Friday, January 2, 2015
Certifications vs. Experience
Original Post Date: September 25, 2014
Certifications vs. Experience
Recently, we’ve attended several cell/smart phone forensics courses to try and stay current and up-to-speed on the ever-changing and evolving world of cell forensics. Some of these courses have been offered as informational mixed with some hands-on labs and some go a little further into tool-specific certification. It got us thinking… what’s more valuable in your forensic examiner – Certification or Experience?
There are two decidedly different schools of thought about certification in digital forensics. One is vendor-neutral. That is to say, a candidate certifies based upon information and study, not on a specific tool or suite of forensic tools, rather on the processes and general knowledge of digital forensics. Certifications from professional organizations like the International Association of Computer Investigative Specialists (IACIS), SANS Digital Forensics and Incident Response (DFIR) and the International Society of Computer Forensic Examiners (ISCFE) are all examples of vendor-neutral training and certification organizations. The other track is tool-based certifications. Every reputable digital forensic tool seems to have their own certification. Guidance Software (EnCase), AccessData (FTK), NUIX and X-Ways all offer tool-based training and certifications. Mobile forensic tools also offer them from companies like Katana Forensics (Lantern) and Cellebrite as well as others. The track which an individual examiner wishes to take is often dictated by outside factors such as cost and overall agency or company need. Costs can range from $400 all the way up into the tens of thousands of dollars if a candidate wishes to take a full course of study. But you know what’s free and probably more valuable than any of these combined? Practical, hands-on, “real-world” experience!
If you search on LinkedIn or any other professional networking outlet, you’ll find digital forensic examiners with a multitude of certifications. They’ll come up with letters after their names that doctors, lawyers and academics would almost be scared of… EnCE, ACE, CCFP, CCE, AME, ABC, 123… (ok, I made those last two up, but you get my point). This information tells you they’re good students and good at taking tests, but what it doesn’t tell you is what they’ve accomplished in the course of their digital forensic career. It adds a measure of credibility to a person’s credentials from the start, but any experienced investigator, interviewer and/or examiner can tell within about 5 minutes if a peer is legitimate or full of bologna. We were recently consulted by a friend in law enforcement who seized two smart phones pursuant to a search warrant. The agencies own computer forensic “expert” took one look at the phones and told him there was no way to get into them. Being the universal and professional contrarian, I naturally tested the diagnosis from this “expert” and proved it completely false within about 30 minutes.
In every field there are good apples and bad apples. There are those who know what they’re doing and those who only say they know what they’re doing. Unfortunately, digital forensics is not exempt from this phenomenon. And while an “alphabet soup” of letters following someone’s name may look and sound cool, the practitioners are the ones that usually have a much firmer grasp of the concepts because they’re actually doing the work. Do we make mistakes? Absolutely! But we’re also very reflective and critical of ourselves and the product we put forth. We check, test and validate. We look to others for answers we may not have. We are constantly learning and growing in our ability because that’s the only way to make any discipline accepted, stronger, and more well-respected.
Do certifications have their place? Yes. They serve to further legitimize any field. However, it seems like the more tools that are widely available out on the market and the more people get into a field, the number and varying complexity of certifications just grows exponentially. It’s starting to get a little absurd and, unfortunately, it doesn’t look like it’s going away any time soon. We don’t blame vendors for trying to make more money by offering training and certification courses, but you have to ask yourself in the end, what value does the certification have? Who developed the course(s) and what universal application does the training have? Business is still business, so if you invest in a tool-specific certification and the company goes out of business or gets consumed by a larger company, what value is the certification at that point? These are all thoughts to consider.
So when you’re interviewing your next potential digital forensic expert, take some time to ask some probative questions and try to get a firm grasp on what they really know… you may find out their knowledge doesn’t go much beyond what all the letters after their name stand for.
Patrick J. Siewert
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Ph: 804.588.9877Web: www.ProDigital4n6.com