Security Basics
mailing list archives
RE: Initial Machine login - Computer Forensics 101
From: Craig Wright <Craig.Wright () bdo com au>
Date: Fri, 8 Feb 2008 13:41:38 +1100
The issue that is always missed with the PI debate is that it is not that a PI license is required; it is that a
license is required. In Texas for instance the issue of PI Law for Digital Forensics in Tx is that people read the code
in isolation. Chapter 1702, Private Security, of the Texas Occupations Code does not state that everyone needs to have
a PI license to engage in forensics. It has exclusions.
§1702.324. CERTAIN OCCUPATIONS states:
"(b) This chapter does not apply to: ...(6) a licensed engineer practicing engineering or directly supervising
engineering practice under Chapter 1001, including forensic analysis, burglar alarm system engineering, and necessary
data collection;...
(9) an attorney while engaged in the practice of law;
(10) a person who obtains a document for use in litigation under an authorization or subpoena issued for a written or
oral deposition; ...
(12) a person who on the person's own property or on property owned or managed by the person's employer:
...
(14) a person or firm licensed as an accountant or accounting firm under Chapter 901, an owner of an accounting firm,
or an employee of an accountant or accounting firm while performing services regulated under Chapter 901;"
"Chapter 901 - Accountants", of Texas Occupations Code covers CPA's in the US. Additionally, there is the exclusion for
a "person who obtains a document for use in litigation under an authorization or subpoena issued for a written or oral
deposition;" which may be extrapolated to include CCE's and others that are operating under court orders.
Next, if you are working under the instruction of "an attorney while engaged in the practice of law", you are also
excluded from this code. Many of us will be covered under one or more of these provisions and thus not need to be a PI.
The license requirements to be an Engineer are far more stringent than those for a PI, so the subject is where the
easiest path lies.
I am not stating that you do not need to be licensed at all, but that you do not need to be a PI. A private
investigator is not the ONLY licensed person able to do forensic work. A licensed Accountant, a licensed Engineer and
many other professions all suffice. These occupations are explicitly excluded from chapter 1702 of the Tx occupations
code and similar provisions exist in Sth Carolina as well.
This is also not stating that the states can not license forensic collections, just that this does not mean that it is
restricted to only PI's. It includes ALL the occupations deemed acceptable. As an engineer, doing work for an
accounting firm in the course of an engagement for a law firm I would have no issues at all not having a PI license. In
fact, given a choice, I would (if I was not already one) become an engineer BEFORE thinking of being a PI.
http://www.txdps.state.tx.us/psb/docs/OccChpt1702.pdf
Regards,
Craig Wright (GSE-Compliance)
Craig Wright
Manager of Information Systems
Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Steven Bonici
Sent: Thursday, 7 February 2008 12:27 AM
To: security-basics () securityfocus com
Subject: RE: Initial Machine login - Computer Forensics 101
--PI Licensing required for computer forensics in court Groklaw blog:
the ante is increasing on the credentials required for digital evidence
submitted in courts.
http://www.groklaw.net/article.php?story=2008013014235863
Possibly related case: Another odd example... Last week, an expert
witness was excluded due to a challenge saying an individual who
graduated college with a biochemistry major does not have enough
expertise to be a computer forensic expert despite having experience and
certifications.
http://ridethelightning.senseient.com/2008/01/when-logic-and.html
[Guest Editor (Robert Lee - SANS Forensics instructor and track lead):
Many forensic analysts/experts who testify or examine evidence may not
be licensed PIs, and, as a result motions to dismiss the testimony or
the analysis will be filed in the court. It will be up to counsel to
have a persuasive argument to counter the motion and up to the judge to
make fair decisions based on the arguments presented. Even in Texas and
South Carolina where state opinions are surfacing on the PI question, it
is still ultimately up to the judge in each case to allow the evidence
or the analysis to be included in the proceedings. I think logic will
eventually win here, but I'm glad to see it brought up in court so more
people can discuss it. Buckle your seatbelts; expect many more such
cases to keep popping up.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Murda Mcloud
Sent: Monday, February 04, 2008 11:10 PM
To: 'Michael Condon'; security-basics () securityfocus com
Subject: RE: Initial Machine login - Computer Forensics 101
Hi Michael,
Sorry, I forgot to give a link
http://www.e-fense.com/helix/
or F.I.R.E
http://fire.dmzs.com/
You can go for knoppix-std too.
http://www.knoppix-std.org/
The closest thing I've come to from a windows standpoint is (not the
same as the others in functionality) http://www.nu2.nu/pebuilder/
There may be others.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Michael Condon
Sent: Tuesday, February 05, 2008 2:13 AM
To: Worrell, Brian; security-basics () securityfocus com
Subject: Re: Initial Machine login - Computer Forensics 101
Well understood. That brings up another subject - is there freeware or a
documented procedure for making a bootable CD?
Michael Condon
----- Original Message -----
From: "Worrell, Brian" <BWorrell () isdh IN gov>
To: "Michael Condon" <mjc001 () juno com>;
<security-basics () securityfocus com>
Sent: Monday, February 04, 2008 10:06 AM
Subject: RE: Initial Machine login - Computer Forensics 101
Michael,
Quick sidebar, I recall reading a post about this before on another
list. If you are being paid to do this, you need to make sure it's all
above board as in some states this can be considered illegal. Do not
recall the exact issue, but part of the outcome was that you needed to
have very clear, signed, documentation on what you were asked to do.
Think the case the article was referring to was in California.
That said, I would make a copy of the drive, and not alter the original
in any way. This helps keep the evidence chain.
Brian
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Michael Condon
Sent: Saturday, February 02, 2008 11:15 PM
To: security-basics () securityfocus com
Subject: Initial Machine login - Computer Forensics 101
Here is a Computer Forensics 101 question.
Suppose a distraught woman comes to me with her husband's laptop and
wants me to search it for information about a suspected marital
indiscretion.
1. Assuming it is an XP/Vista machine, how can I log in as
administrator?
2. Is the second approach to make a bitstream copy of the hard drive
using an external USB hard drive enclosure and proceed that way?