Sunday, June 15, 2008

Computer Forensics Examiners: To License or NOT.........

I have been reading a great deal of articles concerning the trend that some states are taking to require Computer Forensics Examiners to be licensed as a Private Investigator before they can commercially offer this service. I have to admit that I have mixed feelings about this.

First, let me say that I am a licensed Private Investigator, so one might assume that I would be all in favor of this type of requirement. Of course this would be an ASSumption, and it would be incorrect.

While on one hand I will say that computer forensics is a type of investigation since it's results are going to be used in court by it's very definition, there may be an argument as to why a person would need a Private Investigator's license to perform this service.

On the other hand, are these same states that are requiring that a Computer Forensic Examiner have a P.I. License going to require EVERY expert witness that has to go over specific case details, run tests on evidence, interpret these test results, and report on them to have a P.I. License? In the truest sense of what an Expert Witness is supposed to do, he or she is performing a type of investigation also. Will tire tread experts now have to have a P.I. License?

There is a larger consideration to make here also. A P.I. License does NOT make a person a competent Computer Forensics Expert. There are Private Investigators right now that have less than 5 years of Computer Forensics Examination experience that are going into court and testifying on their examination results that would not know the difference between a yellow and a black hardware write-blocker from Tableau. Think about the implications here. By requiring Computer Forensic Examiners to have a P.I. License, there would seem to be a limiting effect on the quality of Computer Forensics Examiners made available to the defendant's attorney. What about the people that have been in the business of conducting Computer Forensic Examination for 10 and 15 years, like Dan Farmer and Andrew Rosen? I could not imagine being charged with a serious computer crime, and wanting to be able to hire the very best Computer Forensics Examiner I could find like Andrew Rosen, and instead having to settle for a Private Investigator that only 5 years ago could not even figure out how to turn his computer on. I don't want to hire a Computer Forensic Examiner that BOUGHT a certification, I want to hire the Examiner that wrote the program that these certifications are being brought from. I don't want to have to sit through some P.I.'s "guesswork" as to what might have occurred on my computer, I want to be communicating with someone that can tell me what happened on my computer and that he can actually prove it. Maybe it is just me, but I feel that this new legislation that some states are passing that require Computer Forensics Examiners to have a P.I. License is not very well thought out.

If these states that are now requiring Computer Forensics Examiners to have a P.I. License would have given it a little more thought, they may have found that requiring a separate state certification to offer Computer Forensics Examinations might have been the wiser way to go.



Ricky B. Gurley Best Cyber Investigator


4 comments:

Anonymous said...

Nice to hear from you again..

Rick I am surprised at you, listing all of those "canned" excuses for computer forensics examiners/investigators NOT to be licensed. Every item you mentioned are the propaganda items by those folks in our field who just can't qualify for a PI license. How mnay have criminal histories? Did you ask them? How many have investigative experience and training? Did you ask them?

I was also surprised by your expert witness descriptions...many expert witnessess ARE licensed in their field and they have to be. YOu need to understand the concepts of "factual witness" and "expert witness." Post investigation, post case evaluators, are often referred to as expert witnesses, doing post case reevaluations for expert opinion NOT INVESTIGATIONS.

An unlicensed expert witness will indeed be challenged if he does an investigation as defined by law. A factual witness is part of the first steps of the evidence building case, and that's what many computer forensics examiners what do....an investigation.

Don't defend the unlicensed computer forensics examiners...the consumer needs the "protection" from the fraud that has been getting publicity, and the fraud is happening. Call me if you need some examples.

PS: By The Way----Andrew Rosen...is a Texas Licensed Investigator, because it's the law, the right thing to do, and the professional thing to do. And you mention ANOTHER SPECIAL license JUST for the unlicensed computer forensics people......boy are they arrogant to want that? How specail do they really think they are because they know how to use a computer to find data as evidence on another computer or device.

Who is going to pay for that special license? If someone wants the best unlicensed computer forensics investigator, they are rare these days, then there are exceptions such as making the "unlicensed one" a W-2 employee of a PI or an attorney to get in that way. The PI licensing concept is for consumer protection, not our protection.

It's kind of sad when you gave that example of a licensed PI with computer forensics training who is not so good, thus a PI license does not quarantee a good computer forensics examiner. That's failed logic.....a license to practice law does not guarantee a good lawyer. A licensed Barber does not guarantee to good hair cut.

Don't sell the PI profession short and don't give in to the unlicensees out there. They want the easy way out, because in my experience the ones who whine the loudest about this CAN'T QUALIFY FOR A PI LICENSE!!!!

K. Stockham
Licensed Comp.Forens. PI
Modesto, CA

Anonymous said...

Sounds like someone has an agenda to limit his competition because he is one of those truly able to easily qualify for both types of work.

The knowledge required for a Private investigator's license is knowledge that is almost completely irrelevant in any fashion for the work of a computer forensics expert. And the same is most certainly true for the reverse. Where is the logic in requiring they share a licensing system?

I'm all for licensing, don't get me wrong. But the licensing needs to make sense and be truly in the public's interest.

In most states, the PI licensing requirements are geared towards ex-cops and military. How does that make sense in any fashion for the computer forensics expert? Further, by licensing computer forensics experts as PIs, you are allowing them to do ALL of the work PIs are licensed to do, including work that is way way out of their area of expertise. How exactly does that protect the public's interest?

I currently hold exam based certifications regarding computer forensics from 3 different professional organizations that provide education and standards certifications in this field. Thankfully I live in a state that has not seen fit to pass a law that requires me to seek a license in an area far outside my expertise in order to conduct my business. The certifications I hold, and keep current, are a far greater evaluation of my expertise than whether I hold a state PI license.

The two disciplines are so far from each other that to say they must share the same licensing and requirements is like saying a CPA must pass the bar exam instead of his state accounting boards.

To say they should be licensed the same way, is to ignore the very fundamental facts that make them each unique fields.

Push for smarter licensing requires that recognize the vast difference between these two fields of work.

Anonymous said...

Read your article. I think it is really interesting. I am glad there are people like you who are willing to share their knowledge on Computer Forensics with others. Looking forward to more posts like this from you soon.

Benjamin Wright said...

Rick: Texas PI/forensics legislation is causing problems for robo-cop traffic enforcement. A Texas judge said the company running a red-light camera was acting illegally because it did not have a private investigator license. On the basis of this ruling, motorists are challenging traffic tickets. See deails: http://legal-beagle.typepad.com/wrights_legal_beagle/2008/12/e-discovery-forensics-private-investigator-license-for-computer-data-collection-and-assessment.html --Ben