Forensic felonies

New law clamps down on PIs


In other states, the legal status of forensic investigators is less than clear. For example, in February 1991, Arizona Attorney General Grant Woods was asked by a society of professional engineers whether they, in providing engineering consulting services for litigation (forensic engineering), would be required to be licensed as private investigators, since they clearly were collecting information to be presented in court. In saying, "of course you aren't PIs" - that is, discovering the blatantly obvious - Attorney General Woods cited a 1954 California case, Kennard v Rosenberg, 127 Cal.App.2d 340, 273 P.2d 839 (1954), where the court found that engineers collecting evidence to be used in court did not have to be licensed PIs under California's statute. This was decided because they "were licensed engineers and as such were authorized to make investigations in connection with that profession" (Bus & Prof Code, § 6701).

It seems quite clear that the private detective license law was not intended by the Legislature to place a limitation on the right of professional engineers to make chemical tests, conduct experiments and to testify in court as to the results thereof. A physician, geologist, accountant, engineer, surveyor or a handwriting expert, undoubtedly, may lawfully testify in court in connection with his findings without first procuring a license as a private detective, and, as in the instant case, a photographer may be employed to take photographs of damaged premises for use in court without procuring such a license. Likewise, plaintiff Wolfe, who was hired as a consultant and expert and not as a private detective and investigator was not required to have a license as such before being permitted to testify in court as an expert.

Similarly, in New Mexico in 1969, a court held that a licensed engineer gathering evidence and giving an opinion about the speed of a vehicle involved in an accident didn't have to be a licensed private investigator because he was licensed in another profession. Dahl v Turner, 80 N.M. 564, 458 P.2d 816 (1969).

The licensing issue

So here is the problem. Forensic investigators are generally not licensed, certified, registered or regulated. Anybody with some skills (and many without them) can hang a shingle and claim to be a forensic investigator - for money. License a copy of EnCase, hook up a cable to a hard drive and voila - another successful forensic investigation! It is understandable that legislatures might want to regulate this kind of activity. Unlike the cases in New Mexico and California, the people seeking to avoid being regulated as PIs are not licensed elsewhere.

Also, forensic investigators make the argument that they do not "collect" evidence, they merely examine the evidence that is collected by others - typically the client themselves. They review the contents of hard drives, floppies, network files, and other records collected by the client. This argument is not complete either. When the client has failed to collect sufficient evidence (as in, when they are not logging data), the forensic examiner will seek information from third parties, and will cause logging and auditing to be turned on - effectively "collecting" data, or conducting an investigation.

There is a difference between conducting a forensic "examination" of evidence that has already been collected, and conducting a forensic investigation - but not much of a difference. And it is not clear that the statutes mentioned clearly make that distinction. Thus, anyone performing computer forensics or incident response services which seek to find out what happened potentially must be a licensed PI.

What is worse is the fact that internet-based crimes occur across jurisdictions, but licensing boards' authority does not. So a company performing computer forensics in Georgia, run by a licensed PI in Georgia who had to examine a hard drive in California, theoretically would either have to obtain a license in California or retain the services of a California PI to do the work. Is this a full employment programme for former cops? Somehow this might, in fact, be the whole idea.

Ex-Sergeant Sam Spade, expert computer forensics PI?

Most PIs lack the skills and training to perform computer forensic functions. Sure, there are PIs who are experts in electronic evidence, but it is hardly a core PI skill set. Moreover, should we then modify the state examinations for PIs to require that the average Sam Spade be rigorously tested on FAT file recovery? To paraphrase Bogart's Sam Spade, "I don't know much, but I know when a man's files are deleted, he's supposed to do something about it". Clearly, if PIs want the exclusive right to do investigations, then they should have to demonstrate competence in the field. Somehow, I think if we did that we would see an immediate and precipitous drop in the number of PIs.

Now there are exceptions to most of these laws. Fortunately for the investigations I conduct and lead, attorneys and those working directly under them are generally exempt under the state PI licensing laws. Similarly, under many of the state licensing schemes in-house experts may also be exempt. But most companies do not have the ability, the resources or the expertise to retain full-time trained computer forensics experts. Nor would such experts benefit from having seen similar situations in other environments. There are both economies and skills to be obtained by outsourcing significant portions of incident response and computer forensics services. And most companies providing detailed forensic services have neither a PI nor an attorney on staff (What? No attorney on staff?!).

Now there obviously comes a point, in the course of conducting a forensic investigation or incident response, where your average techno-nerd will recognise that he or she is out of his or her league, and needs a real investigator. That's when the PI can and should be called in. Asking the system administrator what logging the company is doing is not the same thing as grilling a suspect - but they both involve asking questions to determine the facts.

I can just see the promo now, Mission Impossible IV - Ethan Hunt, forensic investigator! This movie will self-destruct in five seconds. Good luck.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as senior vice president and chief security counsel at Solutionary Inc.
