Forensic Certifications

Mayuri Shakamuri
CS 489-02 Digital Forensics
October 31, 2006
New Mexico Tech

Executive Summary

Digital Forensics is rapidly growing and evolving to become a scientific practice with specific legal and procedural guidelines. Certification of computer forensics is a step in the right direction to ensure that digital forensic examiners are able to meet acceptable criteria in the eyes of the law. It follows that all such criteria are modeled on those established by criminal investigators for gathering evidence and presenting it in a court of law.

Some of the certifications that this document investigates are: EC-Council's Certified Ethical Hacker, (ISC)2 (International Information Systems Security Certification Consortium) Certification, GIAC (Global Incident Analysis Center) Certifications, and SCP (Security Certified Program) Certifications. The weaknesses and limitations in the current certification programs are identified. Some certifications focus strictly on sound forensic evidence collection and analysis. There are very few which cover all core aspects of Digital Forensics.

With an increasing number of computer crimes and demand for forensic investigators, there is an urgent need for a centralized standards body. This organization should be capable of integrating all the different guidelines and molding them into common practices that in turn lead to the evolution of certification program(s) from established accredited institution(s).

This document gives an overview of some of the current Digital Forensic certifications available. Shortcomings of the certifications are presented. A proposal for future direction in this field is also made.

Introduction

There is a dramatic increase in the volume of digital evidence in cases brought before a court of law.
There is growing concern about the admissibility of digital forensic evidence and about the tools and methodology used to collect it, as well as legitimate challenges to the skills of the professionals who collect it. A forensic certificate is a very good gauge of an investigator's capabilities in the field of forensics. It is also proof that an individual meets a minimum standard of knowledge in the areas of evidence collection, analysis, and reporting. The certification process puts into place standards and procedures that adhere to proven criteria. It follows that all such criteria are modeled on those established by criminal investigators for gathering evidence and presenting it in a court of law. Certification of computer forensics is a step in the right direction to ensure that digital forensic examiners are able to meet acceptable criteria in the eyes of the law.

The problem arises when trying to meet the same standards as for physical evidence gathering, as the field of Digital Forensics is relatively new and is coming to the forefront with the recent expansion of personal computers in the USA. With more and more electronic transactions being done on a daily basis, computer-based criminal activities have increased. Intruders are using increasingly sophisticated means to intercept personal information such as social security numbers and passwords for identity theft.

Into this breach has stepped a multitude of agencies, some genuine, others intent on making a fast buck. There has been a mushrooming of these institutions, each carving out an area of expertise and setting certification standards based on narrow criteria. Within the last few years, the need to consolidate all these differing standards under one umbrella organization has gained importance. This is still an ongoing effort.

State of practice

There are various certifications offered by several different institutions and organizations.
Some take a comprehensive approach to the certification process, offering both training and practice tests modeled on the certification exam, while others administer just the exam. I present some of the certifications currently available in the field of Digital Forensics. This list is completely based on my subjective opinion. Please refer to the appendix for a summary of certifications.

International Information Systems Security Certification Consortium (ISC)2 [1]

(ISC)2 is a globally recognized organization that offers the Certified Information Systems Security Professional (CISSP) certificate. This certification is intended for mid- and senior-level managers. This certification appears to have global recognition. The CISSP exam tests the individual's competence in the following 10 domains: Access Control; Application Security; Business Continuity and Disaster Recovery; Cryptography; Information Security and Risk Management; Legal, Regulations, Compliance and Investigation; Operational Security; Physical Security; Security Architecture and Design; Telecommunications and Network Security.

EC-Council, Certified Ethical Hacker [2]

This program prepares an individual to be certified as an ethical hacker. An ethical hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in network systems. They are trained to use the same knowledge and tools as a malicious hacker, but from a defense point of view. The nature of work for an ethical hacker is similar to that of a penetration tester. Some of these are (ex-)hackers who have turned legitimate and see a challenge in catching other hackers using their own skills. This certification is tailored for security officers, auditors, security professionals, site administrators, and anyone concerned about the integrity of the network infrastructure.

GIAC (Global Incident Analysis Center) Certifications [3]

The SANS Institute (SysAdmin, Audit, Networking, and Security) oversees this particular organization. They validate the skills of security professionals and provide assurance that a certified individual holds the appropriate level of knowledge and skill necessary in key areas of information security. Some of the certifications offered by GIAC are: GIAC Information Security Officer - Basic, GIAC Certified Forensics Analyst (GCFA), GIAC Security Essentials Certification (GSEC), GIAC Certified Firewall Analyst (GCFW), GIAC Certified Incident Handler (GCIH), GIAC Certified UNIX Security Administrator (GCUX), GIAC Systems and Network Auditor (GSNA), and GIAC Certified Security Engineer (GSE).

SCP (Security Certified Program) Certifications [4]

This certification covers both core security topics and advanced security knowledge. There are two levels of certification, the SCNA (Security Certified Network Architect) and the SCNP (Security Certified Network Professional). SCNP certification consists of two exams: Hardening the Infrastructure, and Network Defense and Countermeasures. SCNA certification consists of advanced security implementation and enterprise security solutions exams.

Guidance Software, EnCE [5]

The EnCase Certified Examiner Program (EnCE) offers certifications for those who are trained on EnCase Guidance Software. EnCase is widely used commercial forensics investigation software. Professionals who undergo training are eligible to take this certification exam.

CSFA (Cyber Security Forensic Analyst) [6]

The Cyber Security Institute offers this certification. Their testing scenarios are based on actual cases. This certification tests the individual's ability to conduct a thorough and sound forensic examination, properly interpret the evidence, and communicate the results effectively. An FBI background check is required for an individual to take this certification test.

AIS Certification

Advanced Information Security Certification (AIS) is an all-in-one security certification divided into 4 main areas: Management, Protection, Detection, and Reaction. The Reaction module focuses heavily on computer forensics.

Gaps

There are some weaknesses and limitations in the current certification programs. Some certifications focus strictly on penetration testing, network security, incident handling, firewall analysis, etc. In my view, there are very few that may cover all core aspects of Digital Forensics, which are preservation, identification, extraction, documentation, and interpretation of digital media for evidentiary and/or root cause analysis. These certifications do not cover all the aspects of Digital Forensics. In other professions like management, medicine or engineering, there is one organization overseeing certifications in different specialities. Computer or Digital Forensics is not at that point. There are too many conflicting agencies trying to claim supremacy in terms of the processes and controls to be used in Digital Forensics.

Future Practice

Once the principles and practices of Digital Forensics are codified and agreed to run under one single board which controls accreditation, methodology and practices, the current state of Digital Forensics can be improved upon to further reduce the scope for mistakes and minimize the chances of gathered evidence being thrown out on challenges to procedures. The American Academy of Forensic Sciences (AAFS) is a renowned organization that is recognized for its work in setting standards for the application of science to the legal system. Another organization is the Information Systems Security Certification Consortium (ISC)2. It is an internationally recognized and well-established organization for educating and certifying information security professionals. Certification programs accredited by organizations like AAFS and
