The flaw in modern cyber forensics

There is no question that cyber forensics is a hot topic. Cell phone forensics, PC forensics, and other device forensics are all in demand. Not only are more and more law enforcement agencies getting their own forensics detectives and labs, but more private firms are involved in forensics now. And there are some amazing tools. I have used Encase, FTK, OSForensics, Oxygen, and others. Every year each tool seems more packed with features, and many are remarkably easy to use.

But there is a problem, and one I am seeing in both my training and my forensics practice. That problem can best be described by considering other aspects of forensics. If I introduced you to a person, let's call him John Smith, and told you he was a forensic accountant, I bet you would assume he was a CPA, had an accounting degree, and had several years of accounting experience before concentrating on forensic accounting. And you would be correct. If instead I informed you that Mr. Smith performed blood and DNA forensic analysis, you would naturally suppose he had a background in biology and chemistry. And you would be right. If I suggested to you that we take someone with no biology or chemistry background, give them a couple of weeks of training, and have them perform DNA and blood forensics, you would laugh at me. If I told you we should take someone who had never even taken basic accounting courses, give them a few weeks' crash course, and call them a forensic accountant, you would think I had gone mad.

However, that is exactly what is happening in cyber forensics, in both law enforcement and the private sector. Frequently, people with no computer science background and not one year of experience in any IT discipline get training in basic procedures and one of the popular tools, and are now performing cyber forensic investigations without any solid foundation in basic computer science. I have seen this in private sector forensics in everything from small private investigation firms up to some of the larger forensic firms. I have seen it in law enforcement from small local departments to major agencies. And it is a major problem.

I am not suggesting you absolutely must have a computer science degree to do cyber forensics. I am suggesting your background should include a thorough understanding of basic hardware, operating systems, and networking technology: something equivalent to a minor in computer science, or perhaps the CompTIA A+ and Network+ certifications. And I consider these just the basic requirements, by no means ideal. Now, if you find yourself already practicing forensics, either in the private sector or in law enforcement, my advice is that you go back and correct the gaps in your knowledge. Learn basic hardware, networking, and operating systems.

About the Author:

I am a computer scientist, inventor, consultant, and author. I have over 20 years of professional experience in the IT industry, over 15 years teaching/training, and over 11 years in litigation support/expert witness work, including 39 cases and testimony at trial, depositions, and hearings. I have authored 19 published books (including four on security, three on forensics, and one on cryptography), have 6 patented inventions, and have been a guest speaker at multiple venues, including the Harvard Computer Society, Columbia Chapter of the ACM, Southern Methodist University Computer Science and Engineering Colloquium, University of Texas at Dallas ACM chapter, Hacker Halted security conference, Takedown security conference, ISC2 Security Congress, Hackon India, and multiple other locations. I have conducted training and provided consulting for major companies, law enforcement agencies (local, state, and federal), and various government agencies, as well as friendly foreign governments. I conduct research in cryptography, forensics, and related topics. I also consult on computer security and forensics.