New Starter / Certification Path to follow
I have just come across this site and would like to say how resourceful it is. Now I am taking a keen interest in the Security / Forensic area and will shortly be looking to undertake the EC-Council (www.eccouncil.org) Certified Ethical Hacker and Certified Hacker Forensic Investigator.
I have had a quick look and also seen the EnCase courses. What I would like to do is build up some courses and exp. I also have my own I.T. company which I would like to start using more for Security / Forensic work.
My main question is what would you guys (the experts!) recommend? Any good names of courses and training companies? The one I was currently looking at was www.mile2.com
Once again thanks for your time and help, and I look forward to hearing from you.
A warm welcome to Forensic Focus.
If you're actually going to use EnCase I thoroughly recommend Guidance Software's training courses in Liverpool.
It depends on what will be your main software tool, because which tools you use will usually dictate the training you should undertake. Also, will travelling to courses be an issue?
Also you possibly need to be aware that there are two fairly distinct areas of computer forensics. There is the post mortem (hands on physical access to the machine) field and the network security/hacking field. I have found that some people tend to specialise in one or the other (and only a few pursue both). You’ll find that if you are conducting work on hard disk drives in ‘forensics’ type investigations then it will be financially more viable for you to do courses relating to this, and leave the other alone.
Yes, Guidance do courses in Liverpool; it sounds like Jamie has been on these and so have I. They are good but EnCase is not the only ‘fruit’ – there are many courses and other software available. I am playing devil's advocate here, as I am mainly an EnCase user and much prefer it.
However, there is FTK, and you can do a forensic ‘boot camp’ at NSLEC (National Specialist Law Enforcement Centre) Wyboston, UK. http://www.centrex.police.uk/courses/ncpe_courses/nslec/high_tech_crime/nslec_hightech13.html .
There is also ILook – a fantastic tool, free to law enforcement (used by the FBI) and written by Elliot Spencer: http://www.ilook-forensics.org/training.html
Using Linux there is SMART http://www.asrdata.com/tools/ . Some courses are run by Thomas Rude aka ‘farmerdude’ ( http://www.crazytrain.com ) who is willing to travel to conduct training courses. Pre-requisites are based on knowledge and experience. Students for this course should have a minimum of 2 years experience in conducting data forensic examinations and should be familiar with forensic and scientific methodologies.
I notice you say “also have my own I.T. company which i would like to start using more for Security / Forensic work”. Starting out in Forensic Computing is a big step, and I suggest some experience is necessary before actually putting ‘pen to paper’ and making reports/statements for clients; after all, it could be someone’s liberty or livelihood that’s at stake, as Forensic work usually involves some kind of legal proceedings. IMHO the best course/training I have taken is at the Royal Military College of Science, Cranfield University, UK, where they do short courses (2 weeks) in Forensic Computing (Forensic Computing Foundation Course).
The course is expensive but is run (or was run) by Prof Tony Sammes and Prof Brian Jenkinson authors of Forensic Computing: A Practitioner's Guide. ( http://www.amazon.com/exec/obidos/tg/detail/-/1852332999/104-6682112-5806351?v=glance ). Prof Sammes is a leading expert on Forensic Computing and gave evidence on the Hutton enquiry ( http://news.bbc.co.uk/2/hi/uk_news/politics/3120462.stm ). I therefore feel quite privileged to be lectured by him, and I would recommend this course to anyone.
Many thanks for the information, I have looked over the links you sent - wow, thanks for that. Now to answer your question regarding the ethical security and forensics, to be perfectly honest I do not know which area to focus my resources…
I am interested in both areas and both seem to offer the challenge I need. Overall I would say the security side is more "well known" but I have always wanted to find out how and why people do try and compromise security and then how to go about catching and recording the evidence…
I guess I am really after someone in the industry offering advice for a good challenge and career….
