JesterLadd,
A warm welcome to Forensic Focus first of all.
A VERY interesting post, many thanks. I will certainly try to keep an eye on the site for any updates related to computer forensics but if you hear something sooner do please bring us up to speed in the forums. I would certainly welcome the addition of computer forensics to this register.
Clearly the register is somewhat different from some other accreditation systems discussed here but I like what I read as far as credibility, focus on current practical experience and public interest issues is concerned (within the scope of UK practice).
A quick note to David, whose earlier post I had not responded to…any further info on the CCE would be appreciated, I'd be very interested to learn what kind of interest has been shown from outside the US and what plans the ISCFE may have to spread their net further afield (perhaps through affiliation with foreign government agencies or computer societies). Thanks for your valuable input on this certification to date.
Kind regards,
Jamie
Part of the problem with this lack of an association to vouch for these 'experts' credentials, is that several people are starting their own to fill the vacuum.
ISCFE
IISFA
HTCIA (prosecution only)
IACIS (LE only)
FACT
Which ones are truly impartial and helping the community and which ones are just fancy acronyms that get money from people like us that need a cert?
I threw together a list of certifications in the 'getting started' section to answer a question there… it seems relevant to this thread also. I'd really like to see the feedback on which certs are respected and not and why.
Interestingly, I received the following from Steve Hailey yesterday so we now have something else to throw into the mix:
There is a new computer forensics certification available with
testing to begin in November of this year. We believe this certification
will become a de-facto standard and thought you would be interested.
http://certifications.cybersecurityinstitute.biz/
Kind regards,
Jamie
I'm fairly new to this forum and to CF and as somebody else trying to break into the industry this topic is something I find very important. Something that hasn't yet been mentioned is the role and value of university provided degrees. If CF evolves into a fully fledged scientific discipline I think the entry requirements into the industry could be refocused onto traditional academic qualifications such as a three/four year degree. After all aren't most expert witnesses highly academically qualified? If (when) industry wide regulation/accreditation kicks in and when the CF science matures and the spotlight becomes a little more intense, are we really expecting to be able to take the stand as an expert witness to relieve someone of their liberty on the strength of a six week or similar certification?
No offence meant to those of you who have certification, I'm trying to ignite debate.
Quote: "There is a new computer forensics certification available with testing to begin in November of this year. We believe this certification will become a de-facto standard and thought you would be interested."
I don't believe there will ever be a de-facto standard in this field. Several organizations already say you can't do defense work and be part of our group, or you must not take this type of a case and be in our group. How far off can it be for a group to say you can only have a cert from us and not be involved in xyz?
Whatever happened to the old saying "it is what it is"? You work for the defense, prosecution, private sector, etc and you get the data, offer your report, testify if needed, and move on. Why so many different groups who say you can only play in my sandbox, not anyone else's?
Hi All,
After reading Nick's paper I thought it might be interesting to include what someone like myself is considering doing in terms of preparation, to eventually open my own business. I am well aware of the possible consequences to an individual should I be hired and NOT properly trained/educated and as such have set a list of things I believe I need to accomplish before even considering starting up.
I have been working in IT for the better part of ten years and am formally trained/educated as a network administrator and see the following as important steps. Some are obvious but are included all the same:
1- Join and participate in online discussions like this one.
2- Immerse myself in literature such as Brian Carrier's File System Forensics as well as other digital forensic type books. (I really enjoyed yours also Harlan!)
3- Finish Digital Forensics Program at a local College.
4- Enroll in Forensic workshops available to me (ex: Canada’s Communications Security Establishment offers 2-3 days computer forensics workshop. RCMP’s TSB (Technical Service Branch) offers something similar).
5- Complete CCE exam or similar certification.
6- Become familiar with software such as dd, FTK, WINHEX & Encase and understand what is being done with each mouse click.
7- Test small second hand HDD as much as possible documenting procedures and testing scenarios.
8- Pick the brains of the few friends I have in law enforcement in hopes of complementing the basic law courses I will enroll in.
I don’t plan on jumping in blind. I have a salaried position and am more or less comfortable but find this field extremely interesting and would love to make a go of it for many reasons. As corny as it sounds the main reason being I think I will be doing something positive…I will not however open my doors unless I believe I can measure up to what is already out there.
As a footnote..this isn't something I plan on zipping through and expect it to take a couple of years. Also, if I missed something glaring PLEASE let me know 🙂
Andrew-
Sorry I haven't posted here for a while, case load and holidays have got in the way.
I'd like to pick up on a couple of recent posts.
Firstly from FatRabbit, you make a fair point about the use of 'academic' qualifications but I'm afraid that my experience with highly qualified academics (no offence meant to any, including friends) is that they often have no 'practical' experience which is vital in an investigation. When examining a PC in a fraud case I need to apply approved processes, have a detailed understanding of the technical aspect but also knowledge of the business processes that may have been involved in the fraud. I have found that this comes from years of 'hands-on' experience, not classroom time learning about the Windows registry which changes every few years anyway.
I also find purely classroom qualified people often quite myopic. Academia often follows set processes rather than lateral, creative and constantly developing methods. I'm being overly simplistic and rather unkind, but I would like to see a qualification similar to CISSP that can be achieved by a wide variety of people either studying for it or using experience to pass it. This would encourage new people into the industry without the need for 4 years in a classroom. Can you imagine each Police Force having to send its HiTech Crime Units away for 4 years to be acceptable in Court!
Secondly the post from andy1500mac. I like your method for getting into the industry. Can I also suggest thinking about the area you will specialise in. Will you work with the Police or defend cases or both? Are you willing to defend Child Pornography cases? How do you feel about seeing that type of material? Although we do defend some CP cases we specialise in corporate fraud, this is a fascinating area but also requires some knowledge of fraudulent accounting methods and the like. It is worth reading books on the subject.
That’s all really.
Nick
Nick,
Very interesting response, and a very good read…
I agree that a combination of "book larnin'" and practical experience is a must…which is why I like to look for training (as well as conduct it) that includes both. My IR/Forensics course has hands-on labs and exercises that allow the attendee to practice what they've just been taught.
Quote: "I have found that this comes from years of 'hands-on' experience, not classroom time learning about the Windows registry which changes every few years anyway."
Point taken. However, if one takes the time to document their "hands-on experience", showing (for example) the differences in the Registry and how they apply, then the community improves as a whole.
Quote: "I also find purely classroom qualified people often quite myopic."
IMHO, anyone with experience purely in one area (classroom, LEO, corporate, etc), can tend to be pretty myopic. Lots of security- and forensics-"experts" who are self-taught seem to know and/or care very little for business processes. In addition, presentation of the data is a real issue for the purely technical folks, particularly those who don't like to document anything.
H. Carvey
"Windows Forensics and Incident Recovery"
Good points, well made! You are, of course, right in everything you say. Just about everyone has a slightly binocular visioned view of the world molded by their experience, I guess I meant that academia can be a little one track. You only have to watch how scientists bicker over new ideas, especially from those 'less qualified'. Room for all I guess.
However, I would hate to see the Courts stipulate a 4 year course (which would be out of date a year in) before they would accept evidence. I agree with you that a reasonable qualification along with practical experience in perhaps law enforcement, security or business could be sufficient.
I must read your book by the way!
I didn't mean that CF would be taken over by stuffy academics with no practical experience. I meant that in other areas that are the traditional domain of expert witnesses, i.e. psychology, traditional forensic sciences etc, the expert has almost always graduated from university. With the maturity of CF into a fully fledged scientific discipline there could be a requirement that new entrants into the industry have a degree to provide them with a foundation of knowledge upon which to build.