PI License May Soon Be Required for Computer Forensics

buzzardsbay writes "The good folks over at Baseline Magazine have an intriguing — and worrisome — report on a movement to limit computer forensics work to those who have a Private Investigator license or those who work for licensed PI agencies. According to the story, pending legislation would limit the specialized task of probing deep into computer hard drives, network and server logs for telltale signs of hacking and data theft to the same people who advertise in the Yellow Pages for surveillance on cheating spouses, workers' compensation fraud and missing persons. Those caught practicing computer forensics without a license could face criminal prosecution."

Worrisome?

[Shadow+Wrought]

I would think that requiring an Investigative license for doing invetigative work would be a good thing.

Re:Worrisome?

[eht]

Depends on how vague it ends up being. Easy to imagine that your home machine gets hacked and then you "investigate" your own machine and give the info over to the FBI or Police, hey look you did forensic work without a license, go directly to jail do *not* pass go.

Re:Worrisome?

[Jah-Wren+Ryel]

I agree. Maybe it will get rid of some of the charlatans. The same way driver's licenses keep bad drivers off the road.

Re:Worrisome?

[MBCook]

That was my thought. Given the "experts" that groups like the RIAA use, having a license on someone that could be pulled to prevent them from continuing to work in that field seems like a good thing.

Maybe it should be a separate license. Maybe it should be a special add on class (PI + C for Private Investigator + Computer Specialty). But it's good it's SOMETHING. Someone who doesn't know what they are doing can not only cause big problems (enrage a spouse leading to anything from unnecessary worry to violence), but they could easily destroy evidence for someone who does know what they are doing making it useless in court.

Re:Worrisome?

[Stripe7]

Depending on the how they define forensic work, a system administrator could be prosecuted for reading the log files for login information, or tracing back history files to see what led to critical system files being corrupted. If these simple daily administrative tasks are classified as forensic it would make it illegal for a system administrator to do his job. With congress's track record of overly broad definitions and over generalizations, odds are good that this legislation will make a PI license a requirement for all system administrators. Hmm, does this mean I get to carry a gun too?

Re:Worrisome?

[blueg3]

Typically investigation is defined as for hire and examining other peoples' data, not your own. So investigating your own logs, and even a company having permanent staff to investigate their own logs could constitute "security", but hiring someone from another firm to examine your logs after the fact could be "investigation".

Re:Worrisome?

[lcoughey]

Being one who has a data recovery company that provides digital forensic services, it is quite frustrating to say the least. To expect a digital forensics expert to have a PI license is as absurd as expecting a PI to have a computer science degree.

We have been trying to figure out how we can become Private Investigators, but we cannot get answers. Instead, we keep getting passed around the government's phone systems. Some say we have to write an exam that doesn't exist, others say that we should be grandfathered in and others simply shrug their shoulders.

From what I can tell, this is just another case of where someone has decided that they want all the market to themselves and think they have found a way to make it happen.

Re:Worrisome?

[MBCook]

It does. It keeps quite a lot of bad drivers off the road. It just doesn't stop all of them.

If anyone, with no prior knowledge, was allowed on public roads and highways... don't you think things would be much worse than they are now with licenses?

Re:Worrisome?

[Zeinfeld]

If I did full time forensics I would be much less worried about having to get a license than the ambiguous legal landscape that existed when I did some cases in the mid 90s. You can't preserve the rule of law by breaking it. And even if you do keep to legal methods you have to be sure that you can prove that is what you did or else you can find the criminal you are trying to stop suddenly turns the tables on you.

I don't think anyone should have to worry about investigating their own machine. But what if you are going to trace the attack to the source? At what point does that become hacking? What if you have someone hand you information that has maybe been obtained by dubious methods? In the 1990s nobody knew where the line was drawn.

What happens if you hire someone to do that type of work? Are you going to be liable if they use pretexting or the like?

If Clifford Stoll was using the same techniques today he might well have had some legal issues. Even if you don't break the law you can still ruin the chances of a successful prosecution by contaminating evidence.

I don't want to have people who are working for me acting as vigilantes. I don't want them to collect information in ways that disrupts Law Enforcement efforts. This is a professional business now and we have to act like professionals. People need to understand that there is a line and consequences for crossing it.

Re:Worrisome?

[ocbwilg]

Typically investigation is defined as for hire and examining other peoples' data, not your own. So investigating your own logs, and even a company having permanent staff to investigate their own logs could constitute "security", but hiring someone from another firm to examine your logs after the fact could be "investigation".

