Journal of Digital Forensics, Security and Law
Volume 14, Number 1, Article 3
3-31-2019

Digital Forensics, A Need for Credentials and Standards
Nima Zahadat, University of Baltimore, [email protected]

Follow this and additional works at: https://commons.erau.edu/jdfsl
Part of the Computer Law Commons, and the Information Security Commons

Recommended Citation
Zahadat, Nima (2019) "Digital Forensics, A Need for Credentials and Standards," Journal of Digital Forensics, Security and Law: Vol. 14 : No. 1 , Article 3.
DOI: https://doi.org/10.15394/jdfsl.2019.1560
Available at: https://commons.erau.edu/jdfsl/vol14/iss1/3

This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected].

(c) ADFSL

Digital Forensics, A Need for Credentials and Standards


Cover Page Footnote: The author acknowledges the kind and professional reviews of the editor and the associated reviewers.


Digital Forensics and Credentialing JDFSL V14N1

DIGITAL FORENSICS AND CREDENTIALING

Nima Zahadat
University of Baltimore (UB), Universities at Shady Grove (USG)

[email protected]

ABSTRACT

Despite the phenomenal growth in the digital world and crimes committed using digital techniques and tools, there are literally no foundational requirements to perform digital forensic investigations. While there are several private and mostly for-profit organizations that “sell” training and certifications regarding digital forensics credentials, at the federal and state level in the United States, there seems to be nothing of the kind.

Keywords: Digital forensics, certification(s), computer forensics, digital evidence, quality assurance, licensing requirements, credentials, private investigator (PI), Computer Forensics Innocence Project

1. INTRODUCTION

Despite the wide variety of areas in the medical field and that of the legal field, both requiring credentialing and accreditation at the state and at times the national level, there are no such requirements for digital forensic investigators. It is fair to state that a person caught practicing medicine without a state license or a degree from an accredited institution would be sued and even prosecuted. It is also fair to state that most people would not trust a doctor or a lawyer who was not a graduate of a properly accredited university with proper credentials from a state or federal government. Even becoming a private investigator (PI) usually requires licensing in most states.

Digital forensic investigation is one of the prominent fields emerging from the broad discipline of forensic science. Though the academic theory and practice of digital forensics has existed since the 1970s, increased interest in the field has been witnessed recently owing to escalated risks of cyber-attacks and computer-related crimes (Altheide & Carvey, 2011). The field of digital forensics is particularly concerned with the evidence found in computers, mobile devices, storage devices, social media and cloud services among other IT related elements that can be used in trials and other forms of inquiries (Mohay, 2005). Data extraction, collation, carving, and the release of forensic expert reports are what encompass the core of practice in the field.

While there are no national standards for digital forensic credentialing, and for that matter, no state-level ones, some states have attempted to bring about such standards. As will be seen, these efforts have been half-hearted and somewhat disorganized, many times causing more problems on the legal realm than offering solutions. Many of these states lump Private Investigator (PI) licensing and forensic credentialing into one in an attempt to add legitimacy to forensic investigators, which is quite a peculiar approach. Below are some of the states and localities that have attempted to bring about some consistency to forensics investigations and a brief overview of their attempts and methodologies:

Alabama: Alabama offers no forensic licensing credentials, but the city of Mobile requires a city-issued private investigator (PI) license to do forensic work (Leonardo, White, & Rea, 2012).

Colorado: Colorado is somewhat intriguing as the state does not have any digital forensic requirement, and PI licensing is voluntary. Because Colorado’s PI licensing is voluntary, anyone can come to the state and be licensed as a PI, even if they have broken the law elsewhere. According to the Colorado Legislature itself, there have been numerous instances of wrongdoing by licensed PIs from Colorado.

District of Columbia: Washington, DC requires a PI investigator license for digital forensic examiners (Leonardo, White, & Rea, 2012).

Georgia: Georgia has required that digital forensic examiners obtain PI licensing (Leonardo, White, & Rea, 2012).

Indiana: Indiana, as of 2010, has elected not to require any credentialing or licensing for digital forensic examiners (SANS, 2010).

Maine: Maine, like Georgia, has mandated that digital forensic examiners obtain PI licensing (Leonardo, White, & Rea, 2012).

Maryland: Maryland requires a PI license for private investigations, but neither digital forensic licensing nor credentialing is addressed.

North Carolina: Like Indiana, North Carolina has elected not to require licensing of any kind for forensic investigators (SANS, 2010).

Oklahoma: Oklahoma is really odd as it permits a PI license from another state to be used to get a temporary license in Oklahoma. This means if an investigator needs a temporary license in Oklahoma, they can get one from Colorado first (InfoSec & Forensic Law, 2013).

