Armresl,
After you add travel + hotel stay + training fee + lost work / time away from work = pricy. I am fan of vendor neutral training, like CCE, SANS etc.
There is no wrong answer here. It's personal preference.
IMHO two main issues have been identified in this post
I think most examiners/practitioners will say that you need more than one main forensic tool, mainly in order to compare and validate results
Dual tool verification is extremely important in this field. You only need to check the bug fixes and versions of the common software to see why this can affect your result, add this to the fact that some tools perform better in different areas (for example handling email, decoding certain filetypes) and you see why this is important.
while testing and verifying the results yourself is really nice, you can't put that on your CV and prospective clients wont give that much weight at all.
armresl is right, it won't add any weight to your CV, BUT You only need to read this and other forums to see why testing and verifying the results yourself is SO important. Having confidence in; and understanding of; your results will show through if you are ever questioned on them for example in the enviroment of a court or tribunal; and it will build your own knowledge and skills if you know what the tool is actually doing
just a thought…
Paul Slater
IMHO two main issues have been identified in this post
while testing and verifying the results yourself is really nice, you can't put that on your CV and prospective clients wont give that much weight at all.
armresl is right, it won't add any weight to your CV, BUT You only need to read this and other forums to see why testing and verifying the results yourself is SO important. Having confidence in; and understanding of; your results will show through if you are ever questioned on them for example in the enviroment of a court or tribunal; and it will build your own knowledge and skills if you know what the tool is actually doing
Paul Slater
I am interested in the general consensus that personal research is of no value on the CV or to clients. Why should this be? In the academic world research and published papers/books is one of the main ways that one is judged. If your CV shows a period of self study or research should this not be something that enhances one's value to a client?
At a slight tangent if asked in Court how it is known that results are valid would not a reply that one had written and validated the software one's self (and submitted it to peer review) be as impressive as saying that a standard package had been used?
If your CV shows a period of self study or research should this not be something that enhances one's value to a client?
I think there is a distinct difference between a period of research/self study, and the process of testing/verifying the results obtained during a forensic examination using other tools/methods.
I think there is a distinct difference between a period of research/self study, and the process of testing/verifying the results obtained during a forensic examination using other tools/methods.
Of course there is, the latter should be a routine part of any examination and, hopefully, paid for by the client. The former is normally undertaken at one's own (or one's employer's) expense and is not for the benefit of any particular client. The point that I was trying to make was simply to question the generally negative view of this type of research activity
Any scientific project or investigation, especially computer forensics should always be personally verified by the expert of investigator.
This for many of the reasons mentioned, more specifically for credibility when called upon to anwer depositions and court proceedings. Experts are like craftsman who must stay sharp and on their "game" if you will. if you have ever delt with attorneys, one knows where I am coming from.
Two methods are always better, just to say what you have atated and more importantly to hear that attorney say, "No firther questions" when you are prepared for the challenge.
Take care
Mark
I personally like both products. I would also suggest a copy of Encase version 5. Remember a mechanic doesn't disassemble an engine with just a small box of tools. He/she has a whole tool chest and uses the best tool for each individual job. Just my 2 cents.