DFIR_JasonJ
Viewer II

CCFP

So as one of the co-authors of the CCFP, I was quite surprised that (ISC)2 was killing the certification, and it would be a really good idea to see exactly why this was.

 

It is actually quite sad because the concept was good, but I think what was needed was more input from actual digital forensics practitioners to make it actually relevant.

 

Is there any way that this process could be revived or rebooted?

11 Replies
ScharfRJ
Newcomer I

Hi again, thank you for all your points and feedback, I am enjoying your input as well as clarifications that make me re-examine what I was trying to articulate.

I think now that my main concern about this field is that a whole sector of the IT security industry workforce may be overlooked to fill certain positions which are badly needed. There are hundreds of thousands, if not millions, of digital forensic jobs that will need filling to manage internal Corporate or Governmental (Municipal, Regional, Provincial/State, Federal) security investigations covering security policy violations, which are administrative in nature, rather than civil or criminal.

 

I'm hoping that the digital forensic industry will mature to a point where we will see the following streams of positions filled by a multi-tiered workforce:

  1. Digital Forensic Examiners, covering internal Corporate/Government administrative security violation cases, educated through self-paced/online/distance learning training and certifications.
  2. Digital Forensic Investigators, covering internal/external Corporate/Government civil security violation cases, educated through college training and certifications.
  3. Digital Forensic Analysts, covering internal/external Corporate/Government criminal security violation cases (eventually escalated to Police Authorities), and trained/certified through special higher education institutions, approved by Provincial/State/Federal governing bodies.
  4. Digital Forensic Researchers, covering Digital Forensic Research, such as digital forensic artifact profiles, ISO standards, standard operating procedures, digital forensic policies, digital forensic tool testing, etc...educated/certified by higher education institutions, which are approved by Provincial/State/Federal governing bodies.

I know flavours of this may already be in the works, but the thrust seems to be more towards higher education to fill the more newsworthy criminal case jobs rather than the millions of behind-the-scenes jobs that need filling and will never warrant expensive higher-level education.

 

In the past few years we've seen the costs of SANS courses rise $1700 (50%) from $3400 to $5100 per course, not to mention the costs of College or University tuitions for IT Security courses, half of which do not cover digital forensics very well, most leaning towards programming and/or security controls administration.

 

Again, thank you all very much for any feedback we can provide to further this kind of dialogue before we reach a critical workforce deficit due to increasing education costs.

Cheers

RJ

Baechle
Advocate I

RJ,

 

I looked over your framework. I am a little confused by some of what you presented, and by some of the independent research I conducted.

 

First, I don't understand the difference between the "Examiner" and "Analyst" work roles. According to the SANS material, an Examiner is someone that conducts forensic examinations at a basic level, while an Analyst is someone that conducts forensic examinations at a more advanced level.

 

Second, I think that Technologists watched too much CSI, Criminal Minds, and NCIS on TV and then went way outside of their lane in trying to define what Computer, Digital, or Electronic Forensics actually is. Forensics has to do with presenting information to or on behalf of a court of law. So, regardless of what Technologists think forensics is, it's really what is considered customary by the court that matters.

 

In the framework that I observe there are really two work roles.

  1. Investigators.  Investigators' primary job is to obtain information from various sources, and authenticate the source of that information.  Investigators may be trained to conduct Forensic Examinations.
  2. Computer Scientists.  Computer Scientists' primary job (as applied to forensic investigations) is to conduct research as to the best methods for obtaining authentic information from various computer and electronic sources.  Computer Scientists may be trained to conduct or support Forensic Examinations.

In my framework there are two tasks.

  1. Forensic Examinations.  A forensic examination is the process of conducting a series of tests, by applying the scientific method, in order to answer a legal question.  Either Investigators or Computer Scientists can perform this task as it relates to electronically stored information.  To be effective, Investigators must receive additional training in the technology that is the target of their examinations and methods to recover that information while maintaining its authenticity.  Computer Scientists on the other hand must receive training on authoring legal reports and memoranda, and testifying in court.
  2. Research.  Contrary to Examinations, Research can only really be done by a Computer Scientist.  What I am talking about here is applying the knowledge of Computer Science in developing protocols for performing destructive and non-destructive tests of electronics in order to successfully recover authentic information.

As far as Forensic Examinations are concerned, what matters is the perception of the court.  The court generally consists of technology lay-persons such as the Judge, the Attorneys, and the Jury.  A certification merely states that its holder has memorized some process long enough to pass a test.  A degree in the sciences (4 years in the case of undergraduate, and as much as 10 in the case of a Doctoral degree) shows the court that the holder has not only memorized the scientific process, but has applied it successfully over a number of years.  Additionally, academics at the higher levels require authoring research for peer review, and establish that the holder of a degree has the authority to speak to a subject with the weight of approval of his or her peers.  When attempting to prove to the court that an examiner or fact witness has the authority, which do you think is most appealing to the court?  In a disagreement between two examiners or witnesses, which do you think the court is most likely to believe is correct?

 

As far as Research goes, what matters is the ability to have your work be repeatable and peer reviewed.  In this case, as long as a researcher is able to publish their work, have others verify it by following the same process, and reach the same results, then no formal education is really needed here.  The process of others reaching the same conclusion is validation in itself.

 

Sincerely,

 

Eric B.