Tuesday, March 30, 2010

A Little Clarification

In my last post, I mentioned tool-specific certifications, specifically the EnCE for EnCase and the ACE for Forensic Toolkit (FTK).

I got a couple of emails and a comment or two, so I thought I would elaborate a little so there is no misunderstanding.

I suppose that you can get a certification in Microsoft Word and never learn grammar or learn to be a good writer. In that case you would only be learning how the program functions, and nothing about how to produce a good written product.

In the forensic world that would equate to tools like F-Response or an acquisition tool like LinEn. You can learn to use the tools to acquire evidence and never learn how to handle that evidence or how to analyze it.

To take it a step further, you can get your A+ certification and not be able to actually repair a computer. I know; I have employed some A+ certified technicians in the past who could not actually fix anything. That is not to say this is true of all A+ certified folks, but the ones I have had contact with did not reflect the level of expertise you would expect from someone certified in computer repair.

You can get a Network+ certification and not really know how to design and implement a network.

The same holds true for forensic tool certifications. You can certainly get an EnCE or ACE and not know how to handle a full forensic examination from start to finish.

One of the issues is that with the EnCE, for instance, you can buy the study guide, and it comes with a limited version of EnCase. The exercises you do with that practice copy of EnCase are not very broad, or even terribly relevant beyond what you need to know to pass the certification exam.

Tool certifications focus on how the tool handles a task and are by necessity limited to the functionality of that tool. While the EnCE study guide does a fairly good job of explaining the underlying workings of what the tool is doing, it is not a comprehensive experience or education in computer forensics.

The critical parts of digital forensics are understanding the law that applies to the field, professional ethics, evidence handling and preservation, analysis skills, and the ability to write a clear report of what you did.

All of that matters because what you did during the acquisition, preservation, analysis and reporting on a piece of evidence may well be contested in a court of law, either civil or criminal.

So while I think that having an EnCE or an ACE is a good thing, it is not a critical thing. Don't think that I believe they are a waste of time or money. Having an EnCE or ACE can certainly be a good item on your CV when you go to get a job or when you go to court. Many employers today prefer that you have one of these certifications.

I have attended EnCase training in the past and found it to be excellent. However, it was narrowly focused on the tool with some explanation of digital forensics mixed in. Not the other way around. So while they may touch on forensic principles in their certifications, they are not broad enough to be an overall digital forensics certification. Nor do I believe they are intended to be.