Wednesday, April 18, 2007

The keystone kops

Mark McKinnon of CFED-TTF, in a response to my Peer Review entry, mentions that "One thing I was thinking about was by publishing this information you are letting every Tom, Dick and Harry have the information, they would then throw out there own shingle and state that they are a computer forensics professional because they know how to acquire a drive."

Today I heard a reference to the Keystone Kops, and I guess I wasn't surprised that it was referring to image acquisition by untrained personnel. I found this reference to "incompetent cops" to be very fitting. I've seen this problem with a lot of folks who "do forensics" as part of other job duties yet have no training and, perhaps even more detrimental, no interest.

Forensics work is tedious, sometimes boring, and requires dedication and attention to detail; the person doing the work must be meticulous about everything. There is a side of forensics that Harlan Carvey has called "Nintendo forensics," and unfortunately that's what a lot of IT and IT security staff are practicing. There is no understanding of the underlying process, and the margin of error in the procedures used by these security teams is too high. I firmly believe that just about anyone with common sense and a basic understanding of computing can become a forensic investigator (it's not rocket science), but some people just are not cut out for the work.

If you lead a security team or are a member of one and you are commonly involved in forensics tasks you need to ask yourself and the other members if there is interest in performing forensics work. If the interest isn't there, then for the sake of your organization, assign them to another task. There is simply too much at stake to continue putting your organization at risk. Utilize the skills of your team members where and when it makes sense to.

To quote Martin Sheen from The Departed:
"What I'm asking you is this - Do you want to be a cop, or do you want to *appear* to be a cop? A lot of guys just want to appear to be cops: gun, badge, pretend they're on TV."