Computer forensics training and education opportunities

Deb Shinder considers the likelihood that computer forensics will become a standardized, possibly licensed, job role. Here are the training and education opportunities available if you want to get ahead of the curve.

In my previous article, "So you want to be a computer forensics expert," I discussed the unregulated (and sometimes downright disorganized) nature of the relatively new field of computer forensics and the lack of standardization when it comes to background and qualifications of those working in this role. While it's true that many current forensics examiners are self-trained, it's inevitable that as the profession matures, more formal training will be required by employers. And eventually, those employers may not even have the option to hire you if you don't meet certain educational criteria.

The inevitability of regulatory control

It's likely that there will come a time when computer specialists have to be licensed by the government or a professional organization in the same way that doctors, lawyers, plumbers and hairdressers (and in some states, even palm readers) are today. In fact, many would argue that this requirement is long overdue. The rationale behind licensing is that in some occupations, how you do your job has a profound effect on other people's lives. The original purpose of licensing is to protect the public from incompetents and charlatans, although many have questioned the effectiveness and pointed out the negative consequences of occupational licensing requirements. This opposition has had little impact on the ever-expanding oversight of government over the business world. According to an article on Occupational Licensing by S. David Young on the Library of Economics and Liberty website, in the U.S. almost five hundred different occupations were subject to licensing by at least one state as of 2002.

Forensics experts play a vital part in today's society, although they are largely hidden from the public. Forensics examiners provide expert testimony in criminal trials and civil lawsuits that can affect whether an accused person is found guilty of a crime and subjected to often-severe penalties, or whether a company or individual is found liable and forced to pay sometimes huge awards. Certainly it's tough to deny that forensics experts can have a profound effect on others' lives - arguably at least as much so as librarians, tree trimmers, bill collectors, show promoters, upholsterers, insurance agents, automotive technicians, funeral directors, locksmiths and HVAC mechanics (all of which are licensed in California). You can find out what occupations are licensed in your state by using the tool on this website.

Given this trend, it would seem to be only a matter of time until computer forensics becomes another licensed occupation. If and when that happens, entry into the field will be restricted to those who meet the mandated requirements, which will probably include formal education or training and/or on-the-job experience and may also include passing a licensing examination and/or a background investigation. If you're considering a career in computer forensics at this time, you can get ahead of the game by getting the education/training under your belt now. Even if it's not mandatory, it will make you a more attractive job candidate and may result in a higher level of compensation and faster advancement. You may also want to consider documenting your knowledge and skills by obtaining one or more industry certifications.

Computer forensics training options

Currently there are several ways to get the education and training for entering a career in computer forensics, including the following:

  • Complete a two- or four-year college or university degree in computer forensics or a related subject
  • Complete a "trade school" or "vocational school" training program in computer forensics
  • Complete a "boot camp" in computer forensics
  • Complete training provided by vendors of forensics equipment and software
  • Complete in-house training courses offered by your employer
  • Complete a self-study course
  • Obtain on-the-job training through an apprenticeship or internship program

I'm not going to list specific training programs in this article because there are hundreds or even thousands, and it's impossible for me to know the quality of each school or short course. A web search for "Computer forensics training" will turn up many hits. What I want to do is help you decide what type of training is best for you and provide some tips on how to evaluate the different programs within your chosen type.

Degrees

A formal associate's or bachelor's degree in computer forensics is the most impressive educational credential that you can present to a potential employer, but it also requires the most time and usually the largest financial investment. The good news is that you may already have some of the credits you need if you've completed college courses in basic subjects, and/or you might be able to CLEP out of some of the required classes, thereby shortening the time commitment that's required. You might also qualify for financial aid; check with your chosen college or university.

Some schools offer some or all classes online, and some are self-paced so you can attend college without traveling to the campus and work when it's convenient for you. Be sure that the school offering the degree is properly accredited and not a "diploma mill." Check out the reputation not only of the school as a whole but its computer forensics program in particular. This program may be part of the Computer Science program in some schools, and part of the Criminal Justice program in others. The emphasis will probably be slightly different, with the former more focused on the technical aspects and the latter more focused on the legal aspects. Private employers may prefer the CS focus while public/government agencies prefer the CJ approach.

Trade/Vocational schools

If you don't have the time to dedicate to getting a degree, and especially if you already have work experience in the field and want to supplement it with some formal training, a trade school program might serve your purposes. These are also called vocational schools or technical schools.

