Re: Computer Forensic Requirements

["Pace, Guy" <gpace () CIS CTC EDU>]

Any incident, whether it ends up in civil or criminal court, should be treated and processed as if it will from the 
beginning. That means that your staff should have specific training and/or certifications to perform in a manner that 
will preserve evidence and not corrupt the "crime scene." If your state requires that a certified forensic specialist 
or analyst who will conduct investigations and provide expert testimony in court must also be licensed as a private 
investigator, then your staff who are expected to perform this role as forensics specialists will also need to be 
licensed as private investigators. It is even possible that the office they work out of will need to be a licensed 
agency--depending on the various state regulations. Some states license PI's separately for carry (armed) or non-carry 
(unarmed), as well.

This can get into a deep wormpile when it comes to educational institutions requiring staff to be unarmed PI's, and 
institutional security offices to be licensed as PI agencies. This should trigger a serious review of incident response 
standards and procedures. How far do you want your staff to go, what liability do you want your institution to carry 
with "investigations," and wouldn't you really rather just bring in the necessary trained and certified professionals 
when needed? At least, they are--or should be--cognizant of the applicable laws regarding evidence, privacy, and legal 
investigation.

A key in many of the state requirements--as I understand it--is if the person is certified as a forensic specialist or 
analyst, they must apply for, qualify and be granted a license as a PI before they can conduct an investigation 
(forensic examination) that would be admissible (or at least believable by a jury) in court and not run you afoul of 
various privacy and other laws. The operative terms are "investigation" and "certified forensic analyst."

I'm not a lawyer, so you still need to get some input from that faction. This is still a relatively new field. You're 
likely to get some wildly varying viewpoints.

Guy L. Pace, CISSP
Security Administrator
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724

gpace () cis ctc edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Douglas 
Gale
Sent: Monday, May 26, 2008 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Computer Forensic Requirements

A number of states, including New York, South Carolina, and Texas, either require or are considering requiring computer 
forensic specialists to have a private investigator (PI) license.  A cursory reading of the various regulations in 
those states (I am not a lawyer) implies that this applies to a college or university employing an external firm for 
digital forensics.  What is less clear to me is whether or not it applies if internal staff is used for analysis.  Do 
they have to be licensed?  Or do they have to be licensed only if the findings are used in civil or criminal 
proceedings?  What about non-profit consortiums (e.g. state networks) that provide security services to their higher 
education members?  Has anyone had any experience with this issue or obtained legal opinions?