<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7158878824897351883</id><updated>2011-11-27T18:41:55.445-05:00</updated><category term='Journals'/><category term='New Puibs'/><category term='Funding'/><category term='New Pubs'/><category term='Certification'/><category term='Regulations'/><category term='Government'/><category term='Issues'/><title type='text'>Cyber Forensics</title><subtitle type='html'>All things digital evidence related. Caveat: all opinions expressed are the personal opinion of the writer and do not constitute an official position of Purdue University.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Dr. 
Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>17</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-660802524416396664</id><published>2011-09-01T09:50:00.001-04:00</published><updated>2011-09-01T09:50:52.962-04:00</updated><title type='text'>Accreditation and Certification Standards - the Holy Grail of Digital Forensics</title><content type='html'>&lt;p&gt;They say that those who do not study history are doomed to repeat it. That sounds like "deja vu all over again." Despite the calls from certain factions that digital forensics develop, appoint, and/or anoint a body to oversee its development, we are no closer to having a solution than we were 5 years ago. I would like to say that this was due to some complex technical or impassable philosophical schism, but the sad truth is that we are mired in political turf wars, greedy entrepreneurs, and resume padders.&lt;/p&gt;&lt;p&gt;We as a collective discipline do not seem to understand that if we do not address this fundamental issue, we will have a solution thrust upon us. Historically the "thrusting" of regulations or administrative processes has not been beneficial to most groups. We can also look to other professions like the CPA's to find models that appear to work and have somehow overcome all of the so called challenges we are facing.&lt;/p&gt;&lt;p&gt;To date we have become dysfunctional and petty in our attempts to address how we are going to mature and police our own discipline. 
While the penultimate solution seems to be hidden from us, the stop gap solutions currently being attempted (numerous organizations and companies all claiming they alone speak for the science) are not solutions at all and only further complicate and alienate those of us in the community.&lt;/p&gt;&lt;p&gt;Maybe it is time we call our own detente, collectively sit down, look at the historical record of other forensic sciences and actually come up with a solution! Alas, I fear this will not happen soon as there is far too much money to be made in this area and it seems greed and ego stroking trumps all.&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-660802524416396664?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/660802524416396664/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2011/09/accreditation-and-certification.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/660802524416396664'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/660802524416396664'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2011/09/accreditation-and-certification.html' title='Accreditation and Certification Standards - the Holy Grail of Digital Forensics'/><author><name>Dr. 
Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-5314645888193447443</id><published>2011-04-10T21:00:00.001-04:00</published><updated>2011-04-10T21:08:36.520-04:00</updated><title type='text'>One Big Happy Family?</title><content type='html'>&lt;p&gt;I have spent most of my academic career dealing with the problem of how do we combine the different digital forensic communities under one umbrella. I have observed, written, and advocated that we become a homogeneous group. The arguments followed that the different communities/constituents (i.e., law enforcement, military, private sector/business and academia) shared a common goal and since the evidence that is digital in nature was our purview it was logical that we could identify our common ground and be able to develop standards, certifications, and professional ethics that were universal.&lt;/p&gt;&lt;p&gt;I now think I got it totally wrong. While the communities share some commonalities, the goals, motives, requirements are so vastly different and I will argue, diverging more each year, that to think we can have a community agnostic anything is false. I will use the private sector and e-discovery as a quick example. E-discovery is maturing and developing standards and processes that are unique to civil proceedings and the requirements of civil litigation. There is no necessity to make whole drive forensic images (and in some cases it is strictly forbidden by the discovery order). 
This is foreign to law enforcement and at odds with the basic tenet of imaging everything – in case we need it at a later date.&lt;/p&gt;&lt;p&gt;Futile efforts to develop a universal code of professional ethics further illustrate the heterogeneity of the communities. In almost every case, articulated codes of ethics have run into issues where it would be unethical for a private sector practitioner to follow, or a practitioner who worked for the defense as opposed to the prosecution. An example of such a clause is full disclosure of all findings (I will leave it to the reader to think up examples that would run contrary to expected conduct of the practitioner examples I indicated).&lt;/p&gt;&lt;p&gt;We may be better served by developing certifications, standards, and codes of ethics that are community specific. I never thought I would even be considering this, and many of my students would be very shocked by my making such an assertion. However, one cannot ignore the realities that seem to continually jump up and slap one in the face.&lt;/p&gt;&lt;p&gt;While this is just a thought experiment for me at the moment, it has some profound implications for the future of our scientific discipline and therefore needs to be seriously considered and discussed.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-5314645888193447443?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/5314645888193447443/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2011/04/one-big-happy-family.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/5314645888193447443'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7158878824897351883/posts/default/5314645888193447443'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2011/04/one-big-happy-family.html' title='One Big Happy Family?'/><author><name>Dr. Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-3798417305272465903</id><published>2011-03-25T22:00:00.001-04:00</published><updated>2011-03-25T22:03:59.785-04:00</updated><title type='text'>Does Digital Forensics Suffer from Physics Envy?</title><content type='html'>&lt;p&gt;For over a decade we have been fighting to have digital forensics recognized as a science. Committees have been struck, organizations created and a great deal of blood, sweat and tears has gone into having the American Academy of Forensic Sciences recognize us as a new section - Digital and Multimedia Sciences. We have also written numerous papers, conducted workshops and heavily marketed for the coveted recognition as a "SCIENCE".&lt;/p&gt;&lt;p&gt;What if we got it wrong? Can we really make a solid case for digital forensics being a science? The goal of science is the pursuit of knowledge. This is accomplished by using the scientific method or process. Theories are derived, hypotheses created and experiments designed to test these educated guesses. The interpretation of the findings is supposed to be value free and the results reproducible.&lt;/p&gt;&lt;p&gt;The goal of technology on the other hand is to meet the needs of some applied problem, focusing on some short term solution. The major processes include design, implementation, and testing. 
