New certification: CSFA
I've mentioned this at the end of another thread but thought I'd mention it again in case anyone missed it. A new computer forensics certification, the CyberSecurity Forensics Analyst (CSFA), is in the final stages of testing and can be found here:
From the website:
The CSFA certification test is the only test currently available of its kind. It closely resembles a scenario that an actual forensic analyst will encounter in the real world, with a specific time frame to complete the analysis, and the ability to request additional information relevant to the case.
Candidates will be given three days to take the test, which is currently offered in Lynnwood, Washington. Additional testing locations are planned for 2nd quarter 2006. There is a written component of 60 multiple choice questions, with the majority of the test being hands-on. Candidates will be given a scenario that includes processing an IDE hard drive with a single partition no greater than 4.0 GB in size, and one floppy disk or CDROM. No more than 10 candidates are allowed to take the test at one time.
The written test will comprise 30% of the total score, with the practical comprising 70% of the total score. An overall score of 85% must be attained in order to earn the designation of CyberSecurity Forensic Analyst (CSFA).
Candidates will be allowed to request additional information after reviewing their particular scenario, such as proxy, IDS, and router logs, acceptable use policies, interrogatories, etc.
There is already a forensic certification that requires the same type of test, media examination, etc. so I am surprised that they claim:
"The CSFA certification test is the only test currently available of its kind. It closely resembles a scenario that an actual forensic analyst will encounter in the real world, with a specific time frame to complete the analysis, and the ability to request additional information relevant to the case. "
Steve Hailey mentioned the following in an email to me earlier:
"Ours is the only one I'm aware of that is "hands-on" and has to be completed within a reasonable timeframe, with the test being proctored."
Which cert did you have in mind?
PS I'm neither promoting nor defending this new cert, merely mentioning that it now exists.
Well, the CCE has an online examination. If you pass that, then it also has "hands on" exam components that require examination of three different cases with three different types of media (diskette, CD, harddrive). These require a complete report with documentation of all processes and results. They also have to be completed within a reasonable time.
I've been waiting for the announcement of the CSFA for over a year.
The CCE hands-on portion is done via distance with the hard drive image sent on a CD. I think they give you weeks or months to complete the examination. From what I read, it looks like the CSFA test starts with an actual hard drive being given to the person taking the test, not a hard drive image on a CD. As we all know, properly acquiring the drive and verifying the hashes is one of the most important parts of what we would need to do. The entire test is proctored, including the hands-on. It looks like three days to complete the test and submit a report.
On the surface, it looks like anyone taking the CSFA would already pretty much need to know what they are doing in order to pass the test, versus having weeks to research and get up to speed on anything they were unfamiliar with.
It looks like the CSFA is a bit more realistic. I like the fact that the person taking the test can request additional information. This is something I have not seen before. There are quite a few requirements though; it looks like a difficult test to pull off. I'm going to be attending one of the overview sessions. I'll update this post once I do. I've attended a free class on security that Steve gives and plan on attending the forensics classes at Edmonds Community College where he teaches. I'm pretty impressed with what I've seen so far. I know he teaches law enforcement in my state.
By the way, check out this document on using tools proven in court. I haven't seen anything like this out there yet.
My two and a half cents.
The points you make have merit, Robert.
The hard drive image was on CD. Since I have been doing acquisitions and evidence handling and verification, chain of custody controls, etc. etc. in my "real job", I understand your point about hash verification of source and image. Part of the test process was to treat that image as a source.
(So, if you did not make a hash-verified copy to work from for examination, you were "toast", so to speak 😉)
The time frame for completing all of the examination requirements (written and three practicals) was 90 days; however, you could not get practical #2 until practical #1 was completed, a completely documented report submitted, and graded. Same goes for #3. So there was interchange time to consider. Frankly, for those of us who work "more than full time" anyway, it allowed scheduling hands-on exam time in between real cases… (certainly not 90 days to dedicate to working on these exams)
I guess a proctored test will always be considered more reliable, as long as proper conditions and controls are imposed…(but as you mentioned…"been waiting for over a year for CSFA" 😉
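Both of the posts above turn on the same step: hashing the acquired evidence image and verifying that the working copy you examine matches it (and still matches the hashes recorded at acquisition). The following is an added example written for this page, not code from the thread, the CSFA, or the CCE; the file paths and the 1 MiB "drive image" are constructed stand-ins, and the MD5/SHA-256 pairing is an assumption about what an examiner would record.

```python
import hashlib
import os
import tempfile

# Assumption: record two digests, as examiners commonly do, so a collision in one
# algorithm cannot silently hide an altered copy.
ALGORITHMS = ("md5", "sha256")


def _digest(chunks, algorithms=ALGORITHMS):
    """Feed an iterable of byte chunks through every requested hash and return hexdigests."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Hash an in-memory byte string (handy for tests and small artefacts like a floppy image)."""
    return _digest([data], algorithms)


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a drive image larger than RAM can be processed."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(chunk_size), b""), algorithms)


def verify_working_copy(source_path, copy_path, recorded=None):
    """Compare the working copy against the evidence image.

    `recorded` is the hash set written down at acquisition time (may be None).
    Returns a dict so the examiner can paste both hash sets into the report;
    `ok` is True only if copy == source AND source == recorded (when given).
    """
    src = hash_file(source_path)
    cpy = hash_file(copy_path)
    result = {
        "source": src,
        "copy": cpy,
        "copy_matches_source": src == cpy,
        "source_matches_record": recorded is None or src == recorded,
    }
    result["ok"] = result["copy_matches_source"] and result["source_matches_record"]
    return result


def demo():
    """Constructed scenario: one evidence image, one faithful copy, one copy with a flipped byte.

    Returns (ok_for_good_copy, ok_for_tampered_copy) so the outcome can be checked.
    """
    image = bytes(range(256)) * 4096  # constructed 1 MiB stand-in for an acquired image
    tampered = bytearray(image)
    tampered[12345] ^= 0x01            # a single-bit change, invisible without a hash check

    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "evidence.dd")
        good = os.path.join(workdir, "working_copy.dd")
        bad = os.path.join(workdir, "tampered_copy.dd")
        for path, data in ((src, image), (good, image), (bad, bytes(tampered))):
            with open(path, "wb") as fh:
                fh.write(data)

        recorded = hash_file(src)  # what the acquisition worksheet would carry
        good_result = verify_working_copy(src, good, recorded)
        bad_result = verify_working_copy(src, bad, recorded)
    return good_result["ok"], bad_result["ok"]


if __name__ == "__main__":
    print("good copy verified, tampered copy verified:", demo())
```

Running the script prints `(True, False)`: the faithful copy passes, the copy with one flipped bit fails, which is exactly the "toast" situation described above if you had started examining it. Keeping the verification as a function that returns both hash sets (rather than just printing "OK") lets the values go straight into the report and be re-checked by whoever reviews it.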