This brings up a frustration, at least of mine, whereby certification explicitly implies knowledge.
So far, I have seen few certifications which truly provided evidence of real knowledge.
I think most multiple-choice tests, especially those which require a low passing percentage, lend themselves more to showing good test-taking skills than true forensic understanding.
You have to bootstrap somewhere… examiners aren't birthed with the experience and skills needed for this job.
I would agree. But unlike many other professions, there are few barriers to entry. After all, with a computer, some storage and a hex editor, and a lot of time, you can certainly discover much of what is known by the profession.
You can't say that about neurosurgery.
And unlike other professional apprenticeship programs, you don't have to risk harming or cheating someone while you learn.
This brings up a frustration, at least of mine, whereby certification explicitly implies knowledge.
I'm with you on that one. I recently attained a certification that I know others have, and yet I do not even see the basic knowledge required to pass the exam in what some of those "certified" individuals do and say.
I am aware, however, that this has little to do with the certification of the certifying organization, and everything to do with the individual.
Also, Sean's absolutely correct…there are sample images and even packet captures available for analysis as part of challenges posted out there on the 'net. Beyond that, there are a number of free tools available for data collection and analysis…if you can't find what you need, ask someone. I often can't find what I need, so I write my own tool… 😉
IMHO, an examiner with no skills and no experience is a known quantity, whereas one with a tool cert presents management with the challenge of "what did you miss?"
Harlan,
Would you mind expanding on that thought? I'm not quite sure where you are going with that. Thanks!
Greg,
Sure.
When I'm working with an analyst on my team that I know has limited experience in a particular area, I outline an analysis plan for them to follow, or I ask them to provide me with specific data, which I will then structure and send back to them, so that we can walk through it together, and develop their understanding. This does take longer to work through the exam than if I were doing all the same things myself, but ultimately, it's a force multiplier, because I've shared my knowledge.
Now, in the case where an examiner has been assumed to have a certain level of skill due to certifications, those examiners may be unsupervised, or not as closely supervised, and after a week/40 hrs of analysis, may issue a report of "no findings", when that simply isn't the case. This then requires that someone go back over the data, restructure and possibly even rewrite the report, thereby taking even longer to complete the engagement, and possibly even reducing the hourly rate (48 hr engagement at a billing rate of $100/hr is reduced to an hourly rate of less than $67/hr if it ultimately takes 72 hrs to actually complete) to a point where money is actually *lost*.
I've worked with people with experience in, say, EnCase since version 3 who insist on compiling an EnCase hash file rather than run an EnCase condition to find a handful of hashes. Yes, there may be several ways to do things, but at some point, you get to a level of complexity where the analysis and findings are incomplete, and simply not communicated clearly.
Ah, I get it now. When we bring new members onto our team, whether certified or not, they all tend to go through the same process wherein we test their skill level and gradually over time give them more and more responsibility. We don't assume they have a specific skill level because of a certification as there are so many ways to skirt any certification process. If they aren't certified, we give them the option of getting a certification in which they are interested. We encourage certifications, however, because the industry, and more importantly our clients, see certifications as being important.
That being said, I don't think I've seen a correlation between computer forensic efficiency and the type of certification. I think I've seen equally bad work in vendor-neutral and vendor-centric certifications.
Thanks a lot for all of your tremendous responses to my query :D
I can appreciate the uncertainty over what certification(s) to pursue as a new or aspiring examiner. After considering several, I opted for the ISFCE's CCE (http//
Shifting gears a bit…has anyone heard of or formed opinions on the new DFCP and DFCA sponsored by NIJ and Univ. of Cent. Florida?
At my place of employment, we have been advised that we all will be required to have it in the foreseeable future (i.e. ~1 year). Until this Fall, they are taking applications and a fee from experienced (>3 years) examiners that desire to be founding members. They appear to have stringent criteria for membership/certification.
http//
I would be interested in experienced examiners' comments on DFCB certifications.
A previous discussion on DFCB.
Thanks…I should have searched first, eh? oops