Security Basics mailing list archives
RE: Initial Machine login - Computer Forensics 101
From: Craig Wright <Craig.Wright () bdo com au>
Date: Fri, 8 Feb 2008 13:41:38 +1100
The issue that is always missed with the PI debate is that it is not that a PI license is required; it is that a license is required. In Texas for instance the issue of PI Law for Digital Forensics in Tx is that people read the code in isolation. Chapter 1702, Private Security, of the Texas Occupations Code does not state that everyone needs to have a PI license to engage in forensics. It has exclusions. §1702.324. CERTAIN OCCUPATIONS states:

"(b) This chapter does not apply to: ...
(6) a licensed engineer practicing engineering or directly supervising engineering practice under Chapter 1001, including forensic analysis, burglar alarm system engineering, and necessary data collection;...
(9) an attorney while engaged in the practice of law;
(10) a person who obtains a document for use in litigation under an authorization or subpoena issued for a written or oral deposition; ...
(12) a person who on the person's own property or on property owned or managed by the person's employer: ...
(14) a person or firm licensed as an accountant or accounting firm under Chapter 901, an owner of an accounting firm, or an employee of an accountant or accounting firm while performing services regulated under Chapter 901;"

"Chapter 901 - Accountants", of Texas Occupations Code covers CPA's in the US.

Additionally, there is the exclusion for a "person who obtains a document for use in litigation under an authorization or subpoena issued for a written or oral deposition;" which may be extrapolated to include CCE's and others that are operating under court orders.

Next, if you are working under the instruction of "an attorney while engaged in the practice of law", you are also excluded from this code.

Many of us will be covered under one or more of these provisions and thus not need to be a PI. The license requirements to be an Engineer are far more stringent than those for a PI, so the subject is where the easiest path lies.
I am not stating that you do not need to be licensed at all, but that you do not need to be a PI. A private investigator is not the ONLY licensed person able to do forensic work. A licensed Accountant, a licensed Engineer and many other professions all suffice. These occupations are explicitly excluded from chapter 1702 of the Tx occupations code and similar provisions exist in Sth Carolina as well.

This is also not stating that the states can not license forensic collections, just that this does not mean that it is restricted to only PI's. It includes ALL the occupations deemed acceptable.

As an engineer, doing work for an accounting firm in the course of an engagement for a law firm I would have no issues at all not having a PI license. In fact, given a choice, I would (if I was not already one) become an engineer BEFORE thinking of being a PI.

http://www.txdps.state.tx.us/psb/docs/OccChpt1702.pdf

Regards,
Craig Wright (GSE-Compliance)

Craig Wright
Manager of Information Systems
Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Steven Bonici
Sent: Thursday, 7 February 2008 12:27 AM
To: security-basics () securityfocus com
Subject: RE: Initial Machine login - Computer Forensics 101

--PI Licensing required for computer forensics in court

Groklaw blog: the ante is increasing on the credentials required for digital evidence submitted in courts.
http://www.groklaw.net/article.php?story=2008013014235863

Possibly related case: Another odd example... Last week, an expert witness was excluded due to a challenge saying an individual who graduated college with a biochemistry major does not have enough expertise to be a computer forensic expert despite having experience and certifications.
http://ridethelightning.senseient.com/2008/01/when-logic-and.html

[Guest Editor (Robert Lee - SANS Forensics instructor and track lead): Many forensic analysts/experts who testify or examine evidence may not be licensed PIs, and, as a result motions to dismiss the testimony or the analysis will be filed in the court. It will be up to counsel to have a persuasive argument to counter the motion and up to the judge to make fair decisions based on the arguments presented. Even in Texas and South Carolina where state opinions are surfacing on the PI question, it is still ultimately up to the judge in each case to allow the evidence or the analysis to be included in the proceedings.
I think logic will eventually win here, but I'm glad to see it brought up in court so more people can discuss it. Buckle your seatbelts; expect many more such cases to keep popping up.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Murda Mcloud
Sent: Monday, February 04, 2008 11:10 PM
To: 'Michael Condon'; security-basics () securityfocus com
Subject: RE: Initial Machine login - Computer Forensics 101

Hi Michael,

Sorry, I forgot to give a link
http://www.e-fense.com/helix/
or F.I.R.E
http://fire.dmzs.com/

You can go for knoppix-std too.
http://www.knoppix-std.org/

The closest thing I've come to from a windows standpoint is (not the same as the others in functionality)
http://www.nu2.nu/pebuilder/

There may be others.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michael Condon
Sent: Tuesday, February 05, 2008 2:13 AM
To: Worrell, Brian; security-basics () securityfocus com
Subject: Re: Initial Machine login - Computer Forensics 101

Well understood. That brings up another subject - is there freeware or a documented procedure for making a bootable CD?

Michael Condon

----- Original Message -----
From: "Worrell, Brian" <BWorrell () isdh IN gov>
To: "Michael Condon" <mjc001 () juno com>; <security-basics () securityfocus com>
Sent: Monday, February 04, 2008 10:06 AM
Subject: RE: Initial Machine login - Computer Forensics 101

Michael,

Quick sidebar, I recall reading a post about this before on another list. If you are being paid to do this, you need to make sure it's all above board as in some states this can be considered illegal. Do not recall the exact issue, but part of the outcome was that you needed to have very clear, signed, documentation on what you were asked to do. Think the case the article was referring to was in California.

That said, I would make a copy of the drive, and not alter the original in any way.
This helps keep the evidence chain.

Brian

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michael Condon
Sent: Saturday, February 02, 2008 11:15 PM
To: security-basics () securityfocus com
Subject: Initial Machine login - Computer Forensics 101

Here is a Computer Forensics 101 question. Suppose a distraught woman comes to me with her husband's laptop and wants me to search it for information about a suspected marital indiscretion.

1. Assuming it is an XP/Vista machine, how can I log in as administrator?
2. Is the second approach to make a bitstream copy of the hard drive using an external USB hard drive enclosure and proceed that way?
Current thread:
- Initial Machine login - Computer Forensics 101 Michael Condon (Feb 04)
- Re: Initial Machine login - Computer Forensics 101 Danyelle Gragsone (Feb 04)
- Re: Initial Machine login - Computer Forensics 101 Ansgar -59cobalt- Wiechers (Feb 04)
- RE: Initial Machine login - Computer Forensics 101 Worrell, Brian (Feb 04)
- Re: Initial Machine login - Computer Forensics 101 Michael Condon (Feb 04)
- RE: Initial Machine login - Computer Forensics 101 Worrell, Brian (Feb 05)
- RE: Initial Machine login - Computer Forensics 101 Murda Mcloud (Feb 05)
- RE: Initial Machine login - Computer Forensics 101 Steven Bonici (Feb 06)
- RE: Initial Machine login - Computer Forensics 101 Craig Wright (Feb 08)
- Re: Initial Machine login - Computer Forensics 101 Michael Condon (Feb 04)