June 1, 2026
Training Philosophy: Law Enforcement vs. Private Sector
"Live like a flock feeding together with equal right in one common pasture."
-Zeno of Citium
This month I’m going to re-visit an old topic, but it’s not so old that it’s irrelevant. In fact, it comes up multiple times per year. Recently, in an exchange with another user on the DFIR Discord server, a training opportunity was posted. Some of it was law enforcement (LE)-restricted, some of it was not. So I posed the question: Why is (some) of this training LE-only?
The answer I got back was less than substantive, but it begs the larger question yet again: What is covered in law enforcement restricted training that is so specialized, secretive or otherwise sensitive that it needs to exclude everyone else?
The Purpose of Training
In order to thoroughly dive into this topic, we must first take a step back and ask: what is the purpose of training, particularly in the field of digital forensics? Much has been debated and bandied about regarding vendor-neutral vs. vendor-specific training, so I won’t re-hash those arguments here, but when we, as a practice, ask “what is the purpose of training in our practice”, the answers must be universal, regardless of who signs your paycheck.
Training should universally:
• Provide a base of knowledge that creates or enhances basic skillsets
• Serve to introduce new topics, tactics, tools, procedures and approaches
• Help students understand the general landscape of the practice, or in some instances, the specific application of aforementioned tools, topics, etc. to a portion of the practice
• Provide a documented background of accomplishment, if not certification or proficiency testing
• Plant the proverbial seed(s) from which skills and expertise grow
While not exhaustive, this listing works as an important definition of what anyone should expect from training. And it is the goal of this article to express why none of these things are or should be restricted to law enforcement.
Providing a Base of Knowledge
What is a base of knowledge in DF/IR? Among many other things, the knowledge of hardware, software, data storage, file systems, mobile architecture, mobile technology, application storage systems, and many other areas. There is nothing that law enforcement does or uses these subject areas for that is generally deemed restrictive. There is nothing about how any of these topics, items or devices works that is a trade secret restricted to law enforcement. It’s essentially computer science 101.
In fact, there are many training courses offered in these topics that are not restricted to law enforcement. I suspect it’s because the information is so basic and documented in academic and engineering text that there’s no tradecraft involved. However, there is one DF/IR subset where this isn’t always the case: Historical cell site location information (CSLI) analysis.
For some reason and somewhere along the way, it became a piece of law enforcement tradecraft to conduct CSLI analysis. Heck, even the first course I ever took as a private sector provider was given at a police training facility and I was the only non-LE in the room. So why is it that this particular subset would be LE-restrictive? What special sauce is taught to LE about this that isn’t available to the private sector? Of course, I’m well aware that certain tools for this work are LE-restrictive, but again we must ask ourselves – why? Is there some privilege that LE gets over CSLI analysis that the rest of the practice group should not?
Introducing New Tactics, Tools, etc.
One area in which the government and law enforcement have historically excelled is the development of new digital forensic approaches. They are and have been on the cutting edge of technology, tactics and tools. Look no further than the advent of Graykey several years ago. While it wasn’t developed by a governmental entity, it was (and is) marketed solely for law enforcement use. On that, I sort of understand why. The tool is very powerful, particularly when it comes to the advantage of bypassing phone pass codes. The propensity for that to be abused in the private sector is a huge liability.
Except, for legitimate providers in the private sector, there is hardly ever a need to bypass a pass code. Not never, but almost never. There’s also the outstanding question whether or not the full file system collection performed by Graykey is a 1:1 comparison to those done by similar tools now available to the private sector.
When it comes to ICAC and CSAM investigations, having conducted many of them personally, I understand why the sensitive nature of what is being investigated is at issue. However, also having attended that training, they don’t look for *actual* CSAM in the training environment. The ICAC training trope of looking for “kitty porn” (i.e., pictures of cats) is probably still in use. So what is so restrictive or sensitive about the tactics, tools and methods that this training can’t be available to any vetted legitimate DF/IR professional?
There really isn’t a reason.
