"Expert vs. Expertise" - Computer Forensics and the Alternative OS
by Melisa LaBancz-Bleasdale - IT Journalist - Thursday, 31 July 2003.
Dave explains, "There are a lot of civil and criminal issues that could come into play if an untrained person (let's use a sysadmin) was to conduct a forensic examination. For example: The sysadmin identifies user X on their network who is downloading child pornography. The sysadmin shows the evidence to his employer, who then transfers the evidence to senior executives. User X is fired on the spot and escorted out of the building. Several issues occur here: Are you sure the files are there? Are you sure you got the right user? How about User Y borrowing User X's machine for a while? As for the emailing of the evidence to people within the company, the sysadmin has just unknowingly committed distribution of said illegal materials over the network, and there is a distinct possibility that the wrong user was fired and the corporation will be facing an embarrassing lawsuit.

Another example: The sysadmin identifies a user doing something very unseemly such as threatening another employee via email. However, because the sysadmin is untrained, he contaminates the evidence. Now, someone in law enforcement has to figure out a way around the contaminated data to continue with the investigation."

Computer forensics in the hands of a properly trained investigator can prevent these issues by providing detailed facts regarding the origin of the illegal material and accurate identification of the user responsible. It can also preserve the digital evidence for use in pressing charges, following best-practice, court-upheld standards.

There has been an upsurge in the number of computer forensics experts in the security field. This is especially apparent in the consulting industry. Wondering what the major differences were between a forensics consultant and a law enforcement investigator, I again went to Dave for answers.

"The difference between corporate and law enforcement is the training the individual examiner has received. In my opinion, the Federal Law Enforcement Training Center (FLETC) has the best training anywhere but it's for law enforcement only. I have seen numerous seminars/conferences which charge a good sum of money and give inadequate training."

It's important to note that there are also numerous highly qualified forensics investigators available to assist with critical cases and successfully preserve evidence for trial. There are also several reputable courses taught nationwide through vendors and consultancies that are able to prepare investigators to face complex investigative circumstances.

A word of caution to anyone in need of computer forensics expertise: check references! All reputable forensics firms, including vendors with professional services divisions and independent investigators, should be able to provide a list of customers and/or references that can bolster their claims. While details of actual cases solved will be highly confidential, the reputation and collective expertise of the investigators should be readily apparent. Past accomplishments, professional organizations, client references and provable experience are crucial to making the proper hire.

Compromising data and utilizing unproven forensic methodology can do much more damage than the crime itself. Choose your investigators with the same common sense that you would use to choose your surgeon.

Dave elaborates, "In my day to day dealings with people, 90% of computer forensics experts have never seen or touched a Unix system. There are a bunch of reasons for this: most due to the lack of official training in this environment. Most experts deal with Windows because it's easier to understand. Taking several courses in a subject does not make a person an expert.

To give you an example of where experts fail with expertise: a federal investigator was told to image a single-drive Windows 2000 server. Instead of creating a digital image of the physical drive, he converted the file system from FAT32 to NTFS, then made a logical backup of the drive. By his actions, he had destroyed the original evidence and damaged my case. Standard procedure would have been to boot from a controlled floppy, create a physical image of the drive and send it to another hard drive without writing a thing to the victim drive. I would not term this person an expert by any means; however, his title and rank indicate that he is.

I also know of a government employee who is a self-proclaimed forensic expert. It says as much on his email signature block. This person has never actually conducted an investigation. However, he did take numerous courses on the subject and he has an excellent resume. A classic case of expert vs. expertise."
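The procedure Dave contrasts with the botched backup (a physical, bit-for-bit image of the drive written to a separate evidence drive, with nothing ever written to the original) is what a controlled acquisition looks like in practice. The following is an added illustration, not code from the article or from anyone quoted in it: it images a source device with dd, records hashes of the source before and after and of the image, and runs against a constructed sample file standing in for the drive. The device paths, case id and evidence directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): physical acquisition of a
# source device to an image file on a separate evidence volume, with hashes
# recorded before and after so the image can be shown to equal the original.
# Device paths, case ids and directories below are placeholders.

# acquire_image SRC DST_DIR CASE_ID
# Reads SRC bit-for-bit (dd only ever opens it for reading), writes
# DST_DIR/CASE_ID.dd plus a log, prints MATCH and returns 0 only when the
# source hash before, the source hash after and the image hash all agree.
acquire_image() {
    src="$1"; dst_dir="$2"; case_id="$3"
    img="$dst_dir/$case_id.dd"; log="$dst_dir/$case_id.acquisition.log"
    [ -r "$src" ] || { echo "cannot read source $src" >&2; return 2; }
    [ ! -e "$img" ] || { echo "refusing to overwrite existing image $img" >&2; return 2; }
    before=$(sha256sum "$src" | cut -d' ' -f1)
    # bs must equal the sector size (512 here): conv=sync zero-pads a short
    # final block, which would change the image length (and hash) otherwise.
    # conv=noerror keeps reading past a bad sector instead of aborting.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    after=$(sha256sum "$src" | cut -d' ' -f1)
    imghash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "case=$case_id date=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src image=$img"
        echo "sha256_source_before=$before"
        echo "sha256_source_after=$after"
        echo "sha256_image=$imghash"
    } >>"$log"
    if [ "$before" = "$after" ] && [ "$after" = "$imghash" ]; then
        echo MATCH
    else
        echo MISMATCH; return 1
    fi
}

# Constructed stand-in for a real drive: 8 sectors of 512 bytes. The second
# half holds remnants no live file references, the kind of data a logical
# backup of the file system silently leaves behind.
make_sample_source() {
    {
        printf 'FILE:report.txt '; head -c 2032 /dev/zero | tr '\0' 'A'
        printf 'DELETED:draft.txt'; head -c 2031 /dev/zero | tr '\0' 'B'
    } >"$1"
}

work=$(mktemp -d)
make_sample_source "$work/sample_drive.dd"
acquire_image "$work/sample_drive.dd" "$work" CASE-0001
```

On a real acquisition the source would be a block device such as a placeholder /dev/sdX opened from a controlled boot environment, and the evidence directory would sit on a different physical drive; the log file is what ties the recorded hashes to the case.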
