Push for more forensics experts
31st October 2003 (Computimes)
By Rozana Sani

GREATER efforts are needed to produce more computer forensics experts to assist in the investigation of computer crimes carried out by tech-savvy criminals. This is critical as most official and business transactions rely heavily on computer-based systems and as such, are more susceptible to attacks from cyber crooks who know how to avoid law enforcement and are able to hide their activities, say industry experts.

"Lack of cases being prosecuted may lead to the increase of the number of computer crimes. Computer forensics experts need to provide testimonies in court to help them develop cases and help convict the criminals," said National ICT Security and Emergency Response Centre (Niser) computer forensics manager Ahmad Ubaidah Omar.

To serve as credible expert witnesses in court in the forensics area, Ahmad Ubaidah said, computer forensics experts need relevant experience and specialised training, which are now lacking in Malaysia.

"Computer forensics is a specialised field which requires continuous skills and knowledge improvement. Academic courses alone will not suffice. It would be good if local universities and training institutions could provide a postgraduate degree as offered by overseas institutions," he said.

Ahmad Ubaidah added that local universities are about to start offering postgraduate courses in information security but computer forensics is more specialised than that.

"So, perhaps it would take some time before they would be able to offer the course. More research in this area must be conducted, so that we can be a step ahead of cyber criminals," he said.

Ahmad Ubaidah said that at present, most training courses in computer forensics provided by the industry come either from tool vendors such as Guidance Software and NTI or from independent organisations such as SANS Institute or HTCIA.

"Unfortunately, most of them are only available overseas. At Niser, we do provide training to law enforcement agencies to help them grow and produce more experts in the area. To be a credible expert witness, a computer forensics expert should preferably have an MSc/Ph.D degree in the related field, solid three years' experience of handling related cases, professional certifications and attended training courses such as GCFA, CFE and ENCE."

Meanwhile, Wordware Distributors (M) Sdn Bhd's managing director Wilson Wong said law enforcement agencies and relevant staff within organisations can take advantage of the support given by the Human Resource Ministry through the Human Resources Development Fund to pursue professional courses like the computer hacking forensic investigator (CHFI) to develop the experts needed.

"The course will soon be launched by the International Council of Electronic Commerce Consultants (EC-Council), which is a professional organisation established in the United States, with headquarters in New York hosting members and affiliates worldwide. The CHFI course will give participants the necessary skills to identify an intruder's footprints and to properly gather the necessary evidence to prosecute," he said.

Wong said the CHFI course will benefit police and other law enforcement personnel, defence and military personnel, e-business security professionals, systems administrators, legal professionals, banking and insurance professionals, government agencies and IT managers.

"Computer hacking forensics investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence," he said.

Wong said evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud.

"CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information."