Forensic felonies

New law clamps down on PIs

In other states, the legal status of forensic investigators is less than clear. For example, in February 1991, Arizona Attorney General Grant Woods was asked by a society of professional engineers whether they, in providing engineering consulting services for litigation (forensic engineering), would be required to be licensed as private investigators, since they clearly were collecting information to be presented in court. In saying, "of course you aren't PIs" - that is, discovering the blatantly obvious - Attorney General Woods cited a 1954 California case, Kennard v Rosenberg, 127 Cal.App.2d 340, 273 P.2d 839 (1954), where the court found that engineers collecting evidence to be used in court did not have to be licensed PIs under California's statute. This was decided because they "were licensed engineers and as such were authorized to make investigations in connection with that profession" (Bus & Prof Code, § 6701).

It seems quite clear that the private detective license law was not intended by the Legislature to place a limitation on the right of professional engineers to make chemical tests, conduct experiments and to testify in court as to the results thereof. A physician, geologist, accountant, engineer, surveyor or a handwriting expert, undoubtedly, may lawfully testify in court in connection with his findings without first procuring a license as a private detective, and, as in the instant case, a photographer may be employed to take photographs of damaged premises for use in court without procuring such a license. Likewise, plaintiff Wolfe, who was hired as a consultant and expert and not as a private detective and investigator was not required to have a license as such before being permitted to testify in court as an expert.

Similarly, in New Mexico in 1969, a court held that a licensed engineer gathering evidence and giving an opinion about the speed of a vehicle involved in an accident didn't have to be a licensed private investigator because he was licensed in another profession. Dahl v Turner, 80 N.M. 564, 458 P.2d 816 (1969).

The licensing issue

So here is the problem. Forensic investigators are generally not licensed, certified, registered or regulated. Anybody with some skills (and many without them) can hang a shingle and claim to be a forensic investigator - for money. License a copy of EnCase, hook up a cable to a hard drive and voila - another successful forensic investigation! It is understandable that legislatures might want to regulate this kind of activity. Unlike the cases in New Mexico and California, the people seeking to avoid being regulated as PIs are not licensed elsewhere.

Also, forensic investigators make the argument that they do not "collect" evidence, they merely examine the evidence that is collected by others - typically the client themselves. They review the contents of hard drives, floppies, network files, and other records collected by the client. This argument is not complete either. When the client has failed to collect sufficient evidence (as in, when they are not logging data), the forensic examiner will seek information from third parties, and will cause logging and auditing to be turned on - effectively "collecting" data, or conducting an investigation.

There is a difference between conducting a forensic "examination" of evidence that has already been collected, and conducting a forensic investigation - but not much of a difference. And it is not clear that the statutes mentioned clearly make that distinction. Thus, anyone performing computer forensics or incident response services which seek to find out what happened potentially must be a licensed PI.

What is worse is the fact that internet-based crimes occur across jurisdictions, but licensing boards' authority does not. So a company performing computer forensics in Georgia, run by a licensed PI in Georgia who had to examine a hard drive in California, theoretically would either have to obtain a license in California or retain the services of a California PI to do the work. Is this a full employment programme for former cops? Somehow this might, in fact, be the whole idea.

Ex-Sergeant Sam Spade, expert computer forensics PI?

Most PIs lack the skills and training to perform computer forensic functions. Sure, there are PIs who are experts in electronic evidence, but it is hardly a core PI skill set. Moreover, should we then modify the state examinations for PIs to require that the average Sam Spade be rigorously tested on FAT file recovery? To paraphrase Bogart's Sam Spade, "I don't know much, but I know when a man's files are deleted, he's supposed to do something about it". Clearly, if PIs want the exclusive right to do investigations, then they should have to demonstrate competence in the field. Somehow, I think if we did that we would see an immediate and precipitous drop in the number of PIs.

Now there are exceptions to most of these laws. Fortunately for the investigations I conduct and lead, attorneys and those working directly under them are generally exempt under the state PI licensing laws. Similarly, under many of the state licensing schemes in-house experts may also be exempt. But most companies do not have the ability, the resources or the expertise to retain full-time trained computer forensics experts. Nor would such experts benefit from having seen similar situations in other environments. There are both economies and skills to be obtained by outsourcing significant portions of incident response and computer forensics services. And most companies providing detailed forensic services have neither a PI nor an attorney on staff (What? No attorney on staff?!).

Now there obviously comes a point where, in the course of conducting a forensic investigation or incident response, your average techno-nerd will recognise that he or she is out of his or her league, and needs a real investigator. That's when the PI can and should be called in. Asking the system administrator what logging the company is doing is not the same thing as grilling a suspect - but they both involve asking questions to determine the facts.

I can just see the promo now, Mission Impossible IV - Ethan Hunt, forensic investigator! This movie will self-destruct in five seconds. Good luck.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as senior vice president and chief security counsel at Solutionary Inc.
