As the battle goes on about defining the profession, technology is advancing the industry to provide more information to the computer forensic investigator.  The latest trend is memory analysis that is providing detailed information that the investigator did not think of in past investigations.  Memory forensics is providing clear analysis of the whole picture when it comes to the investigation.  The advantage of memory analysis is that it is putting you at the crime spot with your camera in hand.  Vital state information of the machine is becoming key in the process of computer forensics.  The value of live investigations provides rapid response, meets the challenge of large network topology, and circumvents encrypted file systems.  The analysis with live investigations becomes a quick and easy way to find out the state of the system with accessible areas like current user activity, running processes, handles, registered drivers, physical memory analysis, system info, network connectivity and attached peripherals.  The amount of information provides investigators the ability to connect the dots a lot faster and/or provide a pre-incident triage of the computer before arriving on the scene.  The challenge that live investigations creates is a total paradigm shift in the investigation process.  The investigation becomes a proactive thought process to implement.   What comes with the paradigm shift is another level of education for the legal profession and the process of memory analysis is looking at the state of the system in a constantly changing environment.  In a live environment, users are still using the computer and changing the system state all the time.  Remember you have your camera in hand and the snap-shot is a moment in time which is very different than the post-mortem analysis.   Will the courts accept the premises of memory analysis or will they struggle and continue to revert back to the post-mortem process?
 

Reported in ComputerWorld on August 12^th 2008, Belcamp, Maryland based MediaSentry parent company SafeNet had complaints filed against the company for violations of the new Public Act 146 for the investigation of students from Central Michigan University and University of Michigan.  According to the SafeNet website, “they help clients detect and deter unauthorized distribution of copyrighted content and prosecute those who engage in media and software piracy.”  Read more of the details in the article by ComputerWorld: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112467&pageNumber=1

This news is interesting on several levels as the new law takes form in the State of Michigan.  Is the new law actually doing some good by protecting the legitimacy of the profession of Computer Forensics investigations?  Or is this a tactical approach for the defense?  As the Act claims it first victim it will be very interesting how this will play out over the next few months. 

The problem that people in the industry are facing is that the act was implemented/rolled out without any planning or grace period to adjust to the new act.  The impact of this new law has affected our current clients and case load prior to the act passing.  The application time period is not fast enough and there will be no time to compensate for the loss of current and potential business.  We have been one of the lucky ones to have a diversified array of services in information security to absorb the impact of this act passing. 

The Computer Forensics Industry and DLEG will have to work closely together to bring Public Act 146 and the industry into compliance.  The concerning area that will have a greater impact on the industry is the affiliations with other states on computer forensics investigations.  As the network grows and grows in a global economy so does the need for speed and availability of accessing the data in any location.  Public Act 146 has impacted the security and IT industry tremendously from computer forensics, eDiscovery and monitoring of individuals.  According to the act an investigation starts when you are targeting or questioning an individual’s:

(e)(ii) – the identity, habits, conduct, business, occupation, honesty, integrity, credibility, trustworthiness, efficiency, loyalty, activity, movement, whereabouts, affiliations, associations, transactions, acts, reputation or character of a person.

In the IT world this could be the tracking of IP addresses, MAC address, VOIP, email address, etc., that would link the computer to the individual.  This is where I would express extreme caution based on the general statement of targeting individuals.  The impact reaches beyond the computer forensics professional and now applies itself to all investigations as any investigation in today’s working world deals with some kind of computer based evidence that will be used to prove an individual’s wrong doing. 

I believe that Public Act 146 will be good for the industry once we get through the scramble of compliance with the act.  Overall Public Act 146 will become a milestone for the information security industry and serve to increase the amount of professionalism that should be expected by the professionals in the field. 

Forms & Publications – Private Detective Form http://www.dleg.state.mi.us/dms/results.asp?docowner=BCSC&doccat=Private+Detectives&Search=Search

www.michigan.gov/commerciallicensing

• Preparation
  
• Preservation and Collection of evidence
  
• Examination of evidence
  
• Analysis of evidence