HKCSView: Three questions to ask your digital forensic investigators

Paul Jackson

A prominent local news story in August 2014 declared “digital forensics skills in Hong Kong are lagging behind the United States and Britain” – an interesting pronouncement with no underlying evidence to support the statement. Nonetheless, it raised a very pertinent question: how does anyone assess the levels of proficiency, integrity and competence of digital forensic investigators in Hong Kong?

In common with most places, there is no requirement for forensic investigators in Hong Kong to be certified. Anyone with minimal training and experience can set themselves up as an (often low-cost) forensic investigator, and hence, discerning how to get the best value for digital forensic services is no easy matter.

A practice beyond collecting evidence

Computer forensics is sought after in a wide variety of situations, ranging from cyber security breaches through to allegations of impropriety and dispute resolution. It is essentially the practice of identifying, preserving and analyzing digital evidence in a manner that is admissible in courts of law. It does (and should) go far beyond that. A truly competent forensic investigator ought to be able to draw inferences between digital and non-digital evidence, have an inquiring mind that understands where potential evidence may be found, and be able to apply lateral (out-of-the-box) problem-solving skills and thinking.

Cyber security data breaches need rapid and highly complex forensics to determine the source of the breach and the types of compromised data. This often involves painstakingly recreating a timeline of actions taken by those responsible. Sometimes this task falls on the shoulders of the in-house IT team, who are normally untrained for such a task and can cause more harm than good through their actions.

Criminal/civil forensics can range from simple recovery of data through complex restoration of all actions surrounding an incident – evidence of which may have been buried in obscure locations within the mountains of digital evidence collected during an investigation. The risks of getting it wrong can be severe. In many cases, the potential of what could have been achieved, if the forensics had been conducted with greater depth and sophistication, remains unknown.

Assessing forensic investigators

Which brings us to the crux of the issue: without any reliable form of accreditation, what questions can you ask that may shed light on the level of quality?

  1. Ask to look at the CV of the forensic investigator. Does it include a background that reflects both technical proficiency and real experience in conducting multi-faceted investigations?
  2. Ask about their most challenging case and how they solved it. In particular, listen for examples of where the investigator needed to research a particular issue, rather than relying on a forensic tool.
  3. Is the forensic investigator an active part of the professional community? The body of knowledge and experience has largely grown through peer discussions and sharing. A good example is the High Technology Crime Investigation Association (HTCIA), which has a thriving Chapter in Hong Kong and hosts an important annual conference for learning and development.

No matter where you are based, if you need forensic investigation help and have a great deal at stake, finding an individual/company meeting the above criteria may make the world of difference!

Paul Jackson is a committee member of the Information Security SIG of Hong Kong Computer Society and managing director of Stroz Friedberg (Asia).