Security Basics mailing list archives

Re: Spam: RE: Forensic/Cyber Crime Investigator
From: Jason Coombs <jasonc () science org>
Date: Thu, 09 Feb 2006 12:14:06 +1300

Robinson, Sonja wrote:
> Agreed. There are legislative implications. Employees can sue, my employees can commit crimes, even regulatory. That involves law and my cases can and do end up in court. Case closed, so to speak. My first case for a previous employer was an employee committing crimes (identity theft and fraud). So my forensic investigation according to your standards was not forensic, just an investigation. What if they went to jail? What if they didn't? How does their sanction or punishment determine whether I used forensic techniques?

You are confusing your role in the process with that of law enforcement. The definition of "forensic" is literally "an argumentative exercise" or "belonging to, used in, or suitable to courts of judicature or to public discussion and debate" -- other definitions include (paraphrasing) "an argument meant to convince or persuade" -- so, fine, you're conducting a "forensic" investigation. You have some agenda, you're being paid by somebody to do the investigation, and because you are not a sworn law enforcement officer you have nothing other than your personal ethics and bias to guide you in your actions.

The "digital evidence" you discover will never be blindly accepted by law enforcement, the prosecutor, or the court, even if it is blindly accepted by the jury because you are allowed (currently) to claim that your methods as a "forensic investigator" are as good if not superior to law enforcement's. Proper law enforcement "forensics" must consider you to be a possible suspect in the crime. How many times have you personally been investigated as a potential co-conspirator in these crimes you've been professionally investigating without law enforcement affiliation? The truth is you don't even know, because you aren't told after the fact that you were investigated unless wiretap act provisions or similar apply.

I maintain that you and others who presently believe they are engaged in "computer forensics" are simply confused, and that eventually you will understand your mistaken conception of your role in the process.

Meanwhile, you're raking in the dough making a very comfortable living, and good for you. The ethical implications of willfully misrepresenting yourself as something or somebody more important than you really are would seem to call into question every single one of your findings, but that's a subtle point that is lost on laypersons for the time being. Exploit their lack of understanding as long as you can, my friend.

The fact is that what you are doing is no different from what private investigators have done for centuries: you dig through information and you find answers to questions or solve mysteries. You actually, almost literally, do little more than dig through the electronic garbage, just like any dumpster diving PI, or sometimes you're allowed to look through a person's filing cabinet and read or photocopy all of their papers.

This is not forensics.

However, your "forensic arguments" and "forensic investigations" do clearly fall within the dictionary definition of "forensic" -- which is the cause of much of the confusion, and also the source of your immediate (substantial) business opportunity.

But never forget that you are exploiting a business opportunity born of the conditions of the present marketplace.

All ethical computer forensic investigators who I know are working to spread awareness of the difference between "forensic" and "forensics" and actually would prefer that the term be changed entirely unless there is actual law enforcement action on behalf of the public.


Jason Coombs
jasonc () science org
