
Making the case for forensics training

Computer-based evidence can be important in proving a misuse of company resources, but knowing the technical side of using forensics tools may not be enough. These resources can help you find a forensics training program for key staff members.


Many IT departments have tools to detect and prevent corporate breaches, but oftentimes, key staff members may not have a good background in investigative computing techniques.

Training staff in forensics makes the best use of tools and also helps companies handle liability and legal issues in which information on computer data, access breaches, and user log-in details play a role in criminal and civil court actions.

The need for forensics training and certification is increasing due to various factors, according to trainers and certification organizations.

“Companies are getting a lot of problems with theft of trade secrets, misappropriation of corporate assets, and wrongful-dismissal lawsuits,” explained Rich Radford, software and training coordinator with Oregon-based New Technologies, Inc. (NTI).

Who’s studying forensics today?
The events of Sept. 11 have also increased certification program and forensic class enrollments, although at this point, the majority of students come from military, customs, or intelligence agencies. About one-third of students are active in law-enforcement industries. Most of the IT students come from Fortune 1,000 companies, with a few coming from corporate security departments or law firms.

The mix of professional backgrounds enhances the learning process for students, said Radford. “Folks from Boeing or from Verizon… really gain a lot from being around the military and law-enforcement folks,” Radford said. The IT professionals who attend are often system administrators or MCSEs—and session leaders try to pair up students according to various abilities.

“After the first few hours of training, if we discover we’ve got two really hot computer jockeys together and two people maybe that are struggling, we’ll split them up,” Radford said, adding that the goal is to pair a person with computer expertise with another who has a stronger investigative background.

NTI offers four types of classes. Corporate tuition for the three-day computer forensics/security risk course is $2,730, and includes 20 DOS-based forensics tools that the student may keep. The two-day NTFS/Windows 2000 course is $1,750, and includes 13 pieces of software. An NTI course on presenting expert testimony in court is $3,000.

Russ Walton, a TechRepublic member who is seeking to enter computer forensics from his current IT career, said the majority of his new colleagues are from non-IT fields.

“I have attended conferences where I was the only nonsworn person, and believe me, I can dance around most forensics people when it comes to technical knowledge,” wrote Walton. “Most became interested in forensics—or defaulted to it—because they were seen as the best computer user in the department.”

Walton has worked with computer security tools, and while vendors do offer their own training classes leading to certification, Walton believes the forensics experience is something employers are gaining interest in.

Forensics certification
In some situations, forensics students are more interested in an independent study approach than in attending a formal course. The International Association of Computer Investigative Specialists (IACIS) is a volunteer organization that offers the Certified Forensic Computer Examiner (CFCE) certificate. At this point, only law enforcement officers or employees are eligible to join the organization and pursue certification. However, IACIS has established an external certification process that nonmembers may pursue, although IACIS President Jack Mattera said that to date, “There have not been a lot of non-law-enforcement personnel taking the external certification route.”

The testing process costs $1,250 and begins with a series of six assignments to uncover two or three technical problems. Each assignment is mailed on a disk to the participant. A coach reviews the participant’s written report of the task and, if the coach is satisfied, the participant moves on to the next problem. After the participant completes the disk series, IACIS sends him or her a small hard drive to examine. The participant must locate and discuss the eight technical problems on the drive with the coach. If the participant succeeds at that step, he or she then moves on to an 85-question written exam.

The High Tech Crime Network (HTCN) also offers several levels of a Computer Crime Investigator Certification, which takes into account either corporate or law-enforcement experience as well as the types and hours of training a candidate has completed. In April 2002, the organization increased its requirements and also upped the cost of certification to $500.

With high-profile cases of corporate malfeasance and increased attention paid to cybercrime and cyberterrorism, interest in forensics will grow. Even if staff members have the technical expertise to use the tools well, tech leaders may want to consider deeper training to boost internal security mechanisms and operations.
