Sunday, March 1, 2009

Computer Forensics Certifications - Are they really worth it?

This is a post that is probably going to garner some negative comments.

What good are certifications. really?

1. They can get you a job interview.
2. You can use them to qualify as an expert in court.
3. You get to put letters after your name.

As far as 1 and 2 are concerned, they aren't really necessary, just helpful.

Certifications are big business.  Considering that certifications tend to be expensive and time consuming to get, do they really offer a return on the investment?

Becoming certified for a piece of vendor specific software such as Guidance Software's EnCE or Access Data's certification does not really make you a better user of the software.

Getting other certifications that are vendor neutral so to speak, don't really make you a better examiner.

Most certification tests are just rote memorization of answers that will allow you to pass the test.

The "practicals" that some require are pretty contrived and become a guessing game as to what the test scorer is looking for.  Since not every agency does reporting the same way, there is not a standardized way of doing a "practical".

I have held both a refrigeration license and a commercial general contractor license.  Both of these required very long tests, up to eight hours.

Neither of the tests reflected anything remotely resembling the skills needed to actually build a building or install a refrigeration system.

They did reflect the skills needed to pass the tests.

Maybe I should put UGCL and RCL after my name.  At least it would be fun to see people's reaction when they ask what those mean.

While I am not against certifications, I question their value in the real world.  At one time the marketplace was flooded with A+ and Microsoft certified folks.  I had a guy that worked for me who held both the A+ and the MCSE certifications.  Sadly, he could not install a modem in a computer and make it work.  Nor could he even begin to set up a router or install a network.

I know guys that collect certifications like some women collect shoes.  Since their companies are willing to pay for them, they just keep going and going to boot camps and various training targeted toward getting the certifications.

I recently did some interviewing for a position I had open.  It was interesting how many people, certified or not, could not explain to me what a router does or answer something as simple as what is a non-routable IP address.

Or the difference between a hub and a switch.  Or how to set up sub-netting.

Or what the probable cause of your DHCP server service shutting down on a MS server.

Let alone port forwarding, NATing, or what a DMZ is.

That is before I ever asked any forensic type questions such as; Can you explain to me, in plain terms like someone who never uses a computer would understand,

1. What does it mean to defragment a hard drive?
2. What happens when you view a web site?
3. What is the internet cache and why is it important?
4. What is unallocated space?
5. What is a file system?

and so forth.

Do I really care if they know that floppy drives use the FAT12 format?  Not really.

I do care that they understand the FAT32, NTFS and have some idea of HPFS and EXT2 systems.  You can look that stuff up in a reference book.

At the end of the day, real knowledge only comes from experience.  Granted, you need to know what a tool is doing so you can explain the process that is used to carve out web pages, or how to verify that you are seeing the entire contents of a hard drive. (Think Host Protected Area)

While I would love to have someone as smart as Brian Carrier or Harlan Carvey or Mark McKinnon working with me, there are not a lot of those guys floating around unemployed.  And I probably can't afford them anyway.

From my standpoint, if you apply for a job with me and I am scanning resumes, certifications plus experience will get you an interview.

But only real, practical knowledge and the ability to communicate is going to get you a job.

And I cannot stress enough how important the ability to communicate clearly is to being successful in this field. (Think court testimony.)


  1. I think you forgot an important point for certifications - marketing. Many customers and clients feel reassured by seeing the alphabet soup behind a person's name. I agree that there are certified individuals who are not up to snuff, but potential clients might not recognize that immediately and still choose them over a non-certified individual.

  2. Experience is by far the very important in this field, but there is ZERO excuse for someone that has "experience" in digital forensics NOT to get at least one form of certification. I am not talking about a vendor specific certification either. I am talking about something like the CCE, CFCE, etc.

    Anyone can be an "expert" by buying EnCase, FTK, CelleBrite, CellDEK, etc. and pushing a few buttons to see if evidence is there or not. But do you really want to sit on the stand as a "button jockey"? A true expert should be able to explain the intricacies of what the program is doing "behind the scenes." Anyone can start a "recover folders" script to recover deleted folders. But not everyone can do so MANUALLY - and explain what these automated processes are doing. Anyone can hook up a cell phone to a computer and pull the file system, but until you do things like carve out the data manually from a physical dump and decode the dates and times of text messages, you should not be considered an expert.

    Again, there is NO EXCUSE for a true expert in this industry to NOT have certifications in what they think they are experts in.

  3. What about the argument that certifications help standardize the forensic process for everyone - whether or not they are certified?

  4. I have heard this argument over and over, and it is offending. I can tell the difference between a router and a hub, I can subnet, I can explain the $MFT; I am a very good forensic analyst.

    So how can I prove that? I get certified.

    Only to have the entire process debunked because folks like to point at that large group of people who are certified but just don't know jack.

    And I end up getting lumped in to the whole lot of 'em.

    So how does a certified person who really does deserve the certification differentiate himself?

    Well if you want to hire me, I guess you can call my employer, because they'll tell you that I kick ass. Too bad there's no certification for that.

  5. Are certifications necessary?

    Please note the following article and in particular the members of the committee listed at the bottom of the article.

    Someone thinks they are necessary.


I have moderated my comments due to spam.