Computer Forensics certifications

In the mainstream computer forensics market, we have two big players: AccessData and Guidance.

AD is responsible for the Forensic Toolkit, or simply FTK.

Guidance is the creator of EnCase, another solid solution.

Like almost any IT / security tool, they have their certification programs.

You can be an ACE (AccessData Certified Examiner) or EnCE (EnCase Certified Examiner), or both, of course.

The exams have some similarities. Both require you to take a phase 1 with multiple-choice tests, and both require you to take a practical phase 2, where you need to use their tool to investigate an evidence file.

ACE used to be free. EnCE has a cost. But now, if you sign up for the ACE test, you realize it could cost 15x the EnCE price.

I will explain.

For EnCE, you pay US$200, take phase I, and if you pass, you receive a temporary license for EnCase (dongle), which enables you to take the investigative (second) phase.

On the other hand, you can take the ACE exam phase I for free. Sign up, read their PDF, and you are ready to answer the tests. Now, for the practical questions, they introduced a big change.

Until last year, you could download their FTK 1.x version and investigate the evidence at no cost. So phases I and II were free, and hence ACE had the potential to be more popular. Now, for phase II, you will need an FTK license, for at least version 3.x.

I’ve contacted and confirmed with their Marketing & Certifications departments. They say “if you don’t have a licensed copy of FTK, you should look for someone or some school with it”.

Well, if I want to step into the forensics market, I would hardly find someone with a licensed FTK. If I find a school, they would charge me to use their facility. An FTK license costs US$3000 (or more, depending on the country).

In terms of difficulty, EnCE is still known as the hardest one.

You need to have attended 64 hours of authorized computer forensic training (online or classroom) OR have 12 months of computer forensic experience before phase I.

Plus, the investigation phase is not straightforward. I’ve heard complaints about it.

ACE is easier, but they put up this big barrier: they discontinued the only trial version of FTK and now expect you to buy FTK or find a good soul willing to help you.

In my opinion, a step backwards for ACE.

Bad move, AD, bad move.

P.S.: I must say, before someone thinks I’m an EnCase guy… I’m grateful for FTK, the tool that helped me finish my final paper about OS X / Boot Camp investigation (yet to be published). And, after visiting the FTK 4 World Tour last year, I must say: the new “social network map” feature (planets + galaxy style) that this new version is able to build from artefacts and evidence seems to be really something!


Not you, Linux!

Linux 2.6.x, 3.x, Ubuntu 10, 11, 12: all vulnerable to a race condition within ptrace.

Linux 3.3 to 3.8: vulnerable via netlink messages.

C’mon, Penguin, we always had you as the strongest brother. If you start getting sick, people will get really scared. I mean, zombie apocalypse style.

Edit 1: the ptrace race condition has some workarounds that would give you some time before that “simple” Update-Kernel task: hiding your Linux from direct Internet connections (could be hard, in some cases) and using strong, token-based authentication for all accounts (could be even harder, plus $$$).

We close our eyes…

…and the world has turned around again (thanks, Danny Elfman).

It seems like it happened yesterday, but no. The world is changing, but I don’t feel it in the water or air (sorry, Galadriel).

I met very nice people at companies that became other companies, or have been swallowed by giants.

You can call me melancholic. Or simply old. But I saw:

– Internet Security Systems, and the entire X-Force team, a security reference in the early 2000s, almost disappear into IBM;

– CipherTrust being acquired by Secure Computing, which was acquired by McAfee, together with the good people of SafeBoot, which is now an Intel division;

– Sonicwall becomes Dell;

– Netscreen becomes Juniper;

– Cisco acquired Linksys (and now wants to sell it again), together with tens of other companies. Just check their website: they need to organize their acquisitions by year;

– Tipping Point became 3Com, which is now HP;

– NetIQ and Novell purchased by Attachmate;

And what do I think about all those moves?

Well, the smallest effect was my trash can filled with old business cards.

The worst? Good people being let go or buried in giants’ bureaucracy, not to mention less competition in the market.

10x Rolling Eyes

I was wondering this morning if I could build a list of 10 lies / bullshit lines that InfoSec “professionals” and C-Levels make up to use as an excuse for their security decisions. Let’s see:

1 – “There is a risk in this project, but I don’t have time to explain it to you in detail”;

2 – “User productivity is an InfoSec concern, so we need to monitor how much time each one is spending on Internet browsing”;

3 – “There is a norm against this” (but if you push them to see it, you will eventually hear they are still writing it to be published);

4 – “There are 415 high vulnerabilities related to this software and they are all relevant in our environment, according to our specialists” (you mean, according to your McAfee Vulnerability Scanner?);

5 – “We must be involved in every single project and acquisition, but we can’t take ownership of anything”;

6 – “If we have ZERO in any of our security measures, we need to check it again. Showing issues is important to make the board realize how important our work is”;

7 – “I can’t pay for training sessions for my staff, or they will put it in their resumes and leave the company” (OK, I agree this is not an InfoSec exclusive line);

8 – “We need to keep the 27001 certification, so I cannot approve this project / software / printer supplier / risk exception / coffee brand / underwear colour”;

9 – “3-pass wipe? Are you insane? Data can be EASILY recovered. Make sure you do 27-pass, as DoD! And after wiping, pulverize it”;

10 – “Let’s investigate that employee, because the company needs some excuse to fire him”.