Hello,
I have been working in the IT field for 15 years and have had an interest in forensics since having to go through employees' email/internet etc. for my employers.
I am now in a position to take some time out of working to train up in the forensics field. Question is, which will be the most beneficial? It appears that EnCase, FTK and IACIS all have very good programs. These are the three I have been told to look at by law enforcement / private forensic examiners.
EnCase do a year passport that allows you to do as many courses as you like for a flat fee, although this is only if spaces are available on the course at that time. Has anybody done this? Did you get on the courses without issue? I also hear most police departments also rely on EnCase.
Any help would be great, as I don't want to waste money on the wrong choices.
Simon
I think that the EnCase track is a good way to go since it teaches you the EnCase product, as well as best practices for computer forensics in general - it's not just a software training course.
I used a passport for my training and I didn't have problems scheduling classes. The other perk is that you'll be able to get the OnDemand classes as well as the classroom ones, so if you take a classroom course, you can then take the OnDemand course at home when you leave and it's all covered in the passport.
Not familiar with the IACIS track, but I've taken the FTK bootcamp, which was a straight FTK how-to class that introduces you to FTK and what it is capable of (that was for 1.x).
Why not start training on your own? Doing so would give you the opportunity/ability to make informed choices regarding your follow-on training.
There are a number of options available, all free, and all depending on where you want to start. If you would like to start in image analysis, then you have options from HoneyNet, Lance Mueller's practicals, even NIST. If that's not enough, there are tools available that will let you create your own images…FTK Imager Lite, bootable Linux disks, etc.
There are network traffic capture/analysis tools available…Wireshark, Network Miner, etc.
If it all seems overwhelming, pick a place and start. Grab one of the freely available images and start with the file system, and progress on from there. Need books? Libraries are a good place to start.
The fact is that in the current economy, attendance to high-dollar vendor training is at a premium. What employers and team members are going to look for is employees that aren't going to use "…I can't go to expensive training…" as an excuse.
HTH
In the interest of full disclosure, I hold a committee chair position with IACIS. However, since I've both been through the CFCE process and also coached others through CFCE, as well as had some small input in the certification process, I think I can speak pretty strongly about it.
If you're in law enforcement, IACIS training and CFCE certification will give you the strongest bang for your buck since they are not driven by having to make a profit, and because the instructors volunteer their time. (And some instructors teach CF for a living for AD, Guidance or NWC3, then volunteer for IACIS.) The standard of the certification is also very high. CFCE is tough, but it's also going to strengthen your skillset, help you identify and develop areas that you may be weak on, and give you a solid grounding in the whole of computer forensics, regardless of what tool you need to use. CFCE teaches fundamentals, and is not tied to a specific tool. The aim is to give you skills such that you could be given any forensic tool, validate it yourself, and then apply it to your case with confidence.
Whilst EnCE is a good cert, imho it's too focused on what EnCase does for forensics, and doesn't spend substantial time giving you the skills to do stuff that EnCase doesn't do. This is based on reading the EnCE study guide book, and my discussions with numerous people who hold both an EnCE PLUS either a CFCE or CCE. (I'm not at all against EnCase, I have some friends working for Guidance, but you need to understand the difference between a certification based around a specific tool, and a certification based on the underlying principles of computer forensics.) If your agency uses EnCase in-house, it's certainly worth getting an EnCE at some point, but I recommend a general cert (CFCE, GCFA or CCE) or degree first.
Thanks for your info, all.
Tony, with regard to IACIS, I am not in law enforcement. This is something I am going to pursue on my own for the time being. I did hear from another forensic examiner that IACIS is opening up to non-law-enforcement people soon. Is this correct?
Many thanks
IACIS is considering various options right now about how it should grow and/or change. Nothing is definite at this time, and I do not think opening up will provide training. It will likely just be the certification process, if that is approved by the organization.
As has been mentioned already, EnCE & FTK focus specifically on their respective tools, and if budget is an issue you might want to look elsewhere. I recently attended the SANS FOR408 course and it was great. You are given essential forensics knowledge as well, and get introduced to a bunch of freeware tools to help with examinations.
If money/budget is an issue, then you can start out with some books like keydet89 mentioned. Here are a few:
- Windows Forensic Analysis 2/E (keydet89's book)
- File System Forensic Analysis by Brian Carrier
- Digital Evidence and Computer Crime 2/E by Eoghan Casey
There are other books you can pick up that deal with specific digital forensic topics, but these are the starting point (as far as books go) that I would recommend.