Texas: Texas has implemented the notion that digital forensic examiners/investigators license themselves as PIs in the state. Texas has gone so far as to interpret digital investigation to include computer technicians and repair personnel (Leonardo, White, & Rea, 2012).

Virginia: Virginia codified in 2011, explicitly stating that PI licensing requirements did not apply to any certified forensic individual employed as an expert witness. Virginia has reciprocity agreements with several states, including Georgia (Leonardo, White, & Rea, 2012).

It is worth pointing out that several states including New York, Nevada, North and South Carolina, Washington, and Virginia are pushing to have PIs handle digital forensic investigations. No states were found to be offering any paths towards an independent digital forensic licensing and credentialing.

Despite being well established in recent times, the discipline of digital forensics continues to face several core problems. A needs analysis survey by Rogers & Seigfried (2004) indicated training and certification as the main challenges, a claim corroborated by several stakeholders in the field including the National Institute of Justice. There are concerns that the field is largely fragmented, lacking a national framework for curricula training and development. Pollitt (2010) in his paper “A History of Digital Forensics” starts his work by apologizing to his audience, admitting there is little reliable data and rigorous logic that he can bring them regarding digital forensics. He gives a history of digital forensics based on his 20+ years as a criminal investigator, then proceeds to make some bold predictions, acknowledging he will probably be wrong in many of them. In addition, the field as currently constituted has no gold standard for certification, a central challenge in instilling consistency and professionalism in the field. The National Institute of Standards and Technology (NIST) published Special Publication 800-181, a National Initiative for Cybersecurity Education or NICE, as a reference structure describing the interdisciplinary nature of cybersecurity work. NICE attempts to provide a common lexicon, foundational frameworks, workforce categories, specialty areas, roles, knowledge descriptions, skills descriptions, abilities descriptions and a host of other well-thought-out guidelines, complete with example systems. This special publication would serve as part of an excellent starting point for digital forensics framework development and digital forensics academic development though, by itself, it would not be sufficient as it is too broadly focused on cybersecurity. It is designed as a starting point to be applied in the public, private, and academic sectors but does not focus entirely on forensic training, credentialing, or accreditation. The NICE framework is comprised of the following components (NIST 800-181):

1. Categories – a high-level grouping of common cybersecurity functions

2. Specialty Areas – distinct areas of cybersecurity work (includes digital forensic)

3. Work roles – detailed groupings of cybersecurity work comprised of specific knowledge, skills, and abilities required to perform tasks in a work role

While NICE can be one of the solid starting points, there is still the egregious issue of credentialing and certification in digital forensics, which this paper explores, drawing from relevant academic literature.

It must be pointed out that various agencies such as NSA and DHS have developed programs that institutions can apply for and be designated as meeting the bar set by these agencies. For example, NSA and DHS have jointly developed the Centers of Academic Excellence in Cyber Defense (CAE-CD) program. Regionally accredited colleges and universities can apply to this program and if approved, have their curricula be designated as such, receiving formal recognition from the US government. This is certainly an appealing program for many universities, including the author’s university which has applied for this exact program, but it is still a fragmented solution and a voluntary one, and one that does not address digital forensics credentialing and accreditation at a high level; it focuses primarily on what the NSA and DHS consider necessary security processes and controls.

2. RESEARCH METHODOLOGY

The research was qualitative and descriptive in nature, utilizing published research in the field of digital forensic investigation. A search was conducted in major academic databases including Google Scholar and ProQuest, isolating articles from reputed journals on the subject of the federal, state, private, profit and non-profit credentialing of digital forensic investigators in the United States. Additionally, private recommendations and practices of private organizations such as ISC2, Guidance Software, and AccessData were studied. Each study was evaluated for the relevance of content and timeliness, with the inclusion criteria only featuring articles within roughly 15 years of publication.

A review of literature focused on the general fundamental theories in the domain, the problematic issue of credentialing and possible solutions. Thematic reflections on the findings on various issues were noted and forwarded as recommendations and conclusions on the present state of the identified problem.


