Slashdot Mirror

← Back to Stories (view on slashdot.org)

PI License May Soon Be Required for Computer Forensics

Posted by ScuttleMonkey on from the geeks-licensed-to-buy-cool-surveillance-gear dept.

buzzardsbay writes "The good folks over at Baseline Magazine have an intriguing — and worrisome — report on a movement to limit computer forensics work to those who have a Private Investigator license or those who work for licensed PI agencies. According to the story, pending legislation would limit the specialized task of probing deep into computer hard drives, network and server logs for telltale signs of hacking and data theft to the same people who advertise in the Yellow Pages for surveillance on cheating spouses, workers' compensation fraud and missing persons. Those caught practicing computer forensics without a license could face criminal prosecution."

12 of 282 comments (clear)

  1. Worrisome? by Shadow+Wrought · · Score: 4, Insightful

    I would think that requiring an Investigative license for doing invetigative work would be a good thing.

    --
    If brevity is the soul of wit, then how does one explain Twitter?
    1. Re:Worrisome? by eht · · Score: 4, Insightful

      Depends on how vague it ends up being. Easy to imagine that your home machine gets hacked and then you "investigate" your own machine and give the info over to the FBI or Police, hey look you did forensic work without a license, go directly to jail do *not* pass go.

    2. Re:Worrisome? by Jah-Wren+Ryel · · Score: 5, Insightful

      I agree. Maybe it will get rid of some of the charlatans. The same way driver's licenses keep bad drivers off the road.
      --
      When information is power, privacy is freedom.
    3. Re:Worrisome? by Stripe7 · · Score: 5, Insightful

      Depending on the how they define forensic work, a system administrator could be prosecuted for reading the log files for login information, or tracing back history files to see what led to critical system files being corrupted. If these simple daily administrative tasks are classified as forensic it would make it illegal for a system administrator to do his job. With congress's track record of overly broad definitions and over generalizations, odds are good that this legislation will make a PI license a requirement for all system administrators. Hmm, does this mean I get to carry a gun too?

    4. Re:Worrisome? by blueg3 · · Score: 4, Insightful

      Typically investigation is defined as for hire and examining other peoples' data, not your own. So investigating your own logs, and even a company having permanent staff to investigate their own logs could constitute "security", but hiring someone from another firm to examine your logs after the fact could be "investigation".

    5. Re:Worrisome? by lcoughey · · Score: 5, Insightful

      Being one who has a data recovery company that provides digital forensic services, it is quite frustrating to say the least. To expect a digital forensics expert to have a PI license is as absurd as expecting a PI to have a computer science degree.

      We have been trying to figure out how we can become Private Investigators, but we cannot get answers. Instead, we keep getting passed around the government's phone systems. Some say we have to write an exam that doesn't exist, others say that we should be grandfathered in and others simply shrug their shoulders.

      From what I can tell, this is just another case of where someone has decided that they want all the market to themselves and think they have found a way to make it happen.

    6. Re:Worrisome? by MBCook · · Score: 4, Insightful

      It does. It keeps quite a lot of bad drivers off the road. It just doesn't stop all of them.

      If anyone, with no prior knowledge, was allowed on public roads and highways... don't you think things would be much worse than they are now with licenses?

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    7. Re:Worrisome? by Zeinfeld · · Score: 5, Insightful
      If I did full time forensics I would be much less worried about having to get a license than the ambiguous legal landscape that existed when I did some cases in the mid 90s. You can't preserve the rule of law by breaking it. And even if you do keep to legal methods you have to be sure that you can prove that is what you did or else you can find the criminal you are trying to stop suddenly turns the tables on you.

      I don't think anyone should have to worry about investigating their own machine. But what if you are going to trace the attack to the source? At what point does that become hacking? What if you have someone hand you information that has maybe been obtained by dubious methods? In the 1990s nobody knew where the line was drawn.

      What happens if you hire someone to do that type of work? Are you going to be liable if they use pretexting or the like?

      If Clifford Stoll was using the same techniques today he might well have had some legal issues. Even if you don't break the law you can still ruin the chances of a successful prosecution by contaminating evidence.

      I don't want to have people who are working for me acting as vigilantes. I don't want them to collect information in ways that disrupts Law Enforcement efforts. This is a professional business now and we have to act like professionals. People need to understand that there is a line and consequences for crossing it.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    8. Re:Worrisome? by ocbwilg · · Score: 4, Insightful

      Typically investigation is defined as for hire and examining other peoples' data, not your own. So investigating your own logs, and even a company having permanent staff to investigate their own logs could constitute "security", but hiring someone from another firm to examine your logs after the fact could be "investigation".

      Yes, but where do you draw the line? It's easy to say that you can investigate anything from within your company. But what if an attack originates from outside your network, comes across the Internet, and compromises machines on your network. Do you start investigating it internally as "security", and then hand it off to someone else once (presumably licensed) you get outside of your network? If that's the case, then won't the perpetrator have a built-in defense in court by claiming that the "internal" part of the investigation that generated the data that was fed to the "outside" investigator wasn't held to the same forensic standards?

      I do see some serious problems with this. Firstly, most PIs are not what I would consider computer forensic experts, computer security experts, or even technology experts. So allowing them to collect forensic data from computers while excluding legitimate computer forensic experts (computer science types) actually lowers the standards. That doesn't make sense. The second problem is that in some states it is not easy to get a PI license, especially if your only investigative training is in computer forensics. Thirdly, because of the global nature of the Internet it means that a forensic investigator who is investigating a compromise in New York may also need to have a PI license in all 49 other states just in case they might have to collect evidence from a system in one of those states. It just doesn't make sense.

      Then there's the fact that this law will dramatically reduce the number of people legally allowed to practice computer forensics and testify in court. How does that affect expert witnesses? If you're charged with a computer-related crime and the only 7 firms licensed as PI/Computer Forensic Experts in the state all work with police departments, how do you find an expert witness to rebut their testimony? I can forsee circumstances where a traditional PI with a "point and click" forensics program provides the police with allegedly ironclad evidence that is more full of holes than swiss cheese, and the defendant not being able to discredit/rebut the evidence because their own expert witness isn't licensed in the state.

  2. This is good!? by NFN_NLN · · Score: 4, Insightful

    How is this a bad thing? Requiring a PI license would imply some level of legitimacy.

    "So long as computer forensic specialist implies a PI license" AND NOT "a PI license implies a computer forensic specialist".

  3. Not necessarily a bad thing by the_humeister · · Score: 4, Insightful

    Although I don't think the license should be a PI license. Rather, it should be computer forensics license. Someone with a PI license doesn't necessarily know jack about computers.

  4. protectionism... by j0nb0y · · Score: 5, Insightful

    This is just protectionism...

    Most states have ridiculous requirements for getting a PI license. You basically can't get one in many states unless you've been a police officer. There is no public interest reason to do this. Requiring the PI license for this is just a gift to all the people who already have PI licenses.

    I haven't looked at computer forensics recently, but when I did (roughly five years ago), there were some problems with it. Basically, because of the way that courts certify experts to testify in court, it was impossible to hire a computer forensic expert to work for the defense. It went something like this:

    1. To testify as an expert in court, you have to be a member of the leading professional body for your field.
    2. The leading professional body of computer forensic experts forbade its members from working for the defense.

    Obviously that's problematic. Hopefully it's changed by now.

    The other thing I thought was really funny was the way that most computer crime labs staff up with "experts". Rather than hiring people with computer science degrees and training them on how to do police work, they tend to hire police officers and then train them on computer forensics. The good ole boy system at work.

    --
    If you had super powers, would you use them for good, or for awesome?