ABOUT US

Launched in 2007, WhiteHatWorld.com is the online resource for key decision makers working in the security industry.

WhiteHatWorld.com looks at all aspects of the security industry, with in-depth analysis, webcasts, whitepapers and targeted regional training opportunities.

Think of WhiteHatWorld.com as your security information gateway!

LATEST NEWS

Jul 30, 2008

WHW Monthly Update - Late-Breaking Computer Attack Vectors
Sponsor: Core Security Technologies
Speaker: Matt Hines

Aug 6, 2008

Vulnerability Management Thought Leadership Roundtable
Sponsor: Qualys, Tenable, Rapid7
Moderator: Mark Bouchard
Panelists: Ron Gula, Tas Giakouminakis, Jonathan Bitle

Aug 13, 2008

Custom Webcast
Sponsor: TriGeo

Aug 27, 2008

WHW Monthly Update - Late-Breaking Computer Attack Vectors


Forensics Showdown - Technologists are on the verge of losing control of the emerging field of digital forensics analysis — the process of scouring data in multiple systems for evidence to be used in legal proceedings.

By Deb Radcliff

WhiteHatWorld Editor

Private investigator (PI) laws in a growing number of states mandate that forensics professionals cannot present evidence in their courts unless they are, or work under, a licensed private investigator. In South Carolina and Texas, forensics practitioners even face criminal fines and jail for violations. Worse, some laws could be interpreted to apply to any organization conducting routine service and assessment operations.

“The way Texas law is written, anyone doing penetration testing and security architecture review could fall under the same rules requiring a licensed investigator to oversee them,” says Rob Lee, principal consultant at Mandiant and track lead for the SANS forensics courses.

State PI laws are already being used to challenge analysis of digital evidence.

As I was uncovering this story for the January issue of Baseline, a case in Texas had already challenged RIAA’s investigative techniques in an illegal downloading case against a little old lady based on an IP address collected at the music sharing site. The RIAA subsequently dropped the case. Other challenges to RIAA’s evidence-gathering techniques are appearing in Oregon, New York, Massachusetts and elsewhere, although no court has ruled under their PI rules.

These cases prove we need controls and definitions on how digital evidence is collected and analyzed so there is consistency and quality control in court proceedings. But putting PIs in charge is crazy. Their careers and training are too different.

Do a keyword search in any state PI database on “digital forensics” and you mostly turn up key loggers and spy-on-your-spouse advertisements. According to Jimmie Mesis, editor and publisher of PI Magazine, most PIs have neither the skill nor the inclination to perform true digital forensics for corporate, legal and regulatory proceedings.

In other words, a typical licensed PI wouldn’t know a bit of slack space (erased, but not overwritten) on a poorly-wiped hard drive from a file folder staring him in the face. (See next month’s overview of federal investigative techniques by former Secret Service agent, Keith T. Schwalm.)

Conversely, it is not possible to quickly infuse geeks with the several years of gumshoe, dumpster-diving investigative ways of PIs. Should the laws be upheld, there will be a dearth of experts with the right combination of PI and digital forensics skills.

Steve Abrams, a licensed PI, certified forensics examiner and licensed attorney in New York and South Carolina, represents one of the handful of those who could meet the professional requirements, should these laws be upheld. As a member of the forensics committee in the South Carolina Law Enforcement Division (SLED), he’s also had a large part in creating requirements for South Carolina.

Despite how it looks, Abrams says his motivation is to get badly analyzed digital evidence out of the court systems where he sees it all too often.

Aside from the RIAA cases, a good example of bad digital evidence going to court would be computer evidence used in a rape charge against Naval Academy MVP football player Lamar Owens.

In this case, evidence was easily disputed because the IMs leading up to the event were not preserved in their original form. The dialog between claimant and accused was copied and pasted into a Word file (which could easily have been modified) by the claimant’s boyfriend, who provided printouts. Because of delays by NCIS in obtaining the computers involved, the original files on both computers had been overwritten. This meant there was no way to corroborate the evidence.

The weight of the evidence was disputed, but it was still allowed, notes Lee. He adds that until the skills gap is filled, judges will have to accept evidence presented by unlicensed agencies and weigh it accordingly. Otherwise all cases would have to halt until enough PI-licensed forensics experts like Abrams can fill the gap — or independent licensing bodies can be created.

In April, forensics industry and professional associations including the HTCIA (High Tech Crimes Investigative Association), the ISFCE (International Society of Forensics Computing Examiners) and others petitioned the North Carolina Private Protective Services Board as it was outlining digital forensics requirements. The goal was to convince the board of the differences between the forensics and PI professions and to appeal for time to set up a state forensics board through forensics professional associations.

A national licensing body would be ideal, says Toby Finnie, founder of the 1800-member High Tech Crime Consortium (HTCC), which presented in North Carolina. Unfortunately, she adds, states aren’t likely to accept federal regulation, so computer forensics representatives have no choice but to go state to state.

Did the April appeal make a difference to the North Carolina board?

“It remains to be seen,” says Finnie, sounding tired. “We provided valuable input and let the board know we’re available for follow-up. But it’s hard to know how they’re going to respond.”

*Disclaimer: Radcliff also does freelance editing for the SANS analyst program, although she’s had no direct dealings with Lee in this endeavor.

List of state statutes:

http://www.crimetime.com/licensing.htm

FUN STUFF

It is said that the ability to make and understand PUNS is the highest level of language development. Here are our favorite 5 as submitted by you!

1. A vulture boards an airplane, carrying two dead raccoons. The stewardess looks at him and says, 'I'm sorry, sir, only one carrion allowed per passenger.'

2. Two fish swim into a concrete wall. The one turns to the other and says, 'Dam!'

3. Two hydrogen atoms meet. One says, 'I've lost my electron.' The other says, 'Are you sure?' The first replies, 'Yes, I'm positive.'

4. A group of chess enthusiasts checked into a hotel and were standing in the lobby discussing their recent tournament victories. After about an hour, the manager came out of the office and asked them to disperse. 'But why?' they asked, as they moved off. 'Because,' he said, 'I can't stand chess-nuts boasting in an open foyer.'

5. Frankly my dear scallop, I don't give a clam who is responsible. It’s a crappie situation and the story just smelts fishy to me.
