Computer Certifications

(@bddy829)
New Member
Joined: 20 years ago
Posts: 2
Topic starter  

Seeing as though I am still in college working towards a degree in Computer forensics, I was wondering if anyone who is already in the field knows of any computer certifications that could help me in my career?


   
taylormade
(@taylormade)
Active Member
Joined: 21 years ago
Posts: 12
 

CISSP - http://www.isc2.org - always a good bet. Broad background in everything security related. Management cert, so even the technical aspects aren't that technical. A little tough to get the required 4 years of experience while still in college, but I know plenty of people that have done it. A paper cert, but easily the most pain in the @$$ test you'll ever take - so, where I normally say that paper certs are the ones you don't have to work for, this one is the exception.

GCFA - http://www.giac.org/certifications/security/gcfa.php - used to be awesome, but now that they did away with the practical there are mixed feelings about it. It is tied HEAVILY to the SANS forensics track, to the point that many questions are word-for-word quotes from their course books on topics that you won't find anywhere but in their course books. But, if you can get to a SANS conference (for a starving college student, I recommend the volunteer program), it is a respected acronym to have after your name.

CCE - http://www.certified-computer-examiner.com/ - probably the best bet out there. Excellent practicals (note the plural) that really prove you know how to follow a forensic methodology and write reports that a lawyer will take seriously. Incestuously related to the CFCE, which is a law enforcement only cert (and thus not listed). I really like this one. Its written test is a not-even-funny joke, but the practicals more than make up for it.

CCFT - http://www.htcn.org/cert.htm - this one is interesting. You won’t be getting this coming out of college. There is no exam… no practical… you document 10 forensic cases you actually worked for actual lawyers (or whatever), they call the people involved to verify and get character references and award the cert based on that.

EnCE - http://www.guidancesoftware.com/training/ence/index.asp - a vendor specific cert, but that is about the only bad thing I can say about it. Decent test and a pretty practical that really makes you dig for data in places you never wanted to go. It’s also well recognized by law enforcement and lawyer types that use EnCase because they don’t know any better. Normally I don't recommend vendor certs for general topics, but same as with the CCNA - if the market share gap is big enough, you have to go with what's out there.

CIFI - http://www.iisfa.org/certification/certification.asp - too new to tell for sure. They use the word forensics in the name, but the test and the overall feel of the org is not traditional, get to the bit level of a hard drive type forensics but more general security and network incident response. They claim to be “recognized as the only certification that truly represents the abilities of field information forensics investigators and is the benchmark by which they are measured”, but they have only been around a few months whereas the others above have been around for years. It is a paper cert.

CFE - http://www.cfenet.com/cfe/default.asp - not a forensics cert, but a fraud related cert. Doesn’t help you image drives, but does help you figure out what’s wrong with that Quicken file that makes those transfers illegal. I see a lot of Armani and tasseled loafer wearing examiners in the private sector working for those big financial consulting firms (KPMG, Anderson, Deloitte & Touche, etc.) with this cert. (not to imply there is money to be made in knowing how to examine fraud and thus knowing what other examiners might examine about your accounts)

I would really like feedback from the rest of the forum on these and any other certs that I might have missed.


   
taylormade
(@taylormade)
Active Member
Joined: 21 years ago
Posts: 12
 

CHFI - http://www.eccouncil.org/CHFI.htm - I haven't taken this test yet, so I'm not really sure how it will stack up. The list of items that the test covers includes some tools/topics that are a little obscure (i.e. it's a public test, but it covers ILook which is only available to LE). It's a paper cert.


   
(@bddy829)
New Member
Joined: 20 years ago
Posts: 2
Topic starter  

Hey, thank you very much. I will look into all this information.


   
(@xvictim)
Active Member
Joined: 17 years ago
Posts: 6
 

Thanks a lot taylormade, this is very useful.


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

If you are going to include EnCE, there are other vendor certs:

ACE - AccessData Certified Examiner™ credential is obtained by completing the KBA (Knowledge Based Assessment) and the PBA (Practical Based Assessment). Prerequisites for ACE™ include the AccessData BootCamp and Windows Forensics - XP.

ProDiscover - Three day intensive ProDiscover training and certification classes are available through Technology Pathways or one of our training partners. Contact the Technology Pathways sales department for details.

Probably more.


   
(@mtgarden)
New Member
Joined: 18 years ago
Posts: 1
 

I like the GCFA. Yeah, it's a paper-only cert, though you can move ahead and get an upgrade to Gold status by doing a practical.

The nicest part about GCFA is that you use all open source tools. That's not to demean the paid-for tools, it just means that you have a toolkit that you can always use at any time anywhere. I did that the other day: used Autopsy and foremost to help out a friend.

Further, the GCFA spends a lot of time on the underlying file system and ensuring that you understand what each tool does.

