Tuesday, February 4, 2014

Daily Blog #226: Look ma I'm a GCFE

Hello Reader,
I've been doing digital forensics since 1999; in that time I've only picked up one certification specific to DFIR, and that was the ACE exam. I got the ACE exam as I saw a pattern of attorneys asking on cross if the expert was certified in the tool they were using, and we do use FTK in our lab. It also doesn't hurt that the ACE is free and entirely online. Since then I've looked at a variety of certifications, thinking I should probably pick up one or two.

The two I looked at the most were the GCFE from SANS and the CCE from ISFCE, and I do plan to complete both in the long run. I finished the GCFE first, though, and I'm glad I went through it. Here are a couple of reasons why:

  • I'm no stranger to DFIR but forcing myself to watch all of FOR408 on demand got me to reassess what I knew at a low level and what I only occasionally used. I am weaker in browser forensics than I had suspected!
  • I discovered that while I understood the web technologies and how browsers operated, I did not appreciate some of the differences between the minor versions of IE/Firefox. There is always more data to be found!
  • I actually found some new registry keys that I hadn't focused on in my work and that are being added to my 'places to look' list. I'm looking at you, WindowsPortableDevices (beyond MTP, that is).
  • I rediscovered an appreciation for the event log beyond what I normally looked at. I normally use the event logs for time changes, user logins, failed services, and the like. I hadn't thought to look at the event logs for application installs and had forgotten about the reading I had done before about the device install detail left within it.
  • I got to approach basic deadbox forensics with a heavy emphasis on intrusions and external attackers rather than the insider threat that my day-to-day work exposes me to. Now that does not mean that there isn't plenty of insider case data to work with in the course, but it was nice to be exposed to some ideas that I don't typically deal with.
  • I had to seriously prepare myself to take a test, something I haven't done since the CISSP. I haven't had to be judged on my answers to forensic questions outside of a formal report and deposition since I last played DFIR Netwars.
  • I got a better appreciation for what people are being trained on in 408/508 (I've taken both now) and what's left to be learned for those coming to me. It also helps to make sure all the material we make for FOR668 is fresh and new to those taking it.
So for all those reasons and more I'm glad I took the time to get the GCFE, and I plan to go ahead and 'Go for Gold'. To those of you looking to do the same, I hope to be teaching FOR408 (now that I'm done taking it :) ) in the near future. If you don't want to wait until then, you might want to check out the next big SANS DFIR training, DFIRCON, in Monterey, California. They have a discount that ends today: http://www.sans.org/event/dfircon-monterey-2014.