The determination of the success or failure is value laden and reproducibility of findings not necessarily critical.&lt;/p&gt;&lt;p&gt;If we limit our discussion to the current state of digital forensics which category do we more easily fit into? It is really a no-brainer - we are a technology that may at some point in the future move to a science, but we are not there yet.&lt;/p&gt;&lt;p&gt;The next important issue to contemplate is whether we actually have to become a science. Can we still serve our purpose and mandate (as well as the courts') by remaining a technology? Maybe we just have a case of Physics envy.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-3798417305272465903?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/3798417305272465903/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2011/03/does-digital-forensics-suffer-from.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/3798417305272465903'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/3798417305272465903'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2011/03/does-digital-forensics-suffer-from.html' title='Does Digital Forensics Suffer from Physics Envy?'/><author><name>Dr. 
Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-4824621449112544674</id><published>2011-03-23T19:54:00.001-04:00</published><updated>2011-03-23T20:36:09.060-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Issues'/><title type='text'>Who watches the watchers?</title><content type='html'>&lt;p style="font-size: 13px;"&gt;&lt;span style="font-family: Arial; font-size: 11px;"&gt;We are reaching what could be termed a tipping point in the development/ maturation of digital forensics. We are starting to see an increasing demand for certifications specific to digital forensics. This parallels the historical development of information security and assurance. As the demand for more secure networks and personnel trained to test and defend these systems increased, so too did the need for industry to gauge who was at least minimally qualified to claim they were professionals in this field. This demand spurred on an industry dedicated to certifying professional information security professionals. Unfortunately a conflict of interest soon arose. The same companies that were certifying the professionals through some type of examination, were also selling the training and study guides for their tests. One of the cardinal rules of accreditation and certification was broken – no independent accreditation body was set up to provide oversight for the training and testing companies. The fox was and is guarding the hen house.&lt;/span&gt;&lt;/p&gt;&lt;p style="font-size: 13px;"&gt;&lt;span style="font-family: Arial; font-size: 11px;"&gt;Digital forensics now has numerous certifying bodies which in fact are thinly disguised training and testing companies. 
Come take our training, read our guide, take our test and lo and behold you are certified in digital forensics. The argument put forward for using this model yet again is that if it is good enough for information security then it's good enough for us. But wait, we can claim a direct lineage to the forensic sciences. Given this context we can look to the world of forensics and determine what our sister sciences have done. The forensic sciences seem to be very sensitive to the issues of conflicts of interest, whether real or perceived. As such the Forensic Specialties Accreditation Board (FSAB) was developed. The mission of the FSAB is as follows:&lt;/span&gt;&lt;/p&gt;&lt;p style="font-size: 13px;"&gt;&lt;span style="font-family: Arial; font-size: 11px;"&gt;"&lt;span style="border-collapse: collapse;"&gt;&lt;span style="color: windowtext;"&gt;The goal of this program is to establish a mechanism whereby the forensic community can assess, recognize and monitor organizations or professional boards that certify individual forensic scientists or other forensic specialists. This program has been established with the support and grant assistance of the&lt;/span&gt; &lt;a href="http://www.aafs.org/" target="_blank"&gt;American Academy of Forensic Sciences&lt;/a&gt; &lt;span style="color: windowtext;"&gt;(AAFS), the&lt;/span&gt; &lt;a href="http://www.nfstc.org/" target="_blank"&gt;National Forensic Science Technology Center&lt;/a&gt; &lt;span style="color: windowtext;"&gt;(NFSTC) and the&lt;/span&gt; &lt;a href="http://www.ojp.usdoj.gov/nij" target="_blank"&gt;National Institute of Justice&lt;/a&gt; &lt;span style="color: windowtext;"&gt;(NIJ)."&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="font-size: 13px;"&gt;&lt;span style="border-collapse: collapse; font-family: Arial; font-size: 11px;"&gt;Currently there are about 16 accrediting boards recognized by the FSAB. Unfortunately there are no recognized boards or bodies related to digital forensics. 
This presents us with a very real problem. The FSAB standards and criteria cover the management structure of the body, examination and certification standards, competency of evaluation personnel, recertification etc. The standards also state that no certified members can be "grand fathered":&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: Arial; font-size: 11px;"&gt;&lt;span style="border-collapse: collapse;"&gt;"Grandfathering is not an acceptable method of certification.&lt;/span&gt; &lt;span style="border-collapse: collapse;"&gt;5.1.4.1 Certification bodies that used grand fathering and which were established prior to February 17, 2001, may apply for accreditation if not more than 50% of its certificants were grandfathered.&lt;/span&gt; Note: An individual is considered “grandfathered” if the person was issued a certificate without having taken and attained a satisfactory score in an examination designed to assess the knowledge, skills and abilities in the stated field of certification. 5.1.4.1.1 Any grandfathered certificants must be subjected to the same examination and competency assessment as new applicants (as defined in 5.3 of these standards) no later than the regularly scheduled recertification for that individual, not to exceed a period of five years. 5.1.4.2 No certification body established after Feb 17, 2001, may apply for accreditation until all its certificates have been issued according to the standards as defined section 5.1.4 of these standards."&lt;/span&gt;&lt;/p&gt;&lt;div class="section" style="font-size: 13px;"&gt;&lt;div class="layoutArea"&gt;&lt;div class="column"&gt;&lt;span style="font-family: Arial; font-size: 11px;"&gt; Grand fathering has been a popular method in the Information Security field in order to instantly populate a new credential with a critical mass of members. 
It would seem that this practice is off the table with forensics.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="layoutArea"&gt;&lt;div class="column"&gt;&lt;span style="font-family: Arial; font-size: 11px;"&gt; The lack of any recognized accreditation board for digital forensics (at least by the FSAB, AAFS, NIJ) translates into certifications that may have little if any value. This is not to say that there aren't some first rate digital forensics professional certifications out there, it just means that none are technically recognized by the same standard as other forensic sciences. This fact cannot be lost on opposing counsels and will certainly find its way into the court room in the not so distant future.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;&lt;br style="font-size: 13px;" /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-4824621449112544674?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/4824621449112544674/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2011/03/who-watches-watchers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/4824621449112544674'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/4824621449112544674'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2011/03/who-watches-watchers.html' title='Who watches the watchers?'/><author><name>Dr. 
Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-506420940587632490</id><published>2011-03-21T22:03:00.001-04:00</published><updated>2011-03-21T22:03:28.167-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='New Pubs'/><title type='text'>More upcoming Pubs</title><content type='html'>&lt;p&gt;I am proud to announce that I have been working with the folks at Chelsea House (James Chambers in particular) on a series of edited books for young people ages 12-18 yrs old. The objective of the series is to provide young people with a frank discussion related to "Cybersafety". As the Chief Technical Editor I had the pleasure of working with some of the leading authors and researchers in the areas of cyber stalking, cyber bullying, online addictions, cyber predators, identity theft etc.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;The series should make an excellent resource for middle and secondary schools. 
If anyone is interested in being involved in the second edition of this series, please just let me know.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&amp;amp;field-keywords=cybersafety+Rogers&amp;amp;rh=i%3Aaps%2Ck%3Acybersafety+Rogers&amp;amp;ajr=3"&gt;http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&amp;amp;field-keywords=cybersafety+Rogers&amp;amp;rh=i%3Aaps%2Ck%3Acybersafety+Rogers&amp;amp;ajr=3&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-506420940587632490?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/506420940587632490/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2011/03/more-upcoming-pubs.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/506420940587632490'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/506420940587632490'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2011/03/more-upcoming-pubs.html' title='More upcoming Pubs'/><author><name>Dr. 
Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-3515214447034255124</id><published>2011-03-20T17:32:00.001-04:00</published><updated>2011-03-20T17:32:30.646-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Issues'/><title type='text'>Response to Where's the Science</title><content type='html'>&lt;title&gt;&lt;/title&gt;   &lt;style type="text/css"&gt;p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 16.0px 'Times New Roman'}p.p2 {margin: 0.0px 0.0px 16.0px 0.0px; font: 16.0px 'Times New Roman'; color: #090080}&lt;/style&gt;   &lt;br /&gt;&lt;div class="p1"&gt;I appreciate the opportunity to discuss this topic on your blog.&amp;nbsp; I find that my opinion would vary from yours to some degree.&lt;/div&gt;&lt;div class="p1"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="p1"&gt;While science and experiments are a vital and necessary part of digital forensics a large part of the evidence uncovered during an exam does not necessarily require an application of science or an experiment.&amp;nbsp; The people who originated the term “Computer Forensics” could have picked a better phrase to define the discipline.&amp;nbsp; I prefer to think of most of the work I do as a “forensic search” of a piece of evidence.&amp;nbsp; I preserve the evidence, the image, in such a way that it is not altered and anyone can duplicate my work from that image and then I search it just as a detective would search a house for a gun, narcotics etc.&amp;nbsp;&lt;/div&gt;&lt;div class="p1"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="p1"&gt;The vast majority of evidence that I have located in exams has come from allocated space.&amp;nbsp; In my report I document the file, its dates and times 
and its location on the storage medium.&amp;nbsp; As an example I had a case where I was requested to examine a Blackberry for evidence which might link a given suspect to a bank robbery.&amp;nbsp; On the micro SD card in the phone I recovered a photograph of the suspect holding a version of the MAC 10 machine gun.&amp;nbsp; Statements from the witnesses and the video show one of the suspects holding a MAC 10.&amp;nbsp; The prosecutor and the jury found the photograph amusing.&amp;nbsp; My testimony consisted of stating that I found the graphic on the micro SD card.&amp;nbsp; I did not testify that it was a real gun or to any other fact other than I found the picture and where.&lt;/div&gt;&lt;div class="p1"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="p1"&gt;Using the image of the SD card the graphic could be located by any forensic tool available.&amp;nbsp; Since the report provides the location of the file I could even clone the image to another SD card.&amp;nbsp; The card could be put in a media reader and anyone computer literate could navigate to the same evidence I found.&amp;nbsp; It was nothing special and anyone could have done the same.&lt;/div&gt;&lt;div class="p1"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="p1"&gt;I read the report from the National Academy of Sciences and came out with a slightly different idea of what they found distressing.&amp;nbsp; I believe the central complaint in that report is not that the science in the disciplines is lacking but that the opinions expressed by the experts in court tend to go beyond their literal/explicit findings assuming they bother to do an exam at all.&lt;/div&gt;&lt;div class="p1"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="p1"&gt;In a recent discussion in a college class I asked the question if a computer examiner could state that passwords held any evidentiary value.&amp;nbsp; My position was that they hold none except in very limited circumstances.&amp;nbsp; As an examiner I can determine that a password 
exists or does not exist and I may even be able to determine what it is but that is it.&amp;nbsp; From an exam I cannot tell who in the home or office that the device was recovered knew the password.&amp;nbsp; I cannot tell if someone walked away from their computer etc.&amp;nbsp; In short I cannot testify as a computer examiner to what other people know.&amp;nbsp; It was interesting that many of the students insisted that you might be able to associate a password with a user if they used something personal like a date of birth or used the same password for multiple things.&amp;nbsp; They completely overlooked the fact that they would be testifying to information not in their forensic exam but their personal opinion of someone’s computer habits.&lt;/div&gt;&lt;div class="p1"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="p1"&gt;Ego can be a problem when testifying.&amp;nbsp; As an “expert” there is a temptation to be willing to provide an opinion to whatever question you are asked on the stand.&amp;nbsp; Judges and attorneys often do not help as they frequently regard anyone with computer knowledge as an all knowing expert on all subjects involving computers.&amp;nbsp; It is up to the examiner to let the attorney/judge know that he or she does not have that knowledge or expertise.&amp;nbsp; It is very difficult to tell people looking up to you as the source of all knowledge that you don’t know.&amp;nbsp; I would say that the science is not lacking in forensics but the willingness of experts to provide opinions outside of the literal results of their findings is the actual problem.&lt;/div&gt;&lt;div class="p1"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="p1"&gt;Please don’t get the impression that I believe that science and research have limited value in digital forensics.&amp;nbsp; I do believe that experiments and research are of use and necessary in digital forensics.&amp;nbsp; I have engaged in them from time to time in particular when dealing with files recovered 
from unallocated space or fragments of files.&amp;nbsp; Determining what program generated the file or fragment, determining the evidentiary value or lack thereof, has most of the time required experiments and research.&amp;nbsp; I do believe that much of my work is simply a search which identifies information of value.&lt;/div&gt;&lt;div class="p1"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="p1"&gt;Posted by:&lt;/div&gt;&lt;div class="p1"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="p1"&gt;&lt;title&gt;&lt;/title&gt;   &lt;style type="text/css"&gt;p.p1 {margin: 0.0px 0.0px 16.0px 0.0px; font: 13.0px Arial; color: #090080}span.s1 {font: 16.0px 'Times New Roman'}&lt;/style&gt;   &lt;/div&gt;&lt;div class="p1"&gt;Sgt. Kevin Stenger&lt;span class="s1"&gt; &lt;br /&gt;&lt;/span&gt;Orange County Sheriffs Office&lt;span class="s1"&gt; &lt;br /&gt;&lt;/span&gt;Orlando Florida&lt;span class="s1"&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="p2"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-3515214447034255124?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/3515214447034255124/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2011/03/response-to-wheres-science.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/3515214447034255124'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/3515214447034255124'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2011/03/response-to-wheres-science.html' title='Response to Where&apos;s the Science'/><author><name>Dr. 
Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-995617258129610245</id><published>2011-03-20T08:07:00.000-04:00</published><updated>2011-03-20T08:15:49.269-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='New Puibs'/><title type='text'>Request for Authors</title><content type='html'>&lt;p&gt;I am proud to announce that the "Encyclopedia of Information Assurance": &lt;span style="font-family: verdana, arial, helvetica, sans-serif; font-size: small;"&gt;&lt;b&gt;ISBN-10:&lt;/b&gt; 142006620X&lt;/span&gt; &lt;span style="font-family: verdana, arial, helvetica, sans-serif; font-size: small;"&gt;&lt;b&gt;ISBN-13:&lt;/b&gt; 978-1420066203&lt;/span&gt; &lt;span style="font-family: verdana, arial, helvetica, sans-serif; font-size: small;"&gt;is now out.&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-family: verdana, arial, helvetica, sans-serif; font-size: small;"&gt;&lt;a href="http://www.amazon.com/Encyclopedia-Information-Assurance-Print-Version/dp/142006620X" title="Link to Amazon"&gt;Encyclopedia of Information Assurance&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p style="text-align: left;"&gt;&lt;span style="font-family: verdana, arial, helvetica, sans-serif; font-size: small;"&gt;We are currently working on the second edition and are actively soliciting authors for this edition. 
If you are interested in working on the second edition please contact me directly at: rogersmk@purdue.edu or Rich O'Hanley &amp;lt;rich.ohanley@taylorandfrancis.com&amp;gt;.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-995617258129610245?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/995617258129610245/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2011/03/request-for-authors.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/995617258129610245'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/995617258129610245'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2011/03/request-for-authors.html' title='Request for Authors'/><author><name>Dr. 
Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-8794303466439653184</id><published>2011-03-15T00:19:00.000-04:00</published><updated>2011-03-23T20:35:02.804-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Issues'/><title type='text'>Where's the science?</title><content type='html'>&lt;p&gt;After a long delay, I have finally found time to update the blog (probably due to the knee replacement surgery I had done and I am getting bored lying around). The topic of this posting has its origins in multiple sources. The first was my attending the AAFS conference and sitting through several presentations in the Digital &amp;amp; Multimedia Sciences Section [full disclosure – a student and I presented 2 papers]. The second source of motivation was the excellent book by Dr. Ben Goldacre "Bad Science". Both of these got me thinking about where the science is in digital forensic science. We seem to have plenty of case study presentations, tools being developed, and novel investigative protocols being proffered. What appears to be missing is any real empirical research!&lt;/p&gt;&lt;p&gt;Very few of the manuscripts I review report any type of hypothesis testing, statistical analysis, or at the very least error rates or reliability estimates. When these oversights get brought up, the typical refrain is that we are an applied science, not basic research. This rings hollow with me. The term applied science should not be, and is not, synonymous with a lack of proper scientific analysis, data reporting, validation or replication of findings. 
It is almost as if we in the community have an inferiority complex and some believe that our field is not worthy of scientific rigor.&lt;/p&gt;&lt;p&gt;In the context of the National Academy of Sciences report to Congress on forensic sciences and the pending bills being floated around the White House (e.g. Senator Leahy's), we need to step up and step back to cast a critical eye on the science of forensic science across all of the fields, ours being no exception. I have commented before how there seems to be a lack of scientists actually involved in charting the direction of digital forensic science, a fatal mistake in my opinion.&lt;/p&gt;&lt;p&gt;It should be very interesting to see if external bodies such as the proposed Office of Forensic Science and the Forensic Science Board will push us in the direction of being more scientific or if they will be the typical political lame ducks and produce only the illusion of science. Unfortunately based on the historical record I predict the latter will happen. 
Therefore it is up to us in the community to push for better accountability and research based on proper scientific methods (even a focus on reproducibility would be a giant leap in the right direction).&lt;/p&gt;&lt;p&gt;Here is an interesting interview with Ben Goldacre on the booming age of pseudo-science:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a title="Bad Science" href="http://www.youtube.com/watch?v=BaDk2GuI6ic&amp;amp;feature=related" target="_blank"&gt;Pseudo Science&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a title="Bad Science" href="http://www.youtube.com/watch?v=BaDk2GuI6ic&amp;amp;feature=related" target="_blank"&gt;Ben Goldacre&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-8794303466439653184?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/8794303466439653184/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2011/03/where-science.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/8794303466439653184'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/8794303466439653184'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2011/03/where-science.html' title='Where&amp;#39;s the science?'/><author><name>Dr. 
Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-6530468754233373823</id><published>2010-02-07T11:23:00.001-05:00</published><updated>2010-02-07T11:25:57.521-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Issues'/><title type='text'>The Coming Storm - Cloud Computing and Digital Investigations</title><content type='html'>By now we have all heard how cloud computing will revolutionize the Internet and be the next best thing to happen to online businesses, consumers, education and the world at large. But we haven't heard much about the investigative concerns the so-called cloud brings with it. As most of us realize, the concept of cloud computing is nothing new. Technically we have been living with this "cloud" since the inception of the Internet and the World Wide Web. What this new cloud concept seems to add to the equation is the ability to have various levels of distributed storage and application services.&lt;br /&gt;&lt;br /&gt;While there are numerous security concerns being discussed by various cyber security "Czars," there seems to be little if any discussion about how the cloud will affect digital forensic investigations. Just off the top of my head I can think of several concerns that are generic to the concept of cloud computing to say nothing of specific concerns related to specific implementations or hardware and software applications. 
&lt;br /&gt;&lt;br /&gt;Some basic questions are related to:&lt;br /&gt;&lt;br /&gt;a) Jurisdiction - which sovereign nation or nations has/have authority?&lt;br /&gt;&lt;br /&gt;b) Ownership - who actually owns the data in question?&lt;br /&gt;&lt;br /&gt;c) Expectations of privacy - what will be the standard for reasonable expectations of privacy in the cloud?&lt;br /&gt;&lt;br /&gt;d) Location of evidence - where do we even begin to look for data that may be classified as evidence for the investigation?&lt;br /&gt;&lt;br /&gt;e) International cooperation - will countries housing/storing the data be willing to cooperate during an investigation?&lt;br /&gt;&lt;br /&gt;f) Localized evidence - what artifacts will be left on the client machine?&lt;br /&gt;&lt;br /&gt;To me these seem like obvious questions/concerns that we need to think about, debate and start working toward some answers. As I stated in the opening paragraph, the cloud is being touted as the greatest thing since "sliced bread," whether this is actually the case or not. &lt;br /&gt;&lt;br /&gt;We  as investigators will soon find ourselves truly immersed in the world of "virtual" evidence; a very sobering thought. 
One can only imagine how a judiciary who has trouble wrapping its mind around the concept of e-mail, will be able to keep up with the various technical solutions that make up the concept of cloud computing.&lt;br /&gt;&lt;br /&gt;It behooves the digital forensics community to weigh in on discussions related to cloud computing and provide input as to what this latest technology savior will eventually become.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-6530468754233373823?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/6530468754233373823/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2010/02/coming-storm-cloud-computing-and.html#comment-form' title='39 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/6530468754233373823'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/6530468754233373823'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2010/02/coming-storm-cloud-computing-and.html' title='The Coming Storm - Cloud Computing and Digital Investigations'/><author><name>Dr. 
Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>39</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-3737598774434457535</id><published>2010-01-13T10:11:00.001-05:00</published><updated>2010-01-13T10:20:32.503-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Government'/><title type='text'>Reactions to the NAS report on the State of Forensic Sciences</title><content type='html'>As we get ready for the upcoming American Academy of Forensic Sciences conference in Seattle February 2010, I am struck by a rather interesting debate that is coming to a head in both the forensic sciences and legal communities. As many are aware, the National Academies of Sciences report to Congress on the state of forensic sciences really shook the forensic sciences discipline and legal community at its very core. Most commentators have focused on the negative components of the report, but few if any have really looked at the positives and/or the gaps in knowledge of those drafting the report.&lt;br /&gt;&lt;br /&gt;During a recent discussion with several colleagues who are at the forefront of international and national standards and credentialing, we were struck by the lack of mention both in the report and the follow-up conversations by the different government and quasi-government agencies, of any of the ongoing work by the numerous forensic sciences bodies that were initiated long before the report was tabled.&lt;br /&gt;&lt;br /&gt;I think I will leave the discussion regarding the knowledge gaps that appeared in the report for another day. A corollary issue is the heated debate over the role government has in the regulating of forensic sciences. 
Some post-report camps wholeheartedly support the notion that state, local, tribal and federal governments should be more closely involved in the regulation, standardization and funding of the forensic sciences. A second camp is diametrically opposed to this recommendation. The gist of this camp's argument is that by including government in a  regulatory and standardization role, we will end up with an even more fragmented forensic community. It would appear that these folks endorse more of the free market economy approach and believe the scientific community will correct itself albeit under the direction of the legal justice system.&lt;br /&gt;&lt;br /&gt;To be honest I have mixed feelings about this issue. Being both a forensic scientist and member of international and national bodies attempting to draft a universal code of ethics, nationally recognized credentials and standards etc., I see little if any real positive development by the scientific community if left to its own devices. Part of this lack of development, or probably more appropriately dysfunctional development, is the result of the interference by the vendor community and other private-sector interests who in fact often have goals contrary to the  altruistic goal of developing "good science." Yet I have also seen how completely dysfunctional and self-serving government interference can be in the leadership of the forensic sciences.&lt;br /&gt;&lt;br /&gt;Still others would argue that government interference in this domain is no different from what has been historically done. While I agree with this assertion, just because it has been done historically, doesn't mean that it has been successful or should be continued in the future. I believe a more pragmatic solution falls within the realm of what could be termed a "centrist approach". 
By this I mean a combination of government oversight as it relates to funding and nationally/internationally standardizing the forensic sciences and the introduction of a non-governmental agency who has ultimate oversight of the scientific community; free from influence and interference from both the government and the private sector. I fully realize that such an idea is rather utopian.&lt;br /&gt;&lt;br /&gt;The last thing the forensic sciences community needs at this juncture is to become fragmented and bogged down in petty disputes and knee-jerk reactions to an as of yet un-acted upon NAS report. Given the current and near-term economic conditions, it is doubtful that any of the major recommendations of the report (e.g., the creation of the National Institute for Forensic Sciences) will come to fruition. I personally believe that if we look at the bigger picture we soon realize that the "moral of the story" here is that if the forensic sciences community does not get its collective house in order, we will have far less than perfect solutions thrust upon us from external bodies that more than likely will only have been given a limited, or agenda-biased, view of the domain in question.&lt;br /&gt;&lt;br /&gt;If history is any indication, we will likely find ourselves in a situation where the NAS report, while garnering media attention currently, will soon be forgotten, archived, and never acted upon, as has been the fate of other forensic sciences reports that have preceded this one. 
