Need Help Deciding (Poor Forensic Guy)

Vesalius

So, I'm new to the forensic world, and after some good experience extracting data off of cellphones, HDD's, and etc.
I thought it's time to treat my self with getting some certified certificates.

So, cut a long story short, I've done my research, made an account on this amazing website, did some reading on the GIAC website, and I think nothing beats the Global Information Assurance Certification and so I'm going to start of by throwing questions at you experts out there to help me out on which direction to take.

I've obviously looked at there Forensics section on the website [HTML]http://www.giac.org/certifications/forensics[/HTML]
but only to find categories that were totally un-related to what I do and there ordering of the subjects being really weird, EXCEPT for the ONE.

The GASF: GIAC Advanced Smartphone Forensics

After some reading I found that this is the only field that is related to my current job and work, and this would be the most appropriate course to take immediately.

After reading about the courses above that, such as the (GCFA, GCFE, GREM, GNFA) I was just wondering if any of those are Required prior to taking the GASF, or if not required, required so as to be ABLE personally to take the GASF and successfully pass or to look good on my Resume?

I want to know why the GCFA and GCFE would be necessary to learn prior to the GASF, or even the GREM or GNFA since the GNFA is looking towards a Network Engineers or Technicians perspective Not a Digital Forensics Examiners one, and the GREM being a Network Admin's job?

I'm concerned about this since the GIAC website has ordered these subjects from top to bottom. So if I take a GASF, it would not be anything related to the others?

Also could someone tell me the difference between a GCFA and GCFE, and how one examines and how the other analyzes, like an example would be great, since they both analyze windows?

As I said I'm new to the world, so I apologize if I sound really noob to any of this, I'm just trying to figure out what's best for me!

These 3 sound most right to me and my field of work after reading about them, and to take them in this order below,

1- GCFE (GIAC Certified Forensic Examiner)
2- GCFA (GIAC Certified Forensic Analyst)
3- GASF (GIAC Advanced Smartphone Forensics)

What do you think?

Thanks In Return,

Vesalius

the_Grinch

According to the course website FOR585 has no pre-reqs in order to take the course. So if you are working strictly mobile forensics my assumption is you can take just that course. Someone who has taken the course might be able to shed some more light on whether others should be taken before hand.

cyberguypr

GCFE is basically dead box forensics: log analysis, browser forensics, etc. GCFA focuses on live systems, more incident handling/investigation and memory analysis.

Keep in mind that GIAC exams come directly from the SANS courses. If you challenge the test without taking the corresponding class you could be at a disadvantage. Since the test costs $1,149 I normally recommend going through the Work Study Program where you get the physical class, virtual class, and exam for one low price of $1,100. It's a gamble because it may take a while to get approved/accepted plus you have to commit 6 days to work an event. Anyway, something you may want to explore.

beads

It would be helpful to understand what it is your really doing currently. Sounds like your doing phone forensics now and likely comfortable with the intermediates of DD and the usual "dead box" tools but going farther with phone forensics is what's driving the current need.

The other route would be to suck it up and take one of the vendor based certs from EnCase or FTK which would also give you the in court credentials needed for expert witness.

Learning Android "Marshmallow" now in comparison. Interesting new wrinkles to explore.

- b/eads

PJ_Sneakers

It also depends on whether or not you can afford the SANS classes plus the GIAC certification fee. They are pricey. If you can get over the financial hurdle, I see absolutely no reason why you should not pursue all of the GIAC certs you listed above. If you really want to learn this stuff, there pretty much are no better venues for learning this stuff in detail (in my opinion). I've never attended a SANS class, but I know that I would be better off if I had SANS training.

I know that if I could go to SANS, I definitely would. So if you can, I'd say do it.

TechGromit

Someone please correct me if I'm wrong, but isn't Forensics advanced Incident Response? I would think any potential employer would like you to have some Incident Response experience before giving you an advanced Incident Response position. I believe this is a case where skipping steps isn't a good idea.

jeremywatts2005

@TechGromit you are exactly right in most cases. Every job I have worked even though I was digital forensics/focused operations I had to also be able to work every tier below me. Which includes IR, Monitoring, Analytics, Intelligence and so on. That is in the corporate world I have been in and also a SOC. I did all the collaboration with IR for network forensics, malware and so on. Usually you move through the tiers from monitoring, analytics, IR and then Digital Forensics. Lifecycle goes detection, event, determination, if incident then IR and finally if an investigation is needed it goes to digital forensics. IR guys were not to use the word investigate or use evidence. Instead they use words like analysis and samples or specimens. The other terms imply a higher level of analysis and in depth work that could lead to a legal case.

Vesalius

You have a point and that's the thing, what would be the best order to get CERT's for my career, and how would it impact my workflow?

Vesalius

jeremywatts2005 wrote: »

@TechGromit you are exactly right in most cases. Every job I have worked even though I was digital forensics/focused operations I had to also be able to work every tier below me. Which includes IR, Monitoring, Analytics, Intelligence and so on. That is in the corporate world I have been in and also a SOC. I did all the collaboration with IR for network forensics, malware and so on. Usually you move through the tiers from monitoring, analytics, IR and then Digital Forensics. Lifecycle goes detection, event, determination, if incident then IR and finally if an investigation is needed it goes to digital forensics. IR guys were not to use the word investigate or use evidence. Instead they use words like analysis and samples or specimens. The other terms imply a higher level of analysis and in depth work that could lead to a legal case.

How different is it being someone analytical or someone that is an examiner in the world of forensics? How in-depth can you get in each one and how would it be different, or would mastering both be possible and useful to your workplace?

Vesalius

beads wrote: »

It would be helpful to understand what it is your really doing currently. Sounds like your doing phone forensics now and likely comfortable with the intermediates of DD and the usual "dead box" tools but going farther with phone forensics is what's driving the current need.
- b/eads

So I'm currently working on digital forensics, the majority of my work is based on phones (of all types) and I can say I have very good experience in doing my job really well, with a 90% success rate in examining and then extracting phones.

The thing also is I can derive from other areas to, so that means I may have the opportunity to go through other paths of forensics, and I was wondering what you think would be most beneficial to get into, both money wise and uniqueness wise?

PJ_Sneakers

How are you going to pay for the training? That has a lot to do with what you do.

I had a great plan for getting GIAC certified. I wrote a proposal, and got my management on board. And then they said OH HELL NO when they saw the price tag.

Vesalius

PJ_Sneakers wrote: »

How are you going to pay for the training? That has a lot to do with what you do.

I had a great plan for getting GIAC certified. I wrote a proposal, and got my management on board. And then they said OH HELL NO when they saw the price tag.

Don't worry about payment, but would you be kind enough to send me your proposal?
Hopefully I will make it work and I'll be able to tell the story

IvDogg

How I sum it up:

GCFE - How to actually recover physical data from a box, not sure if the class comes with it still, but used to give out one of those hard drive write blockers and the labs go through the actual steps and tools for gathering forensic data.
GCFA - How to analyze evidence gathered in GCFE, does NOT cover how to actually capture forensic images/data. Covers memory analysis (live system memory capture & hiberfile or vmem/similar as well as disk image analysis. Analyze how to identify malware using forensic data and create a timeline of events. Awesome course capstone.
GNFA - How to analyze/timeline and carve forensic evidence using only PCAP and netflow captures. Really good class, I really liked this one.
GREM - Take the malicious files discovered from any of the above and figure out what it's trying to do.

I haven't done GASF, so I can't say whether any of these are recommended, but hopefully this info helps you decide... If you google the SANS DFIR brochure, it recommends 408 before any of the 500 series DFIR courses.

-Ivan