Forensic Certifications
Mayuri Shakamuri
CS 489-02 Digital Forensics
October 31, 2006
New Mexico Tech

Executive Summary

Digital Forensics is rapidly growing and evolving to become a scientific practice with specific legal and procedural guidelines. Certification of computer forensics is a step in the right direction to ensure that digital forensic examiners are able to meet acceptable criteria in the eyes of the law. It follows that all such criteria are modeled on those established by criminal investigators for gathering evidence and presenting it in a court of law. Some of the certifications that this document investigates are: EC-Council's Certified Ethical Hacker, (ISC)2 (International Information Systems Security Certification Consortium) certification, GIAC (Global Incident Analysis Center) certifications, and SCP (Security Certified Program) certifications. Weaknesses and limitations in the current certification programs are identified. Some certifications focus strictly on sound forensic evidence collection and analysis. There are very few which cover all core aspects of Digital Forensics. With an increasing number of computer crimes and growing demand for forensic investigators, there is an urgent need for a centralized standards body. This organization should be capable of integrating all the different guidelines and molding them into common practices that in turn lead to the evolution of certification program(s) from established accredited institution(s). This document gives an overview of some of the current Digital Forensic certifications available. Shortcomings of the certifications are presented. A proposal for future direction in this field is also made.

Introduction

There is a dramatic increase in the volume of digital evidence in cases brought before a court of law.
There is a growing concern about the admissibility of digital forensic evidence, the tools and methodology used to collect it, and legitimate challenges to the skills of the professionals who collect it. A forensic certificate is a very good gauge of an investigator's capabilities in the field of forensics. It is also proof that an individual meets a minimum standard of knowledge in the areas of evidence collection, analysis, and reporting. The certification process puts into place standards and procedures that adhere to proven criteria. It follows that all such criteria are modeled on those established by criminal investigators for gathering evidence and presenting it in a court of law. Certification of computer forensics is a step in the right direction to ensure that digital forensic examiners are able to meet acceptable criteria in the eyes of the law.

The problem arises when trying to meet the same standards as physical evidence gathering, since the field of Digital Forensics is relatively new and is coming to the forefront with the recent expansion of personal computers in the USA. With more and more electronic transactions being done on a daily basis, computer-based criminal activity has risen. Intruders are using increasingly sophisticated means to intercept personal information such as social security numbers and passwords for identity theft. Into this breach has stepped a multitude of agencies, some genuine, others intent on making a fast buck. There has been a mushrooming of these institutions, each carving out an area of expertise and setting certification standards based on narrow criteria. Within the last few years, the need to consolidate all these differing standards under one umbrella organization has gained importance. This is still an ongoing effort.

State of practice

There are various certifications offered by several different institutions and organizations.
Some take a comprehensive approach to the certification process; they offer both training and practice tests modeled on the certification exam, while others administer just the exam. I present some of the certifications currently available in the field of Digital Forensics. This list is completely based on my subjective opinion. Please refer to the appendix for a summary of certifications.

International Information Systems Security Certification Consortium (ISC)2 [1]

(ISC)2 is a globally recognized organization; it offers the Certified Information Systems Security Professional (CISSP) certificate. This certification is intended for mid- and senior-level managers and appears to have global recognition. The CISSP exam tests the individual's competence in the following 10 domains: Access Control; Application Security; Business Continuity and Disaster Recovery; Cryptography; Information Security and Risk Management; Legal, Regulations, Compliance and Investigation; Operational Security; Physical Security; Security Architecture and Design; and Telecommunications and Network Security.

EC-Council, Certified Ethical Hacker [2]

This program prepares an individual to be certified as an ethical hacker. An ethical hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in network systems. They are trained to use the same knowledge and tools as a malicious hacker, but from a defensive point of view. The nature of the work of an ethical hacker is similar to that of a penetration tester. Some of these are (ex-)hackers who have turned legitimate and see a challenge in catching other hackers using their own skills. This certification is tailored for security officers, auditors, security professionals, site administrators, and anyone concerned about the integrity of the network infrastructure.
GIAC (Global Incident Analysis Center) Certifications [3]

The SANS Institute (SysAdmin, Audit, Networking, and Security) oversees this particular organization. It validates the skills of security professionals and provides assurance that a certified individual holds the appropriate level of knowledge and skill necessary in key areas of information security. Some of the certifications offered by GIAC are: GIAC Information Security Officer - Basic, GIAC Certified Forensics Analyst (GCFA), GIAC Security Essentials Certification (GSEC), GIAC Certified Firewall Analyst (GCFW), GIAC Certified Incident Handler (GCIH), GIAC Certified UNIX Security Administrator (GCUX), GIAC Systems and Network Auditor (GSNA), and GIAC Certified Security Engineer (GSE).

