CISSP - http://www.isc2.org - always a good bet. Broad background in everything security related. Management cert, so even the technical aspects aren't that technical. A little tough to get the required 4 years of experience while still in college, but I know plenty of people that have done it. A paper cert, but easily the most pain in the @$$ test you'll ever take - so, where I normally say that paper certs are the ones you don't have to work for, this one is the exception.
GCFA - http://www.giac.org/certifications/security/gcfa.php - used to be awesome, but now that they did away with the practical there are mixed feelings about it. It is tied HEAVILY to the SANS forensics track, to the point that many questions are word-for-word quotes from their course books on topics that you won't find anywhere but in their course books. But, if you can get to a SANS conference (for a starving college student, I recommend the volunteer program), it is a respected acronym to have after your name.
CCE - http://www.certified-computer-examiner.com/ - probably the best bet out there. Excellent practicals (note the plural) that really prove you know how to follow a forensic methodology and write reports that a lawyer will take seriously. Incestuously related to the CFCE, which is a law enforcement only cert (and thus not listed). I really like this one. Its written test is a not-even-funny joke, but the practicals more than make up for it.
CCFT - http://www.htcn.org/cert.htm - this one is interesting. You won’t be getting this coming out of college. There is no exam… no practical… you document 10 forensic cases you actually worked for actual lawyers (or whatever), they call the people involved to verify and get character references and award the cert based on that.
EnCE - http://www.guidancesoftware.com/training/ence/index.asp - a vendor specific cert, but that is about the only bad thing I can say about it. Decent test and a pretty practical that really makes you dig for data in places you never wanted to go. It’s also well recognized by law enforcement and lawyer types that use EnCase because they don’t know any better. Normally I don't recommend vendor certs for general topics, but same as with the CCNA - if the market share gap is big enough, you have to go with what's out there.
CIFI - http://www.iisfa.org/certification/certification.asp - too new to tell for sure. They use the word forensics in the name, but the test and the overall feel of the org is not traditional, get to the bit level of a hard drive type forensics but more general security and network incident response. They claim to be “recognized as the only certification that truly represents the abilities of field information forensics investigators and is the benchmark by which they are measured”, but they have only been around a few months whereas the others above have been around for years. It is a paper cert.
CFE - http://www.cfenet.com/cfe/default.asp - not a forensics cert, but a fraud related cert. Doesn’t help you image drives, but does help you figure out what’s wrong with that Quicken file that makes those transfers illegal. I see a lot of Armani and tasseled loafer wearing examiners in the private sector working for those big financial consulting firms (KPMG, Andersen, Deloitte & Touche, etc.) with this cert. (not to imply there is money to be made in knowing how to examine fraud and thus knowing what other examiners might examine about your accounts)
I would really like feedback from the rest of the forum on these and any other certs that I might have missed.
I can't agree on the CCE being "the best bet". I remember looking at taking the online course when I became interested in the field. It was all Windows (or DOS) based, at least where it came to the actual forensic activities, and still is like that. I just checked one "Authorized Training Partner".
It also heavily uses only one vendor's forensic suite, and it has a dependency on several commercial utilities (passware kit, norton utils, norton ghost, quickview …) all of which the student must purchase.
It's obvious the course content hasn't been updated in a while. They still list hardware requirements like a 300MHz Win 95/98 computer, say laptops aren't suitable, want you to have a supply of 3.5 diskettes, and a "modem" for internet access.
I'm not kidding, see http://www.guardianconsulting.ca/courseoutline.pdf
That's just nonsense.
The exam does not require or utilize any one software.
Looking at the "What's Included" at several of the authorized training facilities I see that some software is included
Access to a range of FULLY LICENSED software
-SMART for Linux- http//
-Simple Carver–excellent carving utility you can use in actual forensic examinations.
-Passware Kit–password cracking tool
Perhaps Guardian has not updated their brochure?
I can't agree on the CCE being "the best bet". I remember looking at taking the online course when I became interested in the field. It was all Windows (or DOS) based, at least where it came to the actual forensic activities, and still is like that. I just checked one "Authorized Training Partner".
It also heavily uses only one vendor's forensic suite, and it has a dependency on several commercial utilities (passware kit, norton utils, norton ghost, quickview …) all of which the student must purchase.
It's obvious the course content hasn't been updated in a while. They still list hardware requirements like a 300MHz Win 95/98 computer, say laptops aren't suitable, want you to have a supply of 3.5 diskettes, and a "modem" for internet access.
I'm not kidding, see http://www.guardianconsulting.ca/courseoutline.pdf That's just nonsense.
But you have to be able to distinguish between the teaching (guardian), and the testing (CCE). While the guardian details reflect badly, the CCE was the most interesting, challenging, and rewarding cert I ever earned.
The testing process is pretty simple - there is a trivial knowledge-based multiple-choice exam, followed by 3 simulated cases. And here is the best part - they seem to be more interested in the investigative process than the actual results. It's like the math teacher who doesn't care that the answer is 42, but rather is more concerned about how you arrived at it. As they said on their website at one point - Don't just run Norton Tools, and give us a list of deleted files. You have to show them your mastery of the digital forensic investigative process - wiping media, checksums, chain-of-custody - and document all of it, and then link it all together. In one of the floppy disk examinations I did, the resulting documentation was about 18 pages long - Overkill? Maybe… but I passed with flying colors.
And yeah, as others have said, they don't demand certain tools, because the focus here is on the process, not the tools. One of the reasons I liked this so much was because I wasn't locked into a single vendor's tool.
Don't judge a cert by the single vendor's implementation.
I agree, although perhaps some CCE components could be updated a bit (actually I think they have) people shouldn't be put off b/c of the DOS level stuff. Staying as close to the machine as practical (being able to write or modify a Perl script when necessary) while avoiding vendor specific tool focus is a good way to go. Being tied to pretty icon driven environments is OK for the general public, but not for someone that calls themselves a computer forensic investigator - like all good "investigators," one needs to be adaptable, out of the box driven, & resourceful. My two cents…
You missed the certificate CFCE (Certified Forensic Computer Examiner) from IACIS (The International Association of Computer Investigative Specialists). More details see



