I have recently been involved in a case where the argument came to one of who is an expert. This is not an uncommon attack when the issues at hand are not really in dispute and the opposing team wants to focus the case on other things. It may seem strange that a person with multiple post graduate degrees, SANS/GIAC certifications (and others) up the wazzoo and years of experience can be challenged on these grounds, but it is not unusual in this industry.
I did not specify anything stating that I am Forensic focused on my CV. I have too much for that and even for courts it is necessary to limit one's experience. That said, I did list all the SANS certifications and several Master's degrees.
So, how could it be possible to attack one's standing as an expert when you have a GSE, GSM and multiple IT Masters degrees in security?
Simple, none of these are a degree in "forensics". This is the argument I was faced with. It is not a good argument, but it is something that we can expect to see more and more in coming years. In my circumstance, I teach/lecture at an Australian University presenting a Master's degree specialising in Digital forensics. However, I do not have a Master's degree in digital forensics. There is a reason for this, they did not exist when I started in IT Security and Forensics and hence the reason a number of years back for my putting a proposal into the University to create one (which I now teach).
But is that an issue?
This is the issue that is really at point. Many people coming into forensics think that being an expert involves having a digital forensic qualification. There are times when this could be necessary. In the acquisition of data, having a provable skill is essential, but this is not necessarily a degree in forensics.
In the case I am on, I am acting as an expert on software security. I will attest to this due to post graduate qualification in software design and coding as well as numerous peer reviewed papers on the topic.
This is the issue we need to consider and address. An expert is an expert in a particular field. In many circumstances, this is simply an expertise in finding and analysing data, but others will involve analysing software, code and intrusions. This is in part why I tell people that they cannot stop learning in this field. There are so many more things coming up each year, which you cannot ever learn too much.
So, can you be an expert in court without having forensic qualification?
This is something many do not realise; you do not need a forensic qualification to provide forensic evidence to a court. In fact, most expert witnesses do not have forensic training. An expert witness is an expert in a particular field. If you are talking to the court on software integrity or security issues, you need to be an expert in software development and coding, not a forensic expert.
Having both helps, but it is not essential.
We need to start thinking about what an expert really is and not focus on the issue at hand. When analysing and recovering data, we need one set of skills, but this does not provide expertise in everything.
Craig Wright is the VP of GICSR in Australia. He holds both the GSE, GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law, A Masters Degree in mathematical statistics from Newcastle as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Stuart University where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.
.png "Anastasia Sentsova")
