SANS Digital Forensics and Incident Response Blog

Digital Forensics Recertification (Beyond the Cert)

It was that time again, GCFA recertification. This was going to be my third SANS GCFA recertification attempt. This year I had an option, exam or CMUs (Certification Maintenance Units). I had the CMUs necessary for submission. The problem was, I could apply them to my G7799 Certification or my GCFA certification. I chose the exam option for my GCFA.

I consider the exam and the provided materials an outstanding way to get the least expensive SANS course available. It is one of the real benefits to a certified SANS alum. Anyone who is certified and has used the materials would agree on the value. The newest materials, the updated tools provided and the exam cannot be beat for the price.

I am not going to justify certification in computer forensics. There is an abundance of articles which defend and justify certification. Few, though, discuss the importance of recertification. I consider recertification just as critical. Having held a GCFA, or even having attended SANS 508, does not mean you have maintained your skill set.

Technology change forces renewal and a skills update. There have been changes in computer law, digital forensic technique and knowledge. Anyone certified as a GCFA when the certification began might be rusty in the laws, skills and capability required today. I should know. I speak from knowledge and experience.

Eight years ago, I took one of the earliest SANS 508 courses and became one of the first to receive a GCFA. Not knowing any better, I took that exam closed book. I admit it showed in my scores. I received a 7?%. It was not until after barely passing, while working on my Gold paper, that I realized the exam was open book.

I cannot compare with authority the SANS training of today versus what I was taught in 2002. I did compare my original course books to the most recent. There are significant changes. It is doubtful I would have passed without the help of the course material. Computer forensics takes up maybe 10% of my current role. The original course basics are still valid and hold true. The differences and advances, though, are profound.

There are four core principles which I learned then which still hold true today.

1. You ARE an expert witness if you conduct or lead forensic investigations. Use a combination of a "Just the Facts" Joe Friday style mixed with the "Fair Witness" perspective from Heinlein's Stranger in a Strange Land. You must remember: remove all bias from your response and reporting. You may and should use intuition in your investigation hypotheses, but never in the end product. Maintain your ethics and remain factual to your discoveries.

2. There is always a better tool. You must know how to use it, though. The results depend upon the investigator's skill. The core forensic toolset skills are understanding data patterns, string searching and collating the results in a consistent manner. An outdated EnCase 3 or The Coroner's Toolkit can still turn out reputable results if the user is familiar with the tool.

3. Remain on track and in scope legally. An IT forensic investigation carries the burden of litigation potential and legal compliance. System administrators usually do not know the laws related to their job. The forensic investigator should maintain compliance and retain knowledge of the related computer law.

4. Keep consistent and complete investigator's notes. Keep consistent and complete investigator's notes. Did I mention, keep consistent and complete investigator's notes? More investigations succeed or fail because of poor or non-existent documentation than for any other reason.

By the way, I passed and face recertification again in four years. I will state that I know I could have done better. It is always that way. Stupid is as Stupid does. Ah, well.

Steven is the senior member of an IT Security team for a Bio-Pharma company. He has presented to a variety of audiences including SANS, the Midwest Consolidated Security Forum and various local chapters of HTCIA and ISACA. His current focus is Certificate Management, Encryption and Incident Response. With a science degree unrelated to IT, Steven has over 20 years in Information Technology, with the past 13 years in Security. Among various vendor certificates, he has earned his CISSP (#3700) and CISA (#153869) as well as GIAC G7799 (#151) Silver and GCFA (#18) Gold certifications.