SANS Digital Forensics and Incident Response Blog

Computer Forensic Examiners: PI Licensing Requirement Revisited

Do computer forensic examiners have to be licensed as private investigators? Well, that varies by state. Benjamin Wright has discussed the PI requirement here and Texas PI legislation here. Scott Moulton provided some insight to Michigan and the CISSP requirement here. I do not plan to regurgitate their research or viewpoints, but rather continue the discussion and provide some additional information in regards to another state and the PI licensing requirement. I want to thank Larry Daniel of Guardian Digital Forensics for providing his North Carolina legislation model, which I used as a framework for my position paper that I completed and sent to the Indiana Private Investigator Licensing & Security Guard Board earlier this year.

According to Indiana law, IC 25-30-1-2

(1) "Person" means an individual, a firm, a company, an association, an organization, a partnership, or a corporation.

(2) "Licensee" means a person licensed under this chapter.

(3) "Private investigator firm" means the business of:

(A) making, for hire or reward, investigation or investigations for the purpose of obtaining information with reference to:

(i) a crime against the state or wrongs done or threatened;

(ii) the habits, conduct, movements, whereabouts, association, transactions, reputation, or character of a person;

(iii) credibility of witnesses or other persons;

(iv) the location or recovery of lost, abandoned, unclaimed, or stolen property;

(v) the causes, origin, or responsibility for fires or accidents or injuries to real or personal property; or

(vi) the truth or falsity of a statement or representation;

(B) securing, for hire or reward, evidence to be used for authorized investigation committees or boards of award or arbitration or in the trial of civil or criminal cases; or

(C) providing, for hire or reward, undercover investigators to detect and prevent fraud and theft in the workplace or elsewhere.

(4) "Board" refers to the private investigator and security guard licensing board established under section 5.2 of this chapter.

(5) "Licensing agency" refers to the Indiana professional licensing agency established under IC 25-1-5-3.

(6) "Business entity" means a firm, a company, an association, an organization, a partnership, or a corporation.

In my position paper, I clearly outlined the distinct differences between roles of a private investigator and a computer forensic examiner. While there are some roles that both professionals share such as gathering evidence and preparing reports anticipating courtroom presentation, a computer forensic examiner applies a technical expertise using scientific methodology. Therefore, if Indiana were to get involved in regulating computer forensic examiners, a separate governing board handling licensing and requirements should be created instead of classifying computer forensic examiners as private investigators.

Those in law enforcement that practice computer forensics, from small to medium-size jurisdictions wear multiple hats, juggling the duties of both the investigator and forensic examiner. Having the ability to separate the duties of the investigator and the forensic examiner aid in maintaining a neutral viewpoint when it comes to examining digital evidence. A colleague and I while recently discussing a case shared our views in regards to neutrality when it comes to a computer forensic examination. It doesn't matter if we are in the business of bad guy suppression (thank you Rob), defending the bad guy, e-discovery, or incident response it is important to remember that we are examiners/analysts/fact finders. At this point in time, Indiana has decided NOT to get involved in regulating computer forensic examiners practicing computer forensics.

The Private Investigator Licensing & Security Guard Board concluded that as long as the computer forensic work being completed does not qualify as Private Investigator or Security Guard work then no PI license would be required. The board also stated, "Neither the Board nor the Indiana Professional Licensing Agency (for a variety of reasons) has an interest in establishing license requirements for Computer Forensic Examiners, or pioneering a new professional board for Computer Forensic Examiners. I appreciate the research you've done for the presentation provided to this board. We will continue with the present requirements for firms to obtain a private investigation license whose principal qualifier must meet certain experience requirements which may include, but not limited to specific computer forensics." So let's tie it all together. Do computer forensic examiners have to be licensed to practice PI & SG work in Indiana? Yes! Do computer forensic examiners have to be licensed to practice "computer forensics" in Indiana? No! As always consult with an attorney for legal advice and guidance. I commend Indiana's Professional Licensing Agency and the Indiana Private Investigator Licensing & Security Guard Board for deciding not to regulate computer forensic examiners at this point, but feel this is still vague in several facets and will only need to be revisited in the future. I believe it is imperative for computer forensic examiners/practitioners to know the law in their state(s) of operation and get involved. Contact your legislature or your state's licensing board (if applicable). I chose to get involved because of the influx and demand for our expertise and the increasing number of times I'm contacted outside the law enforcement community for private sector engagements.

**Disclaimer: This information is being provided "AS-IS" on an informative basis and SHOULD NOT be considered legal advice. Always consult with an attorney for legal advice.**

Mr. Brad Garnett, CCE, GCFA is a law enforcement officer specializing in computer forensics. You can follow Brad on Twitter @bgarnett17


Posted June 22, 2010 at 3:57 PM | Permalink | Reply

Ken Pryor

Good work''now we just need to get someone in Illinois to change our ridiculous rules.

Posted June 25, 2010 at 3:00 PM | Permalink | Reply

Giovanni Masucci

Thank you for writing this article however there is some adjustment when it comes to NC Law. I have been providing Digital Forensic Services for 8yrs in North Carolina and across the Country working with Law Enforcement & Government Agencies among Law Firms. Employing Law Enforcement as well. Last year licensing was defeated in North Carliona for Digital Forensic Examiners and this year a report was being addressed to the NC General Assembly as asked by them from the NC Private Protective Services Board to address concerns on licensing Digital Forensic Examiners in this State. I have been working for almost five years with this Board to make them understand what is entailed with our field compared to that of the PI Industry. Here is the passed update on legistation regarding Digital Forensic Examiners in our State and PI Licensing.
2009/2010: North Carolina General Statutes 74C-3 Private protective services profession defined
(b) "Private protective services" shall not include any of the following:
(17) A person engaged in (i) computer or digital forensic services or in the acquisition, review, or analysis of digital or computer based information, whether for the purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court; or (ii) network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network.

Posted July 30, 2014 at 10:29 AM | Permalink | Reply

Randy Andrews

So I have some questions more than a comment. If a forensic examiner is exposed to confidential work product of the attorney how is the information protected if the examiner is not a licensed investigator or a statutory employee of the attorney. Second what guides the forensic examiner from unethical behavior that results in damage to an individual? Are we talking about gathering information blindly and providing it to the customer or is this focus on the actual review of the findings and rendering conclusions based on the content of those findings? At what point does a Forensic Technician hold responsibility for mistakes and intentional breaches of trust? It seems to me that Forensic Technicians should be restricted to the recovery and presentation of content to the customer but prohibited from an investigation, summation, or review of private information unless they are licensed or under the direct supervision of a licensee as an employee. I know about the NDAs and confidentiality agreements but where is the bite in reality when the industry is unregulated and there is nothing to create and obligation to protect?