This post is intended to generate discussion related to the professional development of a digital forensic professional based off discussion as to whether certifications are evil.
Why certify at all?
Certifications are not intended to ensure that someone is awesome at their job, but that they pass the minimal qualifications for someone in the field. Much like basic training teaches you the basics to fight in combat, but hardly makes you an Army Ranger.
For the sake of the profession, something similar to the bar or medical exams has to ensure that a basic set of knowledge exists for an entry level individual. CPAs, doctors, lawyers, all need to pass a test. However, the best professionals in those fields have the most experience. However, in order to even begin the first day in those professions, they have to prove that they at least know enough not to make a critical error on day 1.
I know many smart lawyers or doctors. However, none of them cannot do their jobs unless they passed their tests. Their IQ does not matter. You cannot fly a plane without passing tests. In fact, you cannot drive a car without a license. I know many people that can drive a car without it, but the test is geared to show you understand the basics of road safety and vehicle control.
That is the point of certification.
Professionalization for Digital Forensics
Unfortunately, licensing will be barreling down on our profession faster than you think for everyone in both information security and computer forensics. There are bills in congress as well as legislative actions that are taking place in many states.
We live in a society where you need to be licensed to cut hair, be a plumber (Joe the unlicensed plumber) or babysit (Michigan). Do we really believe that we will not need a license of any sort to do the job we love?
Good certifications are needed as a counter to that. The organizational efforts of the CDFS are a part of that solution as well, but the states want educational/testable proof that someone doing the job has jumped through a couple of hoops so they are not snake oil salesmen.
For the profession overall to be recognized, certifications are needed. Personally, I respect many certifications. EnCE, CCE, the potential of the DFCA/DFCP , and the CFCE. Last year I sent out a Common Body of Knowledge to over 80 practioners, the CBK comment process outline which skills are needed and which skills are "nice to have." I received much feedback, but we need more people that we can reach out and involve in these discussions.
As a profession, we will need to become tested to perform our work. It is not a matter of "If", but "when".
Your call on how we should get that license. Leave it to biased industry groups such as the PI lobby or have digital forensic professionals (you and I) to decide together what the minimal qualifications are.
How many professions that have been around for a while do not have at least an entry-level test?
I personally am not advocating any specific certifications. There are many good ones out there that are recognized, but professionals should consider certifications in their profession of choice. Get certified to show we are a true profession.
Do we need to back only one certification now?
In my opinion no. If we back one too soon, creativity and ingenuity will begin to languish. We need the certifications to continue to evolve and become better. Competition will do that for us. However, having said that, I think all the certifications should understand that it is in our best interest to cross promote all the certifications. We are in this together, that is the mantra of the CDFS. For example, SANS , HTCIA, and ISFCE have routinely worked together. The SANS digital forensic courses are certified as CCE Bootcamps even though we offer a competing certification? Why? The CCE certification might be more useful in your specific industry such as Law Enforcement vs Information Security. We respect their certification objectives and as a friend in the industry.
The key is understanding that the current discussion is not "Which Certification?" The battle is "Should we certify at all?" This is why I am adamant about pushing individuals to certify in a respected certification. There are many I realize. Get certified that will help you in your specific career in Law Enforcement, Litigation Support, or Information Security.
We need your help
Help us decide what the qualifications are needed for a minimally qualified professional in digital forensics we do not think we have the best idea, but we need to come together and help professionalize digital forensics. Any additional ideas on how to foster professionalization in this community? Send comments back to me at rlee@sans.org and Ill share thoughts periodically.
Help mold the future of your profession.
Rob Lee is a Director for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob has over 13 years experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute.
.png "Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png")
.png "Blog_teaser_images_(19).png")