SCP (Security Certified Program) Certifications [4]

This program covers both core security topics and advanced security knowledge. There are two levels of certification, the SCNA (Security Certified Network Architect) and the SCNP (Security Certified Network Professional). SCNP certification consists of two exams: Hardening the Infrastructure, and Network Defense and Countermeasures. SCNA certification consists of the Advanced Security Implementation and Enterprise Security Solutions exams.

Guidance Software, EnCE [5]

The EnCase Certified Examiner (EnCE) program offers certification for those who are trained on Guidance Software's EnCase. EnCase is widely used commercial forensic investigation software. Professionals who undergo the training are eligible to take this certification exam.

CSFA (Cyber Security Forensic Analyst) [6]

The Cyber Security Institute offers this certification. Its testing scenarios are based on actual cases. This certification tests the individual's ability to conduct a thorough and sound forensic examination, properly interpret the evidence, and communicate the results effectively. An FBI background check is required for an individual to take this certification test.
AIS Certification

Advanced Information Security Certification (AIS) is an all-in-one security certification divided into 4 main areas: Management, Protection, Detection, and Reaction. The Reaction module focuses heavily on computer forensics.

Gaps

There are some weaknesses and limitations in the current certification programs. Some certifications focus strictly on penetration testing, network security, incident handling, firewall analysis, etc. In my view, there are very few that cover all core aspects of Digital Forensics, which are preservation, identification, extraction, documentation, and interpretation of digital media for evidentiary and/or root cause analysis. These certifications do not cover all the aspects of Digital Forensics. In other professions like management, medicine or engineering, there is one organization overseeing certifications in the different specialities. Computer or Digital Forensics is not at that point. There are too many conflicting agencies trying to claim supremacy in terms of the processes and controls to be used in Digital Forensics.

Future Practice

Once the principles and practices of Digital Forensics are codified and agreed to run under one single board which controls accreditation, methodology and practices, the current state of Digital Forensics can be improved upon, further reducing the scope for mistakes and minimizing the chances of gathered evidence being thrown out on challenges to procedures. The American Academy of Forensic Sciences (AAFS) [8] is a renowned organization recognized for its work in setting standards for the application of science to the legal system. Another organization is the International Information Systems Security Certification Consortium (ISC)2. It is an internationally recognized and well-established organization for educating and certifying information security professionals.
Certification programs accredited by organizations like AAFS and (ISC)2 would bring better standards to the area of Digital Forensics. Since the area of Information Technology is rapidly changing, it is important that certification programs be designed to allow for flexibility and revision as the technology changes.

Conclusion

There are several Digital Forensics certifications currently available, and many different organizations offering them. In this paper we have looked into some of the certifications and their scope. It appears to me that all the certifications I have looked at focus on only some of the security aspects of Information Technology. To my knowledge there is no one certification program that addresses all the core aspects of Digital Forensics. Certification program(s) from established accredited institution(s) will help resolve the dilemma of Digital Forensics professionals in choosing the right certification program.

References

[1] International Information Systems Security Certification Consortium: https://www.isc2.org/cgi/content.cgi?category=7
[2] EC-Council: www.eccouncil.org/CEH.htm
[3] Global Information Assurance Certification: www.giac.org
[4] Security Certified Program: www.securitycertified.net/
[5] EnCase, Guidance Software: www.encase.com/training/ence/index.asp; EnCase certification exam: www.prometric.com
[6] Cyber Security Institute: http://certifications.cybersecurityinstitute.biz/
[7] ElementK Courseware: www.elementkcourseware.com
[8] American Academy of Forensic Sciences: http://www.aafs.org/

APPENDIX

Summary of certifications (Organization / Requirements / Web site / Cost)

Certified Ethical Hacker
  Requirements: This certification is for security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure.
  Web site: www.eccouncil.org/CEH.htm

GIAC Certifications:
  a. GIAC Information Security Officer - Basic (GISO - Basic)
  b. GIAC Security Essentials Certification (GSEC)
  c. GIAC Certified Firewall Analyst (GCFW)
  d. GIAC Certified Incident Handler (GCIH)
  e. GIAC Certified Intrusion Analyst (GCIA)
  f. GIAC Certified Unix Security Administrator (GCUX)
  g. GIAC Certified Windows Security Administrator (GCNT)
  h. GIAC Information Security Officer (GISO)
  i. GIAC Systems and Network Auditor (GSNA)
  j. GIAC Certified Security Engineer (GSE)
  Web site: www.giac.org

SCP Certifications: SCNP, SCNA
  Note: CompTIA Security+ certification is a prerequisite for both SCP certifications.
  Requirements: SCNP certification consists of two exams: Hardening the Infrastructure, and Network Defense and Countermeasures. SCNA consists of the Advanced Security Implementation and the Enterprise Security Solutions exams.
  Web site: www.securitycertified.net/

EnCE
  Requirements: The EnCase Certified Examiner Program offers certification for those who have taken the EnCase Guidance Software training.
  Web site: www.prometric.com

CSFA, Cyber Security Forensic Analyst
  Requirements: FBI background check
  Web site: http://certifications.cybersecurityinstitute.biz/

GCFA (GIAC Certified Forensics Analyst)
  Requirements: GCFA deals directly with incident handling scenarios and investigation.
  Web site: www.giac.org
  Cost: $150

AIS Certification
  This is an all-in-one security certification divided into 4 main areas: Management, Protection, Detection and Reaction. The Reaction module deals heavily with computer forensics.

