Hi again, thank you for all your points and feedback, I am enjoying your input as well as clarifications that make me re-examine what I was trying to articulate.
I think now that my main concern about this field, is that a whole sector of the IT security industry workforce may be overlooked to fill certain positions which are badly needed. There are hundreds of thousands, if not millions of digital forensic jobs that will need filling to manage internal Corporate or Governmental (Municipal, Regional, Provincial/State, Federal) security investigations covering security policy violations, which are administrative in nature, rather than civil or criminal.
I'm hoping that the digital forensic industry will mature to a point where we will see the following streams of positions filled by a multi-tiered workforce:
I know flavours of this may already be in the works but the thrust seems to be more towards the higher education to fill more news worthy criminal case jobs rather than the millions of behind the scenes jobs needed filling that will never warrant expensive higher level education.
In the past few years we've seen the costs of SANS courses rise $1700 (50%) from $3400 to $5100 per course, not to mention the costs of College or University tuitions for IT Security courses, half of which do not cover digital forensics very well, most leaning towards programming and/or security controls administration.
Again, thank you all very much for any feedback we can provide to further this kind of dialogue before we reach a critic workforce deficit due to increasing education costs.
I looked over your framework. I am a little confused by some of what you presented - and by some of the independent research I conducted.
First, I don't understand the difference between the "Examiner" and "Analyst" work roles. According to the SANS material an Examiner is someone that conducts forensic examinations at a basic level, while an Analyst is someone that conducts forensic examinations at a more advanced level.
Second, I think that Technologists watched too much CSI, Criminal Minds, and NCIS on TV and then went way outside of their lane in trying to define what Computer, Digital, or Electronic Forensics actually is. Forensics - is having to do with presenting information to or on behalf of a court of law. So, regardless of what Technologists think forensics is, it's really what is considered customary by the court that matters.
In the framework that I observe there are really two work roles.
In my framework there are two tasks.
As far as Forensic Examinations is concerned, what matters is the perception of the court. The court generally consist of technology lay-persons such as, the Judge, the Attorneys, and the Jury. A certification merely states that its holder has memorized some process long enough to pass a test. A degree in the sciences (4 years in the case of undergraduate, and as much as 10 in the case of a Doctoral degree) shows the court that the holder has not only memorized the scientific process, but has applied it successfully over a number of years. Additionally academics at the higher levels requires authoring research for peer review, and establishes that the holder of a degree has the authority to speak to a subject with the weight of approval of his or her peers. When attempting to prove to the court that an examiner or fact witness has the authority - which do you think is most appealing to the court? In a disagreement between two examiners or witnesses, which do you think the court is most likely to believe is correct?
As far as Research goes, what matters is the ability to have your work be repeatable and peer reviewed. In this case, as long as a researcher is able to publishing their work, have others verify it by following the same process, and reach the same results; then no formal education is really needed here. The process of others reaching the same conclusion is validation in iteself.