Tuesday, May 02, 2006

Avoid Incident Response and Forensics Work in These States

Here's an informative and scary article titled Forensic Felonies. It warns of a new Georgia law that may require incident response and forensics investigators to be licensed private investigators. Article author Mark Rasch notes:

Georgia is not the only state that requires private investigators or private detectives to be licensed. Indeed, the Georgia law is in fact modeled after similar laws in California, Arizona, Utah, Nevada, Texas, Delaware, and New York – just to name a few. In each of these cases, the law requires that a person providing the defined "investigative" services for remuneration be licensed in that state as a Private Investigator.

Good grief. This has to be promoted by criminal elements. What a great way to keep security experts from helping identify and remove threats? It's probably also a play by the Private Investigator community to get their hands on more security work. That's similar to an argument I heard from a lawyer once that all security investigations should be run through law firms. That would be the only way to keep findings from prying eyes, thanks to attorney-client privilege. Again, another way for a non-technical party to make money from a technical problem.

Has anyone else encountered this issue?


Anonymous said...

I've been keeping a close watch on this since I'm sure it will come to my state (Ohio) at some point. My question with the Georgia law is, wouldn't this apply to journalists as well?

According to the article, "a Private Investigator is any person who is in the business of obtaining or furnishing, or accepting employment to obtain or to furnish, information with reference to..." with the list being things like crimes, wrong doings, etc.

Journalists, especially investigative reporters, are hired to obtain information on criminal acts.

WN said...

I asked Rasch about this but didn't get an answer: I can't find in the Texas statutes where it says this. The only reference I can find specifically excludes digital evidence.

IF it's on the books, nobody seems to know about it. If I get some time, I might ask the Texas Office of the Attorney General.

Anonymous said...

Add South Carolina to the list of states that require a PI license for computer forensics examiners. See the first Q&A in the faq at:


The full SC Statute is at:


Is there anything that can be done to stop this trend? Or do we all need become PIs?

So will a PI license become the "ultimate certification", and add more fuel to the fiery debate about the value and/or legitimacy this certification vs that certification?

Chris_B said...

Not entirely sure this is a "bad thing". If the idea is that a person who presents evidence in court on the matter of computer crime should have an accepted legal certification, is the PI such a bad model?

As it stands right now, a "computer expert" can be a complete snake oil salesman and since they have no "license" to revoke, can keep on selling wherever they go.

Richard Bejtlich said...

Right now the court can decide whether someone is an expert. It also depends for whom the "expert" testifies. Why should a computer professional need a PI license when a scientist or engineer does not? The PI license has no bearing whatsoever on the effectiveness of the forensics.

Anonymous said...

Minnesota requires this too.

Gal Shpantzer

shadow said...


I agree with you 100% that PI and Forensics are NOT related. Really getting sick of seeing other industries lobbying for laws to be created so they can attempt to steal work from security professionals. This stinks of the same crap they are pulling in the UK outlawing security tools.

Anonymous said...

The reality of the situation is I have tried since June 2005 to get my PI license to allow me to eventually perform computer forensic work for the public in SC. HOWEVER what I have found is the process is very difficult. Mr. Abrams is in a very unique situation - he's a computer expert & lawyer. Also in June/July 2005 office personnel at SLED Licensing did not even return my phone calls or faxes when I inquired about performing computer forensic work and steps I would need to take to be properly licensed.

In SC to become a License PI you must be a PI apprentice for 3 years (BS or MS exempts 1 to 1.5 years). Most PIs are not up-to-speed with computer forensics and want you to perform surveillance and tracking of individuals in order to meet the 3 year requirement. I have documented contact with 22 PI agencies in my area and they either "already have it covered with their 'tech guy'" or they not interested in this area. Likewise I'm not interested in taking pictures of people and following them into unknown areas.

So far it's simply been frustrating. When I read the Baseline article I probably side with John Mellon - there needs to be uniformity in the computer forensic licensing field in the mean time we'll probably have some form of the Nevada proposal in SC shortly. And I think there could be merit to having a separate state licensing board for Information Security & Computer Forensics. It would be good to see the CISSP (as an example) be be elevated to a state licensed professional.

Recently I took the online practice test for Certified Computer Examiner (CCE) test. Extremely simple test if you have any forensic experience. There is a separate hardware self-assessment practice test - if you have cracked open a PC before you should ace. I truly hope the certification (Q&A + Practical) is challenging enough to weed out the "PC Magazine Experts".

In any case, today I signed up for the Certified Computer Examiner (CCE) exam and class. I wonder if we'll see the number of CCE certifications significantly increase? This must be good for their business!

Anonymous said...

Computer Forensics licensing is the only way to clean up the profession. Of course it's going to be hard to get a PI license, because of the basic investigative skills needed to do investigations INCLUDING computer forensics investigations. Stop asking for the license free high tech journey. If you get caught on a case...your problems will go beyond your control. Other professons...engineers, scientists...most already have licensing. Investigative Journalisits....they are W-2 employees or free-lancers who are not looking evidence on cases, but are looking for material to write about. The public deserves protection from unlicensed professionals. What makes computer investigations special....NOTHING. Computer Forensics is a science? Hah Hah hah. What a bunch of propaganda! Get licensed or get caught