Viewing posts from: July 2012



Are certifications necessary for eDiscovery and eForensics experts and technicians?  While the strict answer is “no”, because we’re managing okay at the moment, as a profession, the long term answer is “yes”, because of the number of mistakes made by ignorant parties, whether it be the collector, the processor, the lawyer, the client, or the opposition.  The only person paying the price for screw-ups is the legal client.  Worse, the technical people screwing up (who aren’t really all that technical) usually don’t carry insurance, because they have no idea what they are doing to begin with.  While any bar to entering a field is a last resort, here, as in law enforcement, medicine, and law, it appears necessary.

People who have never gone through a grueling evidence deposition cannot comprehend what they are up against.  In some cases, they may be backing up data using “copy.com”, while in others, they may be skipping deleted files.  The opportunity for mistakes that end up costing the client the case is nearly endless, and now that lawyers are beginning to get acclimated to the new materials, negative outcomes are going to increase if the integrity of the profession isn’t maintained.

Those of us in the field for a time have seen how it’s evolved.  We know that we do things differently now.  We’ve been educating legal teams since the beginning, and now they’re starting to ask really good questions.

We can’t allow some tech-school dropout with a boot disk to take on clients.  While there is room for error and room for a wide variety of techniques, we all know that there are some people who are doing it wrong, and the client pays the price.

So certification becomes necessity.  Or perhaps voluntary.  Although any attorney who voluntarily worked with an untested, uncertified technician might be skirting professional misconduct.  We all have a duty here.

The certifications can be from multiple sources, and should be, to keep the market competitive.  In every market where a single standard has come to dominate, pricing becomes fixed and quality suffers.  There are quite a few, sometimes called paper tigers, sometimes called barriers, but they all lower the quality of work in those areas.

The certifications shouldn’t be long or overly burdensome.  It’s okay to assume a baseline knowledge and to test based on that.  Computer science isn’t a bad place to start, although there are specialty degrees now.  Assuming at least a college-level education is warranted, since these experts need to document and testify.  Could be law, law enforcement, or other related disciplines with additional experience and/or training.

One thing it shouldn’t require is PI licensing.  This should be optional, but required for experts working alongside law enforcement.  Or an LE background.  For non-criminal legal cases, it’s completely unnecessary.  Digital Trust’s entire practice is civil litigation and compliance issues; what good will a PI license do us, other than create a barrier to work?  So don’t mandate PI licensing.

But some certification is warranted, and it needs to be beyond vendor-specific certification.  While nVendor might include some non-technical topics in their training, it would be better if tool vendors stuck with tool training and left legal training to outside agencies.  Unless they enjoy the liability that follows along.

While certification may be a pain for professionals, it does provide the client with a reasonable assurance that they are being assisted by adequate technical experts and not some person who’s going to cost them the case.  And without the client, what’s the point?  So let’s get this certification thing figured out right, and not just throw PI at it.

This post is for the INFOSEC people that we know, and especially for the ones we haven’t met yet, as it’s about traveling, meeting fellow professionals, and maybe getting leads and/or valuable new contacts.

This profession, more than any other, seems to thrive on ‘cons (conventions), but sometimes, you want to travel someplace that doesn’t have a ‘con or just doesn’t have one going on at the right time.  In these cases, there are places you can turn to, to make the best of a bad situation.

First, do you have friends there from ‘cons that you can visit?  If so, Bob’s your uncle.

Second, while there might not be an INFOSEC show of any sort, there are plenty of other options.

There are local user groups, in particular, chapters for the ISC2, ISACA, and AITP.  While it might not be as much fun as hack3rcon, it’s a business connection you can use.

There are local hacking groups, as well as maker groups.  Any of these can usually be reached out to for a get-together.

A good source of event lists is here: http://infosecevents.net/  Just plug in your city, and it should give you a list of possibilities.

So if you need to travel, you can usually tie it to business.  You get to write off the trip, and you get to meet new folks in the industry.