Computer Forensics Certifications


Comments

  • JDMurray Admin Posts: 13,092
    FYI: Anyone interested in CF should know about Scott Moulton's hard drive repair and data recovery site: http://myharddrivedied.com/

    Scott Moulton has lots of videos on YouTube, offers classes in the USA, and is a SANS instructor.
  • mark_s0 Member Posts: 82 ■■■□□□□□□□
    A great post on getting started with some tools is: Windows Incident Response: Getting started, or forensic analysis on the cheap

    The blog belongs to Harlan Carvey who writes some very well recommended forensics books. In other posts he also mentions open source tools such as The Sleuth Kit, Helix and Autopsy which would be useful for anyone not able to fork out for the Encase or FTK licensing.

    Another blog I'd recommend is:

    A Day in the Life of an Information Security Investigator

    If you're considering CF in law enforcement, I really would read this post:

    http://johnjustinirvine.com/post/339744451 (it appears down at the moment, but you can view the cached version at google)

    Whilst this post isn't supposed to scare you away from CF, it's an interesting post on the realities of being in the industry.
  • JDMurray Admin Posts: 13,092
    mark_s0 wrote: »
    (it appears down at the moment, but you can view the cached version at google)
    Computer Forensics Eated Mah Soul
  • JDMurray Admin Posts: 13,092
    I just posted a new blog article: Making Hash Sets from VMware Virtual Machines | TechExams.net Blogs

    It's a forensics article on making hashsets; it has a lot of information about mounting VMware virtual disks and ISO files.
  • JDMurray Admin Posts: 13,092
    The 11th Annual CEIC (Computer Enterprise Investigations Conference) is in Orlando in May. It features the ability to attend EnCase and EnCEP classes and get the certs.

    Computer and Enterprise Investigations Conference - CEIC 2011
  • JDMurray Admin Posts: 13,092
    Speaking of EnCase training at universities:
    "To help academia handle the increased demand for new training and courses, Guidance Software's EnCase Academic Program includes everything an educational institution needs to incorporate EnCase effectively into their curriculum. In addition to classroom software, participants in the program can add a license of EnCase Forensic software and self-paced Internet-based on-demand training. This training mirrors the in-class instruction taken by more than 5,000 professionals annually at Guidance Software training facilities. Upon completion of their school's forensic program, students can opt to become an EnCase Certified Examiner (EnCE), giving them a competitive advantage as they enter the workforce."
  • MCSEisme Registered Users Posts: 8 ■□□□□□□□□□
    I am very interested in computer forensics. Please keep us "posted".. lol

    Thanks
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    The SANS Forensics Blog is a good resource too: http://computer-forensics.sans.org/blog/
  • holysheetman Member Posts: 113 ■■■□□□□□□□
    I'm very interested in computer forensics, I've used Backtrack, EnCase, Knoppix for a while and love them... I have a blog that I'm hoping to start posting more on... check it out, leave a comment if you wish (constructive criticism please!)

    Beyond Defensive Hacking

    v/r

    Phillip
  • JDMurray Admin Posts: 13,092
    Whoa, very MySpace-ish! Providing both useful information and a creative outlet. ;)
  • JDMurray Admin Posts: 13,092
    For anyone who uses EnCase and is interested in the EnCE certification, EnCase 7 will soon be released as a "Community Technology Preview." This will take the place of a beta release. The official EnCase 7 product release will be by CEIC 2011 in May. It is expected that the EnCE exam will be changed to EnCase 7 six months after, but this is not final. Based on prior sales, it is expected that upwards of 80% of EnCase 6 owners will have upgraded to EnCase 7 by that time.

    The bottom line is if you are an EnCase 6 user and have been thinking of getting your EnCE cert, you better consider doing it soon, or you'll need to learn EnCase 7 before getting it. If that appeals to you, the EnCase 7 Study Guide is due out in the next 2-4 weeks.
  • JDMurray Admin Posts: 13,092
    I got a look at EnCase v7 preview and here's a collection of hastily-written notes about it: Notes on the Preview of EnCase Version 7 | TechExams.net Blogs
  • holysheetman Member Posts: 113 ■■■□□□□□□□
    yeah that's me messing around with the background hehe
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • JDMurray Admin Posts: 13,092
    I bought Harlan Carvey's Windows Registry Forensics book, but I haven't thumbed through his Open Source tools one. His works are very well respected. In the computer forensics world, all you need do is say "Harlan" and everyone knows who you are talking about.
  • rogue2shadow Member Posts: 1,501 ■■■■■■■■□□
    JDMurray wrote: »
    I bought Harlan Carvey's Windows Registry Forensics book, but I haven't thumbed through his Open Source tools one. His works are very well respected. In the computer forensics world, all you need do is say "Harlan" and everyone knows who you are talking about.

    I grabbed that a bit ago as well. I haven't been able to touch it since CEH and CPT :P

    Everyone I've talked to about that book says it's the de facto Windows forensics book right now.

    CHFI/CCFE wise I'm looking into grabbing this:
    Amazon.com: Computer Forensics Library Boxed Set (9780321525642): Keith J. Jones, Richard Bejtlich, Curtis W. Rose, Dan Farmer, Wietse Venema, Brian Carrier: Books
  • JDMurray Admin Posts: 13,092
    Make sure that a new edition of any of those books isn't due out soon. That set will be heavily discounted if new releases are imminent.
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    I've been thinking more and more about network forensics; it seems difficult and interesting, though I don't see a whole lot on the subject. My guess is I'd have to focus more on network monitoring and apply it to network forensics.
  • JDMurray Admin Posts: 13,092
    Remember that "forensics" is about collecting, analyzing, and documenting evidence that may be used in a court of law. You would need to think about the kinds of evidence that are traveling around a network that need collecting, analyzing, and documenting.

    You would start with the topology of the network and the kinds of systems and services available on it. Next you would look at the network traffic and determine what kinds of useful data and meta-data you could derive from it (that is, what would a prosecuting or defense attorney ask to see).

    Time-lines are usually very important in a case, so knowing "who was doing what when and where" is something that needs to be discovered too. Either you are collecting this information as part of your normal business operations (Operational Forensics) or you are sifting it out of log files and databases after the fact.
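    The "who was doing what, when and where" timeline the post describes, as an added example that is not part of the original post: it merges records from two constructed sources (a firewall log stamped in UTC and a Linux auth log stamped in local time with no year) into one UTC-ordered timeline. The host name, addresses, user and offset are all constructed; the examiner supplies the year and zone for syslog stamps since the lines themselves carry neither.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real logs): a firewall log stamped in UTC and a
# Linux auth log from host ws07 stamped in local time (assumed UTC-5, no year).
FIREWALL_LOG = """\
2011-03-02T14:03:11Z allow src=10.1.2.7 dst=203.0.113.9 dport=443
2011-03-02T14:05:40Z allow src=10.1.2.30 dst=198.51.100.4 dport=22
"""
AUTH_LOG = """\
Mar  2 09:02:58 ws07 sshd[4412]: Accepted password for alice from 10.1.2.7 port 51212 ssh2
Mar  2 09:06:01 ws07 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/scp
"""
FW_RE = re.compile(r"^(\S+)Z (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
USER_RE = re.compile(r"for (\w+) from|^\s*(\w+) :")

def parse_firewall(text):
    # Firewall lines carry an ISO-8601 UTC stamp; 'who' is unknown at this layer.
    events = []
    for m in filter(None, map(FW_RE.match, text.splitlines())):
        ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": "firewall", "who": None, "where": m.group(3),
                       "what": f"{m.group(2)} -> {m.group(4)}:{m.group(5)}"})
    return events

def parse_auth(text, year, utc_offset_hours):
    # Syslog stamps lack year and zone; the examiner supplies both from the host's config.
    tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for m in filter(None, map(AUTH_RE.match, text.splitlines())):
        local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        u = USER_RE.search(m.group(4))
        events.append({"ts": local.replace(tzinfo=tz).astimezone(timezone.utc),
                       "source": f"auth@{m.group(2)}", "where": m.group(2),
                       "who": (u.group(1) or u.group(2)) if u else None,
                       "what": f"{m.group(3)}: {m.group(4).strip()}"})
    return events

def build_timeline(*sources):
    # Merge every source into one UTC-ordered 'who did what, when, where' list.
    return sorted((e for src in sources for e in src), key=lambda e: e["ts"])

if __name__ == "__main__":
    for e in build_timeline(parse_firewall(FIREWALL_LOG), parse_auth(AUTH_LOG, 2011, -5)):
        print(e["ts"].isoformat(), e["where"], e["who"] or "-", e["what"])
```

    Once everything is in UTC, the login, the outbound SSH connection and the sudo-driven copy line up in the order they actually happened, which is what a timeline in a report has to show.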
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Nice, thanks JD!
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    JD, had two questions for you. What are your thoughts on the CHFI? Worth going for? Finally, what are your thoughts on getting a Masters in Digital Forensics as a way to get into the field?
  • JDMurray Admin Posts: 13,092
    the_Grinch wrote: »
    JD, had two questions for you. What are your thoughts on the CHFI? Worth going for? Finally, what are your thoughts on getting a Masters in Digital Forensics as a way to get into the field?
    I've had those same two questions myself. I'm not sure if I have my final answers, but...

    When looking at the CF certs held by "real" CF people, I never see the CHFI; it's always EnCE, ACE, CCE, CCFE, CFCE, etc. Considering how expensive EC-Council certs have gotten, for myself I would probably only go after the CHFI if someone else paid for it and the training. However, the course material still looks good enough to learn from even if you don't take the exam.

    Most CF people do not have a Masters degree, let alone one in CF/DF, so it's not necessary to go to that extreme to learn, or get a job in, CF. It's such a highly specialized Masters degree that I would really consider something more security-generic, such as MSIA or MSIT-IS. That way, if you decide to switch to a different security field, your Masters doesn't seem only relevant for CF.
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    I've been looking at the ACE cert, but it appears to require experience with AccessData's FTK. The only certification I can think of that might have value while also being vendor neutral is the GCFA from GIAC. I spent a couple evenings thoroughly looking through ForensicFocus.com :lol:

    Your thoughts JD?
  • JDMurray Admin Posts: 13,092
    I think most CF certs will be mostly vendor-neutral with some material about the most popular CF software packages (it's like trying to make a cert exam that doesn't mention Windows, Cisco, etc.). A few CF certs are highly vendor-specific and usually created by companies that make CF products. These are simply to provide a level of assurance that people have a minimal level of competency for using specific CF products.

    The ACE is specifically for testing the candidate on the use of FTK for conducting a forensics investigation. The EnCE is the same but for using EnCase. I would not attempt either of those certs unless you have done actual casework using them. The Sybex EnCE Study Guide supposedly has all of the information needed to pass the EnCE written exam, but the experience of knowing how to apply that information is what you need to pass. And then, after you pass the written exam, there is the practical exam, where you actually use EnCase to perform a simulated examination and make a written report. During the exam should not be the first time you attempt to use the software.
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    So would something like the GIAC GCFA or EC-Council CHFI be a good beginning point? I'm starting to get more and more interested but I'm not sure how someone would get hired without any experience with EnCase, etc.

    edit: I've read through much of ForensicFocus.com, but I would be curious to hear your thoughts or anyone else on TE that might have some experience with computer forensics.
  • JDMurray Admin Posts: 13,092
    You usually get into CF by being a member of a legal firm, law enforcement, or being a civilian working for law enforcement, or military law/police. CF requires you to know a lot about working with law enforcement and the court system, so they like people with that background. eDiscovery is a side-way to get into forensics, but they usually want people who already have experience.

    I have asked around about internships and volunteer positions, but because of the current economic situation, programs like that have been scaled back or indefinitely suspended. Doing real CF for criminal/civil cases requires an extensive background check, which is rather expensive, and most agencies don't have the money for that right now.

    In addition to looking for commercial forensics and eDiscovery jobs on dice, monster, etc., have a look at city, county, state, and federal job sites for forensics examiner and analyst positions. That will give you a good idea of what's being looked for. Here is a typical CF job at my local DA's office.
  • notnow Member Posts: 7 ■□□□□□□□□□
    I just took the CSFA & it is a hard test. You receive a case and have less than 3 days to perform an analysis and write a report. Edmonds Community College in Lynnwood, WA has a 2-year program in information security; forensics is a huge part of it. The head of the department is Steve Hailey, a recognized expert in the field of forensics. After you finish the computer forensics classes you can take the AccessData certification, which I successfully completed for FTK/PRTK.

    City University in Bellevue, WA has a program in reverse-engineering/malware analysis, I don't know as much about it.
  • JDMurray Admin Posts: 13,092
    notnow wrote: »
    City University in Bellevue, WA has a program in reverse-engineering/malware analysis, I don't know as much about it.
    It looks like those courses are part of City U's MS InfoSec program: Master of Science in Information Security (MSIS) - City University of Seattle