Yes, but where do you draw the line? It's easy to say that you can investigate anything from within your company. But what if an attack originates from outside your network, comes across the Internet, and compromises machines on your network. Do you start investigating it internally as "security", and then hand it off to someone else once (presumably licensed) you get outside of your network? If that's the case, then won't the perpetrator have a built-in defense in court by claiming that the "internal" part of the investigation that generated the data that was fed to the "outside" investigator wasn't held to the same forensic standards?

I do see some serious problems with this. Firstly, most PIs are not what I would consider computer forensic experts, computer security experts, or even technology experts. So allowing them to collect forensic data from computers while excluding legitimate computer forensic experts (computer science types) actually lowers the standards. That doesn't make sense. The second problem is that in some states it is not easy to get a PI license, especially if your only investigative training is in computer forensics. Thirdly, because of the global nature of the Internet it means that a forensic investigator who is investigating a compromise in New York may also need to have a PI license in all 49 other states just in case they might have to collect evidence from a system in one of those states. It just doesn't make sense.

Then there's the fact that this law will dramatically reduce the number of people legally allowed to practice computer forensics and testify in court. How does that affect expert witnesses? If you're charged with a computer-related crime and the only 7 firms licensed as PI/Computer Forensic Experts in the state all work with police departments, how do you find an expert witness to rebut their testimony? I can forsee circumstances where a traditional PI with a "point and click" forensics program provides the police with allegedly ironclad evidence that is more full of holes than swiss cheese, and the defendant not being able to discredit/rebut the evidence because their own expert witness isn't licensed in the state.

This is good!?

[NFN_NLN]

How is this a bad thing? Requiring a PI license would imply some level of legitimacy.

"So long as computer forensic specialist implies a PI license" AND NOT "a PI license implies a computer forensic specialist".

Re:This is good!?

[FooAtWFU]

Why not have a voluntary certification program, and require people not certified to disclaim that they aren't? You could easily have the best of both worlds.

What if I want to go set up a little computer forensics business and employ my own genius employees that I know and trust? Why should I have to submit to a board comprised of my competitors, deal with licensing requirements which seriously may (now or in the future) risk being outdated, not applicable to many specialized sorts of work, or which provide a false sense of security by being utterly trivial? What happens when the board requires you use Microsoft-certified tools only and bans grep et cetera?

Some economists hold that labor market regulations such as these are among the primary long-term threats that hamper economic growth. (Some places require you to get a license to arrange flowers.)

Re:This is good!?

[harlows_monkeys]

Well, one problem is that the skills required for a PI have little to do with forensics skills, so this makes as much sense as requiring a hazardous waste transporting licensing would. If there is a need for regulation of forensics, then make a new license for that.

Re:Why?

[peragrin]

well for one thing it would curb the RIAA who's media sentry company doens't have a PI's license so their investigations in several states are falling short of being prosecutable.

Not necessarily a bad thing

[the_humeister]

Although I don't think the license should be a PI license. Rather, it should be computer forensics license. Someone with a PI license doesn't necessarily know jack about computers.

Forensic "work" vs forensic "hobby"?

[Kazoo+the+Clown]

Doesn't this simply say that you have to be licenced to do computer forensic work for hire? What does it really say about doing it on your own PC just to learn about it? I suspect there's some mislead impressions being taken here...

Re:what's the problem?

Not having a PI license, I'm making this all up.

But a lot of the licensing process for many professions is not so much licensing and testing their skill AT the profession (certainly there is some aspect of that in some case), rather it's ensuring that the practitioner is aware of the legal and procedural environment within which they practice.

Understanding what they can look at, what the limitations they are under in performing their practice, what obligations they have in terms of working with State agencies, what their liabilities are, etc.

As a perfect example, consider a Notary Public. Here's a profession that, at least at the knowledge and technical level, requires little skill. It is almost solely a beauraucratic invention. How to takes signatures, how to validate ID's, the laws and procedures surrounding witness and notarizing signatures. But it's all very formalized to ensure integrity of the process, because of the weight and ramifications the actual signatures carry legally. It's one thing to "sign" something, but getting it notarized is "signing it right" and carries extra weight.

Since computer forensics starts encroaching in to the legal arena, a lot of the "legal mumbo jumbo" surrounding how the evidence is gathered, handled, and processed comes in to play, and licensing the "evidence gatherer" is a mechanism to ensure that the investigator is aware of their limitations and responsibilities under the law to perform their task.

protectionism...

