Tuesday, 11 December 2007

Why more training?

When going into court, the more papers, accreditations, books etc. the better. This helps with forensics, but it also helps in general. Many in Information Technology get their stock-standard collection of 4-5 certifications and, if we are lucky, maybe a single degree.

I would argue this is not enough.

Continual training should also (I would hope) have you learn something. There are far too many forensic practitioners and security people who have not come out of the 90s. Too many who pull the plug first and then look for the answers (can we say hard drive encryption?). Too many who do not question.

Get enough behind you and it will become difficult not to learn and develop. In fact, the act of maintaining one's certifications can become an exercise in development in itself. In my case, I have a certification exam every 11 days. I admit that these are not all directly digital forensics or information security related, but they all aid in some manner. In having 20-something SANS certifications I have constant training on these alone. The GCIH helps with incident handling, and this also crosses over to first response in forensic work (so an overlap exists).

However, I completed a UCP500-600 bridging course last year. This has nothing to do directly with information security. The Uniform Customs and Practice for Documentary Credits is a trade and banking issue. It still adds value, as I can understand the needs of another group.

GCFW covers firewalls. This seems not to have too much of an impact for most people in the forensic field, but then we forget that traffic passes through these. Email on a server can be spoofed. By understanding the architecture, one can do more than a simple search on a single drive to uncover an email. I have been in court while an “expert” has told the judge that “time on the firewalls drifts like PCs” and that “NTP only updates time daily, leaving the time on the firewall to vary by over an hour”. Well, first, NTP will not sync if it is out this far, and second, this was pure ignorance.

At our best, we provide circumstantial evidence. This is all a drive analysis is. Direct evidence is catching a person in the act (i.e. physically watching them type and maybe videotaping it). The more we know, the fewer the stuff-ups that will abound, the fewer cases of FUD we will believe, and the closer we can all come to being professional.

The more you know and understand, the better. Yes, getting people certified is difficult. I offer 20% training time (i.e. a day per week on average) and getting staff to take this becomes difficult. Getting them to then do the exam or write a paper, more so. So stick it in a KPI.
