Security Basics mailing list archives
RE: Is a career change to Computer Forensics fantasy orcanitbereality?
From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 15 Dec 2006 08:19:00 +1100
Counsel may introduce anyone as an expert and they will be allowed in general. This is an issue of weight applied to the evidence. If the expert is discredited, it may severely impact the chances of winning in general even if the expert only plays a small part. For this reason the decision is most likely made by counsel and not the bench.

Voir Dire is really a US thing as well. It is uncommon outside the US. Further this is a pre-trial/hearing motion. The experts are generally accepted by both parties or both have their own prior to the trial.

As a witness you are allowed to venture fact alone. An expert is allowed to voice opinion. There is only expert and lay witness. There is black and white in this and there is no room to have a semi or quasi expert.

You will have to state that you are an expert to the court and if you are lying this is a crime so you have to at least believe that you are an expert. If you truly believe this then you can be an expert (as poor as this sounds). The catch is that the opposing counsel have the chance to rip you apart on public record.

Regards,
Craig

-----Original Message-----
From: Murda Mcloud [mailto:murdamcloud () bigpond com]
Sent: Thursday, 14 December 2006 10:18 AM
To: Craig Wright; security-basics () securityfocus com
Subject: RE: Is a career change to Computer Forensics fantasy orcanitbereality?

So who has the decision to allow the expert to be heard in the trial? Does it lie solely with the judge? And is the opposing counsel allowed to question this or even to carry out a voir dire in a similar fashion to how juries are selected? I know that in the US the whole jury selection process can be so much more involved than in the UK - is the same true of expert selection?

I'll defer, of course, to your greater knowledge on this Craig/Justin. This thread interests me for the same reason the OP put the question and also because I may well have to be venturing into court on a case as a witness at some point in the near future.
A witness, but from reading this thread, by no means an expert witness. That will, as you've said, take time to build the kind of weight a court would deem necessary.

(Is there such a thing as a semi expert? Advanced enthusiast witness? Wannabe witness? Passionate amateur witness? I can see it now, "Your honour, Professor Frink is a complete n00b and his argument holds no weight")

-----Original Message-----
From: Craig Wright [mailto:cwright () bdosyd com au]
Sent: Thursday, December 14, 2006 7:21 AM
To: Murda Mcloud; security-basics () securityfocus com
Subject: RE: Is a career change to Computer Forensics fantasy or canitbereality?

The issue is that of weight. In a sub-juris trial or pre-hearing motion, the bench will decide on both fact and law (separate to situations involving a jury where the bench decides on law and the jury on issues of fact).

There is a distinction as to weight. The applied weight of any evidence is based on the perceived strength of the evidence. The more credible the "expert", the more weight applied to the expert's opinion (and vice versa). As the weight applied to any piece of evidence is not made public record, there is no way to determine this.

The issue in the article is the application of law to the determination (the appeal point) and not the weight of the fact.

Craig

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Murda Mcloud
Sent: Wednesday, 13 December 2006 5:45 PM
To: security-basics () securityfocus com
Subject: RE: Is a career change to Computer Forensics fantasy or canitbereality?

This is quite an interesting article relating to this point - I thought Paula simply meant that the expert had to be 'tested' so to speak before being allowed to be heard in a trial.
http://www.scl.org/editorial.asp?i=1416

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Craig Wright
Sent: Monday, December 11, 2006 8:33 AM
To: security-basics () securityfocus com
Subject: FW: Is a career change to Computer Forensics fantasy or can it bereality?

What planet are you from?

The comment "To testify as an expert you must be "certified" to do so by the Court." is just BS!

The parties and the court accept the expert or they counter with other "experts". This allows them to introduce "opinion". Their testimony is weighted based on their credibility.

As an example...

AU
EVIDENCE ACT 1995 - SECT 79
Exception: opinions based on specialised knowledge
If a person has specialised knowledge based on the person's training, study or experience, the opinion rule does not apply to evidence of an opinion of that person that is wholly or substantially based on that knowledge.

And ...

UK
"If matters arise in our law which concern other sciences or faculties, we commonly apply for the aid of that science or faculty which it concerns" Buckley v Rice Thomas (1554)

The expert witness is, thus, an exception to the exclusionary rule and is permitted to give opinion evidence. In civil litigation this has statutory authority in the UK:

"Where a person is called as a witness in any civil proceedings, his opinion on any relevant matter on which he is qualified to give expert evidence shall be admissible in evidence" Civil Evidence Act 1972, S.3 (1).

I can keep going on US, ECJ etc if you wish, but the fact is that there is nothing to "certify" an expert. In Sub-juris cases you have to be able to convince the justices of your merit. When in front of a Jury, you need to convince them. At the same time the opposing counsel will try to tear down your credibility.