3. LITERATURE REVIEW

Though many studies in digital forensic investigations have identified the bias in available research towards applied aspects of the domain as opposed to the development of fundamental theories, this prejudice is justified. This is because of the largely practical nature of forensic science at large and the pressure mounting from external events such as cyber-terrorism and cyber-crimes, necessitating more applied research (Nelson, Phillips & Steuart, 2014). As it emerges, the issue of credentialing of digital forensic investigators at various levels falls under applied research and continues the implied bias. However, there is credence in the fact that several studies identify the lack of a proper credentialing standard as one of the main challenges facing the profession today. For instance, a study by Flory (2015) indicated that though the state of Indiana’s law enforcement agencies was deliberate about digital forensic training with half of their staff trained, their ability could only be rated from low to mid-range. As such, there was still an overwhelming need to create a standard and comprehensive framework for locating experts, obtain a forensic insight with the help of standard operating procedures, and finance career advancement in the domain. The above study shows the longstanding nature of the challenge of credentialing and locating competent experts in digital forensics and thus justifies the focus of research towards that direction (as opposed to fundamental theories).

The issue of credentialing, though vast, seems to be overshadowed by the looming challenge of lack of a proper, consistent curriculum in the first place. As such, a good deal of research is currently dedicated to advancing training and ensuring that there is a teaching framework that can be followed successfully by most universities and colleges. As noted by Lang et al. (2014), the development of a digital forensics curriculum should provide a self-contained and comprehensive tool for teaching the discipline in universities given the failure of many institutions to offer such courses for missing certain aspects of the entry barrier. In their proposed curricula, Lang et al. (2014) offered an introductory and an advanced course and hands-on laboratory programs. They, however, failed to focus on or mention, at any point, the essence of credentialing and its role in developing the digital forensics investigator. This seems to be consistent with most curricula and reports on the status of digital forensics investigation and related disciplines throughout. For instance, a report by West Virginia University Forensic Science Initiative (2007) submitted to the Department of Justice (DoJ) on training and education of digital forensics investigators highlights the antecedent qualifications and a detailed career path but omits otherwise essential information on credentialing. The report is comprehensive on other aspects of training and career path, highlighting the qualifications, skills, and knowledge needed, the Associate, Baccalaureate, and advanced levels of learning in the discipline, but makes a major omission on certifications and credentials needed in the profession. This sums up the whole credentialing challenge in available studies: most of it looms in the shadow of a clear training and education framework for digital forensic investigators.

The literature on building accreditation and credentialing in digital forensics is quite unappealing. This is primarily due to the confusion surrounding digital forensics in the first place. Losavio et al. (2016) make the bold allegation that digital forensics is not yet a profession and attempt to justify the claim on several grounds. According to the paper, a profession entails specialized knowledge, specialized training, highly valuable work, self-regulation, a code of ethics, high levels of autonomy, and many other significant elements. Certification and credentialing are what offer a code of ethics, autonomy of practice, and evidence of specialized training, but are lacking in the discipline as per the arguments of Losavio et al. (2016). This has hindered the development of digital forensics as a profession. A large number of studies indeed recommend that proper standardized frameworks are brought into the frame for credentialing of digital forensic investigators. Butler (2015) highlights some of these recommendations offered by the National Academy of Sciences (NAS). They include creating a standardized accreditation model for digital forensic investigators to achieve recognition, consistency, and the “expert” label.

From the reading, it appears that there is a robust framework for providing oversight to various accreditation bodies in digital forensics. These include the National Institute of Standards and Technology (NIST), the Department of Justice (DoJ) and the Organization of Scientific Area Committees (OSAC) which came together to carry out research and chart a framework that can operationalize accreditation bodies. The National Commission on Forensic Science on its part acts as an advisory body to the DoJ and carries out various roles that form the framework for accreditation. These include advice on training on science and law, testimony and reporting, provision of interim solutions, and above all, accreditation and proficiency testing (Garfinkel et al., 2009). Therefore, though there are no consistent accreditation frameworks, the framework to regulate bodies that offer credentialing exists and operates with a clear mandate.

The development of accreditation oversight in digital forensics has since been reported at the national level. Coordinated by the DoJ and with the advice of NIST, such frameworks have emerged as a product of OSAC’s efforts. According to Butler (2017), OSAC has been involved in the development and promulgation of technically-appropriate and universally accepted documentary standards that are used by accrediting bodies to audit forensic laboratories and carry out credentialing of forensic investigators. OSAC has since developed to include a Forensic Science Standards Board and various committees and subcommittees that are responsible for offering oversight in the approval process for forensic sciences standards as provided by various scientific area committees.

