?
My problem is that I can’t remember when I started in forensics. Although I have been involved with computer security in the corporate sector for a decade I am unable to remember my first investigative toe in the water. I think it was to do with an employee who was deliberately deleting key company files. I certainly remember flying to a meeting on the subject in the Physics Department of The University of Florida back in 1998 and have since worked in the UK, USA and Russia; but does that history make me an expert, a specialist? How can a defence team or a corporate IT department who pay for my services be sure that I know what I am doing?
The industry needs an International Controlling Body and even an industry qualification, as is now appearing for computer security. In the UK, to be ‘approved’ by any of the official or even self-appointed directories of Expert Witnesses you just need to supply proof of work done for two law firms; that’s it! Great, isn’t it? I was recently approached by a law firm that had received a marketing email from my company and that retained me to defend an indecent images case. They handed over all the case notes and made an appointment for me to go to the police and gain access to 3 CDs’ worth of illegal images, and they did this all without checking who I was. This cannot be allowed to continue.
The fact is that if a person walked into my local Law Enforcement HQ and asked for access to case files containing indecent images they would be escorted from the building. However, if the same person flashes one of my business cards and has been sent by a lawyer, or similar, they are ushered in and made a cup of tea.
As another example, I contacted a local Police Force Hi-Tech Crime Unit this week as we have not yet worked with them. The pleasant and helpful officer who replied to my email didn’t ask for references, experience or indeed who the heck I was but was only interested in my day rate. I am very familiar with this reaction and I find turning up in a suit with a notebook computer and an expensive business card is enough to quell their fears. It shouldn’t be enough and is wide open to abuse. My company does all it can to improve the situation by providing references on request, having ID/photo style business cards and registering with key organisations. However, the worrying fact remains that a paedophile could get his fix by setting up as a private forensic investigator defending indecent images cases without downloading a single image himself.
If there was an International Governing Body offering recognised qualifications which could also be based on provable experience, it would be a simple procedure to check up on the investigator you are planning to hire. Businesses could be approved en masse with an ISO/BS style quality and competency standard enabling them to recruit and train new people, bringing new, young trainees into the corporate sector. It would not eliminate incompetence or some tenacious people determined to gain access to illegal material but it would be better than what we have today.
In the US they now have the self-styled IISFA, the International Information Systems Forensics Association (http://www.infoforensics.org/), with their CIFI certification. This is quite a challenging exam and covers all the core elements of computer forensics including Intrusion Detection, Auditing and Countermeasures. This is all very nice but, in my opinion, much more suited to a corporate internal security team, not to a specialist in hard drive or even mobile phone forensics. The other problem is how many of us have ever heard of the IISFA? This ‘International’ organisation has 13 ‘Chapters’ around the world and 11 of those are in the US; the only one in Europe is in Italy. (There are around 20 other certifications available from a variety of reputable sources and, shall we say, ‘others’ as of January 2005.)
With the increase in computer crime affecting the whole world, getting new blood into the forensic investigation of electronic equipment is vital if the criminals are not going to win. Working for law enforcement as a trainee is an excellent and proven way in; however, the numbers are not yet there and we need a defined and ‘safe’ way to recruit, train and hire people to work in this increasingly important arena.
I am not offering to set up the type of body discussed above; I believe it should come from an existing recognised body in the security arena, and even if it did happen, getting companies or law firms to check the register would be yet another hurdle. However, in an industry that can give people access to illegal material and personal information and which can ultimately affect a person’s freedom, more needs to be done to control and protect our industry from gaining a bad name and ultimately to protect the freedoms of the people we represent.
Nick Furneaux – Security and Forensic Specialist