Hi
I did mention this question at the end of another topic…and was going to post this weekend. I realised, am away visiting, so going to post now.
I am going to try and make this as uncontentious as possible…but think may generate an interesting discussion
Looking through job profiles - there seemed to be an emphasis on the applicant (DF examiners) pretty much knowing 'everything about everything', to do with a whole range of technologies. I am already aware, that to some degree, mobile device forensics has branched off a bit…but the main question is
"Whether DF examiners' skills are becoming too thinly spread with different/emerging technologies - and whether it would be better that the DF industry starts following mainstream IT - and specialise even further, with specific certification (not DF tool based), and by having more than 1 DF examiner on a case e.g. one an email specialist, one peer-2-peer specialist, one a specialist on the particular O/S etc…"
Discuss…!
Benefits…issues…must be plenty!
Very interesting point you make. I think that right now, however, company and team sizes are not to the point where you can have people specializing in one area. Even in IT this doesn't always exist. There are programmers, system admins, security folk and helpdesk individuals. But that is only in the larger companies. Most companies have room for 1-4 people to run IT and therefore need generalists.
Specializing in an aspect of computer forensics is beneficial. In my organization, we have people specializing in Macs, mobile devices, intrusion detection, etc. But almost all of them are generalists because I need them to be flexible. That being said, when a situation calls for a specialty, we know where to turn.
Hi Greg
Think you have found me out… coming from experience with an organisation with over 3500 IT staff!
However, you made some great points. Think being a generalist and then additionally one or two areas of specialism - is the best mix.
Steve
I was fortunate during my first 7 years in CF to work in a team of 8-11 examiners, each of whom brought differing skillsets. I had access to people with expertise in Mac, Linux, some flavours of Unix, and it really helped. But I agree with Greg that you mostly want supergeneralists with expertise in forensics. Until you scale up to a certain point, it's impractical to have multiple examiners working the same case, and you're better having resources you can have consult on a case if you need to address specific issues outside the main skillsets of your examiners. That and of course good research skills and the ability to validate the results you get from your consulting resource or research.
I think the nature of digital forensics is more "jack of all trades, and master of some".
That is, I am expected to know way more about every layer of digital devices and their communication methodologies, from physical all the way to application layers, than anyone - on the other hand, I can only be an expert in a few at a time.
Which is why, I think, the most important part of a compensation package for a forensic investigator is education.
. . .and I am in a firm with over 25K employees . . .
Too often people try to be experts in lots of areas.
There are several people who I think are incredible CF examiners on Windows machines, but don't do cell phones or don't do intrusion. In the same breath there are several Intrusion guys who try to make the jump to criminal cases and can't do it or don't like it. Each has its own specific set of skills and it's nice to be able to have access to many different people.
Do they know enough to do basic to intermediate things in either or both? Yes, but we aren't called Intermediates, we're called Experts and for that I think people overextend themselves.
From my talks with people at conferences and classes they don't call in for extra help in these areas for fear of seeming like they don't know something, or that the person they call in will make a side deal with the company they are doing the work at and pass their card so all future CF work goes to the guy they brought in to help = Loss of income for them.
Thanks again…shows what a passionate community DF is!
"generalists", "supergeneralists", "masters of some", "intermediates" - great stuff!
Definition of an Expert
"a person who is very knowledgeable about or skilful in a particular area"
- Oxford dictionary.
My view is though…"that depends on who the recipient is!"
I am an expert in DIY, to a monkey watching in a boiler suit.
Steve
armresl - do you think the failure to call in extra help - is more prevalent in DF than maybe other IT-related areas? Is it that in DF, there is an innate culture with an expectation to know 'everything' - as originally discussed? Just a thought…
There's a perceived risk that a question you ask in a forum will come back to bite you on the stand, or in a deposition.
This risk does not exist in IT.
-David
Yep Dave.
I remember going against someone and I said I believe I've seen them ask how to do what we are talking about on a forum, ask him about that. He said he learned it through his training as opposed to the forum.
A simple jaunt over to the forum and a print of his post and voila el bustedo.
Asking questions is perfectly ok, I always have a problem with someone who takes a case knowing it is way over their head and then going to multiple forums (spreading the questions out) to get answers for every step of the case.