There are several credentialing bodies, many of them international, in the field of digital forensics. Gladyshev, Marrington, & Baggili (2014) note that the bulk of these organizations are either for profit or privately owned, with the government only providing the business operational framework that such bodies can use in carrying out certification and accreditation. They include companies like Mile2 and ISC2. Other entities include the EC-Council, the American Board of Information Security and Computer Forensics (ABISCF), International Association of Computer Investigative Specialists (IACS) and International Society of Forensic Computer Examiners (ISFCE) (Freiling & Schwittay, 2007). Some of these bodies, in particular, ISC2, use the standards and frameworks issued by bodies like NIST to offer certifications such as Certified Information System Security Professional (CISSP), Certified Authorization Professional (CAP), and Certified Cyber Forensics Professional (CCFP). For instance, the CAP certification, which includes Digital Forensics Incident Handling, Risk Management, Continuous Monitoring, Auditing, and Assessment, is based almost entirely on the NIST guidelines, in particular the 800 series and more specifically, 800-86 (Guide to Integrating Forensic Techniques into Incident Response), 800-37 (Risk Management Framework), 800-30 (Risk Management Guide), 800-39 (Managing Information Security Risks), 800-53 (Security Controls), 800-53A (Security Control Assessments), and 800-137 (Continuous Monitoring) among others. Other organizations such as EC-Council have had certifications for years in the field and continue to add more and revise already existing ones to make them more attractive to government agencies and private organizations. These certifications are updated every 3-5 years with more material added, some outdated material removed, and most are touted as skills that government and industry look for in today’s forensic and security professionals. The fact that there are so many private organizations offering so many certifications, many in digital forensics, is testament to the need for having a credentialing and accreditation process as well as a testament to how private organizations are utilizing this opportunity to advance their own goals, primarily financial, even if they are labeled as non-profit.

4. CASE STUDIES

The National Academy of Sciences stresses the importance of quality assurance procedures in the practice of forensic science to “identify mistakes, scientific fraud, examiner bias, and to confirm the continued validity and reliability of forensic processes and to improve on processes that need to be improved” (Jordaan, 2012). In digital forensics specifically, a comprehensive quality assurance/quality management plan is required to ensure the credibility of digital forensic laboratories. Quality assurance in the digital forensics process is also seen as a critical issue in the practice of forensic science by both the National Research Council in Washington, DC and the Association of Chief Police Officers in London. As the public has seen in recent years, failure to implement quality assurance procedures in digital forensics can lead to innocent persons being convicted of crimes (Jordaan, 2012).

One particular case which resulted in a wrongful conviction was that of Connecticut school teacher Julie Amero (Jordaan, 2012). According to Alva & Endicott-Popovsky (2012), the case of State of Connecticut v. Julie Amero provides an understanding of how a general lack of knowledge of digital forensic evidence can lead to the wrongful conviction of an innocent person. In 2004, Connecticut substitute teacher Julie Amero was monitoring a seventh-grade classroom. Having had to step out into the hallway for a moment, upon her return, Amero found two students browsing a website about hair styling (Alva & Endicott-Popovsky, 2012). Soon after that, the web browser began opening pop-up advertisements depicting pornographic images. Amero did not turn off the computer, as she was instructed not to and was unaware that the monitor itself could be turned off. Several of the students in the classroom were exposed to the pornographic content. During Amero’s trial, the primary evidence presented by the state was the forensic copy of the hard drive of the computer in question. Though the digital forensic investigator, in this case, did not utilize industry standards to make a copy of the hard drive, the evidence was still admitted into court by the judge. The prosecution claimed that digital evidence would show an Internet history of pornographic links, indicating that Amero deliberately visited pornographic websites (Alva & Endicott-Popovsky, 2012).

Later during the ordeal, a computer forensics expert for the defense discovered that the school’s antivirus software was not regularly updated nor maintained; also, no antispyware, firewall, or current content filtering tool was found on the school’s computer (Alva & Endicott-Popovsky, 2012). The defense computer forensics expert was Herb Horner, a self-employed computer consultant. In his examination of the hard drive, imaged from the school’s computer, Horner found evidence that spyware had been installed on the computer, thus causing pornographic pop-up images to continuously appear on the monitor (Alva & Endicott-Popovsky, 2012). Despite the evidence found by Horner, the judge, in this case, refused to allow the full testimony of defense expert witness, Herb Horner, into evidence, claiming that the information to be presented by Horner was not made available during discovery prior to the trial proceedings (Alva & Endicott-Popovsky, 2012). Ultimately, Amero was found guilty of “Risk of Injury to a Child,” and at one point, faced the possible fate of a 50-year prison sentence. Fortunately, the State Court of Appeals reversed the decision made by the lower court, and a motion for a new trial was accepted. In an effort to put the events behind her, Amero eventually pled guilty to a misdemeanor and agreed to have her teaching license terminated (Alva & Endicott-Popovsky, 2012). The events leading up to and during Amero’s trial caused great emotional, social, and financial stress on her and her family. Amero and her family have also experienced several health problems due to the stress caused by the events leading up to and during her trial (Alva & Endicott-Popovsky, 2012).

