Sunday, December 7, 2008

More on PI Licenses for Digital Forensic Work.

There has been a little more chatter on the subject of private investigator licenses for people performing digital forensic work or, in other cases, performing digital investigations.

Here is a short piece by Ben Wright (who commented on my blog the other day) about unintended consequences in Texas from their law requiring PI licenses for computer investigations. Hint: People are challenging tickets issued by red light cameras.

I also found a posting where the State of Michigan has defined what it would take for you to be a private investigator working on computer forensic cases. I have to actually say that I'm not up in arms about what Michigan has done as much as what I've seen in Texas. The Michigan law requires you to be a private investigator, but you can become a private investigator by getting certified as a computer forensic specialist, and they have defined what exactly they expect from a certification program. So rather than tell me that I have to spend 10,000 hours working for someone peeking in people's windows to catch cheating spouses before I can do computer forensic work, I have been given the option to complete a reasonable amount of study in areas that make sense for what I would want to do. Kudos to you, Michigan.

There is still the problem of defining what an investigation is. Many times system administrators have to figure out what is causing a problem on their systems...and sometimes that problem turns out to be people. At what point would you say that their work has become an investigation? Is it an investigation if you set out from the start to catch a criminal, as is the case for the red light cameras in Texas? What if a student comes to the help desk with a computer that is acting funny and I start to investigate? During the investigation I might go through log files, and I might run tools like Seccheck and RootkitRevealer. Maybe I'll even take a snapshot of the RAM and look for running processes or open ports that are hidden. What if during this process I figure out that someone intentionally installed bad software on the computer and I figure out who did it? Has all the evidence been spoiled because I am not a private investigator and I didn't know that in helping this student out I was going to find evidence of misuse?

I'm also still not a big fan of the whole private investigator license anyway. Even though Michigan has done something to make it easier to swallow, I still don't want to be a private investigator. I am a computer security professional, and I don't want to be lumped in with a group of people 95% of whom do not do what I do. I can't show up to an industry meeting of private investigators and start talking about extracting strings from a hard drive image to find useful files that are hidden in slack space on a hard drive. If it is so important that we forensic types prove our worth, then come up with some other licensing for us. Most state legislators recognize that even though coroners do investigative work, they are completely different from private investigators and have different licensing requirements. If there are any states where you can be a county coroner just by getting your PI license, then let me know so I don't visit. I don't want Sam Spade performing an autopsy on me.


Anonymous said...

"I don't want Sam Spade performing an autopsy on me."

Uh... my guess is that you wouldn't really worry too much about it. :-)

(I agree with your point though - I wouldn't want an unqualified individual performing an autopsy on a loved one).

Black Fist said...

Yeah, I guess you're right. But I better look good for my funeral or somebody is going to get haunted!