[j0nb0y]

This is just protectionism...

Most states have ridiculous requirements for getting a PI license. You basically can't get one in many states unless you've been a police officer. There is no public interest reason to do this. Requiring the PI license for this is just a gift to all the people who already have PI licenses.

I haven't looked at computer forensics recently, but when I did (roughly five years ago), there were some problems with it. Basically, because of the way that courts certify experts to testify in court, it was impossible to hire a computer forensic expert to work for the defense. It went something like this:

1. To testify as an expert in court, you have to be a member of the leading professional body for your field.
2. The leading professional body of computer forensic experts forbade its members from working for the defense.

Obviously that's problematic. Hopefully it's changed by now.

The other thing I thought was really funny was the way that most computer crime labs staff up with "experts". Rather than hiring people with computer science degrees and training them on how to do police work, they tend to hire police officers and then train them on computer forensics. The good ole boy system at work.

blame the realtors

[acvh]

They started it with mandatory licensing. I mean, come on, a license to sell a house? What advanced training does that require? But each group, when it gets big enough, lobbies for this protection of its turf. In NJ you need a license to be an interior decorator.

This could be a good thing

As someone who works in the computer forensics training field, I see all types. There are thousands of people knocking down the door now trying to get into computer forensics. Many are former law enforcement, but with absolutely no computer experience at all. They figure forensics work is just like dusting for fingerprints - you take a one week course and you're done. And they flunk out of IACIS exams left and right. With the new E-Discovery laws in place, and a greater public awareness of this job field, the problem is getting worse over time.

Requiring a PI may be good to keep the field small, to people that really want to pursue this work. I've just seen too many receptionists and desk jockeys enter computer forensics for the money, then forget to use a write blocker and overwrite evidence - whoops!

Posting anonymously... because... yea!

Re:license requirements?

[blueg3]

Few nerds gather evidence of hacking or data theft for later use in legal proceedings.

So yeah.

[Damocles+the+Elder]

So...I know it's against the whole Slashdot mindset to read the article, but I at least skimmed it, and here's what I got out of it.
1. It's a South Carolina thing (And who lives in S.C., anyways? Seriously.)
2. It's only in the case of evidence in court cases. (i.e., you'd have to have a PI license to submit evidence gleaned from a computer HD).

So all you people freaking out, even kiddingly, about not being able to tag -a at the end of your ls commands, you can calm down.

Re:what's the problem?

[hashish]

No it doesn't. There is nothing stopping a IT security 'investigator' gaining a PI license, what is being proposed is using existing laws to ensure that the IT security invegtigator are controlled in the same way PI are. The existing PI laws were created to weed out the rouge PIs and how would weeding out the rouge IT investigator be a problem?

Courts have rules

[bill_mcgonigle]

I would think that requiring an Investigative license for doing invetigative work would be a good thing.

Yes, especially if you want to get paid. Imagine being hired by a company to do some forensic work, and you've found out all kinds of interesting things, and then it makes it to court, and it's all thrown out because you didn't understand and follow basic rules on how to handle evidence, and what's legal and not legal to do.

Good luck getting paid by the employer after losing the case for them. In some jurisdictions you might even face liability or criminal charges.

I've looked into the process, and in some states it's not too bad - IIRC some states require a period of apprenticeship, you can't just take a test.

Re:3.141.....

Close! Actually, an irrational policy.

Re:License required for use in court

"A guy who comes home and finds his door kicked in does not get to collect finger prints from his house to prove who did it" I guess you missed out on those Hardy Boys books as a kid. More on topic... I don't understand the necessity of a PI license for handling legally accessible evidence. I mean, sure, there need to be licenses for storming a building, but if someone brings you a DVD and says "Can you recover the corrupt video files..." Why not? The court system is set up specifically to support this--it's called a rebuttal witness. Basically, if a specific piece of evidence is challenged on account of its authenticity or validity, an expert witness can be summoned. So, if you present some mined evidence and explain your methods, there is already a legal mechanism in place to allow that information to be challenged, if it needs to be. I understand how a PI license for this would put a heavier burden on the prosecution to ensure that they've got all their ducks in a row, but it hurts the defense--Can you imagine defendants having to hire PIs just to help them present their own digital data?