While the case detailed above shows that digital forensics is not foolproof and can lead to the conviction of innocent persons, digital forensics handled poorly has also led to guilty persons being acquitted in court. One example of this is the case of Aaron Caffrey. On September 20, 2011, less than two weeks after the September 11, 2001 (9/11) terrorist attacks, Aaron Caffrey was charged with “carryout of a denial of service attack on the computers of the port of Houston, Texas” (Brenner, Carrier and Henninger, 2004). During trial proceedings, Caffrey claimed that the evidence brought against him had been installed on his computer without his knowledge by malicious actors, installing a Trojan horse program to gain control of his computer and launch the DDoS attack. A forensic examination of his computer by the prosecution’s expert witness, Professor Neil Barrett, found tools that could be used to launch an attack, but no trace that a Trojan horse had been planted, despite Caffrey’s claim (George, 2003).

Nevertheless, Aaron Caffrey was acquitted of launching a distributed denial-of-service (DDoS) attack in the United States, even though both prosecutorial and defense attorneys confirmed that Caffrey’s computer was responsible for the DDoS attack (Brenner et al., 2004). It is assumed that Caffrey’s defense was able to convince the jury that a Trojan horse armed with a “wiping tool” was responsible for the attack, which resulted in the editing of the system’s log files and deletion of all trace of the Trojan; the prosecution claimed that no technology existed that could perform such sophisticated tasks but without success. Caffrey’s case is part of the phenomenon commonly known as the “Trojan horse defense,” which became popular in the UK during the early 2000s (Brenner et al., 2004).

5. KEY FINDINGS

There were a number of findings from the research conducted on digital forensics investigation. First, it became apparent that credentialing was a major issue in digital forensics and featured some of the main issues that were on the radar of major stakeholders such as the National Academy of Sciences and NIST (Casey, 2009; 2011). It, therefore, qualified to extend the bias on applied research over fundamental theorizing in the general domain of forensic science. In addition, the field in the broader scope was fragmented and lacking in proper curricula, which was the preoccupation of various stakeholders and educators, rather than the formation of credentialing frameworks (Nance, Hay, & Bishop, 2009). As such, the issue of credentialing, while important, had been overshadowed by the lack of proper, standardized curricula in the domain.

It was also apparent that the state and federal levels of governments were largely non-actors in the credentialing of digital forensic investigators. According to Garfinkel (2010), the majority of the bodies involved in accreditation and certification were private companies, including non-profit and for-profit organizations. They included Mile2, EC-Council, and ISC2 among others, offering a number of accreditations such as the Certified Computer Examiner (CCE) to digital forensic experts. The scarcity of literature on accreditation and credentialing makes it difficult to determine the repute and ratings of these organizations (Lillard, 2010). However, they appeared to be the main players in credentialing in the absence of state and federal government actors. Instead, at least in part, the federal government offered guidelines which these bodies used for their curricula and certification development, giving frameworks and standards to be applied in the operationalization of the credentialing bodies. These guidelines were carried out by the DoJ, National Academy of Sciences and other affiliates working closely with the DoJ such as OSAC and NIST.

According to Lundquist (2016), there are several instances where private digital forensics have failed in assisting DoJ investigations, leading to the incarceration of the innocent and mistrials in some cases. These include the case of State of North Carolina vs. Bradley Cooper and the previously mentioned case of State of Connecticut vs. Julie Amero among others. In each of the highlighted cases, there were anomalies in the process of collection, collation, submission, and reporting of evidence. Oversight bodies can improve this by coming up with a standardized framework for digital forensics that can be applied in all cases. This entails credentialing of experts that the court can rely upon as experts in cases requiring digital forensic evidence (Kessler, 2007). At the moment, oversight appears fragmented due to the lack of a singular, unifying, and standardized curriculum to build on at the national or even at the state level.

6. RECOMMENDATIONS

Based on the research presented, clearly, more attention needs to be paid to credentialing, which entails research, funding, and advocacy at the national and state levels. A national framework for developing and teaching digital forensics in order to bring standardization to the field is a necessity. This needs to be followed by a complementary credentialing system which would set the base for professionalism in digital forensics investigation methodology, processes, and techniques. Finally, state and federal governments must assume active roles in the oversight and accreditation of credentialing bodies with measurable results.

