14 Establish Continuing Education

Introduction

Organizations cannot successfully implement digital forensics readiness without ensuring that all stakeholders involved have an adequate knowledge of how they contribute to its overall success. Once stakeholders have established how they contribute to digital forensics readiness, the level of educational training and professional knowledge required will vary for everyone.

Without proper training and education, the people factor, not technology, becomes the weakest link of a digital forensics readiness program. Knowing this, it is essential for organizations to implement a comprehensive and well-designed program to ensure that all those who have any sort of involvement with digital forensics readiness are knowledgeable and experienced.

Types of Education and Training

Much like other components of a digital forensics readiness program, a successful education and training program starts with the implementation of organizational governance that reflects the need for (1) informing stakeholders of their responsibilities, (2) providing the appropriate level of training and education, and (3) establishing processes for monitoring, reviewing, and improving their level of knowledge.

Having different education and awareness programs in place for all stakeholders, depending on their involvement with digital forensics, is an effective way of distributing information about the benefits and value of digital forensics readiness throughout the organization. Illustrated in Figure 14.1, the following sections describe the difference between awareness, training, and education curricula that organizations should consider as part of their overall continuing education for digital forensics readiness.

Figure 14.1 Continuing education hierarchy.

Within each education and training curriculum illustrated in Figure 14.1, organizations must ensure that the information is adapted according to the stakeholder’s role (job function). As an example, a simplified approach groups the education and training information for applicable stakeholders into the following three categories:

•  All personnel have a perspective that recognizes the importance of information security enough to positively contribute to the digital forensics readiness program.

•  Functional/specialized roles emphasize the importance of performing job duties to support the organization’s digital forensics readiness program.

•  Management personnel need to understand the functional, operational, and strategic value of the digital forensics readiness program so they can communicate and reinforce it throughout the organization.

Awareness

As the first stage of education and training, general awareness is intended to change the behaviors of individuals and reinforce a culture of acceptable conduct. The objective here is not to provide users with in-depth or specialized knowledge, rather it is designed to provide stakeholders with the knowledge they need to recognize what the organization defines as unacceptable behavior and take the necessary steps to keep it from occurring.

Because investigating employee misconduct against the organization’s policies is one of the drivers for implementing digital forensics readiness, this type of education and training reduces the likelihood that an incident will occur and require a formal forensic investigation.

The information provided at this level is generic enough that it can be provided to all stakeholders without being adapted according to their job function. Examples of topics and subject areas that should be included as part of general awareness education and training include the following:

•  Policies, standards, guidelines

•  Social engineering (e.g., phishing)

•  Privileged access

•  Data loss prevention (DLP)

Organizations should consider requiring all stakeholders to complete the general awareness program. At a minimum, organizations should require existing stakeholders to complete the general awareness education and training annually. In addition, newly identified stakeholders should be expected to complete the general awareness program immediately.

Basic Knowledge

As the next stage of education and training, basic knowledge of digital forensics readiness provides stakeholders with the fundamental knowledge that is essential to ensuring they are competent. The distinction between basic knowledge and general awareness is that this level of education and training is designed to teach stakeholders the basic skills they will need to support a digital forensics readiness program.

The education and training provided at this level provides stakeholders with skill set(s) that continue to build off the foundations of the general awareness information. In-house training courses can, for the most part, be designed to contain the same quality of information that could be obtained by enrolling in a formal college or university course.

The information provided at this level becomes more specific, so it must be adapted to meet the knowledge required of each category of stakeholder. Examples of topics and subject areas that should be provided to each stakeholder group include the following:

•  Audit logging and retention

•  Development lifecycle security

•  Incident handling and response

•  Logical access controls

Completion of these basic knowledge courses can be positioned as either elective, where stakeholders can enrol themselves at their leisure to improve their professional development relating to digital forensics, or mandatory, where stakeholders must complete the training to maintain their supporting role of digital forensics.

Functional Knowledge

Taking education and training another level higher, there is a need for stakeholders to have a working and practical knowledge of the digital forensics discipline. Essentially, these individuals must have the skills and competencies necessary to ensure that principles, methodologies, and techniques are upheld in support of the organization’s digital forensics readiness program.

Digital forensics requires individuals to have a significant amount of specialized training and skills to thoroughly understand and consistently follow the established scientific fundamentals. The information provided at this level of training is specific to the digital forensics discipline and requires stakeholders to have strong working and practical knowledge. Appendix B, “Education and Professional Certifications,” provides a list of higher/post-secondary institutions that offer formal digital forensics education programs.

Professional Certification

Following completion of formalized education, there are several recognized industry associations that offer professional certifications in digital forensics. It is important to keep in mind that professional certifications are designed to test and evaluate an individual’s knowledge and experience; they do not provide individuals with in-depth training on digital forensics and information technology (IT) as obtained through formalized education. Professional certifications, or professional designations, provide assurance that an individual is qualified to perform digital forensics.

Appendix B, “Education and Professional Certifications,” provides a list of higher or post-secondary institutes that offer formal digital forensics education programs as well as recognized industry associations offering digital forensics professional certifications.

Specialized Knowledge

It wasn’t too long ago that digital forensics was considered niche. However, these days if you practice digital forensics you are recognized as somewhat of a generalist in the discipline. With the continuing advancements in technology and how it is being used to support business operations, simply being a digital forensic generalist is no longer practical for most individuals.

Having gained the necessary functional knowledge, the next level of education and training is to become a specialist or professional in a subject area of the digital forensics profession. For this reason, it is common for individuals to expand their knowledge of digital forensics and how it can be integrated with and applied to other disciplines throughout the organization. The following are examples of areas where digital forensic specialization can be achieved:

•  Cybercrime, which emphasizes applying investigative techniques and methodologies of digital forensics to subject areas including:

•  Electronic discovery (e-discovery), which relates to the discovery, preservation, processing, and production of electronically stored information (ESI) in support of government or litigation matters

•  Network forensics and analysis, which relates to the monitoring and analysis of network traffic for the purposes of information gathering, gathering of digital evidence, or intrusion detection

•  Memory forensics, which relates to the gathering and analysis of digital information as digital evidence contained within a system’s random access memory (RAM)

•  Cloud forensics, which, as a subset of network forensics, relates to the gathering and analysis of digital information as digital evidence from cloud computing systems

•  Information assurance, which emphasizes applying investigative techniques and methodologies of digital forensics to subject areas, including:

•  Incident handling and response, which relates to reducing business impact by managing the occurrence of computer security events; this is discussed further in Chapter 13, “Mapping Investigative Workflows.”

•  Threat modeling builds appropriate countermeasures that effectively reduce business risk impact through the identification and understanding of individual security threats that have the potential to affect business assets, operations, and functions; this is discussed further in Addendum F, “Threat Modeling.”

•  Risk management is an examination of what, within the organization, could cause harm to assets so that an accurate decision of how to manage the risk can be made; this is discussed further in Addendum E, “Risk Assessment.”

•  Security monitoring applies analytical techniques to identify unacceptable behavior patterns in the organization’s systems and assets to detect potential threats in a more effective and timely manner; this is discussed further in Chapter 12, “Enabling Targeted Monitoring.”

Organizational Roles and Responsibilities

In a corporate environment, there are many people beyond digital forensics practitioners involved with supporting their organization’s digital forensics lifecycle. These people, such as system support personnel and management, all have distinct roles and responsibilities when it comes to their involvement in digital forensics. Overall, every role played is equally important in ensuring that the organization’s digital forensic capabilities operate within established principles, methodologies, and techniques so that evidence will be admissible in a court of law.

Separate roles within the digital forensics lifecycle not only support the admissibility of evidence, but also help to establish and maintain separation of duties. Fundamentally, the ability to create distinct roles with respect to digital forensics is subject to factors such as the size or structure of the organization. Depending on that ability, individuals located throughout the organization will play distinct roles and have varying involvement throughout the digital forensics lifecycle.

Naturally, the responsibilities carried with each role differ because of how the individuals in them will interact and are (in)directly involved in the digital forensics lifecycle. For example, the following are distinct types of roles whose support in an organization’s environment is a necessity for the digital forensics lifecycle:

•  Executive sponsor is an individual within the executive management team, such as a vice president (VP) or senior vice president (SVP), who is ultimately responsible for the organization’s digital forensics program.

•  Director is an individual responsible for directly overseeing the funding and resourcing, including people and technology, of the digital forensics program.

•  Team is the group directly responsible for the digital forensics program. Within the team, there can be a series of sub-roles depending on the size and arrangement of the organization, including:

•  Manager or team lead is an individual responsible for providing task delegation and leadership to team members.

•  Members are individuals who are responsible for the execution and delivery of activities and tasks specific to the organization’s digital forensics program.

•  Stakeholders are business lines, other teams, individuals, or organizations, both internal or external to your organization, that are impacted or have an impact on the digital forensics program.

The Digital Forensics Team

In the example roles identified above, the digital forensics team is made up of the core individuals responsible for executing the activities and tasks of a digital forensics program. Titles used to describe distinct roles—specific to the digital forensics team—can be subjective and are commonly used interchangeably.

Roles

Regardless of the title used, individuals who have a direct role on the digital forensics team, in contrast to the organizational roles outlined above, are much more involved in applying and adhering to the scientific principles, methodologies, and techniques of the profession. For example, the following are titles commonly used for the distinct roles within a digital forensics team:

•  Technician is a role that is responsible for identification, collection, and preservation of evidence at a crime scene, as outlined in the gathering phase of the investigative process workflow. In some cases, this role is responsible for gathering and processing volatile data from live systems as evidence. These individuals must be adequately trained in proper evidence handling techniques to establish the chain of custody and ensure that the integrity and authenticity of evidence is preserved. Additionally, it is critical that these individuals have the knowledge and expertise necessary to make informed decisions about the order in which volatile data should be gathered and processed.

•  Examiner and analyst are titles commonly used interchangeably to describe individuals who are responsible for the examination and analysis of evidence after it has been gathered, as illustrated in the processing phase of the investigative process workflow. In cases where the role of a technician does not exist, this role will also be responsible for gathering, processing, and handling evidence as described above. In addition to the knowledge and experience required for a technician’s role, individuals in this role must also be educated and trained in the use of tools and techniques to interpret the context and content of evidence to determine its relevancy to an investigation. Not only do these individuals need to be strong technically, so that they can accurately decipher the meaning of evidence, they also need to have a sharp analytical mindset that allows them to establish links between evidence and draw factual conclusions.

•  Investigator is another example of a title that is used. Most often, this title is used in place of analyst or examiner and inherits the scope of responsibilities. However, the responsibilities of this role go beyond just processing evidence and include duties such as working with internal (e.g., IT support teams) and external (e.g., law enforcement) entities to identify new pieces of evidence relevant to the investigation. Depending on the organization, individuals who occupy this role might also assume the responsibilities of technician and analyst or examiner as noted above. It is important to note that in some jurisdictions the use of the investigator title requires those individuals to have a private investigator license to validate they meet the minimum requirements for maintaining their education and experience in the field of practice.

•  Team lead is any individual who provides members of the digital forensics team with direction, instruction, and guidance on how to execute their responsibilities. In some cases, this role may not exist because the size of the digital forensics team—or organization—does not warrant having it. Where this role does exist, even though the scope of responsibility for these individuals does not directly include gathering or processing evidence, they can be used to assist in performing an investigation when needed. Because there is this possibility, the team lead needs to be educated and have experience in performing the activities and tasks across all roles of the digital forensics team.

•  Managers, like team leads, also provide the digital forensics team with direction, instruction, and guidance on how to execute their responsibilities. Also, like the role of team lead, a manager role may not exist in an organization because it is not warranted due to the size of the team. However, a notable difference in comparison to the team lead is that the manager role has expanded leadership responsibilities for the overall success of the digital forensics team, including resourcing and funding. While these individuals do not have direct involvement with the day-to-day execution of the digital forensics program, it is expected that they be educated and knowledgeable about how to consistently uphold the scientific principles, methodologies, and techniques of digital forensics.

Refer to Chapter 2, “Investigative Process Methodology,” for more details about the investigative workflow and the order of volatility.

Titles

Just as some of the roles above are used interchangeably to describe the separate roles within the digital forensics team, the following titles were not included in the list above because they describe an individual’s achievement in (non-)technical skills rather than a function, as discussed in the section below:

•  Practitioner is an individual who is actively engaged and occupied in the field of digital forensics. These individuals are recognized as a result of their documented qualifications (i.e., diploma or degree) and possess both the technical and non-technical skills to directly support an organization’s digital forensics program.

•  Specialist is any individual who is highly skilled and concentrates on one (or more) focus areas of digital forensics. An argument could be made that the digital forensic discipline can be viewed as a focus area, but given how broad it has become (e.g., computer systems, gaming consoles, mobile devices), using this title is better suited to describe a specific area of digital forensics, such as malware forensics, cloud computing, or e-discovery.

•  Professional is an individual who has a paid occupation in the digital forensics discipline. Not only are these individuals highly skilled and possess formal education in the technical execution of digital forensics, but in some occupations (e.g., enterprise environment) also have significant non-technical business skills as described later in this chapter.

•  Expert is an individual who has been authoritatively recognized for knowledge and experience in digital forensics. Applying the word “authoritative” to this title suggests that this title is held by those individuals who have established themselves in a court of law.

As noted above, these four titles do not articulate a function or responsibility; therefore, they are not used to illustrate a role on the digital forensics team. Generally, they are more often used to describe individuals who have gained extensive knowledge and experience in digital forensics.

An Educational Roadmap

Ask around and most likely you’ll get unique perspectives about what education means. To some, it means graduating from college or university to earn a degree, diploma, or certificate. To others, it means attending training sessions put on by some third party such as a vendor. And yet, there are those who prefer the self-taught methods using resources at their fingertips (e.g., books, webinars).

A common question posed to those already in the field of digital forensics is “What type of knowledge and training is needed to get into the field?” The reality is that there is no single best way for someone to gain their digital forensics education, acquire new skills, or keep current the skills they already have. Rather than setting out a development plan that people should follow on their educational roadmap, the following sections provide building blocks for several types and levels of education a person can gain.

The intention of the following sections is to identify the general subject areas in which continuing education and training will help people grow within the digital forensics profession. While the subject areas below contribute to understanding digital forensics principles, methodologies, and techniques, it is important to remember that these topics are pertinent in organizational settings and do not necessarily reflect the knowledge or experience required in law enforcement or other industries.

Technical Knowledge

When developing a digital forensics skill set, the most common type of training provided through education programs (e.g., academic institutions, books) is the technical component. Within this context, the word “technical” isn’t used to reference specific information technology, but rather the practical execution of digital forensics, which includes putting into practice its principles, methodologies, and techniques.

Introductory

Entering the field of digital forensics means starting out somewhere. There are volumes of resources, such as books, that provide people with an excellent way of building a foundation for their educational roadmap. As a sample, the following subject areas are essential knowledge for all digital forensics practitioners to have:

•  Investigation principles are the values that a digital forensics practitioner must consistently follow and apply throughout the investigative process, including forensic soundness, evidence authenticity and integrity, and chain of custody. Refer to Chapter 1, “Understanding Digital Forensics,” for further details about the principles of digital forensics.

•  Evidence management includes the technical, administrative, and physical controls necessary to safeguard digital evidence before, during, and after a digital forensics investigation.

•  Computer systems are made up of interconnected hardware components that share a central storage system and any number of peripheral devices, such as printers and scanners.

•  Operating systems (OS) are perhaps the most important software component of a computer system. Essentially, an OS is a collection of software that manages hardware and performs basic tasks, such as controlling peripheral devices, managing input devices (e.g., keyboards), and scheduling tasks. Recognizing that there are several types of OS software available in the market today (e.g., Microsoft Windows, Apple macOS, Linux, Unix), at a minimum a digital forensic practitioner should understand the more popular platforms that are commonly used by consumers and those that are present throughout their organization.

•  File systems are the methods and structures used by an OS to organize, track, and retrieve data. Recognizing that there are several types of file systems used today (e.g., FAT12/16/32, NTFS, ext2/3/4, HFS+/APFS), at a minimum a practitioner should understand the more popular file systems that are commonly used by consumers and those that are present throughout their organization.

•  Networking protocols are the mechanisms by which devices, such as systems, define rules and conventions for communicating with each other.

•  Scripting languages are interpreted programming languages used to automate tasks and to glue together other programs and tools. Recognizing that there are several scripting languages (e.g., Batch, Visual Basic [VB] Script, Perl, Python), a practitioner should be proficient in at least one of them.

•  Legal studies includes knowledge of the precedent set forth by the rules, standards, and directives of legal systems. Refer to Chapter 16, “Ensuring Legal Review,” for further details about the application of law to forensic science.

As a practitioner, these subject areas are considered foundational knowledge required for the technical execution of digital forensic principles, methodologies, and techniques throughout the investigative process workflow, which is discussed further in Chapter 2, “Investigative Process Methodology.”
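Two of the investigation principles listed above, evidence integrity and chain of custody, are concrete enough to show in code, and doing so also exercises the scripting skill the list asks for. The following is an added example and not code from the original chapter: every evidence item is fingerprinted with SHA-256 at acquisition, every hand-over is appended to a custody record that refuses a transfer from someone who does not currently hold the item, and verification recomputes the hash rather than trusting the record. The item identifiers, custodian names, and evidence bytes are constructed for the example.

```python
"""Evidence integrity and chain-of-custody record keeping (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash large images in 1 MiB pieces instead of loading them whole


def sha256_bytes(data: bytes) -> str:
    """Fingerprint an in-memory evidence item."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Fingerprint an on-disk item (e.g., a disk image) in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class CustodyLog:
    """Append-only record of who held each evidence item and when."""

    def __init__(self):
        self.items = {}  # item_id -> {"sha256": hex digest, "entries": [...]}

    def acquire(self, item_id: str, data: bytes, custodian: str, note: str = "") -> str:
        if item_id in self.items:
            raise ValueError(f"{item_id} already acquired")
        digest = sha256_bytes(data)
        self.items[item_id] = {
            "sha256": digest,
            "entries": [{"time": _now(), "action": "acquired",
                         "custodian": custodian, "note": note}],
        }
        return digest

    def transfer(self, item_id: str, from_custodian: str, to_custodian: str, note: str = "") -> None:
        item = self.items[item_id]
        holder = item["entries"][-1]["custodian"]
        if holder != from_custodian:
            # A hand-over from someone who does not hold the item is a custody gap.
            raise ValueError(f"{item_id} is held by {holder}, not {from_custodian}")
        item["entries"].append({"time": _now(), "action": "transferred",
                                "custodian": to_custodian, "note": note})

    def verify(self, item_id: str, data: bytes) -> bool:
        """Recompute the hash of the item as presented and compare it to the record."""
        return hmac.compare_digest(self.items[item_id]["sha256"], sha256_bytes(data))

    def holder(self, item_id: str) -> str:
        return self.items[item_id]["entries"][-1]["custodian"]

    def export(self) -> str:
        """Serialise the record for inclusion in the case file."""
        return json.dumps(self.items, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed walk-through: acquire, hand over, then detect a modified copy.
    log = CustodyLog()
    evidence = b"constructed evidence blob: mailbox export 2023-01-01"
    log.acquire("E-001", evidence, "technician", "collected from workstation WS-17")
    log.transfer("E-001", "technician", "examiner", "sealed bag, receipt signed")
    print("intact:", log.verify("E-001", evidence))
    print("tampered:", log.verify("E-001", evidence + b"\x00"))
    print(log.export())
```

The `holder` check in `transfer` is what turns a list of timestamps into a chain: a record that allows an item to move from a custodian who never held it cannot demonstrate continuous custody. Constant-time comparison in `verify` is not strictly necessary for a local hash check, but it costs nothing and keeps the habit for the cases where the digest comes from an untrusted party.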

Intermediate

With foundational knowledge acquired, practitioners can decide to further their education by expanding the scope of knowledge beyond those topics directly linked to the execution of digital forensics. The following are examples of subject areas where knowledge gained will enhance a digital forensics practitioner’s educational roadmap:

•  Cryptography: While one of its purposes is to protect the confidentiality of information, it has also been used as a means of hiding—or concealing—data and communications. Knowledge of cryptography’s use for security and anti-forensics is valuable when examining and analyzing digital evidence.

•  Mobile devices have proliferated in the past decade, which has allowed for growth in the mobile workforce community and supported the concept of “always connected, always available.” Recognizing that there are countless manufacturers that have their own proprietary devices (e.g., Apple, Blackberry, Samsung), at a minimum a practitioner should understand the platforms used predominantly throughout the organization.

•  Cyber and security investigations can encompass a broad scope of digital evidence that must be gathered and processed from systems and applications located throughout the Internet. Also, understanding the different laws, standards, and regulations that govern accessing and gathering evidence is important; refer to Chapter 16, “Ensuring Legal Review,” for further details about the application of law to forensic science.

•  Incident response is the structured approach by which organizations address and manage computer security events. Digital forensics practitioners are key stakeholders throughout the entire methodology.

•  Electronic discovery, or e-discovery, refers to the use of a structured approach by which organizations identify, gather, and process ESI for producing evidence per legal or compliance requests.

•  Cloud computing is changing the landscape of how business operations are conducted and how digital evidence is gathered and processed. Practitioners should be proactive in developing strategies for adapting and expanding their organization’s digital forensics capabilities into these environments.

•  Network forensics, a sub-discipline of digital forensics, consists of monitoring and analyzing the network traffic and communications of computer systems and devices for the purpose of gathering evidence. Like RAM, network forensics largely involves volatile data that is only available for a brief period. The ability to forensically gather digital evidence from networks can help to corroborate and correlate digital evidence from other devices and computer systems.

•  Malware reverse engineering, as it relates to digital forensics, is the process of analyzing computer systems to (1) identify malicious software, (2) establish how it got there, and (3) determine what changes it caused on the host system. Building this skill requires learning and using a variety of system and network tools designed to isolate, disassemble, and analyze the properties of malware.
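Network forensics, as described above, starts with decoding raw traffic into the protocol fields an analyst reasons about and then grouping packets into flows. The following is an added example and not code from the original chapter: it parses Ethernet II / IPv4 / TCP frames with the standard `struct` module, honouring the IPv4 IHL and TCP data-offset fields so that headers with options are handled, and aggregates the packets into per-direction flow records with packet counts, payload bytes, and the TCP flags seen. The three-frame exchange it processes is constructed in-line with `build_frame()`; nothing is captured from a live network, and checksums are left at zero since the point is parsing, not generation.

```python
"""Decode raw Ethernet/IPv4/TCP frames and summarise them as flows (added example)."""
import socket
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")    # fixed 20-byte TCP header
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}


def build_frame(src, dst, sport, dport, flags, payload=b"", seq=0, ack=0):
    """Construct a minimal frame for the example (checksums left zero)."""
    tcp = TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = ETH_HDR.pack(b"\xaa" * 6, b"\xbb" * 6, ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame):
    """Return the TCP 5-tuple, flags and payload, or None if not IPv4/TCP."""
    if len(frame) < ETH_HDR.size + IP_HDR.size:
        raise ValueError("frame truncated")
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    off = ETH_HDR.size
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = IP_HDR.unpack_from(frame, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    if proto != PROTO_TCP:
        return None
    ip_end = off + total_len
    if ip_end > len(frame):
        raise ValueError("IPv4 total length exceeds frame")
    toff = off + ihl
    sport, dport, seq, ack, doff_res, flags, _, _, _ = TCP_HDR.unpack_from(frame, toff)
    doff = (doff_res >> 4) * 4          # TCP header length, options included
    payload = frame[toff + doff:ip_end]  # trailing Ethernet padding is excluded
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "ttl": ttl,
        "flags": [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit],
        "payload": payload,
    }


def flows(frames):
    """Aggregate frames into per-direction flow records keyed by the 4-tuple."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": set()})
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        rec = table[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
        rec["packets"] += 1
        rec["bytes"] += len(pkt["payload"])
        rec["flags"].update(pkt["flags"])
    return dict(table)


# Constructed three-packet exchange: TCP handshake plus one data segment.
SAMPLE = [
    build_frame("10.0.0.5", "10.0.0.9", 40000, 22, 0x02, seq=100),
    build_frame("10.0.0.9", "10.0.0.5", 22, 40000, 0x12, seq=500, ack=101),
    build_frame("10.0.0.5", "10.0.0.9", 40000, 22, 0x18, b"SSH-2.0-client\r\n",
                seq=101, ack=501),
]

if __name__ == "__main__":
    for key, rec in flows(SAMPLE).items():
        print(key, rec["packets"], "pkts", rec["bytes"], "bytes", sorted(rec["flags"]))
```

Keying flows on the unidirectional 4-tuple keeps client-to-server and server-to-client traffic separate, which is what you want when the question is who sent the data; a bidirectional view is a matter of sorting the two endpoints before building the key. Real captures arrive as pcap records rather than bare frames, but the per-frame logic is the same.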

Advanced

Leveraging what was learned previously, this level of education further expands subject areas of other disciplines and professions into the application of digital forensics. The following are subject areas that can elevate a digital forensics practitioner’s education to the highest level of technical and practical execution:

•  Systems development, also referred to as application development, describes the process for planning, creating, testing, and deploying information systems. Knowledge about the system development life cycle (SDLC) is important for practitioners to understand the ways in which systems and applications interact with data.

•  Security architecture complements enterprise architecture, focusing on the necessities and potential risk involved in certain scenarios or environments throughout the organization. Knowing how and where the implementation of administrative, technical, and physical security controls can create greater capabilities for digital forensics is valuable knowledge for a practitioner to have.

Non-Technical Knowledge

For the most part, academic institutions focus more on the technical aspects of digital forensics to provide practitioners with the knowledge and skills necessary to directly support their role and responsibilities. However, it is equally important to balance these technical skills with non-technical (soft) skills. Within this complementary set of non-technical skills come varying levels of knowledge that, depending on a particular educational roadmap, can elevate someone’s career to the next level.

Introductory

We already know that getting into the digital forensics profession means starting out somewhere. While there are resources available to provide people with knowledge about these non-technical (soft) skills, perfecting them comes with practice and experience over time. For example, the following subject areas are foundational knowledge for all digital forensic practitioners to have:

•  Time management is about planning and controlling time spent to effectively accomplish a task or goal. With respect to digital forensics, this means being able to prioritize the tasks and activities required to work through the investigative process methodology and establishing fact-based conclusions.

•  Analytical skills involve the ability to extract meaning and relevance from masses of data to find hidden patterns and unexpected correlations so that fact-based conclusions can be established. While learning about analytical styles can be gained academically, perfecting these skills requires practitioners to continuously refine and improve their capabilities.

•  Technical writing is any form of writing that is used to communicate in a clear and concise manner the findings and conclusions of a digital forensics investigation. It is important to avoid the over-use of technical jargon or slang that can create confusion amongst non-technical readers.

•  Communication skills are essential to have in any career and are complementary to technical writing skills. This means being able to illustrate complex technical information in a natural, logical business language that is simple to understand.

•  Critical thinking is a person’s ability to remain objective when analyzing digital evidence during an investigation. Possessing this skill is essential for upholding a standard of professional conduct and ethics; refer to Chapter 4, “Ethics and Conduct,” for further discussion.

Intermediate

Continuing to build and develop the foundational non-technical skills outlined above, practitioners determined to enhance their educational roadmap can seek to expand skills into new subject areas. As mentioned previously, acquiring a new skill is not a “one and done” process but more of a continuous development plan. In addition to refining and improving existing skills, the following are examples of subject areas where knowledge gained will enhance a digital forensics practitioner’s educational roadmap:

•  Interrogation is a form of interviewing used to obtain information from people during an investigation. This skill ranges from simple techniques, such as building rapport, to more advanced techniques, such as reading verbal and non-verbal cues. It is another skill that requires ongoing development, and it can elevate a person to the next level of the non-technical side of their career.

•  Interpersonal skills are used when a person interacts with other people. This skill can be viewed as beneficial in a few ways: the first is in demonstrating leadership and professionalism when getting along with others as a means of getting the job done, and the second is complementary to interrogation (i.e., rapport building) to obtain useful information.

•  Leadership within an organization could be viewed as either taking on any form of leadership role, such as a team lead or manager, or being able to effectively communicate the importance of digital forensics throughout the organization. Learning how to lead both people and the future of a digital forensics program is essential knowledge if the education roadmap is to elevate into a director or executive sponsor role.

•  Project management involves the application of knowledge, skills, methodologies, and techniques to complete defined activities to meet pre-defined requirements. Project management is related to time management, and possessing this skill expands a practitioner’s ability to effectively execute (multiple) investigations by consistently following the same investigative process methodology.

Advanced

When an educational roadmap is intended to grow someone into the role of director, or eventually into executive sponsorship, the focus turns from skills directly related to digital forensics and moves into subject areas that are intended to bring about heightened business-centric proficiencies. In addition to refining and improving existing skills, the following are examples of subject areas where knowledge gained can move a digital forensics practitioner into a management role:

•  Conflict resolution is how two or more parties find a solution to a disagreement between them. For the most part, this skill is better suited for a leadership role (e.g., team lead or director), and other skills such as negotiation and interrogation are more beneficial to other digital forensics roles (e.g., investigator).

•  Budget management involves adhering to corporate protocols to analyze, organize, and provide oversight to the costs and expenditures of the digital forensics program. Knowledge in this subject area is critical for ensuring sustained delivery of operations and continued growth.

•  Resource management involves the deployment and allocation of people when and where required. In the context of a digital forensics program, this skill builds upon the previous leadership knowledge to move into more of a management role.

•  A strategic mindset demonstrates awareness of the importance of digital forensics capabilities to the organization. This proactive approach includes an aptitude for establishing, maintaining, and nurturing strategic relationships, and for applying the previously acquired skills towards strategic influence.

The subject areas outlined above, both technical and non-technical (soft), are building blocks of the knowledge and experience someone would need to have as part of their educational roadmap. However, one should recognize that all organizations are different and that some of the intermediate or advanced topics may not be applicable in a specific environment. This does not mean these items should be excluded from someone's educational roadmap. Progressing through the educational roadmap is not a simple task; it requires people to invest in themselves by dedicating time and effort to furthering their career.

Piecing it all together, as new knowledge and experience are gained as people progress through their educational roadmap, naturally they will be better equipped to evolve their role within digital forensics into something greater, such as from analyst to investigator. Using the map illustrated in Figure 14.2, the relationships between the multiple elements of the education roadmap have been laid out in a manner that shows how an individual’s competencies, both technical and non-technical, represent the roles and titles within the digital forensics profession.

Portrayed in the map above, the following methodology was applied as criteria for representing both the role and title of individuals as they increase their technical and non-technical competencies throughout the educational roadmap.

•  The x-axis represents the technical knowledge of an individual starting with the introductory skills (left) and progressing into the advanced skills (right). Progressing on this axis, as characterized by the increase in technical skills, is depicted by the alphabetic representation of the digital forensics role found in the accompanying legend.

•  The y-axis represents the non-technical knowledge of an individual starting with the introductory skills (bottom) and progressing into the advanced skills (top). Progressing on this axis, as characterized by the increase in non-technical skills, is depicted by the color scheme representing the digital forensic titles.

Digital Forensics Experts

Absent from the map above is the use of the title expert. As discussed previously, an expert is any individual who has been authoritatively recognized for knowledge and experience in digital forensics. The need to be authoritatively recognized implies that the expert title is held by individuals who have established themselves in the digital forensics profession and have been granted use of the title by a person or group qualified to do so. In turn, this raises the question of "Who is qualified to decide whether an expert is really an expert?"

Figure 14.2 Educational roadmap.

For the longest time, there was an ongoing debate about whether it makes sense that the legal system, judges and juries, is the authoritative body qualified to decide when a person is an expert. At the core of this debate is the fact that judges and juries might have limited technical knowledge and may not easily understand the technical issues in question; so how can they be qualified to determine when an expert is an expert?

At the simplest level, this debate can be settled by accepting the consensus of the digital forensics professional community that an individual is qualified to use the title of expert. There are numerous certifying bodies and institutions that the courts look to for demonstration that an expert holds some type of relevant certification or accreditation; refer to Appendix B, "Education and Professional Certifications," for a list of digital forensics certifications. Yet, doubt can still arise about treating a credential as a qualifying means of being an expert, because the courts are simply placing their trust in the certifying bodies or institutions to qualify individuals as experts.

Under U.S. Federal Rules of Evidence Rule 702, a witness may be qualified as an expert by "knowledge, skill, experience, training, or education" on the subject relating to his or her testimony beyond common experience; any one of these grounds can suffice. However, whether a person may testify as an expert in a legal proceeding also depends on whether his or her "scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue." Therefore, academic degrees and certifications are not necessarily requisite to expertise. So how does someone qualify as a digital forensics expert?

For the most part, because roles and titles are used quite interchangeably to describe a person in the digital forensics profession, it is challenging to find authoritative reference material that outlines what is required of someone to become a digital forensics expert. In fact, the qualifications and skills required of a digital forensics expert remain an open issue because there are no standards by which expertise can be measured. Establishing a set of standards that qualify individuals as digital forensics experts requires creating policies and requirements that address the expected education and qualifications.

Summary

Over the course of an investigation, there can be a wide range of individuals involved at any given time. Through the implementation of various levels of education and training programs, organizations can prepare stakeholders for the various roles they may play before, during, or after an investigation.
