RE: Is a career change to Computer Forensics fantasy or can it be reality?

["David Gillett" <gillettdavid () fhda edu>]

  I obviously am not coming from a legal background, but the kind
of testimony that I was referring to is -- so far as I understand
it -- different from the expert testimony Paula refers to here.

  The kind of (vendor) certified user I was referring to would be 
able to testify as to the procedures that were followed and tools 
that were used, to support the claim that the recovered evidence 
faithfully represents the content of the digital media as it was 
seized.
  An additional witness, an expert as described by Paula here,
would be called upon to testify as to the *meaning* of the digital
evidence so recovered, or perhaps (different expert!) as to the
validity of the tools and procedures used (if, perhaps, the 
defence was challenging them, or in rebuttal of such a challenge).
Such a witness is rendering an expert *opinion* rather than testifying
to factual activities and observations.

  I supposed that someone who works in recovery of digital evidence 
could aspire to one day qualify as an expert witness of one of these 
sorts, especially if they have or develop suitable additional background.
But that's definitely not in the realm of overnight career change....

David Gillett


> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Paula McPherson
> Sent: Friday, December 08, 2006 2:24 AM
> To: gillettdavid () fhda edu; reapersoft () gmail com; 
> security-basics () securityfocus com
> Subject: RE: Is a career change to Computer Forensics fantasy 
> or can it be reality?
>
> To testify as an expert you must be "certified" to do so by the Court.
> Either through a voir dire of your Vitae (examination and 
> cross-examination of one's professional expertise including 
> review of all published works) or stipulation of parties, one 
> way or the other the dude taking the stand has to be a 
> hardware and software God. 
>
> Though I came from a legal background, I did not come to 
> system security late; I had to wait for them to upgrade the abacas.
>
> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of David Gillett
> Sent: Wednesday, December 06, 2006 7:41 PM
> To: reapersoft () gmail com; security-basics () securityfocus com
> Subject: RE: Is a career change to Computer Forensics fantasy 
> or can it be reality?
>
> > There has always been a conflict in my mind that one who persues 
> > Forensics needs to first be a Security/IT type, I have seen 
> where this 
> > looks to be true and where it does not, perhaps someone can 
> comment on 
> > that.
>
>   There are at least two common definitions of "Computer 
> Forensics", which *do* overlap.  Undoubtedly, some of the 
> sources you've seen are using one and some another.
>
> 1.  Investigation of Computer Security Incidents
>   A lot of this is recognizing what's abnormal and figuring 
> out how it came about.  Obviously, someone without an IT 
> background is going to be ill-equipped for this.
>
> 2.  Recovering Evidence from Computer Systems
>   This is all about being able to testify, as necessary, at 
> termination hearings, lawsuits, and even criminal trials, as 
> to things like standard procedures, sanitary methods, chain 
> of custody, and the like.
> Detailed IT knowledge is helpful, but is more essential to 
> tool authors than to tool users.  Although the evidence is 
> stored in a digital information system, the acts of which it 
> provides evidence need not involve any violation of computer 
> security, but are more often evidence of fraud, infidelity, 
> or other sorts of non-computer malfeasance.
>
>   Certifications come in both flavors, too.  My impression is 
> that the particular certs you've listed are attempting to 
> certify expertise under the first definition; under the 
> second, courts have decided to accept evidence retrieved by a 
> few specific tools *when used by a vendor- certified 
> operator*, and so each tool has its vendor certification program.
>   (Jobs in the second category have so far mostly been with 
> law enforcement and prosecutorial agencies, although I expect 
> that at some point there will begin to be a market for these 
> skills on the defendant side as well.)
>
>   To those who use the second definition, activities under 
> the first definition are a subset of "Incident Response", and 
> you may find it easier to get into that general field and 
> then specialize in the particular aspect that interests you, 
> than to try to go directly into specialization.
>
> David Gillett
>
>  
>
> > -----Original Message-----
> > From: listbounce () securityfocus com
> > [mailto:listbounce () securityfocus com] On Behalf Of 
> > reapersoft () gmail com
> > Sent: Tuesday, December 05, 2006 5:04 AM
> > To: security-basics () securityfocus com
> > Subject: Is a career change to Computer Forensics fantasy 
> or can it be 
> > reality?
> >
> > Hello,
> >
> > I am a software engineer working in the VoIP space.  I am 
> looking to 
> > change my career path and get into Computer Forensics.
> >
> > Without any experience its going to be a tough road but I 
> believe my 
> > troubleshooting skills and software experience can help.  My 
> > troubleshooting ability can be valuable on the 
> investigation side of 
> > things, I generally will "chew" on a problem until its solved or at 
> > least until I have another way to debug it and gather more 
> > information.  My programming skills can come in handy for gathering 
> > information during an investigation when its a network intrusion or 
> > for malware analysis, at least this is my reasoning.
> >
> > Some things I am doing now is reading books (File System Forensic 
> > Analysis, Real Digital Forensic etc...) and listening to relevant 
> > podcasts but that only takes one so far.  My other thought 
> is to get 
> > one of the many certifications out there so that when I attempt to 
> > gain employment I am at least showing some initiative and 
> not just a 
> > passing interest in the field.  Spending some of my own 
> money shows a 
> > committment to my goal.
> >
> > There has always been a conflict in my mind that one who persues 
> > Forensics needs to first be a Security/IT type, I have seen 
> where this 
> > looks to be true and where it does not, perhaps someone can 
> comment on 
> > that.
> >
> > I am looking for opinions on what certifications I might spend my 
> > money on.  Should I go with a security cert, a pure forensics cert, 
> > some combination of both or neither.
> >
> > Some of the Forensic specific certs I have been evaluating are the 
> > SANS GCFA and ISFCE CCE.
> >
> > I have posted this to the SecurityFocus Forensics list but it was 
> > rejected because it was off topic.  I did however get some good 
> > feedback from the lists' moderator, thanks for that!
> > I wish to get some more feedback from others so hopefully 
> the Basics 
> > list is the place to post.
> >
> > In a nutshell:
> >
> > Can one get into the field of Computer Forensics thru self 
> study and 
> > getting a certification or is it such a closed field that I should 
> > look elsewhere for a career change and not waste my time/money?
> >
> > Is the field primarily based on experience and not certs?
> >
> > Any and all opinions are welcome.
> >
> > Thanks in advance,
> >
> > MH
> >
> > --------------------------------------------------------------
> > -------------
> > This list is sponsored by: ByteCrusher
> >
> > Detect Malicious Web Content and Exploits in Real-Time.
> > Anti-Virus engines can't detect unknown or new threats.
> > LinkScanner can. Web surfing just became a whole lot safer.
> >
> > http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=s
> > fmaildetect
> > --------------------------------------------------------------
> > -------------
>
>
> --------------------------------------------------------------
> -------------
> This list is sponsored by: ByteCrusher
>
> Detect Malicious Web Content and Exploits in Real-Time.
> Anti-Virus engines can't detect unknown or new threats.
> LinkScanner can. Web surfing just became a whole lot safer.
>
> http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=s
> fmaildetect
> --------------------------------------------------------------
> -------------
>
>
> --------------------------------------------------------------
> -------------
> This list is sponsored by: ByteCrusher
>
> Detect Malicious Web Content and Exploits in Real-Time.
> Anti-Virus engines can't detect unknown or new threats.
> LinkScanner can. Web surfing just became a whole lot safer.
>
> http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=s
> fmaildetect
> --------------------------------------------------------------
> -------------


---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------