Thursday, 03 January 2008

Private Eyes Again

In May 2006 I wrote Avoid Incident Response and Forensics Work in These States after reading a great article by Mark Rasch about states requiring some digital forensics consultants to have private investigator licenses. One of my colleagues pointed me to a new article at http://www.baselinemag.com/article2/0,1540,2242720,00.asp by Deb Radcliff. From the article:

Under pending legislation in South Carolina, digital forensic evidence gathered for use in a court in that state must be collected by a person with a PI license or through a PI licensed agency...

Otherwise, digital evidence collected by unlicensed practitioners could be excluded from criminal and civil court cases. Worse yet, those caught practicing without a license could face criminal prosecution...

South Carolina isn't alone in considering regulating digital forensics and restricting the practice to licensed PIs. Georgia, New York, Nevada, North Carolina, Texas, Virginia and Washington are some of the states going after digital forensic experts operating in their states without a PI license...

All but six states have PI licensing laws on the books, according to Jimmie Mesis, publisher of PI Magazine, 32 of which could be interpreted to include digital forensic investigators. While their languages differ, these licensing laws essentially consider a PI to be anybody engaging in the business of securing evidence to be used in criminal or civil proceedings...


Sounds scary so far. I take comfort in the following:

Computer forensics is more often used as an internal investigatory tool. In other words, probes and evidence collected inside the firewall stay inside the firewall. In these cases, none of the proposed or existing state laws requiring PI licenses apply. That is, until the case spills outside the enterprise domain—to a partner network or an Internet service provider, for instance.

At this point, most organizations should be turning investigations over to law enforcement or licensed PI agencies anyway, [Steve] Abrams [a licensed independent PI and computer forensic examiner based in Sullivans Island, S.C.] says. Maybe so, but history doesn't support Abrams' perspective, and IT experts and forensic consultants say most enterprises would rather keep their investigations quiet than risk public disclosure by going to law enforcement.


So those of us who perform forensics for our employers should be safe. Consultants, on the other hand...

At greater risk of exposure, however, are security and network management service providers, which often conduct investigations on behalf of their clients. In this case, they would be considered PI firms and need licensing in a majority of states, confirm Abrams and others.

Beyond a PI license, there's also certification to contend with:

States are looking to the failed Nevada legislation as a model for defining these qualifications. The attempted revision to the proposed statute defined a digital forensic professional as "a person who engages in the business of, or accepts employment using, specialized computer techniques for the recovery or analysis of digital information from any computer or digital storage device, with the intent to preserve evidence, and who as a part of his business provides reports or testimony in regards to that information."

Nevada's [failed] qualification guidelines include 18 months' experience, a Bachelor's degree in computer forensics, and a Certified Computer Examiner (CCE) credential or its successor equivalent. South Carolina won't have a requirement for any particular degree, but will require minimal training, CCE certification and annual continuing education to remain licensed, according to Abrams.

At present, the CCE is the most recognized forensic certification available to the private sector and the only one open to the private sector being considered in state PI licensing laws.


I never heard of the CCE until today. Getting the cert sounds easy:

The initial CCE process consists of a proctored online multiple choice question and answer examination, the forensic examination of a floppy diskette, the forensic examination of a CDR disk and the forensic examination of an image of a hard disk drive. An 80% or better average score is required to complete the process...

The primary purpose of this certification is to measure if the applicant understands and uses sound evidence handling and storage procedures and follows sound forensic examinations procedures when conducting examinations...

[M]ost of the grade is based upon following sound evidence handling and storage procedures and following sound examination procedures, not simply recovering the data. An 80% total average score will be required to obtain the Certified Computer Examiner (CCE)® certification. Do not assume that we know your standard operating procedures. Your grade will be based solely upon what you have written in your reports and the exhibits that you provide.

The fee for taking the entire process is $395.


We had some good commentary in May 2006. Does anyone have any comments on this update?
