Monday, January 11, 2010

The Digital Forensic Sub-Disciplines?

In the December 2009/January 2010 issue of Forensic Magazine, John J. Barbara posits the following question to begin his article on digital forensic sub-disciplines: "Can we clearly differentiate whether an examination falls under Computer Forensics, Forensic Audio, Image Analysis, or Video Analysis?"

To begin with, I was a little suspicious of the article - given the author's profession. It seemed to me that he is making a pitch here that will certainly help his business. What's his business, you ask? He runs a company that specialises in helping agencies set up and comply with the ASCLD/LAB and ISO regulations. Is there a conflict here? Perhaps - but read the article for yourself before forming any conclusions.

One of the key points of the article (for me) was hidden about midway down the page. "Although the initiative toward gaining accreditation for the discipline was being driven primarily by the federal agencies ..." Why are federal agencies driving the initiative? Are state and local agencies participating in a meaningful way? What about privateers? How are their interests represented?

The author walks the reader through a hypothetical case where a single analyst processes a piece of digital multimedia evidence. Then he proceeds to illustrate that the analyst really was performing four functions (sub-disciplines) as part of the process. The sub-text hints that there is something inherently wrong with the single analyst model.

This article, for me, represents the latest in a worrisome trend in advocacy - away from the local / private lab toward a regional / nationally controlled lab. This, while good for the business of the article's author, is certainly not good for the citizens of this country. Here's why ...

This trend, the NAS report, the SWGs and so forth, has been moving forensic work in a certain direction. That direction is towards greater standardisation and control of the work. So far so good. But the next logical step is to say that agencies with a single analyst (like many local police agencies and privateers) should no longer be allowed to work across sub-disciplines. I, for example, have received training and worked cases involving video, image, audio, cell phone, and small device forensics. I also image hard drives (computer forensics). Must I now choose a specialty? What does this do to the local agency, given today's economic mess? The only agencies that are currently hiring analysts in great numbers are federal. But are federal agencies going to handle the video when a car is broken into on my block? Hardly.

Information and standardisation are good when they are used as a guide toward mastery of a given subject. They are bad when they are used to drive the market towards a specific vendor's practice - even when that "vendor" is the government. I'd hate to see the state of justice in this country when hundreds or thousands of well-meaning and quite capable privateers and local LE analysts are driven out of business in the face of these "mandates." The right to a vigorous defense will be in jeopardy when all forensic functions are dispensed at the federal or regional level - driven by cost controls and governed by shrinking budgets.

If "forensics" is discussion and debate ... let the best practices rise to the top - be they private, local, state, regional, or national - in an openly competitive atmosphere. When the federal government steps in and mandates these practices - thus driving out perfectly good practitioners - everyone loses. At this point, forensics, as such, is dead. There is no discussion or debate allowed. Everyone loses.

This is just one citizen's opinion. What say you?
