Michael Turner describes and comments on a new scheme for the
registration and validation of forensic computer specialists
On 1 November 2005 the Council for the Registration of Forensic
Practitioners ("CRFP") opened the first UK registration scheme for
forensic computer specialists . The first
specialists in forensic computing, who join over 2,000 forensic
practitioners registered in such diverse fields as Scenes of crime,
Fire scenes, Fingerprints, Forensic Science, Anthropology and Archaeology,
have now been registered.
What does registration mean?
CRFP registration means that the forensic computing specialist:
- is committed to high standards of professional conduct, and
- has been independently accredited as currently competent
In essence the scheme provides the courts and users of forensic
services with external validation of a practitioner's current forensic
competence against relevant and agreed assessment criteria.
Registered Forensic Practitioners are expected to keep up to date
and maintain their competence. Registration is time limited - to
four years - after which an applicant can apply for revalidation.
As the courts gain experience of the significance and value of
registration, it is to be expected that it will become increasingly
important to secure registration.
Scope of the scheme
The CRFP registration scheme applies to computer specialists who
give professional/technical evidence or expert evidence in the judicial
process; they may work for, or be instructed by, parties in civil
cases, by law enforcement agencies or by the defence in criminal
cases or by the courts.
CRFP defines computer specialists as "practitioners who are involved
in the retrieval, identification, examination and assessment of
data held in computing equipment". Forensic fora include the criminal
and civil courts and tribunals.
Readers will know that computing is a very broad church. In order
to get a registration scheme off the ground, CRFP have chosen initially
to limit the scope of the scheme to practitioners who capture and
examine hard disks and data media associated with stand alone PCs
with an internet connection or to interpreting such data in the
context of a case. The present scheme does not include communications
data traffic, network investigations or evidence derived from mainframes
and minicomputer systems.
The register also does not extend to opinion evidence on computer
software and systems in IT contract disputes given by computer expert
witnesses. However if such an expert conducts forensic examinations
(for example, a software version control comparison in a Compliance
with contract specification claim), (s)he would be eligible for
Three Stage model
The scheme is based on a three stage model of the computer forensics
- Data capture
- Data examination
- Data evaluation
The CRFP registration process distinguishes between these three
stages of work.
Data capture is defined as "the retrieval of relevant data from
the subject equipment by a forensically sound process and the creation
of check data and logs to permit future verification".
Data examination is defined as "the identification and examination
of data that may be relevant to a case and the production of information
or exhibits to assist investigators or the court".
Data evaluation is defined as "the assessment of data in the context
of other evidence in the case and the past computing environment,
the drawing of deductions, construing significances, the consideration
of alternative hypotheses, and the expression of opinions, particularly
about the actions of users".
Applicants may apply for registration in one, two or all three
What is assessed?
The registration scheme has been carefully designed to allow an
applicant's current competence to practise to be assessed fairly
An applicant for registration needs to submit:
- Personal/professional details
- Declarations on character and conduct
- Professional referees
- Recent casework details
The applicant must provide evidence of their identity and relevant
qualifications, experience and training; make declarations about
his/her past record and commitment to the principles in the CRFP
Code of Conduct; and submit references from people who can provide
information about his/her professional performance.
However the main focus of the CRFP assessment process is on assessment
of the material that the applicant prepares in the normal course
of practice - real casework.
Assessment by Peer review
Assessment of the real casework is against agreed essential elements
of competence that have been designed to enable anyone doing safe,
competent work to achieve registration.
The assessment procedure allows for the context in which the applicant
works (for example, whether the applicant works mainly for the prosecution
or the defence).
Applicants are required to list their most recent casework, from
which the assessor chooses cases for detailed scrutiny. For each
case, the applicant provides sufficient (anonymised) case documentation
to give the assessor a clear picture of the work done by the applicant.
In many cases, the assessor will ask for further information or
raise questions with the applicant. The assessor assesses the case
material provided against the essential elements, using detailed
sector-specific assessment criteria, before recommending that CRFP
grant or refuse registration.
Assessors are themselves subject to the same peer review assessment
process as other Applicants. The Assessment process itself is subject
to scrutiny by process verifiers to ensure that the assessors are
An Application Pack of all the registration documents is available
for download on the CRFP website at www.crfp.org.uk
or by email request to firstname.lastname@example.org
Computer evidence is used every day in the courts and in almost
every type of case. The registration scheme for forensic computer
specialists heralds a future where such evidence is treated fairly
and consistently by the courts. All users of forensic computer services
and the courts should welcome the launch of the CRFP registration
It has been a long time coming. It is 30 years since doubts were
first raised about the quality of the forensic evidence in the Birmingham
Six case. It is six years since the author recommended to CRFP that
a registration scheme for computing be given a high priority.
It is important to acknowledge the scale of CRFP's achievement.
Six years ago computer forensics was in its infancy. Practitioners
came from highly diverse communities (including computing, computer
security, systems administration, software development, law enforcement
agencies and forensic science) and there had been a history of bad
blood between several of them.
From the inception of this scheme, CRFP have skilfully and successfully
adopted an inclusive (for example with representation from ACPO,
BCS, DEG, NHTCU and FSS as well as leading practitioners) and consensual
approach. A new and systematic classification was made of how forensic
computing work is structured. A pilot scheme, described as "a long
and winding road", was completed in 2005.
The proof of the pudding will be in the eating. I guesstimate that
there are perhaps 500 - 1000 potential applicants in the UK alone.
There is considerable interest in the scheme among practitioners,
but to be judged a success CRFP will need to translate that interest
into registrations. The scheme will of course also require constant
maintenance and dynamic updating of the assessment criteria to reflect
the state of the art - of both computer technology and forensic
CRFP's experience with computing will undoubtedly pay dividends
with other digital evidence specialties, for example forensic imaging
My only criticism is that the CRFP web database search is very
limited - there is currently no way to identify computing specialists
in all three computing sub-specialities with a single search.
It may also be significant that within weeks of the launch of the
scheme a new CPS Disclosure Manual was published that includes a
whole chapter on the disclosure obligations of prosecution expert
witnesses  and it was reported that the CPS
had issued a confidential warning to police and prosecutors against
a high profile computer expert witness . Taken
together with the launch of the CRFP registration scheme, these
events may well mark the beginning of the end for the Hired Gun
in forensic computing and expert evidence.
 CRFP - News Forensic Computing:
 CPS Disclosure Manual - Chapter
36 Expert witnesses: http://www.cps.gov.uk/legal/section20/chapter_a.html#237
 The Guardian January 18 2006 -
CPS questions credibility of child porn witness: http://www.guardian.co.uk/crime/article/0,,1688682,00.html
Michael J L Turner MA FBCS CITP MAE FEWI is an experienced forensic
computer examiner, a Registered Forensic Practitioner and an established
independent expert witness on computer evidence. He is also a CRFP