Earlier this year, Forensic Focus conducted a survey of its members to find out a bit more about them, their roles in the industry, and common challenges facing digital forensic practitioners today. Below is a brief run-down of the results.
First of all, some demographic details. The majority of our members are situated in either the USA (36%) or the UK (22%). Other countries represented include Australia, Belarus, Belgium, France, India and Poland. 89% of respondents were male, and 11% female.
Law enforcement was the most popular sector, with 39% of respondents; slightly behind it at 35% were people working in the corporate sector. Among those who answered ‘Other’ were retired people, consultants, and individual freelancers. The vast majority stated their position as ‘Analyst’, with ‘Technician’, ‘Director’ and ‘Manager’ closely behind.
We also asked respondents about how they had entered the field in the first place. The most popular answers to this question were ‘After studying a related discipline’ and ‘Career move from law enforcement’. Several people reported having ended up in digital forensics almost by accident, with quotes like “After handling incidents in the past, I inadvertently created a new role for myself” being fairly common.
Moving on to the challenges faced by digital forensics examiners, the most common was encryption and anti-forensics techniques. The volume of data in each case was another important challenge, as were a lack of training and insufficient funding or resources.
ISO 17025 being a hot topic in digital forensics at the moment, we also included a few questions about this and its usefulness in investigations.
Interestingly, 42% of respondents said their organisations were not planning to attain ISO 17025 accreditation, with only 12% giving a definite ‘Yes’. However, 62% said they either agreed or strongly agreed with the statement “A formal means of standardisation is necessary for the digital forensics community”. This demonstrates that the industry agrees on the need for standardisation as a concept, but that ISO 17025 might not be the best way to achieve it.
Only 1.75% of people believed strongly that ISO 17025 would help their organisation’s processes or prospects, and only 2.7% said they thought the standard covered all necessary aspects of digital forensics standardisation.
We then asked people to share their thoughts on ISO 17025 in particular, and standardisation in general, in a freeform comment box. Common responses included:
- ISO 17025 is too expensive and this money could better be spent elsewhere, for example on training.
- Tool vendors should be responsible for validation, rather than each group of users having to do so independently.
- In the UK, police forces are being given different advice about, and assessments for, ISO 17025, which seems to defeat the object of standardisation.
- Digital forensics moves too quickly for a standard such as ISO 17025 to keep up.
Some of the more in-depth comments included the following.
“ISO 17025 should have been driven from the centre and should not each force an organisation to spend considerable time and effort to get to a place where it is obvious people need to be employed simply to be administrators and checkers. At the moment valuable time is spent not processing case work but checking others’ work or following a tick-box regime rather than empowering people to think for themselves, solving problems in a logical way appropriate to the investigation in hand.”
“It is being massively interpreted across the public sector. It is supposed to set standards, however, to reach those new standards, inconsistent procedures are being put into place. ISO is seen by many as purely a money-making exercise and is not respected by a lot of colleagues. Where law enforcement is concerned, it has massively increased the time taken to examine an exhibit, with little or no benefit in return.”
“It is liable to create too much emphasis on having the accreditation, which organisations are spending an obsessive amount of time on, in turn neglecting the core role of doing digital forensics. As long as protocols are adhered to within the law of the land then that should be sufficient. The evidence test in a courtroom will NOT be whether you have the ISO standard! A digital forensic investigator whose organisation has ISO will likely achieve same/similar results to a DFI who does not have ISO.”
The final section of the survey allowed respondents to share their views about digital forensics in general, and to raise any important points that had not come up so far. This drew some interesting responses, including comments that most digital forensic events cater to criminal rather than civil matters:
“I would like to see some more distinctions drawn between forensics as it applies to criminal vs. civil matters. Every time I attend an event, I’m struck by the dichotomy, and frankly, how little of what is discussed applies in the civil sphere – to the point that it’s close to being a waste of time. I guess what I’m trying to say is that they’re very different areas, and next to nothing is catered to the civil side.”
The high cost of forensic tools was also a point of contention, with one respondent pointing out that this cost gets passed on to the client, meaning that fewer people employ forensic analysts than perhaps should.
Gender bias in digital forensics, which has been the subject of several talks and panel sessions at recent conferences, came up as a challenge in the survey.
“Still experiencing gender bias when asking for training dollars, the men typically get approved throughout the year, the women typically receive a single approval each year. It’s maddening.”
In summary, then, it seems digital forensics still has quite a way to go in several areas, from standardisation to gender bias. But on the whole people had positive things to say about the industry, and work is being done in several different areas to address such challenges as triage, encryption and accreditation.