Stop overreacting

[MillionthMonkey]

Sorry, but I don't see how another inane 'licensing' will do more good than bad. Just because someone is licensed does not mean they're honest. Heck, all care repair shops in NY have to be licensed. Do you REALLY thing that keeps them honest?

Whether "all car repair shops in NY are honest" or not, the licenses do present a mechanism that can hold them accountable and close them down if sufficient effort is put into enforcement. Licensure can often atrophy into a simple tax collected by a licensing authority that doesn't perform proper enforcement procedures for the licenses it issues, but that's not the idea.

Since a private investigator has a license, he's on the hook if he presents incorrect or bullshit evidence to the court. Ordinarily I can't go to a PI with pictures of my wife and my neighbor taken through open windows, and have him photoshop them into obscene pictures that I can take to court for a divorce proceeding, presented as evidence bearing the imprimatur of a licensed investigation. The court would indeed take that type of evidence more seriously than if you just had some friend of yours photoshop his dick into her mouth himself. That wouldn't be admitted as evidence. The PI has got a license; your friend doesn't. If the PI is indeed found to have violated the terms of his license by doing that, he'll lose his license, and may be subject to fines and jail time in addition to those he'd get for falsification of evidence.

"The problems in South Carolina occur when folks from national [law] firms come into South Carolina, seize digital evidence, have that evidence analyzed in a lab in some other state, and then send it back to South Carolina for litigation," Abrams says. "The state has no mechanism to hold them accountable if they screw up, which I see all the time in cases."

A license if just a scrap of paper that means you paid someone for it. Perhaps you passed a test too. That means about as much as that 10th grade biology final that you crammed for the night before and then erased from your brain after the next morning. I'm much more interested in holding people ACCOUNTABLE for their actions than having the government "protect" me.

A license is not just "a scrap of paper" that required a fee for a licensing authority. After your 12th grade finals are over you may find that scraps of paper can do surprising things. They can imbue you with certain legal responsibilities. If you practice medicine, or practice law, or conduct private investigations, you can do certain things the rest of us can't, and you are on the hook for doing them correctly- you're held ACCOUNTABLE for your actions. Doctors, lawyers, and private investigators each bear their own types of accountability. If you make a legal promise to conduct yourself in some way, and the promise you made then gets "erased from your brain after the next morning", you're going to find yourself in a world of hurt. You'll find it's not like studying for finals at all.

A forensic investigator is gathering information that might certainly be used to put someone in jail. "Oh no, I need a license to do that? Waaah!" Well, duh! What if you're incompetent, or a liar, or the darling of law enforcement because you find child porn on every machine that comes in? Do you really think that type of behavior should be legal, or that evidence from your lab should be admissible in courts?

"It's an ambush," says Phipps, a 31-year FBI veteran now with Norcross Group, a digital e-discovery business. "Under the South Carolina statute, only a handful of licensed PIs across that state have the years of information system and tools experience needed to do true digital forensics with repeatable processes of documentation and chain of custody. This is the only group that stands to gain."

I don't know what he's complaining about; he stands to gain too. They're trying to make everyone imagine that a handful of film-noir private eyes are planning to take over the computer

Re:Already Required in Texas

[Unlikely_Hero]

only having 12 people allowed to do computer forensics for a living is probably more of a bad thing than a good thing...

Re:A current private investigator geek

[happyslayer]

If by "forensic work" you mean autopsying a computer to figure out why/how/when it died or was compromised, then that could fall into your normal work. (Again, I'm talking from Ohio statutes; they leave that exception open. I think this was a reasonable exception, because lots of jobs require some "investigation" to find out what happened.)

If your client/company decides that they even might be filing criminal charges or a civil complaint, then they should, early on, consciously decide how they are going to proceed. If they want an airtight case, or prevent opposing counsel from ripping them and their evidence to tattered little pieces, they have to decide if an in-house investigation is sufficient.

Again, in my opinion (IANAL, blah-blah-blah), figuring out what's on a computer, what happened to it, and even how to prevent it could be considered "digital forensics" but also doesn't require an special licensing. If you start trying to track the people responsible, that's where you start to get into the realm of private investigation, and you should be aware of what your laws require.

As I said, IMHO, "digital forensics" is just like any other lab tech: Specialized knowledge and analysis capability, and an ability to prove your findings to an opposing expert, an attorney, or a court. Beyond that, the South Carolina law/bill seems to be creating an issue where there really shouldn't be one.