One thing I would say looking over the links: they mainly require either min exp or the students working in a Law Enforcement role. My question is how can one get the role without any exp or qualification? I have tried to look around my local Police site for the last few months, plus the Met and H.T.C.U but to no avail…
Would anyone be able to recommend ideas, tips etc…. as I truly do not want to stay a Network Administrator and need to look at specialising in a field. I noticed the Cranfield courses need a degree as a background; all I basically have is the Professional I.T. qualifications…
Arr, there must be a way to break into the field..!
Thanks for the information…
Good post, Andy, some very solid advice there. I think the question of which tool to use as far as the independent (i.e. non LE/large firm) investigator is concerned is a good one. I also think your comments about the benefit (necessity?) of having previous experience in this field are very valid. Computer forensics involves the "double whammy" of potentially having life changing consequences for those involved (e.g. defendants, victims, companies, etc.) and also being something of a procedural minefield where one slip up can scupper an investigation. There is a growing interest in computer forensics training and a growing number of courses to support this interest, but can any training (other than that done "on the job" under supervision) ever be enough to fully equip someone to competently handle their first investigation on their own? I'm not suggesting that it can't but think it bears reflection at least. Dare I suggest that forums such as these might even play a part in supporting the less experienced investigator who might not have more experienced colleagues to rely on?
BTW I didn't realise that Sammes and Jenkinson were teaching part of the course at Cranfield…you're a lucky chap!
I understand your predicament, where to start?
I think I have given an opinion (for what it's worth) in another post similar to this. I do deal with both types of the forensic work I mentioned, however my personal preference is hands on data acquisition, storage and subsequent investigation. I like the challenge of dealing with difficult cases involving lots of different media and using various tools to image and investigate. I prefer paedophile cases to hacking and fraud, simply because the end result is more rewarding to me, i.e. bad/sometimes dangerous guys going to prison. Also I feel ‘post mortem’ data investigation is more demanding, especially if the suspect has been crafty and attempted to hide evidence.
Fraud (although I deal with them a lot) and hacking offences bore me. Network investigation likewise bores me. I would not like to deal solely with Ethical Network security, poring over event and firewall logs. But if this type of work floats your boat then there is a market for it.
Forensic Computing (as opposed to network security) is a newer science, therefore less people involved. There are more business opportunities for those in the private sector, whereas being in the police I am a bit restricted in this side of things. You are caught in a chicken & egg situation where you want to gain experience but this can only easily be achieved by doing real forensic work and/or forking out for very expensive training. My advice would be to keep reading the board, make a note of any information or advice you find relating to technical matters, and build your own database of knowledge (I use WinPM and GKB - General Knowledge Base to keep a record of all the tips, tricks & techniques I come across). This way if you get an interview you can draw upon it.
Of course there are many “Forensic” computing businesses sprouting up all over the place (on the back of a recent increase in workload – Operation Ore). You could always apply to one of these for employment; as I already said, it’s a new science and a growing industry and some companies want to branch into it. They may take you on with your network I.T. skills and your desire to learn forensics. This may be a long drawn out process.
There are many top forensic computing consultants/specialists who are purely self taught and have built themselves formidable reputations. However there is one way to prove to a potential employer you have the skills and that’s through qualifications.
I also agree with Jamie: if you are going to use EnCase it is an advantage to go on their basic course. And again Jamie is right - this board may well prove extremely useful for those not in a position to draw on the knowledge of experienced colleagues.
One thing that did bother me initially is that ethically there is the question of whether posts on this, or any forensic bbs could be exploited by an offender to learn techniques for covering up their tracks and perverting the course of justice. My answer is I don’t think it is too much of an issue nowadays as most techniques in evidence elimination are well documented and easily found doing a Google, and this and other bbs on computer forensics help increase the impartial knowledge of the forensic computing community as a whole (which must be a good thing).
OK HERE WE GO…….
Thanks for the info on your views, I fully understand what you are saying and perhaps I need to contact my law enforcement establishment. I did like the Cranfield spec and have asked for more information.
