Monday, October 19, 2009

Plain View Doctrine in Digital Evidence Cases — A Common Sense Approach

Seal of the United States Court of Appeals for...Image via Wikipedia
The recent 9th Circuit Court of Appeals of the Western District created some interest around this subject when they suggested eliminating the plain view doctrine from digital evidence.

If you want my usual different take on it, I wrote an article for DFI News. You can read it by following the link below.

Plain View Doctrine in Digital Evidence Cases — A Common Sense Approach October 19, 2009

Reblog this post [with Zemanta]

Thursday, October 8, 2009

Certifications...A Necessary Evil?

51: CSI: Investigates!Image by practicalowl via Flickr
I just couldn't resist the urge to chime in on this topic, especially with the buzz it has created.

As Larry Daniel's son and employee, I have had the great advantage and privilege of learning through the apprenticeship model. I also have the opportunity to incessantly bug him with a plethora of questions more or less every day.

The experience I have had through the apprenticeship model goes far beyond the realm of acquiring technical proficiency in digital forensics. I have learned through observation and emulation many other skills, many of them "soft" skills that would be extremely difficult to translate into a certification curriculum.

Furthermore, I have had the opportunity to work on dozens of cases in a relatively short time, starting at the very bottom and working my way up to being able to act as the lead examiner on cases.

However, I know that my situation is the exception and not the rule. Obviously I like the apprenticeship model, but this model does not work on a large scale. We accept forensic interns here at Guardian. Logistically we can only accept so many requests for internships. Responsibility for the bulk of the training these interns receive falls primarily on my shoulders.

Between my caseload, travel schedule, management duties, and occasional need to sleep, the training of one intern can seem a monumental task.

So my point: The apprenticeship model is not a viable model across the board.

My other point: There is a lot of great training out there and certifications can be useful.

I have taken classes, and some have been fantastic. Most recently I was at a SANS conference and received 12 hours of training on computer forensics and incident response and it was great.

Certifications, at the least, can show an ability to absorb technical information. They can also act as a reality check for those attempting to enter the field who think it is going to be like CSI: Miami. Many of them offer very useful information and experiences as you get to learn from real experts and gain knowledge of real techniques.

Certifications are also the only option to many people who have a desire to work in digital forensics since internships are sparse.

I think there is a deeper issue at the center of this, so here is my take:

Certifications can be extremely useful if, and only if, the participant is passionate about forensics and really wants to learn the material for reasons beyond getting a certification.

Otherwise they are just collecting expensive paper.

Apprenticeships are useful if, and only if, the apprentice is passionate about forensics and wants to acquire the skills and expertise for reasons beyond getting a job.

Otherwise, they are just filling a chair.
Reblog this post [with Zemanta]

Tuesday, October 6, 2009

Certifications are Evil? Maybe

Reading a bookImage via Wikipedia

I was reading a guest post over on Mark McKinnon's blog, Certifications are Evil.....By John McCash , which raises some interesting and controversial questions about the state of certifications.

The problem with certifications and most licensing exams, as mentioned in the post, is that they have little to no correlation with real world work.

Memorizing all the seven OSI layers and what they do might sound impressive, but knowing how to read a log file is more practical in incident response work.

Or being able to recite the structure of an Encase evidence file might be of interest to some people, but how practical is it in working actual cases? Not much.

Even the "practicals" I have seen are really not all that practical. They seem to focus on some specific skills that relate to the certification, but ignore the real world side of how a report would be done. Especially from a non-LE standpoint.

One thing I know from having taught hundreds of hours of various computer and software courses is that training, to be effective, needs to be 20% lecture and 90% hands on practice to really get the concept to sink in.

I would advocate immersion training any day over the standard training I see out there now.

The problem is that you can't cover as much in a short time period. So the cost of the training would be greater since it would take longer.

Developing mental "muscle memory" is much like developing physical muscle memory. It takes repetition, practice and immersion.

If you think about it, training someone in computer forensics, for instance, works much better if they are being trained in an environment where they start with some limited tasks, do those tasks until they master them and then move to the next set of tasks.

Much the same way I learned karate many years ago. I have a few broken bones to remember that by.

John McCash made some excellent points about how certifications as a filter can do the opposite of what an employer wants to do by excluding qualified candidates in favor of certified candidates.

Of course that is pretty much the way of the world these days. Having a college degree is a filter used in many job postings now, even if the degree has nothing to do with the actual job. So an experienced and qualified candidate gets a form letter while the degree holder gets an interview.

Given the choice I would always prefer to train my own people through an apprenticeship model augmented with specific training.

And since I am on the subject, I am going to rant about how overpriced computer forensic training is: $3,500.00 for a week's training? I do remember my math; for 10 students that is $35,000.00.

No wonder so many are not getting properly trained when it is so expensive.
Reblog this post [with Zemanta]