Computer Forensic, Cybercrime and Security Training Curriculum:
  a. Certified Cybercrime First Responder (CCFR)
  b. Internet Crimes Against People (ICAP)
  c. Internet Crimes Against Children (ICAC)
  d. Presenting Digital Evidence at Trial (PDET)
  e. Network Security Intrusion and Detection (NSID)
  f. Personal Digital Device Forensics (PDDF)
  g. Advanced File System Recovery Seminar (AFSRS, with certification)
  h. High Tech Crime Investigator Level 1
  i. High Tech Crime Investigator Level 2

Computer Forensic External Certification (CFEC):
  a. Certified Forensic Computer Examiner (CFCE)
  b. Electronic Evidence Collection Specialist Certification (CEECS)
  Designed for law enforcement by the IACIS, this certification is now open to those with the experience and knowledge active law enforcement officers

Certified Computer Crime Investigator (CCCI) and Certified Computer Forensic Technician (CCFT)
National Institute of Standards and Technology (NIST)
  60 hours of classroom training and 100 hours of CBT training.

TruSecure ICSA Certified Security Associate
  Although not a forensics certification, this overall security certification is highly respected and covers essential forensics procedures.

Costs and web site listed for the rows above: $750; $1400; online training cost for both CFCE and CCE, $2750.00; www.whitehatinc.com; $3,000

Advanced Computer Forensics Boot Camp
  3-day boot camp in the complexities of digital forensics
  Web site: www.infosecinstitute.com

Computer Forensic Training Center Online
  Online training and CCE certification through Kennesaw State University

Certified International Information Systems Forensics Investigator (CIFI)
  Members of the International Information Systems Forensics Association (IISFA) can take the Certified International Information Systems Forensics Investigator (CIFI) exam.

National Cybercrime Training Partnership (NCTP)
  Programs specifically for law enforcement agencies only. The NCTP offers training on basic and advanced data recovery.

National White Collar Crime Center (NW3C)
  This is primarily intended for law enforcement and is offered free to qualifying agencies.

International Information Systems Security Certification Consortium (ISC)2
  See above.
  CISSP - Certified Information System Security Professional: 1 Exam (250 questions, 6 hours).
  SSCP - Systems Security Certified Practitioner: 1 Exam (125 questions, 3 hours).

CIW - Security Professional
  Master CIW Administrator Certification, which includes 4 exams. $500 ($125/exam)

Costs listed for the rows above: $2,700.00; $450.00; $450.00; $295.00

GSE - GIAC Security Engineer: 7 Exams.

RSA Security (www.rsasecurity.com)
  RSA/CSE - RSA Certified Systems Engineer
  RSA/CA - RSA Certified Administrator
  RSA/CI - RSA Certified Instructor: Requires CSE or CA Cert + Workshop.

CheckPoint (www.checkpoint.com)
  CCSA - Check Point Certified Security Administrator
  CCSE - Check Point Certified Security Engineer

Costs listed for the RSA and CheckPoint rows: $1,750.00; $150.00; $150.00; $300.00; $150.00

Cisco (www.cisco.com)
  Cisco Firewall Specialist: CCNA + 2 Exams. $375.00
  Cisco VPN Specialist: CCNA + 2 Exams. $375.00
  Cisco IDS Specialist: CCNA + 2 Exams. $375.00
  CCSP - Cisco Certified Security Professional: CCNA + 5 Exams. $750.00 ($125 per exam)

TruSecure (www.trusecure.com)
  TICSA - TruSecure ICSA Certified Security Associate: 1 Exam (70 questions, 90 minutes).
  TICSE - TruSecure ICSA Certified Security Engineer: TICSA Cert + 1 Exam

BrainBench (www.brainbench.com)
  BIS - BrainBench Internet Security Certification: Requires 1 Exam. $25.00
  BNS - BrainBench Network Security Certification: Requires 1 Exam. $25.00

Learning Tree (www.learningtree.com)
  NSCP - Network Security Certified Professional: 3 Core Courses, 1 Elective Course and associated exams

CompTIA Security+
  Requires: 1 Exam.

Costs listed for the Learning Tree and CompTIA rows: $295.00; $937.00 - $2,645.00; $199.00

Security Certified Program
  SCNP - Security Certified Network Professional: 2 Exams. $300 ($150 per exam)
  SCNA - Security Certified Network Architect: 2 Exams. $360 ($180 per exam)