Academic year: 2021



Forensic Certifications

Mayuri Shakamuri

CS 489-02 Digital Forensics

October 31, 2006

New Mexico Tech


Executive Summary 

Digital Forensics is rapidly growing and evolving to become a scientific practice with specific legal and procedural guidelines. Certification of computer forensics is a step in the right direction to ensure that digital forensic examiners are able to meet acceptable criteria in the eyes of the law. It follows that all such criteria are modeled on those established by criminal investigators for gathering evidence and presenting it in a court of law.

Some of the certifications that this document investigates are: EC-Council's Certified Ethical Hacker, (ISC)2 (International Information Systems Security Certification Consortium) Certification, GIAC (Global Incident Analysis Center) Certifications, and SCP (Security Certified Program) Certifications.

The weaknesses and limitations of the current certification programs are identified. Some certifications focus strictly on sound forensic evidence collection and analysis. There are very few that cover all core aspects of Digital Forensics.

With an increasing number of computer crimes and a growing demand for forensic investigators, there is an urgent need for a centralized standards body. This organization should be capable of integrating all the different guidelines and molding them into common practices that in turn lead to the evolution of certification program(s) from established accredited institution(s).

This document gives an overview of some of the current Digital Forensic certifications available. Shortcomings of the certifications are presented. A proposal for future direction in this field is also made.


Introduction

There is a dramatic increase in the volume of digital evidence in cases brought before a court of law. There is a growing concern about the admissibility of digital forensic evidence, the tools and methodology that are used for collecting the evidence, and legitimate challenges to the skills of the professionals who collect it. A forensic certificate is a very good gauge of an investigator's capabilities in the field of forensics. It is also proof that an individual meets a minimum standard of knowledge in the areas of evidence collection, analysis, and reporting. The certification process puts into place standards and procedures that adhere to proven criteria. It follows that all such criteria are modeled on those established by criminal investigators for gathering evidence and presenting it in a court of law. Certification of computer forensics is a step in the right direction to ensure that digital forensic examiners are able to meet acceptable criteria in the eyes of the law.

The problem arises when trying to meet the same standards as those for physical evidence gathering, because the field of Digital Forensics is relatively new and is coming to the forefront with the recent expansion of personal computers in the USA. With more and more electronic transactions being done on a daily basis, computer-based criminal activity has risen accordingly. Intruders are using increasingly sophisticated means to intercept personal information such as social security numbers and passwords for identity theft. Into this breach has stepped a multitude of agencies, some genuine, others intent on making a fast buck. There has been a mushrooming of these institutions, each carving out an area of expertise and setting certification standards based on narrow criteria.

Within the last few years, a need to consolidate all these differing standards under one umbrella organization has gained importance. This is still an ongoing effort.

 

State of practice

There are various certifications offered by several different institutions and organizations. Some take a comprehensive approach to the certification process; they offer both training and practice tests modeled on the certification exam, while others administer just the exam. I present some of the certifications currently available in the field of Digital Forensics. This list is completely based on my subjective opinion. Please refer to the appendix for a summary of certifications.

International Information Systems Security Certification Consortium (ISC)2 [1]

(ISC)2 is a globally recognized organization; it offers the Certified Information Systems Security Professional (CISSP) certificate. This certification is intended for mid- and senior-level managers and appears to have global recognition. The CISSP exam tests the individual's competence in the following 10 domains: Access Control; Application Security; Business Continuity and Disaster Recovery; Cryptography; Information Security and Risk Management; Legal, Regulations, Compliance and Investigation; Operational Security; Physical Security; Security Architecture and Design; and Telecommunications and Network Security.

EC-Council, Certified Ethical Hacker [2]

This program prepares an individual to be certified as an ethical hacker. An ethical hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in network systems. They are trained to use the same knowledge and tools as a malicious hacker, from a defense point of view. The nature of the work of an ethical hacker is similar to that of a penetration tester. Some of these are (ex) hackers who have turned legitimate and see a challenge in catching other hackers using their own skills. This certification is tailored for security officers, auditors, security professionals, site administrators, and anyone concerned about the integrity of the network infrastructure.

GIAC (Global Incident Analysis Center) Certifications [3] 

The SANS Institute (SysAdmin, Audit, Networking, and Security) oversees this particular organization. They validate the skills of security professionals and provide assurance that a certified individual holds the appropriate level of knowledge and skill necessary in key areas of information security. Some of the certifications offered by GIAC are: GIAC Information Security Officer - Basic, GIAC Certified Forensics Analyst (GCFA), GIAC Security Essentials Certification (GSEC), GIAC Certified Firewall Analyst (GCFW), GIAC Certified Incident Handler (GCIH), GIAC Certified UNIX Security Administrator (GCUX), GIAC Systems and Network Auditor (GSNA), and GIAC Certified Security Engineer (GSE).