I understand it is a 3yr Degree but can this be undertaken by Self Sponsorship? I believe the path first would be to do the basic Ec Council Ethical Hacker Forensic Investigator or the C.C.E from ( http://www.trainingcamp.co.uk/uk/forensics_roadmap.asp ) - could you please advise on the Professionally Recognised…..
I will also contact Encase and see what they can advise, but my question again (sorry for all the questions, but if one is going to spend this sort of personal money I need to make sure I am doing it as per the Field!): after this and signing up maybe in March for the Cranfield Degree, what next…..! Are there specialist recruitment agencies for this? Would my County Law Enforcement have such a department? Would these basic courses and determination alone get me a junior role etc…
I would also agree with you on the BBS's, but then for someone like myself (even though I know you are unsure, feel free to check my web site out www.promo-it.co.uk) this is the perfect information. How do you become a specialist expert if you can not ask the experts…!!!!!!
A great thank you again for all information, once I know where to start then out come the savings….
The full MSc course at Cranfield just yet (£15,000). It’s very very expensive. What I suggest is the short foundation course to begin with (2 weeks residential) – titled The Forensic Computing Foundation course.
I am reluctant to recommend courses because my tastes might be different to yours, but if someone says to me they have done the Forensic Computing Foundation Course (2 weeks) at Cranfield, I am impressed – because I have done it and thought it was quite hard to pass.
P.S. I like your site – the flash intro is quite cool.
Thanks once again mate for the details, I did not know the MSc was that price - guess I won't be doing that. I will get some more info on the 2 week foundation…
The Training Camp is "ok". I did my MCSE with them and the setup was a little "amateur" but I am sure they will improve. The cost is not worth the course though; at present they are trying to sell me the CEH and CCE course - to little avail I might add. Also +VAT in this world…
I will email Encase for further information and pricing. I did notice that to pass this I would need a personal licensed edition of EnCase - ouch, $2,400, a lot of money…
If you get time could you just check the content of the Ec-Council CHFI course and see if this is worth doing. At present I am happy to pay around £3k for a few courses but that is my limit….
I guess then update CV and try and look around for something…..
Just a quick follow up to Andy's earlier comment:
One thing that did bother me initially is that ethically there is the question of whether posts on this, or any forensic bbs could be exploited by an offender to learn techniques for covering up their tracks and perverting the course of justice.
A very fair point and certainly something I considered too. Some may remember that in a previous incarnation of these forums we had a forum for investigators only. It was hardly ever used and the burden was always on Forensic Focus to vet the membership…tough to do given fairly limited resources (including time). With that in mind I decided to get rid of that forum entirely when we upgraded the forums and rely on our members' common sense as far as the disclosure of potentially sensitive information is concerned. In addition, as Andy states, most forensic/anti-forensic techniques are well documented elsewhere.
At the end of the day I think the benefits outweigh the risks but, of course, nothing is ever certain. If anyone is keen to have an investigators only forum again then by all means let me know.
I agree with everything said about Cranfield. Anybody in the UK wanting to do Forensic Computing should do at least the three initial courses. Extremely hard work but worthwhile. I also use Encase as my major tool but also like to corroborate results by using other methods like FTK. For UK based Examiners I would also recommend a series of three courses run by 7safe (Dan Haagman). These deal (and you get three professional qualifications) with Forensic Networks Security, in the main hacking and the effects it has on a computer, registry files and traces that trojans leave behind etc., and for someone trying to prove or disprove a Trojan defence to a charge of downloading Child Abuse images they are quite honestly the most worthwhile courses I have ever been on. You also get a good grounding in the use of creating virtual networks (VMWare is used), which is quite handy now with the Emulated drive addition in Encase 4.18. (PS I am not employed by any of the above mentioned organisations, I just believe in giving credit where credit is due) 😀
Thanks for the email, I have seen the 7safe website before but did not know how good they were. I was looking into the CCE and / or the CHFI course….
Do you have a contact at 7safe I could email for details, as I would like to try and "discuss" a price as this would be self funded, in the hope to get me the basic qualifications needed for a junior Forensic position.