
MSc vs CCE vs CHFI

(@paras)
Active Member
Joined: 16 years ago
Posts: 14
Topic starter  

Hello all

Until recently, I have had my heart set on doing an MSc in Computer Forensics. However, recently I've researched a bit more on other certifications available, particularly CCE and CHFI.

Which do you think would be most advantageous for someone like me who has no prior forensics qualification? I have an IT degree and a year’s worth of IT support experience as well as two MCP certifications.

I am now leaning more towards the CCE certification but would value your opinions.

Thanks in advance.


   
(@robtlee)
Active Member
Joined: 16 years ago
Posts: 6
 

I'm glad you are choosing to get certified at all. It is important to the growth of the profession. Even if you do not choose the GIAC GCFA, I'm glad you are taking this step forward. First of all, I work for the SANS Institute and I could understand if this comes across as biased.

I would suggest you consider adding the SANS GCFA to your list (https://computer-forensics.sans.org/gcfa/). It is one of the largest vendor neutral certifications. I (and SANS) also really respect the ISFCE CCE as well. We are partners with them and the SANS training course, Computer Forensics, Investigation, and Response, is an official bootcamp for their certification as well. As a result, I would focus on both the CCE and the GCFA.

Two new things have occurred this past month making the GCFA really stand out.

1. GCFA is now ANSI 17024 Accredited. This makes it the only accredited Digital Forensic Certification out there.
2. GCFA is a finalist in the SC Awards 2010 best certification. http://www.scmagazineus.com/scawards2010-finalists/section/1309/

Some additional details on the GCFA Certification.

How is the professional training or certification organization helping to educate and strengthen the knowledge of the IT security professional?

When a person obtains the Global Information Assurance Certification Forensic Analyst (GCFA) it ensures that each recipient has a firm understanding of computer forensics tools and techniques to investigate data breach intrusions, tech-savvy rogue employees, nation state threats, and complex digital forensic cases.

Utilizing advances in spear phishing, web application attacks, and persistent malware these new sophisticated attackers advance rapidly through networks. Forensic investigators must master a variety of operating systems, investigation techniques, incident response tactics, and even legal issues in order to solve challenging cases. The GCFA provides a foundation for critical forensic analysis techniques for solving complex Windows- and Linux-based investigations.

GCFA professionals understand and can articulate fundamental forensic concepts such as the file system structures, evidence handling and acquisition, computer based media analysis, and computer forensic report writing. GCFA professionals are able to demonstrate how commercial forensic tools function step-by-step and can describe the process in a court of law. They are adept at both live and dead evidence acquisition as well as complete deep-dive forensic analysis. In addition, certified analysts are able to articulate and ensure an exact legal and forensically sound process is utilized in the event that they will need to testify in court.

How does the training or certification program differentiate itself from other offerings?

1. Core Fundamental Forensic Knowledge: The GCFA arms each individual with a deep understanding of the forensic methodology, tools, and techniques to solve advanced computer forensics cases. The GCFA certification also tests for cutting-edge knowledge.

2. Legal: GCFA is the only vendor neutral certification that tests for both technical fundamental concepts in addition to key legal knowledge required in both the United States and European Union.

3. Community Outreach: Certified GCFA professionals are trying to actively help build the forensic community through encouraging their alumni to give back to the community. The popular GCFA computer forensic blog (http://blogs.sans.org/computer-forensics) had over 196 digital forensic articles published in a year. As a result of our efforts, SANS and GCFA professionals were awarded the "Outstanding Contribution to Digital Forensics" from the Forensic 4Cast 2009 Awards.


   
(@reedsie)
Eminent Member
Joined: 16 years ago
Posts: 48
 

In regards to the GCFA, I have taken the SANS 508 class with Rob Lee and I have to say his presentation of this material is very thorough and very detailed.

Rob uses many real life scenarios he has encountered and does a wonderful job tying the course content around his experiences. There are many commercial tools out there that automate and speed up the process for analyzing data but Rob teaches you what these tools do "under the hood" and does an incredible job doing so. This class is fast paced, but you will walk out of there knowing a vast amount of information.

I have not taken any of the other forensic courses but I have been to several other training courses for certifications and SANS far exceeds any that I have been to! Money well spent.


   
(@paras)
Active Member
Joined: 16 years ago
Posts: 14
Topic starter  

Thank you both very much for your replies.

Am I able to take the GCFA in the UK? I can't find any UK organisations offering this certification. Also, it seems that the GCFA certification is possibly more advanced than the CCE, is this the case?


   
(@reedsie)
Eminent Member
Joined: 16 years ago
Posts: 48
 

I know the SANS Institute is the only organization that offers the training for GCFA. I'm not sure if SANS has classes in the UK or not. You could check http://www.sans.org to check on any training venues. I do know I attended the training here in the US several months ago and there was someone in the class from the UK.

I'm not too familiar with the CCE although I did take a practice exam on their site and did fine.

SANS also offers I believe a 408 class which is the intro class (not required) for forensics. I jumped right into the 508 and did fine with some follow up studying. I did this primarily because I wanted the Certification and with 408 you probably wouldn't cover enough material to pass the cert.