Only time will tell, but regardless, this should make for a very interesting meeting in Seattle.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-3737598774434457535?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/3737598774434457535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2010/01/reactions-to-nas-report-of-state-of.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/3737598774434457535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/3737598774434457535'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2010/01/reactions-to-nas-report-of-state-of.html' title='Reactions to the NAS report on the State of Forensic Sciences'/><author><name>Dr. Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-1272418580768833828</id><published>2009-01-28T09:05:00.000-05:00</published><updated>2009-01-28T09:12:18.363-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Issues'/><title type='text'>ISSUES IN DIGITAL EVIDENCE INVESTIGATION</title><content type='html'>&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman"&gt;Cyber crime is an illegal electronic operation that targets the security of computer systems and data processed by them. 
Hacking, cyber fraud, phishing, identity and data theft come under cyber crime. Bank accounts can be hacked and credit card details can be stolen. When such cyber crimes are committed, we need digital evidence investigators to catch the culprits. Though cyber forensics is doing a great deal to find out who is responsible for misusing computer systems, it faces many issues that have to be handled with care. Listed below are some issues in cyber forensics.&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman; min-height: 15.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;ol style="list-style-type: decimal"&gt; &lt;li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman"&gt;A digital evidence investigator must keep in mind the privacy and secrecy of the clients’ data and information while performing the investigation. But in some cases when the information has to be produced as evidence in the court of law to prove a crime, it is not possible for the cyber forensics expert to maintain the secrecy and privacy of the clients’ information.&lt;/li&gt; &lt;li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman"&gt;Sensitive data and information that are very important to the client may be lost or damaged while finding evidence. But it is the duty of the expert to take additional care to ensure that the possible evidence is not destroyed or damaged. Typically this involves making a forensic image or forensic copy of the original media, and conducting the analysis on the copy versus the original.  &lt;/li&gt; &lt;li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman"&gt;While the investigations are on, it is possible that some malicious computer programs or computer viruses are released into the computer system. These viruses may corrupt the existing software and they may have the potential to damage the hardware system too. 
It may be necessary to use high quality anti-virus software before the investigation is commenced.&lt;/li&gt; &lt;li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman"&gt;Once the evidence is found, it must be preserved very carefully. It must be protected against any kind of mechanical and electro-magnetic damage. Any evidence found relevant to the situation at hand will need to be extracted from the working copy media and then typically saved to another form of media as well as printed out. The information that is obtained as evidence is the responsibility of the computer forensic team.&lt;/li&gt; &lt;li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman"&gt;When the case is on, the evidence information may be stored in court and, in some cases, the concerned parties may not be able to use that information. This may affect the business operations. In order to avoid causing any inconvenience and loss to the parties involved, the digital evidence investigator must make sure that justice is delivered as soon as possible.&lt;/li&gt; &lt;li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman"&gt;Whatever is done during the analysis has to be documented along with the findings. The findings and reports need to be based on proven techniques and methodology, and any other competent investigator should be able to duplicate and reproduce the results. 
It is also important that the information acquired during the analysis is ethically and legally respected.&lt;/li&gt; &lt;li style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman"&gt;The operations cost of digital evidence investigations may in some cases exceed regular investigations.&lt;/li&gt; &lt;/ol&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 18.0px; font: 12.0px Times New Roman; min-height: 15.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 18.0px; font: 12.0px Times New Roman"&gt;In spite of all these issues, cyber forensics or digital evidence investigation has gained a lot of importance in today’s computer world largely due to its vast application in varied situations.&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman; min-height: 15.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman"&gt;By-line:&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Times New Roman"&gt;This post was contributed by Holly McCarthy, who writes on the subject of &lt;a href="http://www.criminaljusticeusa.com/forensic-science.html"&gt;&lt;span style="text-decoration: underline ; color:#0000ff;"&gt;forensic science careers&lt;/span&gt;&lt;/a&gt;. 
She invites your feedback at hollymccarthy12 at gmail dot com&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Times New Roman; min-height: 15.0px"&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-1272418580768833828?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/1272418580768833828/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2009/01/issues-in-digital-evidence.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/1272418580768833828'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/1272418580768833828'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2009/01/issues-in-digital-evidence.html' title='ISSUES IN DIGITAL EVIDENCE INVESTIGATION'/><author><name>Dr. Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-681838360985548951</id><published>2009-01-14T22:32:00.001-05:00</published><updated>2009-01-14T22:32:31.219-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Regulations'/><title type='text'>Digital Evidence Investigators Required to be Licensed PI's!</title><content type='html'>We are witnessing a very interesting and disturbing trend in the digital evidence domain. 
Many states are enacting or amending legislation that will require anyone conducting any type of an "investigation" where a computer is involved to be licensed as a Private Investigator – Michigan being one of the latest examples. This is interesting as it was predicted several years ago that, unless the digital evidence community came up with some sort of gold standard/professional designation with a professional code of ethics, the ability to censure unethical professionals etc. the government would intercede with a less than perfect knee jerk reaction in order to protect consumers of these services.&lt;br /&gt;&lt;br /&gt;The American Bar Association has taken a stand on this issue and the Science &amp; Technology Law Section has issued a resolution arguing against this requirement:&lt;br /&gt;&lt;br /&gt;AMERICAN BAR ASSOCIATION ADOPTED BY THE HOUSE OF DELEGATES AUGUST 11-12, 2008&lt;br /&gt;&lt;br /&gt;RECOMMENDATION&lt;br /&gt;&lt;br /&gt;RESOLVED, That the American Bar Association urges State, local and territorial legislatures, State regulatory agencies, and other relevant government agencies or entities, to refrain from requiring private investigator licenses for persons engaged in:&lt;br /&gt;&lt;br /&gt;computer or digital forensic services or in the acquisition, review, or analysis of digital or computer-based information, whether for purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court; or&lt;br /&gt;&lt;br /&gt;network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network.&lt;br /&gt;&lt;br /&gt;FURTHER RESOLVED, That the American Bar Association supports efforts to establish professional certification or competency requirements for such activities based upon the current state of technology and science.&lt;br /&gt;&lt;br /&gt;Unfortunately it appears that most states are ignoring the advice of the 
scientific and legal community. The cynical side of my nature wonders whether the motivation for moving toward the PI License requirement is driven primarily by an economic motive (It appears that the PI community has a strong lobbying presence in many of the states that have already passed these requirements) as opposed to any real concern over an unregulated "industry" and consumer protection.&lt;br /&gt;&lt;br /&gt;This issue is shaping up to be a watershed event for the digital evidence community and the final outcome will have a long lasting impact on this maturing field.&lt;br /&gt;&lt;br /&gt;In case you were wondering, there is a concerted effort underway to address the issue of a neutral, board like certification for digital evidence professionals supported by the forensic science accreditation board. The Digital Forensics Certification Board (www.DFCB.org) housed at the University of Central Florida's National Center for Forensic Science will offer its certification exam early in the spring of this year. This non-partisan body represents the collective effort of law enforcement, private sector, government, military and academia. 
