I am pleased to have Scott Moulton as a guest Blogger today regarding some new legislation released from Michigan dealing with Computer Forensics and Private Investigation Licensing. -Rob Lee (SANS Institute - forensics.sans.org)
Many of you might know of my involvement in licensing issues for examiners or have seen the "Forensics is for Private Investigators ONLY" speech by Scott Moulton at Defcon 16 earlier this year or have been listening to Dave Kleinman on Brighttalk speaking on the issue. http://www.brighttalk.com/webcasts/1809/attend
The primary issue is that many states are passing laws requiring forensics examiners become private investigators. Now it seems that the state of Michigan now wants you to also have a CISSP to do computer forensics.
Back in May the state of Michigan passed a law making it a felony to practice computer forensics without a PI License that went into effect immediately on May 28th with no grandfather clauses of any kind. Friends of mine that were working on cases had to shut down their shops overnight and discontinue cases they were already engaged in while the state figured out what "qualification" were going to be acceptable. However, the way I understand the Michigan License is that there are no "new" requirements for existing private investigators. If you had a private investigator license at the time this passed, you could continue to do computer forensics without any additional qualifications and, were in fact, the only people that could legally continue to do the work whether you had a computer forensic certificate, CISSP, or any other certification or not.
I have continued to watch the developments that my friends who own companies in Michigan have to go though. Back in October many people that applied had not heard back from the state on what the requirements would be to make them acceptable to do work under the new PI requirements. At that time, Michigan decided to form a working group to address the requirements.
Today I saw the first of the information released from that group. I will allow you to read it and make up your own minds about the details. Here is the post I received.
From: GCFA <gcfa@lists.sans.org> On Behalf Of Lachniet, Mark
Sent: Friday, December 05, 2008 9:23 AM
To: GCFA <gcfa@lists.sans.org>
Subject:[GCFA] FYI - Licensing requirements for practicing computer forensics in the State of Michigan
Hello all,
This may be of interest to you. As some of you know, the State of Michigan recently amended their private investigator licensing act to make it clear that it is legally required to be a P.I. to practice computer forensics in Michigan. At the same time, they recognized that the traditional requirements of becoming a P.I. (working for another P.I., prior law enforcement experience, or a degree in criminal justice or police administration) were too onerous for the average computer forensics practitioner. To address this, they created an additional criteria by which a person could apply for a P.I. license - computer forensics certification.
Since the law was somewhat ambiguous on what the standard for the certifications should be, the licensing department sought input from a small workgroup of Michigan-based security and forensics practitioners on what standard of certification should be accepted. From these discussions, the State of Michigan has developed the following guidance, which I present below, followed by a little personal commentary:
From the State of Michigan:
PURPOSE OF POLICY To define acceptable computer forensic industry certificated studies per the department.
BACKGROUND: Effective May 28, 2008, the Professional Investigator Licensure Act, PA 285 of 1965, was amended. Per MCL 338.826(1)(f)(iv) of the Act, part of the qualifying education to become licensed as a professional investigator could include "computer forensic industry certificated study that is acceptable to the department." The department held a meeting on August 28, 2008 with professional investigator (PI) stakeholders and determined what is acceptable computer forensic industry certification.
APPLICATION : Bureau of Commercial Services, Licensing Division
STATEMENT OF POLICY MCL 338.826(1)(f)(iv) states:
(iv) A graduate of an accredited institution of higher education with a baccalaureate or postgraduate degree in the field of police administration, security management, investigation, law, criminal justice, or computer forensics or other computer forensic industry certificated study that is acceptable to the department.
Departmentally acceptable certificated studies in the computer forensic industry shall be computer forensic certification programs that are comprised of the following two components:
Component 1
A general information security certification. Such certification must have a peer reviewed, common body of knowledge and must include the completion of 40 hours of general security continuing education per year for 3 consecutive years. Examples of such general information security certification are Certified Information Systems Security Professional certification (CISSP) offered by "(ISC)²"; Certified Information Systems Auditor (CISA) offered by the Information Systems Audit and Control Association or "ISACA"; Certified Information Security Manager (CISM) offered by ISACA; or similar information security certification programs deemed acceptable by the department. And;
Component 2
Computer forensic (as defined at Section 2(b) of the Act) specific certification. The certification program must include:
- 40 hours of training which includes the following curriculum:
- Technical material
- Legal aspects of computer forensics (as defined by the Act)
- Search and seizure
- Preservation of evidence
- Investigative best practices
- A written examination, and
- Either a practical exam or a peer reviewed paper.
Mark's opinion: So, for an example, an acceptable set of certifications might include something like a CISSP, SANS GIAC GSEC, or CISA plus a SANS GIAC Certified Forensic Analyst (GCFA) Gold.
Scott Moulton owns and runs Forensic Strategy Services, LLC. / System Specialist. His popular course on Drive and Data Recovery will be offered at the upcoming SANS Forensic Summit in Washington D.C. July 7-8 2009.