Meyers and Rogers (2004) identify the following three areas where the computer forensics field needs improvement: the creation of a flexible standard, qualification of expert witnesses and standards regarding the analysis, preservation, and presentation of digital evidence. Any standard(s) developed for use in the computer forensics discipline must allow for flexibility, so that the standard may adapt to the continuous changes in technology and the forensic process. It is also important that computer forensic standards cover all aspects of the forensic process, from the search and seizure of digital evidence to the analysis and examination of the evidence.


The second area identified by the authors as needing improvement is the qualification of expert witnesses. Because computer forensics is still considered to be in its infancy, it does not have any formal credentialing bodies, nor a formal educational process. Therefore, in adjudication processes, the courts accept persons as expert witnesses based on their skills and previous professional work experience. While this process has not been challenged thus far, Meyers and Rogers (2004) anticipate that in the future, expert witnesses’ qualifications will be more commonly challenged.

The final area identified by the authors as needing improvement is standards regarding the analysis, preservation, and presentation of digital evidence. Meyers and Rogers (2004) state that there should be “rigorous” standards and requirements along with continuous updates to the forensic process. Currently, the common method used to analyze digital evidence relies mostly on the software and/or hardware an expert uses in the analysis of the evidence; the authors argue that relying solely on the software/hardware does not allow experts to fully understand the digital forensics process so that they may articulate the process to a judge in court proceedings.

Finally, Meyers and Rogers (2004) stress the importance of the implementation of a universal system for certifying those who claim to be computer forensic professionals, as a continuous lack of professional certification, investigative standards, and peer review process may eventually result in computer forensics being labeled as “junk science” instead of an accepted scientific discipline (Meyers & Rogers, 2004).

7. POSSIBLE OUTLINES FOR A FRAMEWORK

The topic of presenting a potential full solution and/or framework for digital forensics can arguably be a doctorate dissertation in its own right. It is a large undertaking and requires a great deal of research. One can argue that even then it truly requires the efforts of governments, law enforcement, and academics to put forth a viable solution. Nevertheless, the following possible outlines are intended to present the reader with some possibilities that are currently lacking in the field and could serve as starting points.

Abdalla, Hazem, and Hashem (2007) offer a guideline model for digital forensic investigation in their paper presented at the annual ADFSL Conference on Digital Forensics, Security and Law (Abdalla, Hazem, Hashem, 2007). In it they first present several existing models, including:

1. US Department of Justice’s Electronic Crime Scene Investigation: A guide to first responders

2. An Abstract Digital Forensic Model (Reith & Gunsch, 2002)

3. The Integrated Digital Investigation Model consisting of 5 groups of 17 phases total (Carrier & Spafford, 2003)

4. A Hierarchical, Objectives-Based Framework for the Digital Investigation Process (Beebe & Clark, 2004)

The authors then proceed to offer their own model, which includes the following:

1. Preparation phase, which includes pre-preparation, case evaluation, preparation of detailed design for the case, and determination of required resources.

2. Physical forensic and investigation phase, which has the goal of collecting, preserving, and analyzing the physical evidence with an attempt to try and reconstruct the crime scene.

3. Digital forensic phase, which needs to identify and collect electronic events that may have occurred and proceed with analyses.

4. Reporting and presentation phase, which needs to be based entirely on the policy and laws of each jurisdiction (e.g., state, county, country) and presents the conclusions and corresponding evidence from the investigation.

5. Closure phase, which requires reviewing the whole investigation process, determining whether the evidence found and collected solves the case in a forensically sound manner.

The model presented by Abdalla, Hazem, and Hashem (2007) can be considered to be universal, meaning that the authors try to have a model that is applicable in every possible locality. The model does not address issues when dealing with national security and intelligence systems that require higher sensitivity. Nevertheless, it, together with NICE from NIST mentioned previously as well as the other models mentioned, can form a solid starting point for the development of a digital forensic investigation framework that, once formulated, should be sophisticated and flexible enough to apply to a wide range of localities and entities. Part of the framework would need to discuss how to properly educate and credential would-be investigators.

At its heart, a digital forensic framework must address the following areas:

1. Preparation phase

2. Acquisition phase

3. Analysis phase

4. Reporting phase

5. Legal phase

6. Education phase

7. Credentialing phase

8. Accreditation phase

This means that digital forensic investigators must be trained in these 8 main phases. At the state and/or federal level, interested investigators must be required to register and take rigorous exams. These exams must address the phases of digital investigation and evaluate would-be investigators’ understanding of the ideals and processes involved in doing digital investigations. These exams must focus on assessing a test taker’s ability to understand the digital forensic processes with the realization of their legal and ethical importance. The passing of these exams must be made necessary to receive a state or federal license to practice digital forensic investigation. This would form the backbone of the credentialing process of investigators. Given that such frameworks would have to be turned into curricula at the academic level in order to prepare interested applicants in digital forensics, that, in turn, would bring about the accreditation phase required for digital forensics, as all reputable universities teaching the field must be appropriately accredited. Existing private sector certifications must be made moot and removed, as they generally serve the financial interest of the organization and not that of the general public.