SCP (Security Certified Program) Certifications [4]

This certification covers both core security topics and advanced security knowledge. There are two levels of certification, the SCNA (Security Certified Network Architect) and the SCNP (Security Certified Network Professional). The SCNP certification consists of two exams: Hardening the Infrastructure, and Network Defense and Countermeasures. The SCNA certification consists of the Advanced Security Implementation and Enterprise Security Solutions exams.

Guidance Software, EnCE [5]

The EnCase Certified Examiner Program (EnCE) offers certification for those who are trained on Guidance Software's EnCase. EnCase is a widely used commercial forensic investigation software. Professionals who undergo the training are eligible to take this certification exam.

CSFA (Cyber Security Forensic Analyst) [6]

The Cyber Security Institute offers this certification. Their testing scenarios are based on actual cases. This certification tests the individual's ability to conduct a thorough and sound forensic examination, properly interpret the evidence, and communicate the results effectively. An FBI background check is required for an individual to take this certification test.

AIS Certification

Advanced Information Security Certification (AIS) is an all-in-one security certification divided into 4 main areas: Management, Protection, Detection, and Reaction. The reaction module focuses heavily on computer forensics.

   


Gaps 

There are some weaknesses and limitations in the current certification programs. Some certifications focus strictly on penetration testing, network security, incident handling, firewall analysis, etc. In my view, there are very few that cover all core aspects of Digital Forensics, which are the preservation, identification, extraction, documentation, and interpretation of digital media for evidentiary and/or root cause analysis. These certifications do not cover all the aspects of Digital Forensics. In other professions such as management, medicine or engineering, there is one organization overseeing certifications in the different specialties. Computer or Digital Forensics is not at that point. There are too many conflicting agencies trying to claim supremacy in terms of the processes and controls to be used in Digital Forensics.

Future Practice 

Once the principles and practices of Digital Forensics are codified and agreed to run under one single board that controls accreditation, methodology and practices, the current state of Digital Forensics can be improved upon to further reduce the scope for mistakes and minimize the chances of gathered evidence being thrown out on challenges to procedure. The American Academy of Forensic Sciences (AAFS) is a renowned organization that is recognized for its work in setting standards for the application of science to the legal system. Another organization is the Information Systems Security Certification Consortium (ISC)2. It is an internationally recognized and well-established organization for educating and certifying information security professionals. Certification programs accredited by organizations like AAFS and (ISC)2 would bring better standards to the area of Digital Forensics. Since the area of Information Technology is rapidly changing, it is important that the certification programs be designed to allow for flexibility and revision as the technology changes.

Conclusion 

There are several Digital Forensics certifications currently available, offered by many different organizations. In this paper we have looked into some of these certifications and their scope. It appears to me that all the certifications I have looked at focus on only some of the security aspects of Information Technology. To my knowledge there is no one certification program that addresses all the core aspects of Digital Forensics. Certification program(s) from established accredited institution(s) will help resolve the dilemma of Digital Forensics professionals in choosing the right certification program.

References

[1] International Information Systems Security Certification Consortium: https://www.isc2.org/cgi/content.cgi?category=7

[2] EC-Council: www.eccouncil.org/CEH.htm

[3] Global Information Assurance Certification: www.giac.org

[4] Security Certified Program: www.securitycertified.net/

[5] EnCase, Guidance Software: www.encase.com/training/ence/index.asp; EnCase Certification exam: www.prometric.com

[6] Cyber Security Institute: http://certifications.cybersecurityinstitute.biz/

[7] ElementK Courseware: www.elementkcourseware.com


APPENDIX 

Organization | Requirements | Web site | Cost

Certified Ethical Hacker | This certification is for security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. | www.eccouncil.org/CEH.htm |

GIAC Certifications: a. GIAC Information Security Officer - Basic (GISO - Basic); b. GIAC Security Essentials Certification (GSEC); c. GIAC Certified Firewall Analyst (GCFW); d. GIAC Certified Incident Handler (GCIH); e. GIAC Certified Intrusion Analyst (GCIA); f. GIAC Certified Unix Security Administrator (GCUX); g. GIAC Certified Windows Security Administrator (GCNT); h. GIAC Information Security Officer (GISO); i. GIAC Systems and Network Auditor (GSNA); j. GIAC Certified Security Engineer (GSE) | | www.giac.org |

SCP Certifications: SCNP, SCNA | Note: CompTIA Security+ certification is a prerequisite for both SCP certifications. SCNP certification consists of two exams: Hardening the Infrastructure, and Network Defense and Countermeasures. SCNA consists of the Advanced Security Implementation and the Enterprise Security Solutions exams. | www.securitycertified.net/ |