This type of school is usually a private commercial enterprise that's regulated and licensed by the state. They must meet minimum standards in regard to facilities, student admission standards, student complaints, and so forth. Unlike a college or university, they offer targeted training in specific programs designed to prepare you for a job, and don't usually offer general, basic or "liberal arts" type courses. Programs typically range from six months to one or two years. Like colleges and universities, some vocational schools offer online training. To confuse matters further, some vocational/technical schools offer associate's or bachelor's degrees while others only offer certificates of completion. It's important to check out the accreditation and reputation of the school before signing up for a course.

Boot camps

When time is really limited, the "boot camp" type of training might appeal to you. This is an intensive, "total immersion" short-term course (usually one or two weeks) that often also includes targeted preparation for one or more certification exams. Prices usually range from a few hundred to several thousand dollars. Be aware that boot camps are usually commercial ventures operated by a company or individual for profit. Quality of the training ranges from useless to excellent.

Vendor training

The makers of forensics equipment and software often offer training in the use of their products. This may be included in the cost of the product or you may have to pay extra for it. These classes are usually short (one day to two weeks) and, like boot camps, may be operated by "traveling trainers" who go from city to city to conduct the training or they may be held in a fixed location. The courses will focus on how to use the specific equipment or software, as opposed to boot camps, which will usually provide more general training. Vendor training may or may not include a vendor certification exam.

In-house training

Many large companies provide training for their employees, so if you already have a job, you may be able to benefit from employer-hosted classes. For example, a company might bring in trainers (or use qualified on-staff trainers) to conduct training in computer forensics for its current IT professionals, to expand their skillsets and train them to handle incident response and administrative investigations of security breaches. A law enforcement agency might likewise provide in-house training in computer forensics for some of its police officers, to allow patrol officers, general crime scene technicians or other interested employees to move into the role of digital forensics specialist. In-house training may be optional or mandatory for particular employees, and it can range from very informal to a formal standardized course of study that leads to an industry-recognized certification or even carries college credits, depending on how it's implemented.

Self-study

If you're an IT pro, you may have obtained various IT certifications such as the MCSE or CCNA by studying on your own and then taking the associated exam(s). You won't find the plethora of self-study material for computer forensics certifications that abounds for those other exams. However, it's still possible to devise your own self-study program, and you can take some of the computer forensics certification exams without completing a formal course.

You can determine what topics to study by following the guidelines and learning objectives that are provided for most exams, and then dig out the information through web searches and popular books dedicated to the subject of computer forensics.

On-the-job training/apprenticeship and internship

Once upon a time, almost all training for jobs was on-the-job training. Even physicians learned by working under the tutelage of an experienced doctor. The apprenticeship system still exists today in the unregulated occupations (which, at the moment, still include computer forensics examiners in many jurisdictions). Unfortunately, it's rare to find an apprenticeship program in the types of companies and government agencies that employ computer forensics examiners. What you might be able to find is an internship program, where the firm or agency will take you on as an unpaid worker for a few months. You'll get exposed to a real forensics lab and do simple work such as research and "gofer" duties. Unfortunately, these spots are usually reserved for college students who are majoring in forensics, so they serve as a supplement to (rather than a substitute for) formal education.

Evaluating a training program

For any program you're considering, but especially in the case of trade schools, boot camps and vendor courses, before you lay down your money it's important to thoroughly check out the programs and ask lots of questions. Find out exactly what is included in the cost. Some high-dollar boot camps include room and board for the duration. If not, don't forget to figure in the cost of food and lodging (as well as travel) if the training location isn't local. Do you get copies of the forensics software to keep? Here are some other items for your checklist:

  • What are the credentials of the instructor(s)? Find out what experience they have and how they are regarded in the field.
  • How long has the program been in operation? What has turnover in personnel been like during that time?
  • What is the record of the program in regard to its graduates getting jobs in the field? Ask for names and contact information of others who have completed the training and find out what they think about it now.
  • Talk to the employers of graduates and find out how they feel about the level of knowledge and competence of their employees who completed the training.
  • Are certification exams administered at the end of the program? Is the cost included in the training cost? How well are the particular certifications regarded within the industry?