8. CONCLUSION

The present research brings to light obstinate issues in the credentialing of digital forensic investigators. The status quo reveals a troubling scenario of governments’ lack of full participation, lack of proper certification bodies, and oversight. This has, however, been overshadowed by the apparent lack of a consistent curriculum at the national and state levels to guide the teaching of digital forensics at the university level and other institutions of higher learning. The findings at a glance show that there is a lot to do to instill professionalism and inspire further development of digital forensics not only as a branch of forensic science but as an independent domain emerging in contemporary scholarship. If the recommendations issued are to be followed, there shall not only be a solution at the academic level of digital forensics but also at the professional level, which remains a cause for concern. The governments should spearhead curricular reinvention and development and take their active roles in the promotion of a unified credentialing framework to guide other bodies in the same direction.

To be sure, federal agencies such as FBI, Secret Service, IRS, and DoD have their own certification and accreditation processes. NIST also offers excellent certification and accreditation guidelines in its 800 series Special Publications. External certification and accreditation processes supported and approved by governments are desirable as they bring consistency and professionalism to the profession of digital forensics. Programs developed by DoD, NIST, DHS, etc. are certainly useful and at times quite necessary, but these efforts are not coordinated and often target the specific needs of the agency developing them. Many times, they are too broad, attempting to address too much. What is needed is a collective and coordinated effort by the governments, and this cannot come soon enough. The recent breaches of the federal Office of Personnel Management (OPM), which leaked over 22 million classified personnel records, and Equifax’s breach, resulting in over 146 million private records of Americans being stolen, show the tremendous need for proper education, credentialing, and accreditation of professionals in digital forensics investigations.

Finally, there will never be perfect solutions to digital forensics, and any attempt at designing a framework with perfection in mind would be futile. This is because it is impossible to plan out every imaginable scenario. The framework should create the needed structure, academics would provide the proper education and lab skills lumped up as credentialing, and accrediting bodies would provide oversight of the whole thing. With that in place, there is still the professional outlook and behavior of the investigator, along with how much creativity he or she brings to the job. Consider the simple case of whether, during an investigation, a computer that is running should be left on while it is being triaged or be turned off and taken to a laboratory first.

There cannot be a single answer or a simple answer to such situations. Part of the education and design has to be teaching would-be investigators that each situation is unique and, while requiring proper and professional steps to be taught and to be followed, cases also need the proper application of judicial prudence on the part of the examiner. Another situation that is a major issue is the application of encryption to devices. It is still the case that most devices are not encrypted and can be analyzed without the worry of dealing with encryption. That being the case, investigators will come across devices that may be encrypted and then would have to make decisions as to what to do. For instance, if coming across a Windows machine that “might” be encrypted but is currently on and running, a professional investigator should have the skills to take a memory dump of the running system since memory is never encrypted. Given the large memories of today’s computers, a wealth of information may be available just from the memory dump alone. Having properly dumped the memory, the investigator can then determine from the memory whether the computer is using encryption at all and then make a proper assessment on how to take the next steps. Skills such as this are taught in proper accredited curricula and also come with some experience and creativity. It should go without saying that such skills are best taught and tried in academic settings and laboratories, in a structured and controlled environment, instead of rogue investigators botching up investigations while they learn on the job!

REFERENCES

[1] Abdalla, S., Hazem, S., & Hashem, S. (2007). Guideline Model for Digital Forensic Investigation. Conference on Digital Forensics, Security and Law, 200

[2] Alva, A. & Endicott-Popovsky, B. (2012). Digital evidence education in schools of law. The Journal of Digital Forensics, Security, and Law, 7.

[3] Altheide, C., & Carvey, H. (2011). Digital forensics with open source tools. Elsevier.

[4] Beebe, N. & Clark, J. (2004), “A hierarchical, objectives-based framework for the digital investigations process”, Paper presented at the DFRWS, June 2004, Baltimore, MD.

[5] Bradshaw, K. & Jordaan, J. (2015). The current state of digital forensic practitioners in South Africa: Examining the qualifications, certifications, training and experience of South African digital forensic practitioners. 2015 Information Security for South Africa (ISSA).

