Wednesday, January 19, 2011

Computer Forensics: What's in a name? After all it's only a name.

"What's in a name? That which we call a rose by any other name would smell as sweet." -William Shakespeare
While this may hold true in a literary setting, what about computer/digital forensics? How important is a name? I think as a community we need to truly define ourselves. The community seems to be steering towards digital forensics (computer forensics, mobile device forensics, etc. as sub-disciplines). John J Barbara had a two-part series in DFI News on the Digital Forensic Sub-Disciplines, which was a great article outlining these sub-disciplines and ASCLD/LAB defining the lifecycle of one discipline into the next. Where does one discipline begin and where does one end?
For example, while you (forensic examiner/analyst) are performing a forensic analysis of a forensic image, you carve out a deleted video (.AVI) of the alleged crime (e.g. armed robbery) from the suspect's seized computer. The case officer/investigator asks you to "enhance" the video quality to aid in the "forensic identification" of a second suspect. Have you crossed over from the computer/digital forensic discipline into the video forensic analysis sub-discipline? Can you testify as a forensic video expert?
I've had the opportunity to explain these separate disciplines of computer forensics and mobile device forensics to a jury. A lot of people feel that because you are an "expert" in the area of computer forensics that you should automatically be an "expert" in mobile device forensics. There are a lot of gurus out there that live and breathe mobile device forensics and are experts in the field; however, I'm not one of them. As a community and a computer/digital forensic discipline we must know where these boundaries exist and educate not only ourselves, but our teams/clients/attorneys/officers, etc. about these sub-disciplines. Remember, as the expert it is your responsibility to establish those boundaries with clients/attorneys and a jury.

These disciplines/sub-disciplines also bring up another ongoing issue in the community. What do we call ourselves? Are you a computer forensic technician/examiner/analyst, or a digital forensic technician/examiner/analyst? The king of drive-bys, Ovie Carroll, brought up this very topic in this week's CyberSpeak. Besides telling us to go "PreFetch Ourselves" in this episode, Ovie discusses some important issues about the community defining itself (nothing but love for the Ovie).
You wouldn't call an engineer a technician; nor should you assume your technician is an engineer. The same methodology applies to computer forensics. A forensic technician/first responder's training and expertise will differ from a forensic analyst's, just as a forensic examiner and a forensic analyst are different. Each person interacts with the digital evidence in a different manner, with separate job duties and goals.
So are you a technician, examiner, analyst, expert or even a scientist? These titles have been discussed on several forensic mailing lists in the past and the debates are always interesting.


Honorable Mentions

If you read a book you like or one that was a very painful process from beginning to end, write about it and share your viewpoints. Write an Amazon book review. This is good for providing feedback to the author and it is good for the forensic community because you can let others know what books they need to have on their bookshelf and books they should not waste their money on.

Thank you for the kind feedback and continuing to follow my blog; keep those tweets, e-mails, and page views coming! In my next blog post I plan to share some forensic projects I'm working on and the power of sharing what you know outside of the computer forensic community.

2 comments:

davehull said...

Great post Brad. I get requests from clients I've done computer forensics work for in the past, asking me if I can do mobile devices or video analysis. And you're right, most assume that since I can do computer forensics, I can do it all. I refer them to specialists in those disciplines. There's so much to master in a single discipline that being a master of them all seems implausible.

As for what do we call ourselves, I'm less hung up on that. I do computer forensics analysis and incident response. I generally prefer the term "practitioner." I don't call myself an expert, though courts have, because I'm always learning. My analysis includes evidence collection; I suppose in bigger shops that's something junior members do. Is that what differentiates a technician from an analyst?

Eric Huber said...

I agree with Dave, which is always a safe position to take. This was a great blog post and very thought provoking.

I lean towards the phrase "digital forensics" because it covers a whole host of sub-disciplines such as traditional computer forensics, mobile device forensics, network forensics, malware analysis, etc.