Big Galoot Diatribe - Computer Forensics “Specialists”

July 4th, 2007 Drazen Drazic Posted in Big Galoot Diatribe, Forensics, cyber crime |

The rantings of Craig Chapman, Computer Forensics Geek.

The other day I met a couple of guys at a security conference who introduced themselves and announced proudly that they did “Computer Forensics”.  I had no reason at that stage to disbelieve them, since they were wearing some rather impressive-looking nametags, bearing the logo of a very well known global company.

After a bit of big-noting themselves, it was what they said next in relation to investigation techniques that sent my alarm bells ringing;

“We’ve just done a course on interviewing suspects.  We can tell you when someone is lying.”

“Really?” I said, rather disbelievingly. (Gees, these guys have it 100% - something that takes good police detectives years to develop).

“Aside from your lie detector skills, how do you keep an arm’s length between your forensics role and being the interviewer of a suspect?” I asked, very curious to hear their response.

“Bah! No need to worry about that!” they replied rather boldly, as if that were a mere technicality not worth worrying about.

Unfortunately, as they might discover, the courts don’t exactly share their view on simultaneously wearing both the hat of the interrogating Investigator and that of the Computer Forensics Expert. See fellas, there’s this thing that courts are big on, it’s something known as ‘Independence’.

Nor is computer forensics simply a fancy term for checking audit logs, as they would later try to rather incredulously argue. Make no mistake, these guys were not computer forensics people in any form. They were at best a pair of audit-log-checking boofheads calling themselves “computer forensics” people. As the term “forensics” suggests, it also involves the gathering of evidence in a manner that is lawfully admissible in a court. Judging by their manner, and their high degree of BS, I’d have to conclude that these gentlemen have spent far too much time watching CSI or NCIS, and very little time, if any, in an actual court or in a witness box.

Fellas, if by chance you recognise yourselves & happen to be reading this blog, here’s a really good definition of computer forensics as described at http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1007675,00.html

Computer Forensics:
“The application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.”

And by the way, if you’re still reading, perhaps you should remove the “Computer Forensics” label from your nametags and replace it with “Audit Log file checkers”. Ok, it doesn’t sound as impressive, but it’s perhaps a lot closer to the truth, and it avoids more potential embarrassment for you.

Chappo