[6] Brenner, S. W., Carrier, B. & Henninger, J. (2004). The Trojan horse defense in cybercrime cases. Santa Clara High Technology Law Journal 21. Retrieved from http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1370&context=chtlj.

[7] Butler, J. M. (2015). US initiatives to strengthen forensic science & international standards in forensic DNA. Forensic Science International: Genetics, 18, 4-20.

[8] Butler, J. M. (2017). Recent activities in the United States involving the National Commission on Forensic Science and the Organization of Scientific Area Committees for Forensic Science. Australian Journal of Forensic Sciences, 49, 526-540.

[9] Carrier, Brian & Spafford (2003), “Getting Physical with the Digital Investigation Process”, International Journal of Digital Evidence, Volume 2 (Issue 2):3.

[10] Casey, E. (2009). Handbook of digital forensics and investigation. Academic Press.

[11] Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic Press.

[12] Flory, T. A. C. (2015). Digital forensics in law enforcement: A need based analysis of Indiana agencies (Doctoral dissertation, Purdue University).

[13] Freiling, F., & Schwittay, B. (2007). A common process model for incident response and digital forensics. Proceedings of the IMF2007.

[14] Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital Investigation, 7, S64-S73.

[15] Garfinkel, S., Farrell, P., Roussev, V., Dinolt, G. (2009). Bringing science to digital forensics with standardized forensic corpora. Digital Investigation, 6, S2-S11.

[16] George, E. (2004). UK Computer Misuse Act – the Trojan virus defence: Regina v Aaron Caffrey, Southwark Crown Court. Digital Investigation.

[17] Gladyshev, P., Marrington, A., & Baggili, I. (Eds.). (2014). Digital Forensics and Cyber Crime: Fifth International Conference, ICDF2C 2013, Moscow, Russia, September 26-27, 2013, Revised Selected Papers (Vol. 132). Springer.

[18] Jordaan, J. (2012). A sample of digital forensic quality assurance in the South African criminal justice system. Information Security for South Africa (ISSA) 1-9.

[19] Kessler, G. C. (2007, March). Anti-forensics and the digital investigator. In Australian Digital Forensics Conference (p. 1).

[20] Lang, A., Bashir, M., Campbell, R., DeStefano, L. (2014). Developing a new digital forensics curriculum. Digital Investigation, 11, S76-S84.

[21] Leonardo, Thomas; White, Doug; and Rea, Alan (2012) “To License or Not to License Updated: An Examination of State Statutes Regarding Private Investigators and Digital Examiners,” Journal of Digital Forensics, Security and Law: Vol. 7: No. 3, Article 5.

[22] Lillard, T. V. (2010). Digital forensics for network, Internet, and cloud computing: a forensic evidence guide for moving targets and data. Syngress Publishing.

[23] Losavio, M., Seigfried-Spellar, K. C., Sloan III, J. J. (2016). Why digital forensics is not a profession and how it can become one. Criminal Justice Studies, 29, 143-162.

[24] Lundquist, R. (2016). An Examination of Failed Digital Forensics and the Criminal Justice System (Doctoral dissertation, Utica College).

[25] Meyers, M., & Rogers, M. (2004). Computer forensics: The need for standardization and certification. International Journal of Digital Evidence, 3, 1-11.

[26] Mohay, G. (2005, November). Technical challenges and directions for digital forensics. In Systematic Approaches to Digital Forensic Engineering, 2005. First International Workshop on (pp. 155-161). IEEE.

[27] Nance, K., Hay, B., & Bishop, M. (2009, January). Digital forensics: defining a research agenda. In System Sciences, 2009. HICSS’09. 42nd Hawaii International Conference on (pp. 1-6). IEEE.

[28] Nelson, B., Phillips, A., & Steuart, C. (2014). Guide to computer forensics and investigations. Cengage Learning.

[29] Pollitt, M. (2010, January). A history of digital forensics. In IFIP International Conference on Digital Forensics (pp. 3-15). Springer, Berlin, Heidelberg.

[30] Reith, M., Carr, C., & Gunsch, G. (2002), “An Examination of Digital Forensic Models”, International Journal of Digital Evidence, Volume 1 (Issue 3):6.

[31] Rogers, M. K., & Seigfried, K. (2004). The future of computer forensics: a needs analysis survey. Computers & Security, 23, 12-16.

SANS Digital Forensics (2010), https://digitalforensics.sans.org/blog/2010/06/21/computer-forensic-examiners-pi-licensing-requirement-revisited

[32] West Virginia University Forensic Science Initiative. (2007). Technical working group for education and training in digital forensics. US Department of Justice.
