Computer Forensics Certifications

One of the transient InfoSec topics on TechExams.net is that of Computer Forensics (CF). In 2010, I had a chance to dig into this field and ended up writing this blog article on CF certifications:

Computer Forensics Certifications | TechExams.net Blogs

It looks like I'll be continuing with my CF studies into 2011, and maybe picking up a CF cert or two. If anyone is interested in CF, please post here and we'll see what TechExams.net can get going to contribute to the CF cert community.

--JDMurray

Comments

  • ibcritn Member Posts: 340
    I will certainly contribute information when I start studying for CHFI. What sort of information are you looking for?
    CISSP | GCIH | CEH | CNDA | LPT | ECSA | CCENT | MCTS | A+ | Net+ | Sec+

    Next Up: Linux+/RHCSA, GCIA
  • mark_s0 Member Posts: 82
    Great blog post JDMurray!

    An interest in digital forensics training was what got me into IT initially. Although my interest now is more network security focused, I'm still interested in any related posts.

    During my research into the field, I came across some excellent resources, both forums and tools. I'm not sure on the rules on advertising other forums so I'll leave it up to Google for people to find them. I believe SANS do a free Linux forensic toolkit to get anyone started with low-level data analysis. It comes with FTK Imager.
    Real Digital Forensics and File System Forensic Analysis are both books I own and would recommend. I would warn the latter is very in depth.

    Mobile phone and PDA knowledge is often required for forensic tech jobs too due to current smartphone capabilities.

    I could be wrong, but I heard most states in the US require anyone carrying out forensic work to have a PI license?
  • mark_s0 Member Posts: 82
    JDMurray, what area of forensics do you work in? Private, Gov'ment or Law enforcement?
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I am interested.
  • rogue2shadow Member Posts: 1,501
    I am interested.

    +1. I was thinking CHFI in 2012.
  • Chris:/* Member Posts: 658
    I am completing my CHFI in 2011.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • JDMurray Admin Posts: 13,101
    ibcritn wrote: »
    What sort of information are you looking for?
    I am just looking for participation by TE members interested in computer forensics. Any input is appreciated! :D
  • JDMurray Admin Posts: 13,101
    mark_s0 wrote: »
    JDMurray, what area of forensics do you work in? Private, Gov'ment or Law enforcement?
    I write software that performs forensics(-like) operations for most any type of situation, but Malware discovery/analysis/attribution is the hot thing right now.
    mark_s0 wrote: »
    Great blog post JDMurray!
    Thanks! :D
    mark_s0 wrote: »
    An interest in digital forensics was what got me into IT initially. Although my interest now is more network security focused, i'm still interested in any related posts.
    The technical side of CF was what initially pulled me in, but I really like the legal aspects too, although writing all the documentation (chain of custody) is a bit tedious.
    mark_s0 wrote: »
    During my research into the field, I came across some excellent resources, both forums and tools.
    I should write up a blog article on free tools to get people started. There are a lot of them out there. I'm using PALADIN from www.sumuri.com a lot now. The trial releases of commercial packages, like EnCase and FTK, are useful for learning too.
    mark_s0 wrote: »
    It comes with FTK Imager. Real Digital Forensics and File System Forensic Analysis are both books I own and would recommend. I would warn the latter is very in depth.
    Yeah, it's impossible to do "just a little computer forensics." You need to dive right into storage system and file system structures. It gets down into the meat of computer systems pretty quickly.
    mark_s0 wrote: »
    I could be wrong, but I heard most states in the US require anyone carrying out forensic work must have a PI license?
    It does vary by state. Yes for Texas, no for California, and I'm not sure about the rest. There are also exceptions for people who work at law firms, civilian employees of law enforcement agencies, etc. That would be a good list to compile.
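The post above touches on imaging tools, chain-of-custody paperwork and the need to understand storage structures before doing any real analysis. As an added example that is not part of the original thread or of any tool mentioned in it, the Python below does two of the first things an examiner does with a raw (dd-style) image: it parses the MBR partition table from sector 0 to locate the volumes, and it hashes the image so the acquisition hash can be recorded and re-verified before analysis. The 512-byte sector is constructed inline for the demo; it is not from a real disk.

```python
"""Added example: read an MBR partition table from a raw disk image and
hash the image for a chain-of-custody record. The sample sector below is
constructed for the demo; it does not come from any real disk."""
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR
# A handful of common partition-type codes, for readable output only.
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty partition entries from an MBR sector.

    Each of the four 16-byte entries starting at offset 446 holds: status
    byte (0x80 = bootable), 3 bytes CHS start, type byte, 3 bytes CHS end,
    then 32-bit LBA start and 32-bit sector count (both little-endian)."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("0x55AA boot signature missing: not an MBR, or damaged")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue  # unused slot
        parts.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "lba_start": lba_start,
            "sectors": count,
            "byte_offset": lba_start * SECTOR,  # where the volume begins in the image
            "byte_length": count * SECTOR,
        })
    return parts


def hash_image(data: bytes) -> dict:
    """MD5 and SHA-256 of the acquired image, as written on the chain-of-custody
    form. Recording two algorithms is conventional so that a weakness in one
    does not undermine the record."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_image(data: bytes, expected_sha256: str) -> bool:
    """Re-hash the image before analysis and compare with the acquisition hash."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR with two partitions (demo data, not a real disk)."""
    def entry(bootable, ptype, lba_start, count):
        return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba_start, count)
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xeb\x3c\x90"                       # stand-in boot-code stub
    sector[446:462] = entry(True, 0x07, 2048, 20480)    # NTFS, 10 MiB, bootable
    sector[462:478] = entry(False, 0x83, 22528, 40960)  # Linux, 20 MiB
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    image = build_sample_mbr()
    record = hash_image(image)
    for p in parse_mbr(image):
        print("slot %d %-14s LBA %8d  %10d bytes%s" % (
            p["slot"], p["type_name"], p["lba_start"], p["byte_length"],
            "  (bootable)" if p["bootable"] else ""))
    print("acquisition sha256:", record["sha256"])
    print("verified:", verify_image(image, record["sha256"]))
```

On a real image you would read the first 512 bytes of the file and pass them to parse_mbr; the byte_offset of each entry is where a file-system parser would start. A GPT disk shows up here as a single 0xEE protective entry, which is the cue to parse the GPT header at LBA 1 instead.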
  • JDMurray Admin Posts: 13,101
    Chris:/* wrote: »
    I am completing my CHFI in 2011.
    I'm checking if I can do EnCE first then CHFI next. That would take me all of 2011 if I started right now.
  • Chris:/* Member Posts: 658
    JDMurray wrote: »
    I'm checking if I can do EnCE first then CHFI next. That would take me all of 2011 if I started right now.

    I hope you have some capital or access to EnCase for the EnCE. I have pretty significant experience with the software, but it is really for people who have access to it. That being said, EnCE coupled with experience as you have shown will quickly vault you into a great position. Best of luck!
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • JDMurray Admin Posts: 13,101
    The hitch with the EnCE (and EnCEP) is that attending some sort of training in EnCase is a requirement for the certification. I'm not sure if the college classes I'm taking now will qualify me to take the exam, but I'll find out soon. You can waive the training requirement if you have professional computer forensics examination experience, but I'm not that far yet.
  • Chris:/* Member Posts: 658
    It should fulfill the requirement; they really like seeing DCI training though. DCI has webcast training they can get you into if you can show your employer has a need for you to understand forensics.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • thebogman87 Member Posts: 9
    I'm in a master's program in High Technology Crime Investigation (a mouthful for what's simply computer forensics) at George Washington University. I am hoping to knock out a few certifications while I'm still in school. I just don't know which certs I wanna get yet. I'm hoping to get some guidance before I take the plunge, haha; don't wanna waste time getting certs that aren't going to help me yet.
  • veritas_libertas Member Posts: 5,746
    I would enjoy getting involved in Computer or Network Forensics eventually. The only hitch with Computer Forensics is that it appears to still be heavily bent towards folks with past law enforcement or legal experience.
  • -Foxer- Member Posts: 151
    Thanks for this thread, there's some useful info. I'm planning on doing CHFI this year as a part of the WGU Masters program.
  • JDMurray Admin Posts: 13,101
    The only hitch with Computer Forensics is that appears to still be heavily bent towards folks with past law enforcement or legal experience.
    If you actually want to earn a living in CF then you'll need to learn how to write legal documentation, interact with attorneys and law enforcement personnel, and testify in depositions and court as an expert witness (litigation support specialist). Doing only the technical side of CF will only land you employment as a $15/hr lab tech imaging hard drives, managing the property room, and filling out lots of paperwork.
  • thebogman87 Member Posts: 9
    JDMurray wrote: »
    If you actually want to earn a living in CF then you'll need to learn how to write legal documentation, interact with attorneys and law enforcement personnel, and testify in depositions and court as an expert witness (litigation support specialist). Doing only the technical side of CF will only land you employment as a $15/hr lab tech imaging hard drives, managing the property room, and filling out lots of paperwork.

    I'd agree this is true only if you're looking to do what's considered traditional forensics. Computer forensics can also branch out into other fields such as malware forensic research, reverse engineering, and incident response. I particularly don't have very much interest in law enforcement and criminal justice. I'm more interested in ripping things apart and learning every detail.
  • veritas_libertas Member Posts: 5,746
    JDMurray wrote: »
    If you actually want to earn a living in CF then you'll need to learn how to write legal documentation, interact with attorneys and law enforcement personnel, and testify in depositions and court as an expert witness (litigation support specialist). Doing only the technical side of CF will only land you employment as a $15/hr lab tech imaging hard drives, managing the property room, and filling out lots of paperwork.

    Agreed (my Father-In-Law has done some electronic forensics) but how do you get into an IT position that opens the door for this other than having a legal or Law Enforcement position?
  • JDMurray Admin Posts: 13,101
    Computer forensics can also branch out into other fields such as malware forensic research, reverse engineering, and incident response.
    True, but you need to consider just how much forensics is--or isn't-- used in other fields.

    For example, Malware research uses forensics for identifying and collecting Malware from endpoints, midpoints, and networks, and somewhat for the attribution of the Malware's origin. However, the majority of the work in Malware research falls under the categories of software engineering, computer science, historical research, and report writing/presentation. These fields are probably not what most people interested in computer/network forensics want to be doing most of their time. They are likely to be disappointed by how little true forensics work they end up actually doing as a Malware researcher.
  • JDMurray Admin Posts: 13,101
    but how do you get into an IT position that opens the door for this other than having a legal or Law Enforcement position?
    The way in now is through the field of Electronic Discovery (eDiscovery). In eDiscovery, forensics techniques are used to collect information from organizations to be used in litigation. You work either for the corporation being sued or for a law office that is either on the prosecution or defense. The majority of the hard work is in communicating with the different organizational departments that own the information that is needed. Get used to working with email and database servers, file storage systems (NAS, SAN), AD, LDAP, BlackBerry Enterprise Server (BES), and all sorts of software apps used to store and retrieve information. eDiscovery is not true computer forensics (e.g., physical disk imaging, chain of custody, common forensics tools), but it's what gets your foot in the door.
  • veritas_libertas Member Posts: 5,746
    JDMurray wrote: »
    The way in now is through the field of Electronic Discovery (eDiscovery). In eDiscovery, forensics techniques are used to collect information from organizations to be used in litigation. You work either for the corporation being sued or for a law office that is either on the prosecution or defense. The majority of the hard work is in communicating with the different organizational departments that own the information that is needed. Get used to working with email and database servers, file storage systems (NAS, SAN), AD, LDAP, BlackBerry Enterprise Server (BES), and all sorts of software apps used to store and retrieve information. eDiscovery is not true computer forensics (e.g., physical disk imaging, chain of custody, common forensics tools), but it's what gets your foot in the door.

    How does someone get into this kind of position? What kind of certifications and education would help? I would assume that at the least an A+ and Bachelor degree?
  • JDMurray Admin Posts: 13,101
    How does someone get into this kind of position? What kind of certifications and education would help? I would assume that at the least an A+ and Bachelor degree?
    Look up eDiscovery jobs on dice.com and check what hiring managers are asking for in terms of education, certification, and experience. I would suggest first searching on the term "electronic discovery" and then going on from there.
  • Chris:/* Member Posts: 658
    You really want a degree in either Electrical Engineering or Computer Science if you want to get into reverse engineering and malware analysis. That is not to say that is the only way to get there. When I received my forensics training the two gentlemen were ex-army with a ton of experience. If you are in the military you can join one of the special police units to get your foot in the door.

    There are a number of certification providers but you do need a solid foundation in the way the world of computers works. It also depends as JD pointed out in what part of the forensics world you want to work in.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • thebogman87 Member Posts: 9
    JDMurray wrote: »
    They are likely to be disappointed by how little true forensics work they end up actually doing as a Malware researcher.

    I think I was more disappointed finding out that a lot of computer forensics work is just running grep tools on EnCase haha (not being entirely serious)
  • JDMurray Admin Posts: 13,101
    Chris:/* wrote: »
    You really want a degree in either Electrical Engineering or Computer Science if you want to get into reverse engineering and malware analysis.
    All of the people I know who do genuine Malware research--including reverse engineering--have neither of those degrees. They are just programmers with a genuine desire and aptitude to completely understand how executable binaries are constructed, what they do when run, how they got where they were found, and discover who built them. That (and Google) is all it takes.
  • Chris:/* Member Posts: 658
    That is interesting, because the people I have talked to who do the work for the FBI and DOJ told me to earn a degree in CS or EE; otherwise they would not pick up the candidate. The exception they did state was, of course, lots of previous experience, but starting out they suggested the degrees.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • JDMurray Admin Posts: 13,101
    I think I was more disappointed finding out that a lot of computer forensics work is just running grep tools on EnCase haha (not being entirely serious)
    There is a lot of boring, tedious work like that. Much of the time you are only collecting information that a lawyer tells you to look for. You won't be interpreting the information or performing many Sherlock Holmes-like deductions. But it can be quite a challenge to find and reconstruct hidden or damaged information, much like a coroner trying to reconstruct a murder from the condition of a body. You also need to decide when to stop looking for stuff, because 80% of the systems you'll examine won't have what your lawyer is looking for, so you can waste a lot of time exploring a "sterile field." The biggest problem can be finding ways not to be bored with the work because it's usually not a very creative activity.
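The "grep on EnCase" joke and the reply about reconstructing hidden or damaged information both describe the same everyday task: finding file content in space no file system entry points to any more. As an added example that is not part of the original thread or of any tool named in it, the Python below does signature-based carving, the technique a forensic suite uses to recover deleted files: scan unallocated space for known header bytes, then cut out everything up to the matching footer, and keep a truncated remnant when the footer is gone because the tail was overwritten. The "unallocated space" is constructed inline for the demo; the JPEG and PNG header and footer bytes are the standard ones, the file bodies are placeholders, not real images.

```python
"""Added example: carve files out of unallocated space by header/footer
signature, as forensic tools do to recover deleted or partially overwritten
files. The image bytes below are constructed for the demo."""
import hashlib

# (header, footer) magic bytes per file type. The JPEG footer is the EOI marker,
# which can also occur inside image data (e.g. an embedded thumbnail), so a
# carved JPEG may come out short; real tools also validate internal structure.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer after 10 MiB


def carve(image: bytes, max_len: int = MAX_CARVE) -> list:
    """Return carved objects sorted by offset. Each entry records type,
    offset, size, whether the footer was found, and a SHA-256 of the carved
    bytes (recovered items are hashed just like acquired images)."""
    found = []
    for name, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_len)
            end = image.find(footer, pos + len(header), limit)
            if end != -1:
                data, complete = image[pos:end + len(footer)], True
            else:
                # Footer overwritten or beyond max_len: keep what is left,
                # flagged as damaged so the examiner knows it is partial.
                data, complete = image[pos:limit], False
            found.append({
                "type": name,
                "offset": pos,
                "size": len(data),
                "complete": complete,
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            # Continue just past this header rather than past the carved file,
            # so a file embedded inside another is also reported.
            pos = image.find(header, pos + len(header))
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': two intact files plus one JPEG whose
    tail was overwritten (demo data only; the bodies are filler, not images)."""
    def filler(n):
        return b"\x00" * n
    jpeg = b"\xff\xd8\xff\xe0" + b"A" * 50 + b"\xff\xd9"        # 56 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"B" * 30 + b"IEND\xaeB`\x82"  # 46 bytes
    torn = b"\xff\xd8\xff\xe0" + b"C" * 20                      # no EOI marker
    return filler(1000) + jpeg + filler(500) + png + filler(300) + torn + filler(200)


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        state = "complete" if hit["complete"] else "TRUNCATED"
        print("%-4s at offset %6d, %5d bytes, %s, sha256 %s..." % (
            hit["type"], hit["offset"], hit["size"], state, hit["sha256"][:16]))
```

On a real case the input would be the unallocated clusters exported from the image, and the carved objects would be written out under their offset as a name and hashed into the evidence log; the complete flag is what tells you which recoveries are worth opening and which are fragments.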
  • JDMurray Admin Posts: 13,101
    Chris:/* wrote: »
    That is interesting because of the people who I have talked to who do the work for FBI and DOJ told me to earn a degree in CS or EE otherwise they would not pick up the candidate. The exception they did state was of course lots of previous experience but starting out they suggested the degrees.
    Every hiring organization has their own requirements. I guarantee you someone working in reverse engineering for a few years at a place like McAfee or Symantec who doesn't even have a degree would be snapped up by the DoJ or DoD (or a subcontractor) pretty quickly. It's a proven track record in the ability to do the work that gets you in the door.
  • Chris:/* Member Posts: 658
    Oh I agree! Too often HR Goons create speed bumps or unnecessary road blocks.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • Broodmdh Member Posts: 10
    CF is something I've developed quite an interest in, and I'd love to see my career move in that direction. I'm looking into my CHFI for 2011, but I'm not sure how realistic that is. I'd be interested in seeing more CF topics on these boards, too.