Forensics Certifications

 

ISSA’s Phoenix Board was queried for recommended forensics certifications by a member CISO who is starting a forensics team.  We asked our experts and their feedback follows.

 

Contributing Experts:

  • James Mapes of Terre Verdes Services
  • Lee Lane of Terre Verdes Services
  • C.J. Wren of AZDPS
  • William Kalaf

 

QUESTION:

 

What are the premier certifications in forensics?

 

Asked by a local CISO who is starting a new forensics team.


ANSWER:

 

The route to forensics takes two paths: one for law enforcement and the other in the private sector. However, there are two commercial products that offer training that's generic to everyone: Access Data and EnCase. You can find more information on the Internet.

 

The ACTIC Computer Forensics Section is a great resource.

 

Other good resources are the International Association of Computer Investigative Specialists (IACIS) and the International Society of Forensic Computer Examiners (ISFCE).

 

EC Council has the Certified Ethical Hacker certification.  Visit:

http://www.eccouncil.org/chfi-cert-path.htm

 

The academic path follows the CCE and EnCE.

 

CCE - Certified Computer Examiner
This cert is a good one to have if you are an examiner; it's kind of like having an MCSE in IT: you'd expect someone with experience in the career to have one. It is a good starting point for serious examiners. It requires prior experience and no criminal history. It has a nice balance of the technical side of data recovery and handling, but the tests and cert standards also stress the importance of "following sound evidence handling and storage procedures and following sound examination procedures" and investigation ethics.

 

EnCE - EnCase Certified Examiner (Vendor cert. Widely sought. Tough standards.)

 

The EnCase Certified Examiner Program offers certifications for those who have mastered the EnCase Guidance Software. This might be important to you since EnCase is used by so many law enforcement groups and has been widely accepted in court (however, it's about to be challenged for not protecting hash values of evidence files). Although the application requirements are generally the same as the CCE, there are more training courses and tests required to obtain the EnCE. You also need a licensed copy of the EnCase software, which will run around $4k ($5k if you want the FastBlock Adaptor kit, which I'd recommend).

 

Computer Forensic External Certification (CCE)
IACIS built this program for Law Enforcement but later opened it up to anyone without a criminal record (see CCE) and who had the experience and knowledge to complete the rigorous testing.

 

GCFA - GIAC Certified Forensics Analyst
True to SANS and GIAC form, the GCFA focuses more on incident handling scenarios and breach investigations of networks and hosts. Useful not only for law enforcement but for corporate incident response teams as well. But like all GIAC certs, it's a lot of work and fairly costly.

 

Q/FE Qualified Forensics Expert
You come across this cert once in a while; I looked into it. The Q/FE lacks the certification program and rigors that you'll see with the GCFA or the CCE variants. That's not to say it isn't useful as an in-depth training class covering cause of attack, compiling evidence, and handling corporate repercussions, with an exam and certificate at the end. The materials will prepare an individual for a running start in a forensics career in much the same way that an "ethical hacking course" would help prepare someone for a career in Information Security (if you catch my meaning).

 

CFCE (and CEECS)
If you are an active law enforcement officer, the IACIS offers the Certified Electronic Evidence Collection Specialist Certification (CEECS) and Certified Forensic Computer Examiner (CFCE). Both are very intense courses of study. These are really great certs, but you MUST have law enforcement experience, so they can be hard to find.

 

TruSecure ICSA Certified Security Associate
You might see this cert listed by forensic examiners but it is not directly a forensics certification.  The CSA is a highly respected overall security certification and covers some of the essentials of forensics procedures. Not everyone is a fan of TruSecure, however, and you probably get the same exposure from the CISSP.

 

Compiled by: Debbie Christofferson, CISSP, CISM, Sep 2008

480-988-4194 DebbieChristofferson@earthlink.net