Police and private sector forensics differences

Because of the nature of the work, there is a vast difference between the skillset of a law enforcement cyber forensics analyst and that of his private sector counterpart. If you intend to hire an ex-law enforcement analyst, read on to find out whether it is a good fit.

Law enforcement forensics analysts have much better procedural knowledge compared to private sector analysts

Almost all cases worked by law enforcement analysts will eventually end up in court; it is a waste of police time to investigate cases that will not end in prosecution. Therefore, there is a large emphasis on evidence collection procedures: evidence must be sealed in evidence bags to prevent tampering, it must pass through proper chain of custody procedures, and its integrity must be guaranteed through checksums. All actions must be documented and timestamped.
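The three controls named above (integrity checksum, chain of custody, timestamped record of every action) can be shown in a few dozen lines. The following is an added example, not code from the original post: it hashes an acquired file, records each custody event with a UTC timestamp, and re-verifies the hash on hand-over, logging the verification itself. The evidence item, analyst names and file contents are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only list of timestamped custody events for each evidence item."""

    def __init__(self):
        self.entries = []

    def record(self, evidence_id, action, handler, sha256, note=""):
        entry = {
            "evidence_id": evidence_id,
            "action": action,
            "handler": handler,
            "sha256": sha256,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def acquisition_digest(self, evidence_id):
        """The hash recorded when the item was first acquired is the reference value."""
        for entry in self.entries:
            if entry["evidence_id"] == evidence_id and entry["action"] == "acquired":
                return entry["sha256"]
        raise KeyError(f"no acquisition record for {evidence_id}")

    def verify(self, evidence_id, path, handler):
        """Recompute the hash; log the result either way so the check itself is documented."""
        expected = self.acquisition_digest(evidence_id)
        actual = sha256_file(path)
        ok = actual == expected
        self.record(
            evidence_id,
            "verified" if ok else "integrity_failure",
            handler,
            actual,
            note="" if ok else f"expected {expected}",
        )
        return ok

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo(tamper=False):
    """Walk one item through acquisition, hand-over and verification.

    Returns (integrity_ok, custody_entries). Evidence content, ids and handler
    names are constructed for the example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "EV-001_browser_history.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample evidence contents\n")

        log = CustodyLog()
        log.record("EV-001", "acquired", "Analyst A", sha256_file(path),
                   note="copied from seized laptop (hypothetical)")
        log.record("EV-001", "transferred", "Analyst B",
                   log.acquisition_digest("EV-001"),
                   note="handed over in sealed evidence bag (hypothetical)")

        if tamper:
            # Simulate an undocumented modification between hand-over and verification.
            with open(path, "ab") as fh:
                fh.write(b"x")

        ok = log.verify("EV-001", path, handler="Analyst B")
        return ok, log.entries


if __name__ == "__main__":
    ok, entries = demo()
    print("integrity ok:", ok)
    print(json.dumps(entries, indent=2))
```

Running `demo(tamper=True)` shows the point of logging the verification: the failure is itself a timestamped custody event naming the handler who discovered it, rather than a silent mismatch.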

In contrast, cases worked by private sector analysts rarely end up in court. Private sector analysts usually work on cyber incidents such as ransomware attacks, hacking attempts and website defacements. These incidents are normally carried out by criminals located overseas, and it is a challenge even to work out the perpetrator's actual identity, let alone prosecute them in a foreign court of law.

The only cases which may end up in court are insider threat cases, where an employee steals intellectual property belonging to the company. In such cases, it is possible for the company to sue the employee for damages in civil court because the identity of the employee is known, the employee is located within the same jurisdiction, and the employee has violated the contract he signed with the employer. Since this is a civil case, the burden of proof is lower than in a criminal case: proof beyond reasonable doubt is not required, and the evidence collection procedures need not be as strict.

Private sector analysts have much stronger technical cybersecurity knowledge compared to law enforcement analysts

Private sector analysts work on sophisticated cyber incidents. These are often multi-stage attacks in which the attacker gains an initial foothold in the environment, performs enumeration, moves laterally within the network and finally takes action to achieve his objective, be it encrypting files, exfiltrating files or causing destruction. Investigating them requires analysts to be conversant with process data, netflow data, authentication data, DNS data and persistence methods, and to correlate all of these to reconstruct the storyline of the entire attack. Hence, they require much stronger technical cybersecurity knowledge.
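What "correlating all of these" looks like in practice is shown by the following added example, which is not code from the original post. It takes a handful of constructed records from four sources (authentication, process creation, DNS, netflow), normalises them into one timeline, and derives from it the things the incident report actually needs: the lateral movement path, the hosts involved in order of first appearance, and the accounts that must be reset. Hostnames, users, addresses, domains and the internal address inventory are all hypothetical.

```python
from datetime import datetime

# Constructed sample telemetry in key=value form, one list per data source.
# Hostnames, users, addresses and domains are hypothetical.
AUTH_LOG = [
    "ts=2024-05-01T08:00:05Z host=ws01 user=jdoe src=203.0.113.7 result=success svc=vpn",
    "ts=2024-05-01T08:20:10Z host=srv02 user=jdoe src=10.0.0.11 result=success svc=smb",
    "ts=2024-05-01T08:20:12Z host=srv02 user=svc_backup src=10.0.0.11 result=failure svc=smb",
]
PROCESS_LOG = [
    "ts=2024-05-01T08:03:12Z host=ws01 user=jdoe parent=winword.exe child=powershell.exe",
    "ts=2024-05-01T08:25:40Z host=srv02 user=jdoe parent=cmd.exe child=schtasks.exe",
]
DNS_LOG = [
    "ts=2024-05-01T08:03:15Z host=ws01 query=update.example.net answer=198.51.100.23",
]
NETFLOW_LOG = [
    "ts=2024-05-01T08:30:00Z src=10.0.0.12 dst=198.51.100.23 dport=443 bytes_out=734003200",
]
SOURCES = {"auth": AUTH_LOG, "process": PROCESS_LOG, "dns": DNS_LOG, "netflow": NETFLOW_LOG}
IP_TO_HOST = {"10.0.0.11": "ws01", "10.0.0.12": "srv02"}  # hypothetical internal inventory


def parse_kv(line, source):
    """Turn one key=value line into a dict with a datetime ts and a source tag."""
    event = dict(token.split("=", 1) for token in line.split())
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["source"] = source
    if "host" not in event:
        # Netflow records carry no hostname; attribute the flow to the internal source address.
        event["host"] = IP_TO_HOST.get(event.get("src"), event.get("src"))
    return event


def build_timeline(sources):
    """Normalise every source into one list ordered by time."""
    events = [parse_kv(line, name) for name, lines in sources.items() for line in lines]
    return sorted(events, key=lambda e: e["ts"])


def lateral_movement(timeline):
    """Successful logons whose source is an internal host that was already active earlier."""
    active_hosts = set()
    moves = []
    for e in timeline:
        if e["source"] == "auth" and e["result"] == "success":
            origin = IP_TO_HOST.get(e["src"])
            if origin in active_hosts and origin != e["host"]:
                moves.append((origin, e["host"], e["user"], e["ts"]))
        active_hosts.add(e["host"])
    return moves


def compromised_hosts(timeline):
    """Hosts in the order they first appear in the attack storyline."""
    return list(dict.fromkeys(e["host"] for e in timeline))


def accounts_to_reset(timeline):
    """Accounts that authenticated successfully during the incident window."""
    return {e["user"] for e in timeline if e["source"] == "auth" and e["result"] == "success"}


def describe(timeline):
    """Render each event as one storyline line for the report."""
    lines = []
    for e in timeline:
        if e["source"] == "auth":
            detail = f"{e['result']} {e['svc']} logon for {e['user']} from {IP_TO_HOST.get(e['src'], e['src'])}"
        elif e["source"] == "process":
            detail = f"{e['parent']} spawned {e['child']} as {e['user']}"
        elif e["source"] == "dns":
            detail = f"resolved {e['query']} -> {e['answer']}"
        else:
            detail = f"sent {int(e['bytes_out']) // 1_000_000} MB to {e['dst']}:{e['dport']}"
        lines.append(f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['host']:<6} [{e['source']:<7}] {detail}")
    return lines


if __name__ == "__main__":
    timeline = build_timeline(SOURCES)
    print("\n".join(describe(timeline)))
    print("lateral movement:", lateral_movement(timeline))
    print("hosts to rebuild:", compromised_hosts(timeline))
    print("accounts to reset:", accounts_to_reset(timeline))
```

The sorted, merged timeline is what makes the storyline readable: the VPN logon, the Office document spawning PowerShell, the DNS lookup, the SMB logon to the server from the workstation's address, the scheduled task and the large outbound transfer only tell a coherent story once they sit in one ordered list, which is why the analyst needs all four data types rather than any one of them.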

In comparison, law enforcement analysts generally work on cyber-enabled crimes: real-world crimes with a technological element, such as e-commerce scams, credit card theft, harassment over email or messaging platforms and so on. They are usually perpetrated by criminals in the same jurisdiction. Investigating such crimes does not require strong cybersecurity knowledge, as the work mostly consists of copying files: invoice files and browser history as evidence of e-commerce scams or credit card theft, emails or messages as evidence of harassment, and so on. No further analysis is needed. As long as the files are copied in a forensically sound manner and timestamped, they can be presented in court as evidence of the crime. At the very most, some file carving knowledge is needed to recover deleted files.

It is very rare for law enforcement to be involved in sophisticated cyber incidents. To illustrate the point, it took 2 years of collaboration between US, Korea and Ukraine law enforcement, as well as Interpol, to finally arrest 6 criminals behind the Clop ransomware, which is alleged to have caused $500 million in damages. Even then, sources believe the impact on the group is minor, as most of the core actors are believed to be based in Russia, which may be less willing to collaborate for political reasons. This shows why law enforcement generally works on cyber-enabled crime: it is much more fruitful and likely to end in prosecution.

Summary

I have seen reports from former law enforcement forensics analysts that contained only observations and no analysis, e.g. "25 counts of unauthorized access to xmlrpc.php were observed from 1.2.3.4". This is perfectly fine if the report is going before a court of law. However, in the private sector, we are less concerned with whether it was 21, 25 or 30 access attempts. What we want to know is what resulted from those attempts. Did the attacker succeed in gaining privileged access, and what did he do subsequently? Which machines and accounts have been compromised and have to be reset? If you intend to hire an ex-law enforcement analyst, do make sure that he can analyse a cyber incident and is not merely providing observations.
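The difference between an observation and an analysis can be made concrete on the xmlrpc.php example above. The following is an added example, not code from the original post: it parses constructed web server log lines in combined format, produces the observation (attempts per client address) and then the analysis (did the attempts lead to authenticated admin activity, over what window, and what has to be cleaned up). The log lines, the second client address and the admin paths are constructed; 1.2.3.4 is kept from the text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format: client, identd, user, time, request, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def _line(ip, ts, method, path, status, size):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] "{method} {path} HTTP/1.1" '
            f'{status} {size} "-" "Mozilla/5.0"')


T0 = datetime(2024, 5, 1, 8, 0, 0)
ACCESS_LOG = (
    # 24 rejected attempts, then one that returns 200, from 1.2.3.4 (the address in the text)
    [_line("1.2.3.4", T0 + timedelta(seconds=i), "POST", "/xmlrpc.php", 403, 312) for i in range(24)]
    + [_line("1.2.3.4", T0 + timedelta(seconds=24), "POST", "/xmlrpc.php", 200, 1048)]
    # follow-on admin activity from the same client: this is what turns a count into a finding
    + [_line("1.2.3.4", T0 + timedelta(seconds=60), "GET", "/wp-admin/", 200, 54120),
       _line("1.2.3.4", T0 + timedelta(seconds=75), "GET", "/wp-admin/user-new.php", 200, 31877),
       _line("1.2.3.4", T0 + timedelta(seconds=90), "POST", "/wp-admin/user-new.php", 302, 0)]
    # a second client that was rejected every time and never came back
    + [_line("198.51.100.9", T0 + timedelta(minutes=5, seconds=i), "POST", "/xmlrpc.php", 403, 312)
       for i in range(5)]
    # ordinary visitor noise
    + [_line("192.0.2.50", T0 + timedelta(minutes=10), "GET", "/", 200, 20011)]
)


def parse(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than guess
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        events.append(e)
    return events


def observe(events):
    """Observation only: number of xmlrpc.php requests per client address."""
    counts = defaultdict(int)
    for e in events:
        if e["path"].startswith("/xmlrpc.php"):
            counts[e["ip"]] += 1
    return dict(counts)


def analyse(events):
    """Per client: did the attempts lead anywhere, and what needs to be cleaned up?"""
    findings = {}
    for ip, attempts in observe(events).items():
        mine = sorted((e for e in events if e["ip"] == ip), key=lambda e: e["ts"])
        xmlrpc = [e for e in mine if e["path"].startswith("/xmlrpc.php")]
        last_attempt = xmlrpc[-1]["ts"]
        # Authenticated admin-area responses after the attempts are the outcome that matters.
        follow_on = [e for e in mine
                     if e["ts"] > last_attempt and e["path"].startswith("/wp-admin/")
                     and e["status"] in (200, 302)]
        if follow_on:
            verdict = "likely_success"
        elif any(e["status"] == 200 for e in xmlrpc):
            # xmlrpc.php answers a failed login with an XML-RPC fault inside an HTTP 200,
            # so a 200 on its own is not proof that the attempt succeeded.
            verdict = "inconclusive"
        else:
            verdict = "no_evidence_of_success"
        findings[ip] = {
            "attempts": attempts,
            "window": (xmlrpc[0]["ts"], last_attempt),
            "verdict": verdict,
            "follow_on_paths": [e["path"] for e in follow_on],
            "actions": (["reset admin credentials", "audit users created after the window"]
                        if verdict == "likely_success" else []),
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyse(parse(ACCESS_LOG)).items():
        print(ip, f["attempts"], "attempts,", f["verdict"], f["follow_on_paths"], f["actions"])
```

`observe` is the court-style statement from the report (25 attempts from 1.2.3.4); `analyse` is what the private sector reader wants, and its output for 1.2.3.4 is a verdict plus a list of accounts to reset and users to audit, while the client that was rejected every time is correctly reported as noise rather than given equal weight.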