EnCE | The EnCase Certified Examiner Program offers certification for those who have taken the EnCase Guidance Software training. | www.prometric.com | $150

CSFA, Cyber Security Forensic Analyst | FBI background check | http://certifications.cybersecurityinstitute.biz/ |

GCFA (GIAC Certified Forensics Analyst) | GCFA deals directly with incident handling | |

AIS Certification | This is an all-in-one security certification divided into 4 main areas: Management, Protection, Detection and Reaction. The reaction module deals heavily with computer forensics. | |

Computer Forensic, Cybercrime and Security Training Curriculum: a. Certified Cybercrime First Responder (CCFR); b. Internet Crimes Against People (ICAP); c. Internet Crimes Against Children (ICAC); d. Presenting Digital Evidence at Trial (PDET); e. Network Security Intrusion and Detection (NSID); f. Personal Digital Device Forensics (PDDF); g. Advanced File System Recovery Seminar (AFSRS, with Certification); h. High Tech Crime Investigator Level 1; i. High Tech Crime Investigator Level 2 | | |

Computer Forensic External Certification (CFEC) | Designed for law enforcement by the IACIS, this certification is now open to those with the experience and knowledge | | $750

a. Certified Forensic Computer Examiner (CFCE); b. Electronic Evidence Collection Specialist Certification (CEECS) | Active law enforcement officers | | $1400; online training cost for both CFCE and CCE $2750.00

Certified Computer Crime Investigator (CCCI) and Certified Computer Forensic Technician (CCFT) | 60 hours of classroom training and 100 hours of CBT training. | www.whitehatinc.com | $3,000

National Institute of Standards and Technology (NIST) | | |

TruSecure ICSA Certified Security Associate | Although not a forensics certification, this overall security certification is highly respected and covers essential forensics procedures. | |

Advanced Computer Forensics Boot Camp | 3-day boot camp in the complexities of digital forensics | www.infosecinstitute.com |

Computer Forensic Training Center Online | Online training and CCE certification through Kennesaw State University | | $2,700.00

Certified International Information Systems Forensics Investigator (CIFI) | | |

The International Information Systems Forensics Association (IISFA) | Members of this association can take the Certified International Information Systems Forensics Investigator (CIFI) exam. | | $450.00

National Cybercrime Training Partnership (NCTP) | Programs specifically for law enforcement agencies only. The NCTP offers training on basic and advanced data recovery. This is primarily intended for law enforcement and is offered free to qualifying agencies. | |

National White Collar Crime Center (NW3C) | See above. | |

International Information Systems Security Certification Consortium (ISC)2 | | |

CISSP - Certified Information System Security Professional | 1 Exam (250 questions, 6 hours). | | $450.00

SSCP - Systems Security Certified Practitioner | 1 Exam (125 questions, 3 hours). | | $295.00

CIW - Security Professional | Master CIW Administrator Certification, which includes 4 exams. | | $500 ($125/exam)

GSE - GIAC Security Engineer | 7 Exams. | | $1,750.00

RSA Security: RSA/CSE - RSA Certified Systems Engineer; RSA/CA - RSA Certified Administrator; RSA/CI - RSA Certified Instructors | Requires: CSE or CA Cert + Workshop. | www.rsasecurity.com | $150.00; $150.00; $300.00

CheckPoint: CCSA - Checkpoint Certified Security Administrator; CCSE - Check Point Certified Security Engineer | | www.checkpoint.com | $150.00

Cisco | | www.cisco.com |

Cisco Firewall Specialist | CCNA + 2 Exams. | | $375.00

Cisco VPN Specialist | CCNA + 2 Exams. | | $375.00

Cisco IDS Specialist | CCNA + 2 Exams. | | $375.00

CCSP - Cisco Certified Security Professional | CCNA + 5 Exams. | | $750.00 ($125 per exam)

TruSecure | | www.trusecure.com |

TICSA - TruSecure ICSA Certified Security Associate | 1 Exam (70 questions, 90 minutes). | | $295.00

TICSE - TruSecure ICSA Certified Security Engineer | TICSA Cert + 1 Exam | |

BrainBench | | www.brainbench.com |

BIS - BrainBench Internet Security Certification | Requires: 1 Exam. | | $25.00

BNS - BrainBench Network Security Certification | Requires: 1 Exam. | | $25.00

Learning Tree: NSCP - Network Security Certified Professional | 3 Core Courses, 1 Elective Course and associated exams | www.learningtree.com | $937.00 - $2,645.00

CompTIA Security+ | Requires: 1 Exam. | | $199.00

Security Certified Program: SCNP - Security Certified Network Professional | 2 Exams. | | $300 ($150 per exam)

SCNA - Security Certified Network Architect | 2 Exams. | | $360 ($180 per exam)

 

 
