Forensics: Computer Forensics – Police or Civil?

Historically computer forensics has always been lead by law enforcement. The technology, the methods, and the cases; all driven by criminal cases.

Who in the 1990’s would be able to afford, or even find, a computer specialist to investigate a HR issue within company? If the sales guy left, and took a the company contact list with him, then computer forensics would never be considered. In the police, things were different. In 1999 the now defunct National High Tech Crime Unit was created (now replaced by SOCA), police forces got funding for high tech crime units of their own and laws (in the UK) were created and amended to help the prosecution of those looking at child pornography on a computer. Not just those taking the pictures but those viewing the images.

These laws meant that thousands of new criminals were created and, combined with Operation Ore, more and more computer forensics work was created. The police were overwhelmed, so got bigger budgets. More people reported incidents of crime involving computers. The police were overwhelmed. The internet grew, and so did the offences, and so the police forensics units continued to grow.

In the UK as the police forces grew so did the industry of computer forensics dedicated to supporting the police. Many reputable companies make a huge proportion of their income from police work – which is outsourced. People many not be ware of this but, in the UK, the police regularly out source computer forensics work, including the child abuse investigations.

In addition to this, for every criminal case there is a defense lawyer, and therefore a defense expert witness.  This means that another industry of computer forensics specialists, defending people against prosecution, was created.

So from the police, to the companies conducting police work and those defending police work, there was an entire industry of forensics created, much of it from child abuse images.

This meant the software industry responded, and anybody attending an EnCase or FTK course would know this. The courses were heavily focused on recovering images and police work, with the vast majority of those attending courses working in law enforcement – this was a sensible decision by Guidance and AccessData.

Over the years computer forensics companies have expanded and moved into the areas of electronic discovery, civil investigations, and data theft investigations. But, because their original technology, training and staff, had a police basis these companies are often entrenched in law enforcement methodology and technology.

Even today, as we are hurtling towards 2010, many employers actively seek “ex-law enforcement” for computer forensics employment. It’s seen as the gold standard to measure the industry by.

But is it?

There is no doubt that the police standard of evidence handling are as high as they need to be, because they work in a criminal environment, rather than a civil. But are they the most effective? Are governments known for efficiency or bureaucracy?

What about technology? The police, as a standard use EnCase and FTK, and a few widgets. Civil companies can recover deleted files, keyword search, match hash values and all that good stuff. But while the civil sector has all of this, they also have a lot more.

  • Civil companies are able to cluster together similar documents, to help find the key files.
  • They can de-duplicate emails (which Encase or FTK cannot), therefore reducing the data set massively.
  • Civil companies are able to have hundreds of people reviewing and marking documents, around the world, on the same case, securely, in a live environment.
  • Technology is now deployed, in civil companies, to keyword search audio files and tape recordings, on the fly.
  • Near de-duplicates can be identified, by civil companies, to further reduce the size of data sets.
  • Concept searching is on the increase, and indexing is a de rigueur.

Most of these terms would never be used within law enforcement; so much so that the UK government states that they need 90 days to look at couple of computers and change the laws to detain people for that long. Law firms do that in a matter of days, and go to court on the results, because they are using far more advanced technology.

Civil companies are able to collect huge volumes of data. On the SANS twitter today there was the following statement:

  • Chris discusses the largest seizure by police: 14 locations; 50 investigators; 33 computers; 44 mobile devices; 400 media #forensicsummit

That is not a lot of computers. The largest collection this author has been involved with had over 5,000 pieces of media, a couple of hundred, for one case, is certainly not unique. With others doing many many more  Some firms have imaged over a petabyte of data, for one case.

The big investigations, the really big ones, the Madrid bombing, the Madoff investigation, Enron, WorldCom, etc – these all have a major civil investigation technical component, if not entirely civil.


There is a change on the EnCase courses, they are more “civil” friendly, but the course are still run, and dominated, by law enforcement demands. But with technology being led by the civil side, and the economics dominating the civil industry, is it not time to change our perspective on what the “gold standard” is?

Note: The author has worked on both sides of the argument.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: