Thursday, June 27, 2013

Daily Blog #4: Milestones 1 and 2 detailed

Hello Reader,
    In my last post we talked about the milestones and optional achievements you can look forward to in your forensic career. This post will go into detail on what it takes to achieve milestones 1 and 2.

Milestone 1 - Your tool defines your workflow.
    When most of us get our first job as a digital forensic examiner, it's through an employer where we are transitioning roles, not after graduating with a degree in computer forensics, though that is now a possibility! Without a 4-year foundation in digital forensics backing you up, you and your employer look to make an investment in your career by purchasing a forensic suite and a training package to learn how to use it.

    When you first receive training on how to use a forensic suite, no matter which one, you are amazed at what is suddenly possible. The ability to recover deleted files, carve long-deleted data, determine a user's activities, and all the rest of the data you gain from the tool's ability to parse computer forensic artifacts empower you in your first investigations. You are content at this point with what your tool is able to do and what you have been trained to do with it.

    So let me be clear, because as people grow in their experience and skills they begin to look back at this time with disdain for their former selves. There is nothing wrong with your results at this point; any evidence that you find in your investigation is still good evidence. At this stage in your career, though, you may be missing evidence, not because the tool is faulty but because you have not yet learned all the artifacts that exist. You may miss evidence at this point that can add more to your findings, with the worst possibility being you miss evidence that would have revealed more about whatever the focus of your investigation was.

    In this milestone you also chase the most red herrings, as you are still learning to understand what is possible, what the system records, and what's relevant in your investigations. If you are in this milestone I would encourage you to move on to other milestones as quickly as you can. While the results of your tool are correct, you are missing artifacts and a bigger picture of the actions of those you are investigating. The only thing you can do to move forward is to get more experience and, depending on your budget, go to non-vendor training and conferences, or read blogs and white papers to start educating yourself on what exists outside of your walled garden.

Milestone 2 - You get certified on your tool.
    This is an important milestone in your career: outside of kudos from those to whom you give your reports, this is your first external validation of your skills and abilities as a digital forensic examiner. What is important to remember at this point is what your vendor certification means. It means that you have shown skill and knowledge in how to perform an examination using their tools. It is not a reflection on your overall knowledge of what is possible and your total capabilities. Many people see a vendor certification as an end point in their credentials, and I would encourage you to think outside that box.

    Let me be clear: there is great value in a vendor certification. Many attorneys are getting smart and asking experts if they are certified in the tools they use as a way to judge competency in the results those tools produce. Being able to pass a written test that shows your knowledge of how the tool works, and the ability to successfully retrieve known artifacts through a practical test, is great. You're not done, though, and if your organization views this as 'being done' in your professional path at this point, you should stop and think about what their intentions to grow your skills are.

    Once you obtain this certification you'll likely join a mailing list with other certified professionals who can ask each other questions outside of the public view. This is good, but remember that there is no confidentiality on those emails and they can be quoted against you in the future. Consider always subscribing and replying from a non-work email address that does not contain your name so your past statements don't come back to haunt you. You have plenty of time to show people how smart you are; you just may not be as smart as you think you are at this point.

    The other great perk of this milestone is the normal requirement for continuing education annually. This provides a great justification for your employer to pay for you to go to conferences and other training in order to keep the certification. Most employers like having a certified employee, as it allows them to show competence to those that are receiving your reports.

    I'll end this daily blog entry by saying I'm constantly amazed by new artifacts and research that is revealed every day. Digital Forensics is a science, never forget that, and we have to stay up to date with it to be the best scientists we can be.