
Dabblers v. Professionals


 

March 1, 2025




"If you do the job in a principled way, with diligence, energy, and patience, if you keep yourself free of distractions, and keep the spirit inside you undamaged… then everything you do will be suffused with justice."


-Marcus Aurelius




I recently had a discussion with a colleague or two while attending the American Academy of Forensic Sciences (AAFS) annual meeting in Baltimore, MD.  These discussions revolved around the observation that digital forensics, unlike any other forensic discipline, attracts all kinds of “practitioners” who think they can do the job to a professional, expert-level degree (and tell their clientele they can do the job), but in reality, they are lacking many of the basic elements of practicing a true forensic science discipline.  There are several reasons for this, but first, I think it’s important to draw the corollaries between digital forensics and other “hard” forensic sciences.  For the purposes of this discussion, softer sciences like forensic psychiatry will not be included because the subjective nature and interpretive nuances that go into such a practice are much less well-defined than those of digital forensics or many of the “hard science” forensic disciplines.


Forensic Similarities


I asked GrokAI “what is forensic science?”  Here’s the reply I received:


Forensic science is the application of scientific principles and methods to investigate crimes and analyze evidence for use in legal proceedings. It combines disciplines like biology, chemistry, physics, and mathematics to uncover facts about criminal cases, often helping to identify perpetrators, determine causes of death, or establish timelines of events. Forensic scientists work with evidence such as DNA, fingerprints, bloodstains, ballistics, toxicology reports, and digital data, making it a critical tool in the justice system.

The term "forensic" comes from the Latin forensis, meaning "of or before the forum," referring to its role in public legal debates in ancient Rome. Today, it’s a broad field with specialties like:

  • Forensic Pathology: Examining bodies to determine cause and manner of death. 
  • Forensic Toxicology: Analyzing substances in the body, like drugs or poisons. 
  • Forensic DNA Analysis: Matching biological samples to individuals. 
  • Forensic Entomology: Using insects to estimate time of death. 
  • Digital Forensics: Investigating cybercrimes through electronic data.

For example, in a murder case, a forensic scientist might analyze blood spatter patterns to reconstruct the crime scene, test DNA to link a suspect, or examine gunshot residue to identify the weapon used. It’s all about turning raw data into objective, court-admissible answers.


First, I was pleased to see digital forensics included in the primary list.  It wasn’t too long ago that digital forensics was not included in the list, and well-respected academic and practitioner organizations like AAFS lumped digital forensic practitioners in the “general” category.  But when we dissect Grok’s answer, we see that there are some very basic elements that go into what constitutes a forensic science, like application of scientific principles and thorough analysis of the evidence to lead to conclusions utilizing methods that are defensible, repeatable and suitable for a court of law.  


The analogy I often cite to my students is digital evidence vs. fingerprint evidence.  When fingerprints are discovered at a crime scene, they are secured, documented and photographed.  When we collect fingerprints from a crime scene, do we take the original fingerprint and conduct our analysis on it, or do we replicate the fingerprint and verify it as an exact copy and analyze that?  In most cases, and unless there’s a bona fide reason to do so, we make a copy of the fingerprint by photographing, dusting, lifting or any number of other, more modern methods to obtain a suitable copy of the fingerprint for further analysis.  Side note: yes, I know I’m showing my age by citing “dusting and lifting”, but the general principles are the same.





Digital forensics is no different in practical application.  We document the evidence with photographs, chain of custody and other notes in our pre-acquisition documentation.  We then use industry-standard tools to acquire (or copy) that evidence and validate that copy as viable and as close to an exact copy as possible, given the technical specifications and limitations of the evidence we’re acquiring (i.e., phone vs. stand-alone computer vs. cloud vs. network data capture).  We then analyze the evidence to help confirm or refute the allegations in the matter, often conduct deeper analysis to attempt to locate potentially obfuscated evidence or trace evidence (artifacts), develop a thorough timeline of events surrounding relevant periods, attempt to ascribe a person to an activity and ensure our findings are accurate and complete.  
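One way to carry out the acquire-and-validate step described above, shown as an added example that is not from the original post: it images a source block by block, records any unreadable blocks so the report can state exactly where the copy is not exact, and re-verifies the finished image by SHA-256. The hashing method, block size, `FlakySource` stand-in and sample data are assumptions constructed for the illustration.

```python
import hashlib
import io

BLOCK = 512  # sector-sized reads (assumed for this example)

class FlakySource(io.BytesIO):
    """Constructed stand-in for a failing drive: listed blocks raise on read."""
    def __init__(self, data, bad=()):
        super().__init__(data)
        self.bad = set(bad)

    def read(self, n=-1):
        if self.tell() // BLOCK in self.bad:
            raise OSError("simulated unreadable sector")
        return super().read(n)

def acquire(source, size, image):
    """Copy `size` bytes block by block; return (image SHA-256, unreadable blocks)."""
    digest, unreadable = hashlib.sha256(), []
    for offset in range(0, size, BLOCK):
        source.seek(offset)
        want = min(BLOCK, size - offset)
        try:
            chunk = source.read(want)
        except OSError:
            chunk = b"\x00" * want              # zero-fill the gap ...
            unreadable.append(offset // BLOCK)  # ... and record it for the report
        image.write(chunk)
        digest.update(chunk)
    return digest.hexdigest(), unreadable

def verify(image, expected_hex):
    """Re-read the finished image and confirm it still matches the acquisition hash."""
    image.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: image.read(BLOCK), b""):
        digest.update(chunk)
    return digest.hexdigest() == expected_hex

def demo():
    original = bytes(range(256)) * 8            # 2048 constructed bytes = 4 blocks
    source_hash = hashlib.sha256(original).hexdigest()
    clean_img, flaky_img = io.BytesIO(), io.BytesIO()
    clean_hash, clean_bad = acquire(FlakySource(original), len(original), clean_img)
    flaky_hash, flaky_bad = acquire(FlakySource(original, bad={2}), len(original), flaky_img)
    return {
        "clean_matches_source": clean_hash == source_hash,  # exact copy
        "clean_unreadable": clean_bad,
        "flaky_matches_source": flaky_hash == source_hash,  # not exact: block 2 lost
        "flaky_unreadable": flaky_bad,                      # documented limitation
        "flaky_image_verifies": verify(flaky_img, flaky_hash),
    }
```

The second acquisition is the interesting case: the image cannot match the original medium, yet it is still verifiable against its own acquisition hash, and the list of unreadable blocks is what lets the examiner explain the difference.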



Training, Education & Experience


Each of Grok’s cited disciplines involves a large amount of training and education to be able to competently address all of the various steps in the forensic process.  There are several elements, however, that are tried and true across these disciplines that help ensure each of them is a forensic science.  Knowledge and skills in areas such as statistical analysis, pattern analysis, quantitative analysis and experience incorporating those characteristics in your overall workflow are essential.  These skills are often taught in an academic environment and put into place in a lab environment.  They can also be acquired, honed and refined over years of hands-on practice, but they are vital skills that need to be incorporated into every case.  


Training is essential, but certainly not all-encompassing.  Training differs from formal education in that a training course is usually shorter in duration, slightly less formal, and is designed to give the student participant a mixture of lecture and hands-on experience with the particular topic of the training.  Training can (and often does) go hand-in-hand with certification, but neither is designed to get a practitioner to a level of expertise suitable for thorough analysis and presentation in court, despite what the marketing folks who offer the training may tell you.  One analysis tool on the market offers a “Subject Matter Expert” training & certification course.  They are not the determiners of who is or is not a “Subject Matter Expert”, nor can they issue such a declaration suitable for a court of law.  A prospective student of training and/or certification courses needs to scrutinize what is being taught and by whom.  Tool-based trainings are designed primarily to get you acquainted with the tool, not much else.  This is analogous to an auto mechanic being trained to work on one make of automobile.  That may help them work on that particular make of car, and even provide *some* knowledge about similar cars, but it certainly doesn’t provide a global knowledge of the practice of automobile service and repair.


Most tool-based training courses provide little (if any) education about how data is stored, the nuances of different file types and how that relates to storage and catalog of metadata, common means to hide data, recognition of different file types, different versions of operating systems and how they store and track data, etc.  The best training courses I’ve ever taken have been immersion courses that start from building a computer and installing the operating system, to identifying the hardware components to learning the basics of binary data storage, hexadecimal conversions, file system types and how they work on different storage mediums and how to identify and appropriately analyze data stored on different devices, given these varying parameters.  I dare say I’ve never been to a tool-based training course that offers this type of in-depth background education along with hands-on experience, which is vital to effective analysis in digital forensics, just like understanding molecular biology at its basic levels is vital to DNA analysis.


But as many have echoed in recent years, nothing beats experience.  Case work is king.  The problem is, if you skip a large part of the basic information and jump right into a tool-based certification program then purport to “do forensics”, you’re lacking in a large part of the required knowledge.  Will the judge or jury care?  Maybe, maybe not.  But it could mean the difference between looking at what is presented to you vs. locating the truth through an in-depth analysis.  There’s a big difference.  I recently heard another practitioner declare “the evidence speaks for itself!”  No, it really doesn’t.


Watered Down Digital Forensics


Circling back to the impetus for this article, I’m seeing a trend in the DF/IR industry of more and more people thinking they’re doing real forensic analysis when in reality, they’re just dabbling in it – pushing buttons and spitting out results.  And while I admire many of my colleagues in the private investigative industry, PIs are among the worst at this.  My experience over the past 11 years in private practice has been that PIs don’t want to pay an expert to do what an expert is trained and experienced at doing because they feel that’s taking away from their bottom line.  Many also think there’s little more to it than pushing the button and getting the answer, so why wouldn’t they just do it themselves?  For starters, none of them are in the practice of forensic analysis.  They wouldn’t do this with ballistics or DNA or fingerprint evidence, so why do they think it’s appropriate to do with digital forensics?  


The challenge I’d put forth to anyone “doing digital forensics” is this – Name a forensic discipline, as cited above, where anyone who purchases a tool to assist in conducting said analysis, and perhaps a bit of training/certification in the specific tool, is then capable of conducting that analysis to come to conclusions within a reasonable degree of scientific certainty.  Because I purchase a PCR analysis machine and take a course in how to use it does not make me an expert in DNA, nor does it adequately prepare me to conduct DNA analysis.  



This is where digital forensics is going down a tumultuous path.  If we allow the watered-down, “any Tom, Dick or Harry can do it” mindset amongst some to continue to permeate our industry, we’ll end up losing the trust of the courts and the public in our practice, our findings and our conclusions.  It took years to be accepted as a true forensic discipline, and now the advent of burgeoning undergraduate and graduate programs in digital forensics has meant an even wider acceptance of our discipline, but if we’re not careful, we’ll start to head down the “junk science” path, and no one wants that.  


What’s Next?


We have to be vigilant.  We have to recognize practitioners who are simply pushing a button or throwing a shingle out saying they “do digital forensics” as likely being detrimental to the legitimacy of our practice.  As a community, standards must be set and kept.  Only through diligent application of this will the courts and the public continue to trust our practice and the findings that come from it.  No one would believe a pathologist “expert” who never went to medical school, so by setting the standard as an industry, we work to ensure that only those who are properly trained, educated and experienced in the field are appropriately deemed as experts.


How do you do that?  First, get acquainted with the Best Practice documentation published by the Scientific Working Group on Digital Evidence (SWGDE).  SWGDE is one of our governing bodies, and by familiarizing yourself with these documents, adhering to them in your practice, and instituting them as your “policy” with regard to practice, we raise the bar.  Charlatans and fly-by-night analysts don’t want to do this, so professional practitioners, we must.  


Join and get involved in reputable organizations like SWGDE, the International Association of Computer Investigative Specialists (IACIS) and the American Academy of Forensic Sciences (AAFS), Digital and Multimedia section.  AAFS in particular has a robust, growing Digital and Multimedia Sciences community and it challenges practitioners to take a purely scientific approach to their analysis and findings.  There is also a vetting and promotional process associated with AAFS, and it’s an internationally respected organization.  


Grok was also kind enough to offer some etymology for the word “forensics”:  The term "forensic" comes from the Latin forensis, meaning "of or before the forum."  The forum is relayed as the pursuit of justice (i.e., the courts), but it doesn’t have to be solely that.  As a community, we are a forum of professionals that bears the responsibility of administering, and sometimes policing, our practice.  How do we continue to do this?  Participate!


I see a ton of participation from a very few people in our industry.  These are fortunately all good, smart, capable, experienced professional digital forensic practitioners, but they won’t be around forever and if we want to grow, we have to decide to participate and cultivate the knowledge base and next generation leadership that exists within our industry, lest it get further watered-down, fizzle away and die off.  


Do I think that would really happen?  No, but I don’t like some of the trends I see in our practice and if we’re not careful, it could lead to bad outcomes for us all.



About the Author:

Patrick Siewert served 15 years in full-time law enforcement and investigated hundreds of high-tech crimes to precedent-setting results. Patrick is a graduate of SCERS & BCERT and is a court-certified expert witness in digital forensics, mobile forensics and historical cell site location analysis. He has published dozens of articles and is cited in numerous academic papers. He was the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA) and currently serves as Director of Digital Forensics and E-Discovery for a Nationwide (US) provider of DF/IR and e-disco litigation support services, while keeping in touch with the public safety community as a Law Enforcement Instructor in multiple disciplines.

Email:  Patrick@ProDigital4n6.com

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  

Patrick Siewert on X/Twitter : @RVA4n6

Patrick Siewert on Substack :  rva4n6.substack.com 

Pro Digital (old) blog site :  https://prodigital4n6.blogspot.com/ 