Practice Landscape
Having more than a passing 17+ year (and counting) fancy with DF/IR, it’s a truism of the field that the landscape of the practice changes regularly. It is the thing that draws many of us to the practice – the fact that the paradigm changes with every new device, operating system, landmark case, etc. Look no further than AI and all of the conversations around how to best incorporate it into our work (if at all).
But this is yet another area where there is no special secret for which only law enforcement can hold the answers. The practice also grows as a whole when we all work toward solving problems, regardless of who is working the case.
Understanding the particular application of tools is yet another area where CSLI stands out as being law-enforcement restrictive. TraX/ZetX is LE-restricted – and given for free to those who attend NCFI. NDCAC cell site lists and tools are also LE-restricted, and in almost every case, NDCAC is the most effective resource at obtaining cell site listings. Sometimes, it’s the only resource. So unless there’s some top-secret security clearance-level data of which I’m unaware in a cell site listing, why is access to them restricted to law enforcement? The same question applies to the other NDCAC tools.
There is no articulable reason, other than somebody doesn’t want non-LE to have it because they said so.
The last two bullet points are fairly self-explanatory, so for added context, let’s compare DF/IR to the other forensic sciences…
DF/IR vs. Other Forensic Sciences
I’m fortunate to be adjunct to a fantastic university system teaching digital forensics, and almost all of my students are forensic science majors. This allows not only for decent perspective and a fair amount of “a-ha!” moments in class, but it affords the ability to compare what we do in digital forensics with what is studied, tested, reported and testified to in the other forensic sciences… We’ll call them the “traditional forensics”.
In what other area of traditional forensics is there training, education, analysis tools or other forms of information/data that would assist in determining the scientific facts of the case restricted to law enforcement?
DNA… Nope.
Fingerprints… No.
Forensic Toxicology… No.
Forensic Pathology… No.
Toolmark identification… No.
Firearms & ballistics… Nada.
…And the list goes on. One only needs attend an AAFS conference to see the wide swath of practitioners in the traditional forensic sciences.
While I’ll grant that specialized training in some of these areas is facilitated by governmental entities, that’s about where the “restriction” ends. To their credit, whenever the Virginia Department of Forensic Science sponsors a DF/IR class, they invite everyone. But that may be the exception, not the rule. Most of the above examples are taught to anyone who wants to learn them through the University system because they are based in scientific principles, just like DF/IR is… or should be.
The point is that nowhere else in the practice of traditional forensic science is there a notable exclusive restriction for certain types of training, education, data or tools other than in DF/IR. This post isn’t intended to complain. It’s intended to keep the conversation going about WHY this is the case, and further the scrutiny over this approach.
The evidence doesn’t know good guy from bad guy. The truth isn’t found more often by those using law enforcement-restricted training & tools than those using non-LE training & tools. In the practice of forensic science, we let the science and the evidence lead us to the truth. In many of the above examples, there is space for opinion much more often than with DF/IR, which further bolsters the argument for openness and transparency in training, tools and techniques.
We’re all after the same thing, but unless we’re playing with an equal deck of cards, one “side” will always have the upper hand and, to continue the analogy, the “house” will continue to prevail. There’s nothing scientific about this approach.
About the Author:
Patrick Siewert served 15 years in full-time law enforcement and investigated hundreds of high-tech crimes to precedent-setting results. Patrick is a graduate of SCERS & BCERT and is a court-certified expert witness in digital forensics, mobile forensics and historical cell site location analysis. He has published dozens of articles and is cited in numerous academic papers. He was the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA) and currently serves as Director of Digital Forensics and E-Discovery for a Nationwide (US) provider of DF/IR and e-disco litigation support services, while keeping in touch with the public safety community as a Law Enforcement Instructor in multiple disciplines.
Email: Patrick@ProDigital4n6.com
Patrick Siewert on LinkedIn: https://www.linkedin.com/in/patrick-siewert-92513445/
Patrick Siewert on X/Twitter : @RVA4n6
Pro Digital (old) blog site : https://prodigital4n6.blogspot.com/