Original Post Date: September 25, 2014
Certifications vs. Experience
Recently, we’ve attended several cell/smart phone forensics
courses to try and stay current and up-to-speed on the ever-changing and
evolving world of cell forensics. Some
of these courses have been informational, mixed with some hands-on
labs, and some go a little further into tool-specific certification. It got us thinking… what’s more valuable in
your forensic examiner – Certification or Experience?
There are two decidedly different schools of thought about
certification in digital forensics. One
is vendor-neutral. That is to say, a candidate certifies based upon information
and study, not on a specific tool or suite of forensic tools, but rather on the
processes and general knowledge of digital forensics. Certifications from professional
organizations like the International Association of Computer Investigative
Specialists (IACIS), SANS Digital Forensics and Incident Response (DFIR) and
the International Society of Computer Forensic Examiners (ISCFE) are all
examples of vendor-neutral training and certification organizations. The other track is tool-based certifications.
Every reputable digital forensic tool seems to have its own certification. Guidance Software (EnCase), AccessData (FTK),
NUIX and X-Ways all offer tool-based training and certifications. Mobile forensic tool vendors such as
Katana Forensics (Lantern) and Cellebrite, among others, offer them as well. The track which an individual examiner wishes
to take is often dictated by outside factors such as cost and overall agency or
company need. Costs can range from $400
all the way up into the tens of thousands of dollars if a candidate wishes to
take a full course of study. But you
know what’s free and probably more valuable than any of these combined? Practical, hands-on, “real-world” experience!
If you search on LinkedIn or any other professional
networking outlet, you’ll find digital forensic examiners with a multitude of
certifications. They’ll come up with
letters after their names that doctors, lawyers and academics would almost be
scared of… EnCE, ACE, CCFP, CCE, AME, ABC, 123… (ok, I made those last two up,
but you get my point). This information
tells you they’re good students and good at taking tests, but what it doesn’t
tell you is what they’ve accomplished
in the course of their digital forensic career.
It adds a measure of credibility to a person’s credentials from the
start, but any experienced investigator, interviewer and/or examiner can tell
within about 5 minutes if a peer is legitimate or full of bologna. We were recently consulted by a friend in law
enforcement who seized two smart phones pursuant to a search warrant. The agency’s own computer forensic “expert”
took one look at the phones and told him there was no way to get into
them. Being the universal and
professional contrarian, I naturally tested the diagnosis from this “expert”
and proved it completely false within about 30 minutes.
In every field there are good apples and bad apples. There are those who know what they’re doing
and those who only say they know what they’re doing. Unfortunately, digital forensics is not
exempt from this phenomenon. And while
an “alphabet soup” of letters following someone’s name may look and sound cool,
the practitioners are the ones that usually have a much firmer grasp of the
concepts because they’re actually doing
the work. Do we make mistakes? Absolutely!
But we’re also very reflective and critical of ourselves and the product
we put forth. We check, test and
validate. We look to others for answers
we may not have. We are constantly
learning and growing in our ability because that’s the only way to make any
discipline accepted, stronger, and more well-respected.
Do certifications have their place? Yes.
They serve to further legitimize any field. However, it seems that the more tools
become widely available on the market and the more people get into a field,
the more the number and varying complexity of certifications grows
exponentially. It’s starting to get a
little absurd and, unfortunately, it doesn’t look like it’s going away any time
soon. We don’t blame vendors for trying
to make more money by offering training and certification courses, but you have
to ask yourself in the end, what value does the certification have? Who developed the course(s) and what
universal application does the training have?
Business is still business, so if you invest in a tool-specific
certification and the company goes out of business or gets consumed by a larger
company, what value is the certification at that point? These are all thoughts to consider.
So when you’re interviewing your next potential digital
forensic expert, take some time to ask some probative questions and try to get
a firm grasp on what they really know… you may find out their knowledge doesn’t
go much beyond what all the letters after their name stand for.
Author: Patrick J. Siewert
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Ph: 804.588.9877
Web: www.ProDigital4n6.com