Private Eyes Again

In May 2006 I wrote Avoid Incident Response and Forensics Work in These States after reading a great article by Mark Rasch about states requiring some digital forensics consultants to have private investigator licenses. One of my colleagues pointed me to a new article titled,1540,2242720,00.asp by Deb Radcliff. From the article:

Under pending legislation in South Carolina, digital forensic evidence gathered for use in a court in that state must be collected by a person with a PI license or through a PI licensed agency...

Otherwise, digital evidence collected by unlicensed practitioners could be excluded from criminal and civil court cases. Worse yet, those caught practicing without a license could face criminal prosecution...

South Carolina isn't alone in considering regulating digital forensics and restricting the practice to licensed PIs. Georgia, New York, Nevada, North Carolina, Texas, Virginia and Washington are some of the states going after digital forensic experts operating in their states without a PI license...

All but six states have PI licensing laws on the books, according to Jimmie Mesis, publisher of PI Magazine, 32 of which could be interpreted to include digital forensic investigators. While their languages differ, these licensing laws essentially consider a PI to be anybody engaging in the business of securing evidence to be used in criminal or civil proceedings...

Sounds scary so far. I take comfort in the following:

Computer forensics is more often used as an internal investigatory tool. In other words, probes and evidence collected inside the firewall stay inside the firewall. In these cases, none of the proposed or existing state laws requiring PI licenses apply. That is, until the case spills outside the enterprise domain—to a partner network or an Internet service provider, for instance.

At this point, most organizations should be turning investigations over to law enforcement or licensed PI agencies anyway, [Steve] Abrams [a licensed independent PI and computer forensic examiner based in Sullivans Island, S.C.] says. Maybe so, but history doesn't support Abrams' perspective, and IT experts and forensic consultants say most enterprises would rather keep their investigations quiet than risk public disclosure by going to law enforcement.

So those of us who perform forensics for our employers should be safe. Consultants, on the other hand...

At greater risk of exposure, however, are security and network management service providers, which often conduct investigations on behalf of their clients. In this case, they would be considered PI firms and need licensing in a majority of states, confirm Abrams and others.

Beyond a PI license, there's also certification to contend with:

States are looking to the failed Nevada legislation as a model for defining these qualifications. The attempted revision to the proposed statute defined a digital forensic professional as "a person who engages in the business of, or accepts employment using, specialized computer techniques for the recovery or analysis of digital information from any computer or digital storage device, with the intent to preserve evidence, and who as a part of his business provides reports or testimony in regards to that information."

Nevada's [failed] qualification guidelines include 18 months' experience, a Bachelor's degree in computer forensics, and a Certified Computer Examiner (CCE) credential or its successor equivalent. South Carolina won't have a requirement for any particular degree, but will require minimal training, CCE certification and annual continuing education to remain licensed, according to Abrams.

At present, the CCE is the most recognized forensic certification available to the private sector and the only one open to the private sector being considered in state PI licensing laws.

I never heard of the CCE until today. Getting the cert sounds easy:

The initial CCE process consists of a proctored online multiple choice question and answer examination, the forensic examination of a floppy diskette, the forensic examination of a CDR disk and the forensic examination of an image of a hard disk drive. An 80% or better average score is required to complete the process...

The primary purpose of this certification is to measure if the applicant understands and uses sound evidence handling and storage procedures and follows sound forensic examinations procedures when conducting examinations...

[M]ost of the grade is based upon following sound evidence handling and storage procedures and following sound examination procedures, not simply recovering the data. An 80% total average score will be required to obtain the Certified Computer Examiner (CCE)® certification. Do not assume that we know your standard operating procedures. Your grade will be based solely upon what you have written in your reports and the exhibits that you provide.

The fee for taking the entire process is $395.

We had some good commentary in May 2006. Does anyone have any comments on this update?

Anonymous said…
Hi Richard,

That's the case in Singapore where I am based working for I-Analysis Pte Ltd. As we gather evidence for potential civil or criminal proceedings we fall under the Private Investigation and Security Agencies Act. This was made known to us by a law firm that hired us to gather evidence for their client.

2. —(1) In this Act, unless the context otherwise requires —

"company" means —

(a) a company incorporated pursuant to the Companies Act or pursuant to any corresponding previous law; or

(b) a company or other body incorporated outside Singapore;

"licence" means a private investigator’s licence or a security guard agency’s licence, as the case may be, granted under this Act;

"licensee" means the holder of a licence;

"licensing officer" means the licensing officer appointed under section 4 and includes an assistant licensing officer appointed under that section;

"private investigator" means any person (whether or not he carries on any other business) who exercises or carries on or advertises or notifies or states that he exercises or carries on or that he is willing to exercise or carry on or in any way holds himself to the public as ready to undertake any of the following functions:

(e) securing evidence to be used in civil or criminal proceedings,

on behalf of any other person and for or in consideration of any payment or other remuneration (whether monetary or otherwise);

There is no provision for technical credentials such as certifications, however the police audit each application prior to granting the licence.

