Forensic
kmornot
Member Posts: 19 ■□□□□□□□□□
I am currently obtaining my Comp Info Sys degree with a Forensic track. I was wondering what are some good forensic certifications to obtain. Any help will be great.
Comments
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□
http://www.eccouncil.org/chfi.htm is the only one that comes to mind, but there might be others.
Edit: I got one out of three... weak -
JDMurray Admin Posts: 13,101 Admin
-
shednik Member Posts: 2,005
dynamik wrote:
http://www.eccouncil.org/chfi.htm is the only one that comes to mind, but there might be others.
Edit: I got one out of three... weak
dynamik you're slipping...get on it!! -
sexion8 Member Posts: 242
kmornot wrote:
I am currently obtaining my Comp Info Sys degree with a Forensic track. I was wondering what are some good forensic certifications to obtain. Any help will be great.
CCE to be taken seriously
http://www.certified-computer-examiner.com/
CHFI - I won't comment much since I'm now a guest "moderator/speaker/online class flunky" from time to time on EC-Council's online courses... Good for incident response! Court of law? CCE... Working @ say the FBI, NSA, Fortune 100 investigative team... CCE all the way
I'm in the Digital Forensics Association now, and they're sort of figuring out a way to sort out the posers from those in the know. The procedures, processes, etc., are being laid out now. It's difficult putting things like this together because most work and the time involved with it can be overwhelming. The vast majority of "heavyweights" in the field are keeping an eye open and getting together for DFA which is kind of cool - until polit(r)ic(k)s take over. If you're serious about forensics though: CCE. If you'd like to join DFA you could ask Suzanne Widup. I'll let you track her information down.
"Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius -
sexion8 Member Posts: 242
kmornot wrote:
Also, how about the EnCase Cert, is that any good?
Yes, no, yes, no, yes, no... Let's change this for a second... So you set out to learn mechanics - how to fix an engine in any car correct? Would you sign up at a school that only taught you how to fix say Acura engines?
The problem with vendor specific certifications is just that - they're vendor specific. So you're an EnCE... You know how to use EnCase. So what. There is more to forensics than running a program. There is a lot involved with filesystems, memory, cache, copying, retention of data, metadata. Forensics is not and should not be a "should I get vendor X's cert?"
Semi detailed information about forensic certifications...
http://certification.about.com/cs/securitycerts/a/compforensics.htm
I have EnCase, Stealth Suite, Helix, TCT, FTK, F.I.R.E., Helix and a couple of others... Personally I prefer to use Helix and intuition. I like Foundstone's toolkit, but I prefer good old-fashioned file carving a-la *nix: Foremost + Scalpel + dd
So ask yourself this question... You invest time and money to learn this only to get interviewed and you're asked on the spot to dissect and analyze something without EnCase... Then what? What steps would you take? See to me, it's all about versatility, a theme I will iterate over and over. Can you do it with say no tools at all? I can and have. Self-taught AFTER the forensics fact. I learned a long time ago to get to know the base of it all, everything else comes easy. Which is why many people nowadays seem puzzled I have no choice/preference in operating systems: E.g.: "What's your favorite distro!@" ... Are you kidding? I don't have one. I'm in a terminal 90% of the time and anyone who knows me can tell you this...
Because I've been around the block, I've tried to teach myself alternative ways of doing things. Hence me never studying PERL only programming in it when it's beneficial to me. I can do the same in awk, sed, ruby, perl, python... It all depends on my mood. My choice of not settling was because I needed to know an alternative if say I was on a system with no access to perl, etc.... sed + awk would almost always be there...
E.g.: They all do the same thing:
ruby -pe 'next unless $_ =~ /something/' filename
grep something filename
awk '/something/' filename
perl -nle 'print if /something/' filename
However on different systems say one running a database, I might use ruby which might be faster for me... In another instance I might be forced to use say awk or sed or grep because I can't install ruby or perl... The end result is the same for me...
So learn the core of it all, don't rely on point and click too much. The rest comes easy and you're not trapped in a one vendor world. My two cents.
"Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
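To make the "know the base of it all" point concrete, here is a minimal signature-based file carver of the kind foremost and scalpel automate: it scans a raw image for known headers and bounds each object by its footer. This is an added example, not code from the thread or from any of the tools named in it; the signature table and the disk image are constructed for the demo.

```python
"""Minimal header/footer file carver (added example, not from the thread)."""
import re

# Constructed signature table (not foremost's or scalpel's config): each type
# maps to (header, footer, max length). The cap bounds a header whose footer
# never shows up, e.g. a file truncated by deletion or block reuse.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 2 * 1024 * 1024),
}


def carve(image: bytes):
    """Return (type, offset, length, data) for every object found in image.

    A header with no footer inside the size cap is reported with length None
    and empty data, so the analyst knows it is there but sees it as truncated
    instead of being handed a blob of unrelated following bytes.
    """
    found = []
    for kind, (head, tail, max_len) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), image):
            start = m.start()
            window = image[start:start + max_len]
            end = window.find(tail, len(head))
            if end == -1:
                found.append((kind, start, None, b""))
                continue
            end += len(tail)
            found.append((kind, start, end, window[:end]))
    return sorted(found, key=lambda rec: rec[1])


def build_sample_image() -> bytes:
    """Constructed image: zero filler, a JPEG, a PNG, then a truncated JPEG."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 20  # header, no footer
    filler = b"\x00" * 64
    return filler + jpg + filler + png + filler + truncated + filler


if __name__ == "__main__":
    for kind, offset, length, _ in carve(build_sample_image()):
        state = "truncated" if length is None else f"{length} bytes"
        print(f"{kind} at offset {offset}: {state}")
```

Swap `build_sample_image()` for `open("image.dd", "rb").read()` to run it over a real dd image; a production carver would add per-type validation (for example parsing JPEG segment markers) to reject false positives such as a header that is really an embedded thumbnail.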