Computer Forensics certifications

In the mainstream computer forensics market, we have two big players: AccessData and Guidance.

AD is responsible for the Forensic ToolKit, or simply FTK.

Guidance is the creator of EnCase, another solid solution.

Like almost any IT / security tool, they have their certification programs.

You can be an ACE (AccessData Certified Examiner) or EnCE (EnCase Certified Examiner), or both, of course.

The exams have some similarities. Both require you to take a phase 1 with multiple-choice tests, and both require you to take a practical phase 2, where you need to use their tool to investigate an evidence file.

ACE used to be free. EnCE has a cost. But now, if you sign up for the ACE test, you realize it could cost 15x the EnCE price.

I will explain.

For EnCE, you pay 200US, take phase I, and if you pass, you receive a temporary license for EnCase (dongle), which enables you to take the investigative (second) phase.

On the other hand, you can take the ACE exam phase I for free. Sign up, read their PDF, and you are ready to answer the tests. Now, for the practical questions, they introduced a big change.

Until last year, you could download their FTK 1.x version and investigate the evidence at no cost. So phases I and II were free, and hence ACE had the potential to be more popular. Now, for phase II, you will need an FTK license, and at least version 3.x.

I’ve contacted their Marketing & Certifications departments and confirmed this. They say “if you don’t have a licensed copy of FTK, you should look for someone or some school with it”.

Well, if I want to step into the forensics market, I would hardly find someone with a licensed FTK. If I find a school, they would charge me to use their facility. An FTK license costs 3000US (or more, it depends on the country).

In terms of difficulty, EnCE is still known as the hardest one.

You need to have attended 64 hours of authorized computer forensic training (online or classroom) OR have 12 months of computer forensic experience before phase I.

Plus, the investigation phase is not straightforward. I’ve heard complaints about it.

ACE is easier, but they created this big barrier: they discontinued the only trial version of FTK and now expect you to buy FTK or find a good soul willing to help you.

In my opinion, a step backward for ACE.

Bad move, AD, bad move.

P.S.: I must say, before someone thinks I’m an EnCase guy… I’m grateful for FTK, the tool that helped me finish my final paper about OS X / Boot Camp investigation (yet to be published). And, after visiting the FTK 4 World Tour last year, I must say: the new “social network map” feature (planets + galaxy style) that this new version is able to build from artefacts and evidence seems to be really something!
