Sunday, March 1, 2009

Part 2 - Computer Forensics Certifications, Are they really worth it?

Apparently my post hit a nerve.  So I thought I would explore this a little more and get to the heart of the matter about certifications in this field.

And I am sure that I am going to get some more comments, because I am going to state the truth as I see it.

Certifications, as they stand today, don't mean anything.

Ok, I said it.  Now I have to back it up. Here goes.

Holding a certification would only mean something if it was required for you to practice in the field.  The fact that you can practice "forensics" with no more than a how-dee-do to your credit leaves the field open to "button jockeys".

This ain't IT folks.  No offense to the huge number of computer support people out there, I spent many years doing IT work and still do some of it for selected clients.

But at the end of the day, if Mary isn't getting her email for a few hours, no one is going to prison or going to die because of it.

That is the difference.  When you start tossing around the word forensics, you are entering a totally different arena where what you do has an impact on people's lives.

And certifications, as they stand today, do nothing to standardize the field, because the certifications are not standardized.

I consider myself to be a "kick ass" defense expert.  Is there a certification for that? Yes, there is.  It's called references. And I have a lot of them.  Including some from cases where my work directly kept someone from going to death row.

DanMiami says, "Again, there is NO EXCUSE for a true expert in this industry to NOT have certifications in what they think they are experts in."

I have to reply that there is no real driving reason to get certifications.  Having one will not enable someone to explain the inner workings of how file carving works, or data recovery or how to recover an MS Exchange EDB.

As long as you can buy a book and attend a short boot camp to get a certification with no prior experience, their value is pretty low to me.

And that is the truth about it.  Right now, certifications are as valuable as the individual who gets them thinks they are.

A certification, a professional does not make.

Someone else pointed out an article from the National Academies of Sciences where they state, "Certification and Accreditation Should Be Mandatory
Many professionals in the forensic science community and the medical examiner system have worked for years to achieve excellence in their fields, aiming to follow high ethical norms, develop sound professional standards, and ensure accurate results in their practice.  But there are great disparities among existing forensic science operations in federal, state, and local law enforcement agencies.  The disparities appear in funding, access to analytical instruments, and availability of skilled and well-trained personnel; and in certification, accreditation, and oversight.  This has left the forensic science system fragmented and the quality of practice uneven.  Except in a few states, forensic laboratories are not required to meet high standards for quality assurance, nor are practitioners required to be certified.  These shortcomings pose a threat to the quality and credibility of forensic science practice and its service to the justice system, concluded the committee.
Certification should be mandatory for forensic science professionals, the report says.  Among the steps required for certification should be written examinations, supervised practice, proficiency testing, and adherence to a code of ethics.  Accreditation for laboratories should be required as well.  Labs should establish quality-control procedures designed to ensure that best practices are followed, confirm the continued validity and reliability of procedures, and identify mistakes, fraud, and bias, the report says."

I couldn't agree more.

Most of the vendor neutral certifications require you to sign a "Code of Ethics."  The question is, who enforces that or even oversees it?  No one, that I can find.

As far as I am concerned, for certification to really mean something, and I believe that it should, it should be the minimum bar you must hurdle to practice in the field.

It should be standardized like the CPA exam, the Medical Boards, the Bar Exam or the Professional Engineer requirements  that you must meet to get a license to practice.

You don't see people running around putting their stamp on engineering plans after they run through a boot camp for a week.

Having a real, standardized, practical certification that is recognized by all states, and is a requirement to practice,  should be the goal of every professional in this field.

And I am not talking about us getting Private Investigators licenses.  That is just a dumb idea that unleashes people with fake credentials on an unsuspecting public.

So while having a CCE or EnCE or whatever behind your name does mean something from the standpoint that you got the certification, it does not accomplish much in the way of improving the field.

As a matter of fact, in every case I have worked, I have never encountered a law enforcement examiner with a certification of any kind.  

