For a person to call themselves a General Practitioner of medicine, they must register on the General Medical Council’s GP Register and adhere to the qualification and practice standards it requires. Similarly, a person is only permitted to call themselves a solicitor if they complete a set training path and register with The Law Society, practising in line with the Solicitors’ Code of Conduct.
However, for computer forensic experts – specialists who analyse computers and other electronic devices to recover information admissible as evidence in legal trials and tribunals – no such regulation exists. In fact, anyone can refer to themselves as a computer forensic expert, which could mean that sub-standard analysis or testimony is presented at trial, with the risk of leading a judge or jury towards an incorrect verdict.
While there is no compulsory regulatory body in place to help impose minimum standards upon the computer forensics profession, there are several bodies that offer non-compulsory registration, which typically involves a vetting procedure that requires an expert to meet certain quality standards.
For example, lawyers or corporate organisations looking to secure the services of a computer forensics expert in support of a case might choose to select only those who are registered on the Sweet and Maxwell Expert Witness Register. Registration is only possible after a robust vetting procedure which looks at the expert’s level of knowledge as well as their experience in conducting investigations and giving evidence. Registration also requires agreeing to adhere to a Code of Practice that ensures experts are dependable, reliable and conduct their activities with due diligence.
Similarly, police forces typically follow a set vetting procedure to help reduce the risk of hiring a sub-standard computer forensics expert. For example, practitioners are expected to be able to demonstrate that all investigations are carried out in line with the Association of Chief Police Officers (ACPO) good practice guidelines for computer-based evidence. These guidelines also recommend that any external expert be assessed with regard to specialist expertise, investigative knowledge, contextual knowledge, legal knowledge and communication skills. Vetting might include a visit to the analyst’s laboratory and a full background check on the expert and any other personnel who might come into contact with the evidence.
Another mark of quality that can be sought when engaging the services of a computer forensic expert is British Standard European Norm International Standardisation Organisation (BS EN ISO) accreditation, in particular BS EN ISO 9001:2000, which signifies adherence to management systems standards, and BS EN ISO 27001, which signifies adherence to Information Security standards.
The various standards set out above would seem to offer the perfect framework for a government-backed regulatory body, but a recent attempt to instigate such a body ended in failure. The Council for the Registration of Forensic Practitioners (CRFP) was set up in 1999 with the remit of promoting public confidence in forensic practice in the UK, but was closed on 31st March 2009. The organisers cited a lack of funding from the government, and a lack of support from the ACPO and the Metropolitan Police Service, as the reasons behind the closure. For those keen to see compulsory regulation become a reality, the closure of the CRFP represented a significant setback.
Until such time as clear-cut regulation becomes a reality, it seems that it will continue to be the responsibility of those engaging computer forensics experts to ensure that they meet sufficient standards. For court cases, careful vetting and due diligence could spell the difference between a safe conviction and a miscarriage of justice.