For the sake of full disclosure, yes I am part of this effort.&lt;br /&gt;&lt;br /&gt;More information about this effort will be presented at the Digital Sciences &amp; Multimedia Section of American Academy of Forensic Sciences Annual Meeting in Colorado this February.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-681838360985548951?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/681838360985548951/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2009/01/digital-evidence-investigators-required_14.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/681838360985548951'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/681838360985548951'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2009/01/digital-evidence-investigators-required_14.html' title='Digital Evidence Investigators Required to be Licensed PI&amp;#39;s!'/><author><name>Dr. 
Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-9082271949141012143</id><published>2008-12-13T17:11:00.001-05:00</published><updated>2008-12-13T17:14:36.075-05:00</updated><title type='text'>SWGDE's position on standards and controls for computer forensics</title><content type='html'>The scientific working group for digital evidence, in response to a series of articles by John Barbara that appeared in Forensic Magazine:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;http://www.forensicmag.com/articles.asp?pid=138&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;have taken a very interesting stance. In a published document, the SWGDE claim that computer forensics is different than other forensic sciences because in computer forensics &lt;strong&gt;"false positives are non-existent&lt;/strong&gt;". Therefore controls are not applicable to this field.&lt;br /&gt;&lt;br /&gt;I am deeply troubled by what I consider to be a false belief system – computer forensics and its tools are infallible.  This position is not supported by the larger scientific community and in fact numerous examples are available that contradict this position (e.g., orphan files and folders in NTFS, misrepresentation from data carving).&lt;br /&gt;&lt;br /&gt;What is equally as disturbing, is the notion that has been proffered that somehow using a hashing algorithm to verify the integrity of a forensic copy of the original, is a control against false positives at the data abstraction and presentation layer during the analysis and examination phases.&lt;br /&gt;&lt;br /&gt;Most of the examples of false positives occur due to an error in the data abstraction layer.  
Since we rely on tools (software) to abstract the data (we cannot see the ones &amp; zeroes etc.) an error in the tool becomes problematic, as we trust the tool's output. To date, none of the commercial computer forensic tool vendors are willing to share the error rates of their tools, so we are left to experimentation in order to try and determine this for ourselves.&lt;br /&gt;&lt;br /&gt;I have weighed in on this issue with the SWGDE (full disclosure - I am a non-voting academic associate member). Since the SWGDE has publicly released their position paper, I think that in the spirit of open discussion and debate, we in the digital forensics community need to weigh in on this. I believe this is a watershed issue and it needs to be addressed.&lt;br /&gt;&lt;br /&gt;Here is the link to the SWGDE position paper:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;http://www.swgde.org/documents/swgde2008/SWGDEStandardsandControlsPositionPaper.pdf&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-9082271949141012143?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/9082271949141012143/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2008/12/swgde-position-on-standards-and.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/9082271949141012143'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/9082271949141012143'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2008/12/swgde-position-on-standards-and.html' title='SWGDE&amp;#39;s position on standards and controls for computer 
forensics'/><author><name>Dr. Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-919418961388446880</id><published>2008-12-13T16:25:00.001-05:00</published><updated>2008-12-13T16:25:18.179-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Journals'/><title type='text'>Journal of Digital Forensic Practice</title><content type='html'>As the Editor-in-Chief of the Journal of Digital Forensic Practice, I would like to announce the latest round of a call for papers for the Journal. Author instructions for submissions can be located at:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;http://www.tandf.co.uk/journals/journal.asp?issn=1556-7281&amp;linktype=44&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-919418961388446880?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/919418961388446880/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2008/12/journal-of-digital-forensic-practice.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/919418961388446880'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/919418961388446880'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2008/12/journal-of-digital-forensic-practice.html' title='Journal of Digital Forensic Practice'/><author><name>Dr. 
Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-1471360690809565085</id><published>2008-12-13T16:20:00.001-05:00</published><updated>2008-12-13T16:20:39.465-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Certification'/><title type='text'>National Center for Forensic Sciences Announces Certification Body for Digital Forensics</title><content type='html'>By way of full disclosure, I am the Chair of the Certification Committee for this Body. This effort is an indirect result of the AAFS recognizing the new section of Digital and Multimedia Sciences.&lt;br /&gt;&lt;h1&gt;&lt;br /&gt;Certification of Digital Forensics Professionals - Becomes a Reality &lt;/h1&gt;&lt;p&gt;&lt;/p&gt;&lt;br /&gt; &lt;br /&gt;&lt;strong&gt;Introduction to Certification&lt;/strong&gt;&lt;br /&gt; The Digital Forensics Certification Board (DFCB) will offer digital forensics practitioners the opportunity to achieve a professional certification.  DFCB is headquartered at the National Center for Forensic Science at the University of Central Florida’s Research Foundation, in Orlando. This certification will require more than paying a fee and passing a test; successful completion of the certification process will require a peer-group validation of knowledge, skills and abilities in the analysis and evaluation of digital evidence.  Certification will be based on successfully meeting core competency requirements identified by a community of experts.   &lt;br /&gt;Attaining certification will require strict adherence to an ethics component.  Continuing education and other related professional activities will be required for all digital forensics professionals recognized by the DFCB.  