Watch out for schools that seem overly eager to get you to sign on the dotted line. Be cautious about taking on a student loan to pay the tuition, and be sure you understand the terms. If you're offered a grant, make sure that's really what it is, and not a "loan in grant's clothing." That means you should read every contract very carefully - more than once - and seek legal advice if you don't understand it. A forensics examiner must be able to focus on details, so going over every word of the contract is good practice for your new career.

Summary

In part one of this article, we took a look at the different types of training you can get to prepare you for a career in computer forensics, and how to evaluate the individual training programs. Next month, we'll examine some of the popular certifications that are available for computer forensics examiners, which are most recognized and respected by employers, and what you have to do to obtain them.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

9 comments
michael

The article mentions part 2 which will discuss forensic certifications, but I cannot seem to find it. Can anyone give me a link to part 2? Thanks, -Michael

lshanahan

Licensure for IT forensics may be inevitable, but it isn't necessarily a Good Thing, nor does it guarantee any level of competency. Case in point, my wife is currently in school to become a licensed cosmetologist. It takes some 1500 hours of classwork and practice in a supervised salon, then both a written and practical exam before the licensure board. Believe me, the bulk of the students she's training with may end up passing their boards, but you would NOT want them working on your hair. She has excellent instructors, but the learning discipline and work ethic of most of the students borders on the pathetic. They do just enough to get by and no more.

Con_123456

It looks as though such a profession will be requested more and more in the future.

HAL 9000

I cannot even believe that this is a good idea. At best it will be trailing current happenings and could make matters considerably worse than they currently are. For instance, with the exponential rise in Infections someone with last year's training could incorrectly identify someone or an entire department as the source of a leak and they would be held responsible for something that they had nothing to do with. The real problem has occurred because of an Infection which the Classically Trained system has no knowledge of or has taught their students anything about. I saw an instance of this with Kiddy Porn years ago where some so-called Forensic Expert had sworn in court that they found this material on an HDD so the user was responsible for it being there. Didn't matter that it was the user who complained about this material to the Authorities; he had it on his HDD so he was guilty. That person met all of the Criteria to work for the Government in the Government Regulated Evidence Gathering Section of the State Police. When I got a cloned image of the Drive it took me all of 30 minutes to find out what had occurred and 3 weeks in court 4 years after the fact to point out the error that had been made. The problem here was that legislation and Bureaucrats were involved who didn't know any better and had made what to them appeared Straight Forward Legislation which punished the Victim not the Perp. The idiot thing here was that even those Investigating the Case accepted that they had made a mistake but as it had been handed over to the Prosecution side they were powerless to pull the case from trial. The thing here is that the guilty party got away with their crimes and was never pursued even though the Authorities knew who was responsible very early on in the piece after I was involved. Col

Charles Bundy

Licensing in the technology field would cause quite a bit of thrashing due to the rapid change we deal with. I'm not certain how you regulate an industry that turns over every 18 months...

apotheon

That's pretty common for any licensure. In fact, what I have found in practice is that certification doesn't guarantee (or even strongly suggest) the certified individual is any good, but it does keep some very good professionals from getting a job sometimes, because the certified imbecile gets the job instead.

apotheon

From what I've seen so far, if you're innocent of a crime of which you are accused and it involves information technologies, law enforcement will damned well find an "expert" who really really thinks you did it. Hell, I think they like it when a mistake like that is made, because it means they don't have to actually do the work of investigating.

apotheon

Our society has an obsession with "professional certification" that typically adds no value at all to a given profession. In most cases, professional regulation is basically just professional certification with most of the supposed positives crushed under the weight of bureaucracy. IT fields are even more subject to negative effects of mal-regulation thanks to how quickly it moves, as you pointed out.

HAL 9000

But it's typical of a Bureaucratic System. The Expert that they have in place cannot be questioned and because they were trained to a standard by the System which doesn't recognize change occurring it's a recipe for disaster. What I did find interesting was that at the Time the Law said if you have it on your HDD you are Guilty, they made no allowance for the person who had it on their drive reporting it and wanting it removed completely. Maybe it wasn't such a bad idea at the time because when it was framed there was no Known way to deposit data onto a HDD that you didn't control. But things change and the Law doesn't change anywhere near fast enough and is always reacting to what happens in the Real World. The Law is like AV Products always reacting never leading. ;) Anyway if you want to be involved in any sort of Computer Forensic Work you better be ready to believe that you are going to be involved in Precedent Setting Cases most of your working life. It's the way that things work in this industry. Col