If I am not wrong, there is a specific provision excluding employees performing such tasks for their employer as part of their employment however I can't seem to find the reference at the moment. This would be similar to what you wrote about in your post.

The Law Society in the UK has a list of recognised experts but how they are judged to have sufficient knowledge to be accepted as experts I am not sure.

hogfly said…
I obtained the CCE a few years ago while pursuing my degree in computer forensics and I'm up for recert right now. Every two years it's required that the examiner perform one examination if you meet education requirements during the two year period or perform a number of examinations that have been documented. The original testing was not too bad. The CCE is the only vendor neutral cert that's worth getting right now when it comes to the private sector.

The CCE list is the most worthwhile part of getting the cert IMO. There's a lot of intelligent discussion and the PI issue has been discussed time and time and time again. I suspect the CCE is looked upon favorably due to the fact that it originated in Georgia. The Southeast Cybercrime summit is put on by Kennesaw State U. - and is heavily attended by CCE's.

Michael Dundas said…
The company I work for is in Canada. My group does forensic investigations on behalf of ISPs. In most cases this is network forensics. Our customers are ISPs around the world with a fair number in the United States. Wonder how these laws apply to investigations that are done remotely? I'm guessing they don't, as there would have to be some sort of International agreement. But I'm not a lawyer, so I will have to look into it.

Anonymous said…
The reality of the situation is I have tried since June 2005 to get my PI license to allow me to eventually perform computer forensic work for the public in SC. HOWEVER what I have found is the process is very difficult. Mr. Abrams is in a very unique situation - he's a computer expert & lawyer. Also in June/July 2005 office personnel at SLED Licensing did not even return my phone calls or faxes when I inquired about performing computer forensic work and steps I would need to take to be properly licensed.

In SC to become a Licensed PI you must be a PI apprentice for 3 years (BS or MS exempts 1 to 1.5 years). Most PIs are not up-to-speed with computer forensics and want you to perform surveillance and tracking of individuals in order to meet the 3 year requirement. I have documented contact with 22 PI agencies in my area and they either "already have it covered with their 'tech guy'" or they are not interested in this area. Likewise I'm not interested in taking pictures of people and following them into unknown areas.

So far it's simply been frustrating. When I read the Baseline article I probably side with John Mellon - there needs to be uniformity in the computer forensic licensing field; in the meantime we'll probably have some form of the Nevada proposal in SC shortly. And I think there could be merit to having a separate state licensing board for Information Security & Computer Forensics. It would be good to see the CISSP (as an example) be elevated to a state licensed professional.

Recently I took the online practice test for the Certified Computer Examiner (CCE) test. Extremely simple test if you have any forensic experience. There is a separate hardware self-assessment practice test - if you have cracked open a PC before you should ace it. I truly hope the certification (Q&A + Practical) is challenging enough to weed out the "PC Magazine Experts".

In any case, today I signed up for the Certified Computer Examiner (CCE) exam and class. I wonder if we'll see the number of CCE certifications significantly increase? This must be good for their business!

Anonymous said…
The CCE is the only vendor neutral cert that's worth getting right now when it comes to the private sector.

hogfly, what do you think of the GCFA cert? I am considering going for that one this year.

hogfly said…
I have a few problems with the GCFA.

First - SANS removed the requirement for a practical. It's a paper test now unless you go for "gold".

Second - It's based largely on Helix and Sleuthkit/Autopsy. Not entirely vendor neutral is it?

Third - It doesn't test against procedures - which is really what forensics hinges on. Bad procedures equals bad outcome.

I don't see much else that's wrong with it though.

Clay Boswell said…
SC is in process of removing the PI requirement for digital forensics.

Clay Boswell, GCFA, CISSP, PI said…
SC is well on its way to exempting those in Computer Forensics & Network security from being licensed Private Investigators (PIs).

This measure has made its way out of the subcommittee and is on to the full senate for approval; the next step would be to pass the SC House (and it appears that will happen.)

I think there needs to be some standard for the profession set to protect public interest and keep unskilled PC techs from mishandling evidence. Just not sure what the right balance of oversight would be at this point.

On the other hand, I went through the process and now have a full PI Agency License so I guess it proves anyone can do it.