SANS Digital Forensics and Incident Response Blog

Digital Forensics Recertification (Beyond the Cert)

It was that time again, GCFA recertification. This was going to be my third SANS GCFA recertification attempt. This year I had an option, exam or CMUs (Certification Maintenance Units). I had the CMUs necessary for submission. The problem was, I could apply them to my G7799 Certification or my GCFA certification. I chose the exam option for my GCFA.

I consider the exam and the provided materials an outstanding way to get the least expensive SANS course available. It is one of the real benefits to a certified SANS alum. Anyone who is certified and has used the materials would agree in the value. The newest materials, updated tools provided and the exam cannot be beat for the price.

I am not going to justify certification and computer forensics. There are an abundance of articles which defend and justify certification. Few though discuss the importance of recertification. I consider a recertification just as critical. Those who held a GCFA or even attended SANS 508 does not mean you have maintained your skillset.

Technology change forces renewal and skills update. There have been changes in computer law, digital forensic technique and knowledge. Anyone certified as a GCFA when it began might be rusty in the laws, skills and capability required today. I should know. I speak from knowledge and experience.

Eight years ago, I took one of the earliest SANS 508 courses and became one of the first to receive a GCFA. Not knowing any better, I took that exam closed book. I admit it showed in my scores. I received a 7?%. It was not until after barely passing and working on my Gold paper, I realized the exam was open book.

I cannot compare with authority the SANS training of today versus what I was taught in 2002. I compared my original course books to the most recent. There are significant changes. It would be doubtful I would pass without the material assistance. Computer forensics takes up maybe 10% of my current role. The original course basics are still valid and hold true. The differences and advances though are profound.

There are four core principles which I learned then which still hold true today.

1. You ARE an Expert Witness If you conduct or lead forensic investigations. Use a combination of a "Just the Facts" Joe Friday style mixed with a Heinlein's Stranger in a Strange Land "Fair Witness" perspective. You must remember. Remove all bias from your response and reporting. You may and should use intuition in your investigation hypotheses, but never in the end product. Maintain your ethics and remain factual to your discoveries.

2. There is always a better tool. You must know how to use it though. The results depend upon the investigator skill. The core forensic toolset skills are understanding data patterns, string search and collating it in a consistent manner. Outdated Encase 3 or The Coroners Toolkit can still turn out reputable results if the user is familiar with the tool.

3. Remain on track and in scope legally. The IT forensic investigation carries the burden of litigation potential and legal compliance. System administrators usually do not know the laws related to their job. The forensic investigator should maintain compliance and retain the knowledge of related computer law.

4. Keep consistent and complete investigators notes. Keep consistent and complete investigators notes. Did I mention, keep consistent and complete investigators notes? More investigations are successful or failures due to poor/non-existent documentation.

By the way, I passed and face recertification again in four years. I will state I know I could have done better. It is always that way. Stupid is as Stupid does. Ah, well.

Steven is the senior member of an IT Security team for a Bio-Pharma company. He has presented to a variety audiences including SANS, Midwest Consolidated Security Forum and various local chapters of HTCIA and ISACA. His current focus is Certificate Management, Encryption and Incident Response. With a science degree unrelated to IT, Steven has over 20 years in Information Technology with the past 13 years in Security. He has earned among the various vendor certificates, his CISSP (#3700), CISA (#153869) as well as GIAC G7799 (#151) Silver and GCFA (#18) gold certifications.


Posted August 11, 2010 at 1:31 PM | Permalink | Reply

Mike L.

As a newcomer to the forensicating field, I know certifications play an important role but I do not know which to get. There seem to be an awful lot out there- how do I know which to get and which to pass on? I certainly can't afford to get them all (unless I can bamboozle my employer to buy them all for me :D ).
GCFA, ACE, CCE, EnCE, ABCDEFG (ok, I made that last one up)

Posted August 11, 2010 at 10:46 PM | Permalink | Reply


My opinion (And this is strictly my opinion) is that too many certifications are as bad as none when pursuing employment. This has been true in our company's position selection process where I work. We look at experience, formal training and certifications with the certification taking a distant third. We are not biased against certifications. We encourage certification with any training acquired. We just do not think it adds value to have ten certifications and only four years of experience. Bottom line: some do better at taking exams than others.
The same unfortunately can be said for forensics certifications. There seems to be a cert for almost every tool, as well as certs like GIAC and CFE. I would follow my rule for certifications. List only the certs which you can defend in a deposition. Attorneys are not impressed with Certification or the letters at the end unless there is some validated association with the certification. CISA is associated and is derived from AICPA (CPA) CISSP has been around long enough (although diluted) to have a reference point for attribution. The ISO certification for the GCFA lends the same value.
I have been in depositions where over half of the initial deposition was my experience and the related qualification to any certification I referenced in my title. Thus, I limit my certifications to only the relevancy of the communication.
For some, the certs are a badge of honor, for others an ego enhancement. I use them as a tool as needed Most individuals I work with do not realize how many certifications I have or have discarded. Sorry, turn off diatribe mode.
I have not answered your question because, I do not know your interest or experience. Pursue certs that match.

Posted August 12, 2010 at 4:52 PM | Permalink | Reply

Joe Garcia

I agree with Steven. Having certs is great, but only if you can back them up. I believe that going after & gaining certs is a good thing. For me, I feel it shows a level of accomplishment. That being said, I believe that I can back up my certs with knowledge, experience and a desire to learn. If all someone wants is to become a cert whore and they fail to understand the subject matter that the cert is based on, then they have failed themselves. Employers and juries will end up seeing right through them in the end.

Posted September 18, 2010 at 6:16 AM | Permalink | Reply

Ray Sharma

I have been studying for GCFA since past 3-4 months i have purchased the practice test and written many assesments,
as i cant afford the training fee for GCFA training, from sans because it cost high.
finally i attempted the exam and i failed, even though i pursed more that 90% in the practice test could not scored well in final, it seems to be tough exam, i feel it shows a level of accomplishment , it seems the exams are hard to pursue and it was not few years back, thats all

Posted August 3, 2011 at 1:35 AM | Permalink | Reply

Will Jackson

I believe certifications only hold a value of demonstrating a baseline level of knowledge. Work history and experience make up the rest.
For example I took the GREM and passed it, but only after studying, taking the course and I happen to do it at my job. I feel if I did not have that experience and training, I would never have padded the exam.
I also perform forensic analysis, but I know I can do better if I get the training. The certification shows I have at least a baseline level of knowledge. But I have experience also, so the cert will just sweeten the deal. Like Joe said, you have to back up what you say, you need a combo to do it, certs alone don't cut it.