There has always been a conflict in my mind that one who
persues Forensics needs to first be a Security/IT type, I
have seen where this looks to be true and where it does not,
perhaps someone can comment on that.
There are at least two common definitions of "Computer Forensics",
which *do* overlap. Undoubtedly, some of the sources you've seen
are using one and some another.
1. Investigation of Computer Security Incidents
A lot of this is recognizing what's abnormal and figuring out how
it came about. Obviously, someone without an IT background is going
to be ill-equipped for this.
2. Recovering Evidence from Computer Systems
This is all about being able to testify, as necessary, at termination
hearings, lawsuits, and even criminal trials, as to things like
standard procedures, sanitary methods, chain of custody, and the like.
Detailed IT knowledge is helpful, but is more essential to tool authors
than to tool users. Although the evidence is stored in a digital
information system, the acts of which it provides evidence need not
involve any violation of computer security, but are more often evidence
of fraud, infidelity, or other sorts of non-computer malfeasance.
Certifications come in both flavors, too. My impression is that the
particular certs you've listed are attempting to certify expertise under
the first definition; under the second, courts have decided to accept
evidence retrieved by a few specific tools *when used by a vendor-
certified operator*, and so each tool has its vendor certification
program.
(Jobs in the second category have so far mostly been with law enforcement
and prosecutorial agencies, although I expect that at some point there will
begin to be a market for these skills on the defendant side as well.)
To those who use the second definition, activities under the first
definition are a subset of "Incident Response", and you may find it
easier to get into that general field and then specialize in the particular
aspect that interests you, than to try to go directly into specialization.
David Gillett
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of
reapersoft@gmail.com
Sent: Tuesday, December 05, 2006 5:04 AM
To: security-basics@securityfocus.com
Subject: Is a career change to Computer Forensics fantasy or
can it be reality?
Hello,
I am a software engineer working in the VoIP space. I am
looking to change my career path and get into Computer Forensics.
Without any experience its going to be a tough road but I
believe my troubleshooting skills and software experience can
help. My troubleshooting ability can be valuable on the
investigation side of things, I generally will "chew" on a
problem until its solved or at least until I have another way
to debug it and gather more information. My programming
skills can come in handy for gathering information during an
investigation when its a network intrusion or for malware
analysis, at least this is my reasoning.
Some things I am doing now is reading books (File System
Forensic Analysis, Real Digital Forensic etc...) and
listening to relevant podcasts but that only takes one so
far. My other thought is to get one of the many
certifications out there so that when I attempt to gain
employment I am at least showing some initiative and not just
a passing interest in the field. Spending some of my own
money shows a committment to my goal.
There has always been a conflict in my mind that one who
persues Forensics needs to first be a Security/IT type, I
have seen where this looks to be true and where it does not,
perhaps someone can comment on that.
I am looking for opinions on what certifications I might
spend my money on. Should I go with a security cert, a pure
forensics cert, some combination of both or neither.
Some of the Forensic specific certs I have been evaluating
are the SANS GCFA and ISFCE CCE.
I have posted this to the SecurityFocus Forensics list but it
was rejected because it was off topic. I did however get
some good feedback from the lists' moderator, thanks for that!
I wish to get some more feedback from others so hopefully the
Basics list is the place to post.
In a nutshell:
Can one get into the field of Computer Forensics thru self
study and getting a certification or is it such a closed
field that I should look elsewhere for a career change and
not waste my time/money?
Is the field primarily based on experience and not certs?
Any and all opinions are welcome.
Thanks in advance,
MH
--------------------------------------------------------------
-------------
This list is sponsored by: ByteCrusher
Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.
http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=s
fmaildetect
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher
Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.
http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------