Does that mean they are "button jockeys"?  Not from what I saw.  And I certainly would not call them that since they have a gun and I don't.

I personally know some "button jockeys" out there and it pisses me off that people are paying them good money for a job they cannot do.  So, tell me, what professional board or oversight committee do I report them to?

That, my friends, is THE problem.


  1. Well let's just get rid of bachelors and masters degrees, law degrees, medical degrees. From what you're saying, the only thing that matters is experience.

    Funny world we live in.

  2. Paul, you are just missing my point, my friend. I want to see our industry elevated to the same level and standards as other professionals. Having the appropriate education and experience is the key. However, there was no such thing in the US as a Masters in Digital Forensics six or seven years ago. The whole system needs to catch up with the current trends.

  3. I think the overall issue here, and really anywhere in the IT industry is where do you strike the balance. I grew up with computers, my Dad was training people on TRS-80's and Pet computers (and the like). So I learned most of my stuff by just playing with the equipment. But I didn't even look to do IT when I went to college. Once I graduated, I saw that I would do better career wise in IT than what I WAS doing. Along the way I was offered to go to training and get certified in things that I was doing for my job. But it was still the hands on experience that helped me all along the way. As I grew more knowledgeable and well rounded in the field, I broadened my skill set. I just tried things out (mostly open source and free software) to see what they could do. And I started to meet a lot of people that had certifications and didn't have a clue what they were doing in the real world. THAT started to turn me off to getting certifications. So I became more interested in getting training to understand the fundamentals, but let me break the server/desktop/software/whatever to see how it ticks. I would get more information from mailing lists, newsgroups, whatever (no blogs yet at the time) than I ever would at a training class. But that wasn't the point of the training class. All it was supposed to do is get me started, that's it. So I never bothered to get my MCSE, CCNA, or whatever unless the company I worked for wanted me to. I didn't see the reason to when I knew how to use the equipment.

    A few years ago something happened at my job where I got a taste of computer forensics. That sparked an interest and I began to read all I could about it. Then I had the opportunity last year to take a CHFI class. It was the most reasonable class I could take that would give me some type of forensic training, and at least get me started. I hoped I would have the opportunity to start moving into that field within my company.

    However I was laid off from that company last year. So I then became faced with the realization that you can't get past the "HR screener" without certification letters on your resume. They don't look at your experience they look at the results of a keyword search. I decided I was going to make an effort to get into computer forensics. It's what I want to do with my life. However you run into the "chicken and the egg" scenario. You don't have the experience so we won't hire you, but you need the work to get the experience. And most of the people I've talked to never had an interest in computer forensics. They "inherited" the job somehow because a manager asked them if they wanted to do it.

    So through a friend I had lunch with someone that does computer forensics for a big company. I was hoping maybe I could get in the door there, but instead he told me to work towards a certification (in his case he told me either EnCase or FTK) and that would help. So I bit the bullet, took part of my severance and started training on EnCase. As of this point I've taken nine of Guidance's classes. I soaked up all the information I could. I'm halfway through my EnCE certification. But I don't consider myself a Computer Forensic professional...yet. THAT comes with experience, and someone willing to take a chance on me, because I have the drive and the desire to learn all I can about this industry.

    Someone did that, and I start working with them tomorrow. I was one of the lucky people who wasn't laid off for a long time.

    But here's the crux of it, you can have the x number of years experience, or you can have more certifications that fit on a business card/resume, or both. If you don't care about the work you do or have the passion for the job, you're going to be a "button jockey" no matter what. And I've seen it in the EnCase classes I've been taking. I will say that the instructors in EnCase that I have had made a point to teach you how to find something on a hard drive, or pull the information out manually before they taught you which button to push. And they made a point of telling you that.

    You have to love what you do, have fun with what you do, and enjoy what you do in order to be good in ANY field. THAT'S what defines how good someone is. And THAT'S what defines if the certification matters.

    (ok, I'm off my soapbox, going to bed now :p)