I enjoyed the course; I took it @home from SANS. That saved me money and it was no different than an extended education course from college (the kind where the school mails you the book and materials and you send back your tests/reports etc.)

I haven't used the others, but I also recommend that you start pursuing a CISSP. It takes time. The CISSP is kind of a humanities cert. The value is that it gets your resume past HR….


   
(@iamnowonmai)
Active Member
Joined: 19 years ago
Posts: 8
 

> I like the GCFA. Yeah, it's a paper-only cert, though you can move ahead and get an upgrade to Gold status by doing a practical.
>
> The nicest part about GCFA is that you use all open source tools. That's not to demean the paid-for tools, it just means that you have a toolkit that you can always use at any time anywhere. I did that the other day: used Autopsy and foremost to help out a friend.
>
> Further, the GCFA spends a lot of time on the underlying file system and ensuring that you understand what each tool does.

Another vote for the GCFA. It is not a tool-based course. It will really teach you the nuts and bolts of the forensic process. It is true that the certification does not /require/ a paper, but the tests are proctored. So it isn't a trivial test to take, and no cheating. If you pass the GCFA, then you probably know what you are doing, and why. Most of us know people with tool-based certifications who are lost without their preferred software application. The GCFA isn't like that at all.

Full-disclosure - iamnowonmai (GSEC,GCIH,GCFA)


   
(@mlachniet)
New Member
Joined: 17 years ago
Posts: 1
 

I agree with the other posters about the GCFA - it is a good cert. It is good in that it is "vendor agnostic" and requires you to really understand the underlying concepts. A minimal amount of time is spent on the GUI and syntax of specific tools. For that reason, I believe that a LOT more time is spent on true education than in any vendor-specific cert. I have read, for example, the official EnCE study guide, and it was total fluff compared to the GCFA materials (though I should confess that I haven't taken EnCE training personally, nor sat for the test). There is a lot of good information on Windows forensics that is informed by Harlan Carvey's work (the best Windows forensics guy I've ever met). There is also a full day on legal issues, which is a critical component, in my opinion.

I also liked that the hands-on exercises in the class were helpful in supporting the material. Some of them were downright mean, like having to manually fix a FAT-16 file allocation table with a sector editor, including manually re-creating about 30 sector linkages. That sucker kept me up late in the hotel reading Brian Carrier's filesystem forensics book and getting it to work right, I can tell you.

That said, I would not outright trust a person with just a GCFA to be qualified, but I wouldn't for any other cert either. For example, the GCFA test is (was anyway) open book. I got high scores on the test because I had organized the course material and made it really easy to find the sections I was looking for. I could have theoretically been a genius at filing and a novice at forensics and passed.

I would, however, think pretty highly of someone who got the GCFA gold and completed a quality practical paper that I could read. In the past I have hired someone with a GIAC Gold practical paper, and being able to read their paper before the interview was invaluable, and ended up being a major factor in me hiring them. It would go a lot further if they also had a generalist cert such as a CISA or CISSP to round out their credentials.

NOTE: A previous poster stated that the GCFA did away with the practicals. This is not actually true. You can get a GCFA "silver" with just a test, but you have to do a peer reviewed paper to get the "gold". That said, your experience will probably vary a great deal depending on who your mentor / paper reviewer is.

Lastly, I would say that despite being expensive, the in-person training is very good. I took Rob Lee's section last fall (2007) in Vegas, and I can honestly say that it was the most interesting I.T. class I have taken in over 8 years. For people who already have a general or moderate background in forensics and think it will be easy, you will probably be challenged.

Best regards,

Mark Lachniet


   
(@davidlsharpe)
New Member
Joined: 17 years ago
Posts: 1
 

The original poster from 2005 indicated that he/she was working toward a college degree in forensics. That is probably the most valuable thing you can do. If you only have a bachelor's degree, consider working toward a master's. A master's degree or higher in forensics or IT security probably has the highest long term payback of anything. For IT certs, one possible way to gauge the relative value of each of the certs mentioned above would be to do a keyword search for each on job search sites like indeed.com for your area (or for large whole IT employer states like Virginia, New York, Texas, or California). That should give you an idea which certs are most requested in actual job postings for each state. You won't find things like GCIH, GCFA, or EnCE ranking nearly as high as CISSP or CISA by doing that. I say all of this as a holder of CISSP, GCFA, GCIH etc. Everything listed by everyone above has its good and bad points, but in my opinion the advanced Information Assurance/Security college degrees are far and away better choices for your career. Sometimes I also feel that the various SANS/ISC2/ecCouncil certs unfortunately are more of an effort to get money from you than a genuine effort to provide a differentiating certification, and the courses and tests tend to cover out-of-date material a little too much.


   