Regardless, you will need to study a little afterwards to comprehend the material. SANS also offers audio of the class and practice tests for a little extra, which were really beneficial.

I'm sure Rob could follow up on more of this if he is watching this post, if not, shoot him a PM.


   
(@bjgleas)
Estimable Member
Joined: 21 years ago
Posts: 114
 

Until recently, I have had my heart set on doing an MSc in Computer Forensics. However, recently I've researched a bit more on other certifications available, particularly CCE and CHFI.

My personal recommendation is to get an MSc.

CHFI is just a multiple choice test certification, and if you look (not too hard), you can find brain dumps and cheat sheets for it.

The CCE is an excellent certification, but it is just that - a certification, not training. There are training programs available for it, but they vary in quality.

Now an MSc IMHO beats them all - you will (should) get plenty of hands on training, spread over months (as opposed to one crammed week in the SANS prep course for the GCFA).

One of the big differences between all these is that your MSc doesn't have an expiration date, unlike training and many certifications. You don't have to renew it every 3 to 5 years. If the MSc is done right, what you will learn will transcend the current OS, apps, tools and systems, and focus on overarching themes of forensics, as well as providing hands on with the current technology. Too often training just focuses on the current tools. For example for many students, if they learn C++ (or Java, etc), then they typically only know how to write in that language. But if you learn programming and algorithms, then the language you write in is simply a question of syntax - I've been able to debug code in almost any programming language out there, because the algorithms transcend the language.

Good Luck,

bj


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Of course, myself and some of my colleagues had dealt with Uni graduates with "computer forensic" degrees who were a complete waste of space in the field. The good certs in the field, CFCE, CCE etc do give you an overall view of the field and focus on the core skills that let you adapt to new problems. The idea that you get your qualification, and don't need to update it for years is a fallacy. This field is changing so fast that re-certifying your skills periodically should be mandatory, and the NAS seems to agree.

I don't deny that my B.I.T. gave me some great underlying skills that still inform my knowledge of computers and assist in dealing with developing issues, but I value my CFCE much more when it comes to computer forensics.


   
(@bjgleas)
Estimable Member
Joined: 21 years ago
Posts: 114
 

The idea that you get your qualification, and don't need to update it for years is a fallacy. This field is changing so fast that re-certifying your skills periodically should be mandatory, and the NAS seems to agree.

I don't deny that my B.I.T. gave me some great underlying skills that still inform my knowledge of computers and assist in dealing with developing issues, but I value my CFCE much more when it comes to computer forensics.

And that is what I was kind of trying to say - if you start with the MSc and get the certs (even along the way), that's better than just certs or just degrees alone. But many of the certs are just certs, not training, so where does one acquire the underlying knowledge. The CCE was my favorite cert, but I doubt it could be passed with "no prior forensics qualification, an IT degree and a year’s worth of IT support experience as well as two MCP certifications".

My recommendation was based on that, for this specific person, based on what they told us.

But as for any degree, training, or certifications, there are going to be "losers" in all of them - you only get out of it what you put into it… As I tell my students, the degree, training, or certifications will get you the interview, but you being able to think on your feet, and being able to solve problems you have never seen before, is what is going to get you the job.

Which of the following would you most likely choose for an interview?

A. an IT degree and a year’s worth of IT support experience as well as two MCP certifications + CHFI

B. an IT degree and a year’s worth of IT support experience as well as two MCP certifications + MSc in Digital Forensics

The CHFI tells me that the person was able to pass a single, short, multiple choice test (possibly with the assistance of a cheat-sheet or brain-dump), while the MSc tells me the person was able to complete a multi-year program of study.

I got my BS & MS over 25 years ago, and have used certifications and experience in the field to keep my skills up to date… but I would never trade a certification for a degree - In my opinion, they are complementary, not a substitution.

bj


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Certification may be useful in getting a job, although while I respect Rob Lee and his work, I think that vendor specific rather than vendor neutral certification might be better for an entry level position. Many of the job postings that I have seen will expect proficiency with at least one of the better known commercial tools.

The other problem that I have with certification is the lack of a practical examination in many cases. Multiple choice questions test memory but not know-how and I have yet to see any certification that prepares you for testimony.

The first thing that you need to do is get your foot in the door and to do that, I'd be looking at the requirements for the available jobs in your area and focusing on meeting these. Unless you have unlimited resources, there will be time to add further certifications, later.


   
(@paras)
Active Member
Joined: 16 years ago
Posts: 14
Topic starter  

Thanks for your replies guys.

There is no mention of specific certifications or degrees (other than needing an IT degree) for the majority of vacancies I have seen for the UK.

seanmcl, you mentioned that certifications lack practical examinations but the CCE has an exam element and also three practical exercises.

The GCFA looks like a good certification but may be too advanced for me at the moment, it is something I will definitely be looking into later on.

So I guess it’s really between MSc and CCE. I have weighed up the pros and cons for each and I am leaning more towards the CCE certification as I think it would be the best choice in terms of knowledge gained, costs and studying flexibility.

Would you guys recommend doing a 5 day intensive course or self paced study?


   