"What's in a name? That which we call a rose by any other name would smell as sweet." -William Shakespeare
While this may hold true in a literary setting, what about computer/digital forensics? How important is a name? I think as a community we need to truly define ourselves. The community seems to be steering towards digital forensics (with computer forensics, mobile device forensics, etc. as sub-disciplines). John J Barbara had a two-part series in DFI News on the Digital Forensic Sub-Disciplines, which was a great article outlining these sub-disciplines and ASCLD/LAB defining the lifecycle of one discipline into the next. Where does one discipline begin and where does one end?
For example, while you (the forensic examiner/analyst) are performing a forensic analysis of a forensic image, you carve out a deleted video (.AVI) of the alleged crime (e.g. armed robbery) from the suspect's seized computer. The case officer/investigator asks you to "enhance" the video quality to aid in the "forensic identification" of a second suspect. Have you crossed over from the computer/digital forensic discipline into the video forensic analysis sub-discipline? Can you testify as a forensic video expert?
I've had the opportunity to explain these separate disciplines of computer forensics and mobile device forensics to a jury. A lot of people feel that because you are an "expert" in the area of computer forensics that you should automatically be an "expert" in mobile device forensics. There are a lot of gurus out there that live and breathe mobile device forensics and are experts in the field; however, I'm not one of them. As a community and a computer/digital forensic discipline we must know where these boundaries exist and educate not only ourselves, but our teams/clients/attorneys/officers, etc. about these sub-disciplines. Remember, as the expert it is your responsibility to establish those boundaries with clients/attorneys and a jury.
These disciplines/sub-disciplines also bring up another ongoing issue in the community. What do we call ourselves? Are you a computer forensic technician/examiner/analyst, or a digital forensic technician/examiner/analyst? The king of drive-bys, Ovie Carroll, brought up this very topic in this week's CyberSpeak. Besides telling us to go "PreFetch Ourselves" in this episode, Ovie discusses some important issues about the community defining itself (nothing but love for the Ovie).
You wouldn't call an engineer a technician, nor should you assume your technician is an engineer. The same methodology applies to computer forensics. A forensic technician/first responder's training and expertise will differ from a forensic analyst's, just as a forensic examiner and a forensic analyst are different. Each person interacts with the digital evidence in a different manner, with separate job duties and goals.
So are you a technician, examiner, analyst, expert or even a scientist? These titles have been discussed on several forensic mailing lists in the past and the debates are always interesting.
- More on Volume Shadow Copies on Harlan's blog. Also here and here.
- The NYC4SEC meetup is going on right now. Follow @NYC4SEC and check out the group's website.
- Indy Digital Forensics Group is up and running. We held our December meeting and met a group of great forensic folks from law enforcement, e-discovery, corporate/IR, educators, etc. At the January meeting we formed an ASDFED chapter. If you are within driving distance of Indianapolis and looking at getting involved, this is a great opportunity. Contact Rob Zirnstein (President of Indianapolis ASDFED Chapter) if you would like to join our chapter or attend a meeting. Our meetings are posted on the ASDFED website.
- Ken Pryor's Brief Update on his Digital Forensics Blog. Also Part II of Ken's Forensics on less-than a shoestring budget on the SANS Computer Forensics and Incident Response Blog.
- TaoSecurity: Wanted: Incident Handler in Michigan
- CyberSpeak Jan 16, 2011 - PreFetch Yourself
- The Apple Examiner is a great resource for iOS forensic investigations (formerly MacOSXForensics). Also, news today that MacMarshal released Mac Memory Reader, a free command-line acquisition tool for capturing RAM on Mac computers.
- Windows Registry Forensics by Harlan Carvey is now available. If you follow @Syngress on Twitter you may have caught the 50% off sale yesterday only on this book. I have mine ordered and am looking forward to receiving it.
If you read a book you like, or one that was a very painful process from beginning to end, write about it and share your viewpoints. Write an Amazon book review. This is good for providing feedback to the author, and it is good for the forensic community because you can let others know what books they need to have on their bookshelf and which books they should not waste their money on.
Thank you for the kind feedback and for continuing to follow my blog; keep those tweets, e-mails, and page views coming! In my next blog post I plan to share some forensic projects I'm working on and the power of sharing what you know outside of the computer forensic community.