The duty of an expert is to the court! Not to any party - even the one paying you. Truth first, loyalty to the court. See the guidelines below.
And as for how an expert should behave...
http://www.fedcourt.gov.au/how/prac_direction.html

Regards,
Craig

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Paula McPherson
Sent: Friday, 8 December 2006 9:24 PM
To: gillettdavid () fhda edu; reapersoft () gmail com; security-basics () securityfocus com
Subject: RE: Is a career change to Computer Forensics fantasy or can it bereality?

To testify as an expert you must be "certified" to do so by the Court. Either through a voir dire of your Vitae (examination and cross-examination of one's professional expertise including review of all published works) or stipulation of parties, one way or the other the dude taking the stand has to be a hardware and software God.

Though I came from a legal background, I did not come to system security late; I had to wait for them to upgrade the abacus.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Gillett
Sent: Wednesday, December 06, 2006 7:41 PM
To: reapersoft () gmail com; security-basics () securityfocus com
Subject: RE: Is a career change to Computer Forensics fantasy or can it be reality?
There has always been a conflict in my mind that one who
pursues Forensics needs to first be a Security/IT type, I
have seen where this looks to be true and where it does not,
perhaps someone can comment on that.
There are at least two common definitions of "Computer Forensics", which *do* overlap. Undoubtedly, some of the sources you've seen are using one and some another.

1. Investigation of Computer Security Incidents

A lot of this is recognizing what's abnormal and figuring out how it came about. Obviously, someone without an IT background is going to be ill-equipped for this.

2. Recovering Evidence from Computer Systems

This is all about being able to testify, as necessary, at termination hearings, lawsuits, and even criminal trials, as to things like standard procedures, sanitary methods, chain of custody, and the like. Detailed IT knowledge is helpful, but is more essential to tool authors than to tool users. Although the evidence is stored in a digital information system, the acts of which it provides evidence need not involve any violation of computer security, but are more often evidence of fraud, infidelity, or other sorts of non-computer malfeasance.

Certifications come in both flavors, too. My impression is that the particular certs you've listed are attempting to certify expertise under the first definition; under the second, courts have decided to accept evidence retrieved by a few specific tools *when used by a vendor-certified operator*, and so each tool has its vendor certification program. (Jobs in the second category have so far mostly been with law enforcement and prosecutorial agencies, although I expect that at some point there will begin to be a market for these skills on the defendant side as well.)

To those who use the second definition, activities under the first definition are a subset of "Incident Response", and you may find it easier to get into that general field and then specialize in the particular aspect that interests you, than to try to go directly into specialization.

David Gillett
-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of
reapersoft () gmail com
Sent: Tuesday, December 05, 2006 5:04 AM
To: security-basics () securityfocus com
Subject: Is a career change to Computer Forensics fantasy or
can it be reality?
Hello,
I am a software engineer working in the VoIP space. I am
looking to change my career path and get into Computer Forensics.
Without any experience it's going to be a tough road but I
believe my troubleshooting skills and software experience can
help. My troubleshooting ability can be valuable on the
investigation side of things, I generally will "chew" on a
problem until it's solved or at least until I have another way
to debug it and gather more information. My programming
skills can come in handy for gathering information during an
investigation when it's a network intrusion or for malware
analysis, at least this is my reasoning.
Some things I am doing now is reading books (File System
Forensic Analysis, Real Digital Forensic etc...) and
listening to relevant podcasts but that only takes one so
far. My other thought is to get one of the many
certifications out there so that when I attempt to gain
employment I am at least showing some initiative and not just
a passing interest in the field. Spending some of my own
money shows a commitment to my goal.
There has always been a conflict in my mind that one who
pursues Forensics needs to first be a Security/IT type, I
have seen where this looks to be true and where it does not,
perhaps someone can comment on that.
I am looking for opinions on what certifications I might
spend my money on. Should I go with a security cert, a pure
forensics cert, some combination of both or neither.
Some of the Forensic specific certs I have been evaluating
are the SANS GCFA and ISFCE CCE.
I have posted this to the SecurityFocus Forensics list but it
was rejected because it was off topic. I did however get
some good feedback from the list's moderator, thanks for that!
I wish to get some more feedback from others so hopefully the
Basics list is the place to post.
In a nutshell:
Can one get into the field of Computer Forensics thru self
study and getting a certification or is it such a closed
field that I should look elsewhere for a career change and
not waste my time/money?
Is the field primarily based on experience and not certs?
Any and all opinions are welcome.
Thanks in advance,
MH
--------------------------------------------------------------
-------------
This list is sponsored by: ByteCrusher
Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.
http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=s
fmaildetect
--------------------------------------------------------------
-------------
Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.