Is Digital Forensics too dependent on point and click tools?

Should the Federal Government regulate Digital Forensics?

Does Digital Forensics fall under the umbrella of Technology or Science?

Digital Forensic Certification Bodies Should be Accredited by the Forensic Specialities Accreditation Board (FSAB)

Follow by Email

Saturday, December 13, 2008

SWGDE's position on standards and controls for computer forensics

The scientific working group for digital evidence, in response to a series of articles by John Barbara that appeared in Forensic Magazine:

have taken a very interesting stance. In a published document, the SWGDE claim that computer forensics is different than other forensic sciences because in computer forensics "false positives are non-existent". Therefore controls are not applicable to this field.

I am deeply troubled by what I consider to be a false belief system – computer forensics and its tools are infallible. This position is not supported by the larger scientific community and in fact numerous examples are available that contradict this position (e.g., orphan files and folders in NTFS, misrepresentation from data carving).

What is equally as disturbing, is the notion that has been proffered that somehow using a hashing algorithm to verify the integrity of a forensic copy of the original, is a control against false positives at the data abstraction and presentation layer during the analysis and examination phases.

Most of the examples of false positives occur due to an error in the data abstraction layer. Since we rely on tools (software) to abstract the data (we cannot see the ones & zeroes etc.) an error in the tool becomes problematic, as we trust the tools output. To date, none of the commercial computer forensic tool vendors are willing to share the error rates of their tools, so we are left to experimentation in order to try and determine this for ourselves.

I have weighed in on this issue with the SWGDE (full disclosure - I am a non-voting academic associate member). Since the SWGDE has publicly released their position paper, I think that in the spirit of open discussion and debate, we in the digital forensics community need to weigh in on this. I believe this is a watershed issue and it needs to be addressed.

Here is the link to the SWGDE position paper:

Journal of Digital Forensic Practice

As the Editor-in-Chief of the Journal of Digital Forensic Practice I would like announce the latest round of a call for papers for the Journal. Author instructions for submissions can be located at:

National Center for Forensic Sciences Announces Certification Body for Digital Forensics

By way of full disclosure, I am the Chair of Certification Committee for this Body. This effort is an indirect result of the AAFS recognizing the new section of Digital and Multimedia Sciences.

Certification of Digital Forensics Professionals - Becomes a Reality

Introduction to Certification
The Digital Forensics Certification Board (DFCB) will offer digital forensics practitioners the opportunity to achieve a professional certification. DFCB is headquartered at the National Center for Forensic Science at the University of Central Florida’s Research Foundation, in Orlando. This certification will require more than paying a fee and passing a test; successful completion of the certification process will require a peer-group validation of knowledge, skills and abilities in the analysis and evaluation of digital evidence. Certification will be based on successfully meeting core competency requirements identified by a community of experts.
Attaining certification will require strict adherence to an ethics component. Continuing education and other related professional activities will be required for all digital forensics professionals recognized by the DFCB.

Certification and Application Overview
Professional core competencies in digital forensics will be evaluated in the application and examination process: foundation knowledge, acquisition knowledge, examination knowledge and analysis knowledge and reporting (written and testimonial) knowledge. The “Founders”
graded application process will begin in the fall of 2008 and continue to the end of the calendar year. One type of certification will be offered for both managers and practitioners: the Digital Evidence Practitioner (DEP) Certification will include those who are practitioners and managers in digital evidence programs in law enforcement or the private sector. For applicants to qualify for the DEP certification under the Founders provision, an applicant must provide evidence of digital evidence practical experience. Note that, in general, an applicant’s experience should include a mixture of both digital forensic acquisitions as well as analyses. A total of at least five (5) years experience is required which will include full-time practical experience conducting digital forensics. One year of current experience in the last three years is required to apply for practitioner status.

Goals and Objectives
The goals and objectives of the DFCB are as follows:

1. To promote trust and confidence in the Digital Forensics profession
2. To provide an objective certification process in digital forensics which will help the maturation of digital forensics as a science
3. To encourage, promote, aid, and affect the voluntary interchange of data, information, experience, and knowledge about methods and processes among the membership of DFCB
4. To establish, encourage, and enforce observation of a Code of Ethics and Standards of Professional Conduct
5. To publish and distribute books, pamphlets, periodicals, papers and articles supportive of activities and purposes of DFCB
6. To establish and conduct such committees, bureaus, and offices as are necessary and incidental to the activities of DFCB
7. To conduct surveys, studies, hold conferences, symposiums, seminars, and forums
8. To arrange for the presentation of lectures and papers on matters and problems of interest
9. To foster, promote, encourage, study, research, facilitate discussion, collect and disseminate information of service or interest to the members of DFCB or the public at large
10. To conduct (such other) related activities as may be necessary, desirable, or incidental to gaining recognition of accomplishments in the field of investigations and analysis involving advanced technologies within government, business and academia.

Every person certified by DFCB will be required to demonstrate excellence, integrity, and objectivity in every forensic analysis where conclusions are formulated and reported for presentation in the judicial system.

For more information, please contact:

Sam Guttman – DFCB President
Mark Pollitt – DFCB Vice-President
Carrie Whitcomb – Director, NCFS
Telephone number for all officers: 407-823-6469

NIJ Announces New Round of Funding for Electronic Crime & Digital Evidence

The NIJ has finally posted their RFP for funding related to E-Crimes and Digital Evidence Recovery!

Welcome to My Blog

Welcome to my blog on all things related to Cyber Forensics. I intend this blog to be a resource to discuss what we are currently doing in the field of digital forensics and digital evidence. Many of my students requested a resource that they could go to to discuss and keep up to date on happenings in the field. I figured X-mas break was a good time to start the blog!

As an educator, program chair, research scientist, journal editor-in-chief (shameless plug – Journal of Digital Forensic Practice) and committee board member at the national and international level, I hope to share what is current and maybe more importantly, what is coming down the pipe.

I hope this blog encourages frank and open discussion and allows us to shine a light on this burgeoning scientific field. While vendor responses etc. are encouraged, this is not a venue for direct or indirect exceptions.