SANS Digital Forensics and Incident Response Blog

What makes an expert?

I have recently been involved in a case where the argument came to one of who is an expert. This is not an uncommon attack when the issues at hand are not really in dispute and the opposing team wants to focus the case on other things. It may seem strange that a person with multiple postgraduate degrees, SANS/GIAC certifications (and others) up the wazoo and years of experience can be challenged on these grounds, but it is not unusual in this industry.

I did not specify anything stating that I am forensic-focused on my CV. I have too much for that and even for courts it is necessary to limit one's experience. That said, I did list all the SANS certifications and several Master's degrees.

So, how could it be possible to attack one's standing as an expert when you have a GSE, GSM and multiple IT Master's degrees in security?

Simple: none of these are a degree in "forensics". This is the argument I was faced with. It is not a good argument, but it is something that we can expect to see more and more in coming years. In my circumstance, I teach/lecture at an Australian University presenting a Master's degree specialising in digital forensics. However, I do not have a Master's degree in digital forensics. There is a reason for this: they did not exist when I started in IT Security and Forensics, hence my putting a proposal into the University a number of years back to create one (which I now teach).

But is that an issue?

This is the issue that is really at point. Many people coming into forensics think that being an expert involves having a digital forensic qualification. There are times when this could be necessary. In the acquisition of data, having a provable skill is essential, but this is not necessarily a degree in forensics.

In the case I am on, I am acting as an expert on software security. I will attest to this due to postgraduate qualification in software design and coding as well as numerous peer-reviewed papers on the topic.

This is the issue we need to consider and address. An expert is an expert in a particular field. In many circumstances, this is simply an expertise in finding and analysing data, but others will involve analysing software, code and intrusions. This is in part why I tell people that they cannot stop learning in this field. There are so many more things coming up each year that you cannot ever learn too much.

So, can you be an expert in court without having forensic qualification?

This is something many do not realise; you do not need a forensic qualification to provide forensic evidence to a court. In fact, most expert witnesses do not have forensic training. An expert witness is an expert in a particular field. If you are talking to the court on software integrity or security issues, you need to be an expert in software development and coding, not a forensic expert.

Having both helps, but it is not essential.

We need to start thinking about what an expert really is and not focus on the issue at hand. When analysing and recovering data, we need one set of skills, but this does not provide expertise in everything.

Craig Wright is the VP of GICSR in Australia. He holds the GSE, GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous postgraduate degrees including an LLM specializing in international commercial law and ecommerce law and a Master's degree in mathematical statistics from Newcastle, and he is working on his 4th IT-focused Master's degree (Masters in System Development) from Charles Sturt University, where he lectures subjects in a Master's degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.

4 Comments

Posted July 15, 2011 at 4:01 AM

Ron007

Simply having some sort of degree/diploma/certificate in forensics does not automatically make you a forensic expert on the question at hand. "Computing" is a large subject area.
I think your question is a subset of a larger question facing the computing industry. Has the industry matured enough to establish one or more "Professional" associations to provide accreditation of an individual's expertise? A setup along the lines of medical doctors, engineers, foresters and even lawyers.
Large scale computing has only been around since say the 1960's. Before that exposure to the general public was too limited, it was really still in the experimental phase. That's only 50 years. The other "professions" have been around for several hundred years, as professions, with even longer histories of practical experience. Realistically, computing is still developing. But in this "computer" age, with computer use being so widespread in our economy we may have to just go ahead and set up professional association(s) for computing.
Should any "Tom, Dick or Harry" be allowed to write computer programs for banks or hospitals or aircraft? I don't think so. Just as in the other regulated professions people in computing will have to be held accountable for their "professional" actions (except for lawyers. They lose cases all the time and still get paid for their "work". Incompetent judges get "overturned on appeal" constantly, but don't face any sanctions). If you write bad code, you face professional and legal sanctions. This would go a long way to improving the quality of computer systems.

Posted July 15, 2011 at 9:10 PM

@sharpesecurity

Having a bunch of SANS certs means you have a bunch of certs demonstrating entry level knowledge of various topics. There is nothing wrong with that, but that isn't expert-level knowledge. The degrees are a different story as long as they are from respected and accredited schools, not online diploma mills. The real key is having boatloads of relevant experience in a topic, is it not?

Posted July 16, 2011 at 11:46 PM

TheKernel

Hi - which Australian university has a masters in digital forensics?

Posted July 25, 2011 at 8:22 AM

Craig S Wright

"Hi - which Australian university has a masters in digital forensics?"
Charles Sturt University offers this - please see the following link:
http://www.itmasters.edu.au/WhichQualification/MasterofInformationSystemsSecurity/DigitalForensics.aspx
Some SANS courses can be used as credit and we have a good number of international students as well as Australian ones.