&lt;p&gt;&lt;/p&gt;&lt;br /&gt; &lt;br /&gt;&lt;strong&gt;Certification and Application Overview&lt;/strong&gt;&lt;br /&gt;Professional core competencies in digital forensics will be evaluated in the application and examination process:  foundation knowledge, acquisition knowledge, examination knowledge, analysis knowledge, and reporting (written and testimonial) knowledge.  The “Founders” graded application process will begin in the fall of 2008 and continue to the end of the calendar year.  One type of certification will be offered for both managers and practitioners:  the Digital Evidence Practitioner (DEP) Certification will include those who are practitioners and managers in digital evidence programs in law enforcement or the private sector.  For applicants to qualify for the DEP certification under the Founders provision, an applicant must provide evidence of digital evidence practical experience.  Note that, in general, an applicant’s experience should include a mixture of both digital forensic acquisitions as well as analyses.   A total of at least five (5) years of experience is required, which will include full-time practical experience conducting digital forensics.  One year of current experience in the last three years is required to apply for practitioner status.&lt;p&gt;&lt;/p&gt;&lt;br /&gt; &lt;br /&gt;&lt;strong&gt;Goals and Objectives &lt;/strong&gt;&lt;br /&gt;The goals and objectives of the DFCB are as follows:&lt;br /&gt;&lt;br /&gt;1.  To promote trust and confidence in the Digital Forensics profession &lt;br /&gt;2.  To provide an objective certification process in digital forensics which will help the maturation of digital forensics as a science &lt;br /&gt;3.  To encourage, promote, aid, and affect the voluntary interchange of data, information, experience, and knowledge about methods and processes among the membership of DFCB &lt;br /&gt;4.  
To establish, encourage, and enforce observation of a Code of Ethics and Standards of Professional Conduct &lt;br /&gt;5.  To publish and distribute books, pamphlets, periodicals, papers and articles supportive of activities and purposes of DFCB &lt;br /&gt;6.  To establish and conduct such committees, bureaus, and offices as are necessary and incidental to the activities of DFCB &lt;br /&gt;7.  To conduct surveys, studies, hold conferences, symposiums, seminars, and forums &lt;br /&gt;8.  To arrange for the presentation of lectures and papers on matters and problems of interest &lt;br /&gt;9.  To foster, promote, encourage, study, research, facilitate discussion, collect and disseminate information of service or interest to the members of DFCB or the public at large &lt;br /&gt;10. To conduct (such other) related activities as may be necessary, desirable, or incidental to gaining recognition of accomplishments in the field of investigations and analysis involving advanced technologies within government, business and academia.&lt;br /&gt;&lt;br /&gt;Every person certified by DFCB will be required to demonstrate excellence, integrity, and objectivity in every forensic analysis where conclusions are formulated and reported for presentation in the judicial system.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;For more information, please contact:&lt;br /&gt;&lt;br /&gt;Sam Guttman – DFCB President		sguttman@mail.ucf.edu &lt;br /&gt;Mark Pollitt – DFCB Vice-President	mpollitt@mail.ucf.edu&lt;br /&gt;Carrie Whitcomb – Director, NCFS	            whitcomb@mail.ucf.edu&lt;br /&gt;Telephone number for all officers:		 407-823-6469	&lt;/em&gt;	&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-1471360690809565085?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://deforensics.blogspot.com/feeds/1471360690809565085/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2008/12/national-center-for-forensic-sciences.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/1471360690809565085'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/1471360690809565085'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2008/12/national-center-for-forensic-sciences.html' title='National Center for Forensic Sciences Announces Certification Body for Digital Forensics'/><author><name>Dr. Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-8460399639311310564</id><published>2008-12-13T16:13:00.001-05:00</published><updated>2008-12-13T16:13:38.548-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Funding'/><title type='text'>NIJ Announces New Round of Funding for Electronic Crime &amp; Digital Evidence</title><content type='html'>The NIJ has finally posted their RFP for funding related to E-Crimes and Digital Evidence Recovery!&lt;br /&gt;&lt;br /&gt;http://www.ojp.usdoj.gov/nij/funding/current.htm&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-8460399639311310564?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/8460399639311310564/comments/default' title='Post Comments'/><link 
rel='replies' type='text/html' href='http://deforensics.blogspot.com/2008/12/nij-announces-new-round-of-funding-for.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/8460399639311310564'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/8460399639311310564'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2008/12/nij-announces-new-round-of-funding-for.html' title='NIJ Announces New Round of Funding for Electronic Crime &amp;amp; Digital Evidence'/><author><name>Dr. Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7158878824897351883.post-5779929793204795317</id><published>2008-12-13T16:00:00.001-05:00</published><updated>2008-12-13T16:00:07.843-05:00</updated><title type='text'>Welcome to My Blog</title><content type='html'>&lt;br /&gt;Welcome to my blog on all things related to Cyber Forensics. I intend this blog to be a resource to discuss what we are currently doing in the field of digital forensics and digital evidence. Many of my students requested a resource that they could go to to discuss and keep up to date on happenings in the field. 
I figured X-mas break was a good time to start the blog!&lt;br /&gt;&lt;br /&gt;As an educator, program chair, research scientist, journal editor-in-chief (shameless plug – Journal of Digital Forensic Practice) and committee board member at the national and international level, I hope to share what is current and, maybe more importantly, what is coming down the pipe.&lt;br /&gt;&lt;br /&gt;I hope this blog encourages frank and open discussion and allows us to shine a light on this burgeoning scientific field. While vendor responses etc. are encouraged, this is not a venue for direct or indirect marketing. No exceptions. &lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7158878824897351883-5779929793204795317?l=deforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://deforensics.blogspot.com/feeds/5779929793204795317/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://deforensics.blogspot.com/2008/12/welcome-to-my-blog.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/5779929793204795317'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7158878824897351883/posts/default/5779929793204795317'/><link rel='alternate' type='text/html' href='http://deforensics.blogspot.com/2008/12/welcome-to-my-blog.html' title='Welcome to My Blog'/><author><name>Dr. Angzt</name><uri>http://www.blogger.com/profile/04351800794237633199</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
