Monday, September 1, 2008

Digital Forensics: Nerds need not apply

When I first got my job as an information security professional, I took a great interest in digital forensics. I felt that there was a lot of science in digital forensics, and I felt that it was an area where there were still a lot of discoveries to be made. So I took a couple classes on forensics, and I started reading a lot of books. I started running experiments of my own and developing the procedures that I would use to respond to incidents on my network.

This was all very valuable to me, and I do believe that my information is more protected now that we have documented procedures in place to respond to incidents. But I was hungry for more. I wanted to learn more about forensics, I wanted to be involved in more investigations, mysteries, and experiments. It takes a lot of work to keep up on the various digital forensics techniques, but I was willing to do the work because I really liked what I was doing. A few months ago I gave my first presentation at a national IT conference and it was on computer forensics for universities.

But it seems like things are getting harder. It is a lot of work, but I can keep up with the new developments in registry analysis, memory acquisition, and network forensics. What I can't get past is the forces in the industry that seem determined to shut me out. For example, there are some great forensic conferences each year where outstanding new information is presented, but you can only show up if you're connected to a law enforcement agency. In April Microsoft released COFEE, a USB thumb drive that dramatically cuts the time necessary to gather evidence from a Windows machine. That's all I know about it, though, because it was only released to law enforcement agencies. Sure, you can find it on the Internet, but I shouldn't have to steal knowledge. Last month I read about this on the Windows Incident Response blog:
I received an email from AccessData the other day in my work inbox, advertising something called the National Repository for Digital Forensic Intelligence, or NRDFI. ... The AccessData email said that NRDFI is a "knowledge management platform for collecting and sharing digital forensic information." The email goes on to say that the repository has been seeded with over 1000 documents - examiner tips and tricks, whitepapers, digital forensic tool collections, etc.

Sounds interesting. Too bad it's completely off-limits to non-LE such as myself, those who have an interest and desire to contribute, but are not sworn officers.
There is also the trend of states making it so that you have to have a Private Investigator's license to perform digital forensic work. In my state, that means that I would have to have 6000 hours of work experience with a government investigative service or law enforcement agency. EDIT: I should point out that my state hasn't passed such legislation as other states have done. But if my state should go that route, then I would need the 6000 hours with an investigative agency.

So I'm starting to feel like I should just give the whole forensic community the finger. Clearly they don't want any of us non-law-enforcement nerds gaining any of their sacred knowledge. You have to be chosen to join their forensics priesthood and everyone else is a dirty protestant. Am I wrong about all of this? Am I blowing the problem out of proportion?

Fsulawyer said...

Blowing it out of proportion? Maybe not. But you are pointing your finger at the wrong folks. I wouldn't blame "the community." Place the blame where it belongs: on government and, more particularly, on the law enforcement branch of government. After that, you should be afraid, very afraid. Why would they want to keep digital forensics out of the private sector? Why do they wish to aggregate all of the knowledge to themselves? There are many reasons for digital forensics to be used in the private sector. As for the PI license thing, it seems odd that some gumshoe can enter digital forensics with little or no training or licensing, but a true digital forensics expert has to have 6000 hours of being a gumshoe.

Reed Stone said...

I just found your blog searching for info on Pointsec and Bart PE. Love this post, and here in TX you now have to have a PI license for digital forensics. I think it is wrong and will keep knowledge to a select few, and as they say, knowledge is power.