In the aftermath of September 11 and numerous well-publicized exploits, viruses and worms since 2000, IT professionals are more sensitized to information security matters than ever before.
There are various professional organizations, resources and certifications of potential interest to those who need to learn more about what's involved in securing, protecting, investigating and analyzing the evidence necessary to handle security incidents when they occur, and to prosecute individuals or groups alleged to have perpetrated computer-related crimes or attacks.
The community of individuals involved in such activities is quite interesting, and represents a real cross-section of investigators and analysts from law enforcement, military and classified communities along with full-time IT professionals charged with handling security incidents for their organizations.
All these groups share an abiding interest in information security, but law enforcement-types tend to look at things more in terms of gathering, securing and maintaining the evidence necessary to prosecute malefactors. Other professionals more often look at things in terms of causes, effects, remediation and cures. Both outlooks can benefit from understanding each other's primary concerns, interests and activities.
The roles involved when dealing with possible computer crimes, network break-ins, attacks and so forth, often include the following:
- Incident response: Individual(s) identified in an organization's security policy charged with responding to and handling security incidents (and also, with involving law enforcement where required or necessary).
- Incident remediation: Individual(s) charged by an incident-response team with repairing damage done, restoring lost data or services affected and with taking necessary steps to prevent recurrences.
- Incident investigation: Individual(s), under the direction of a lead investigator, charged with identifying the cause(s) and perpetrator(s) of the incident and with gathering, protecting, maintaining and presenting evidence. This usually involves law enforcement professionals, only if the victim of an incident decides to pursue legal remedies, makes claims for lost income or property or seeks criminal prosecution.
- Incident analysis: Individual(s) who examine the evidence related to the incident to establish a sequence of related events and to prepare a case against one or more perpetrators resulting from such analysis.
A number of certifications aim at the investigation or forensics (analysis of evidence) aspects of security incidents, including the following:
- CCCI -- Certified Computer Crime Investigator (Basic and Advanced)
The CCCI aims at law enforcement and IT professionals seeking to specialize in investigative matters. Basic requirements include two years of experience (or a college degree plus one year of experience), 18 months of investigations experience, 40 hours of computer crimes training and documented experience from at least 10 cases investigated. Advanced requirements bump experience to three years, four years of investigations, 80 hours of training and involvement as a lead investigator in 20 cases with involvement in over 60 cases overall.
Source: High Tech Crime Network certifications
- CCFT -- Certified Computer Forensics Technician (Basic and Advanced)
The CCFT aims at law enforcement and private IT professionals seeking to specialize in forensics matters. Basic requirements include two years of experience (or a college degree plus one year of experience), 18 months of forensics experience, 40 hours of computer forensics training and documented experience from at least 10 cases investigated. Advanced requirements bump experience to three years, four years of investigations, 80 hours of training and involvement as a lead investigator in 20 cases with involvement in over 60 cases overall.
Source: High Tech Crime Network certifications
- CFCE -- Computer Forensic Computer Examiner
The International Association of Computer Investigative Specialists (IACIS) offers this credential to law enforcement and industry personnel alike. Candidates must have broad knowledge, training or experience in computer forensics, including forensic procedures and standards, as well as ethical, legal and privacy issues. Certification includes both hands-on performance-based testing as well as a written exam.
Source: Computer Forensic Certification
- PCI -- Professional Certified Investigator
A high-level certification from the American Society for Industrial Security for those who specialize in investigating potential cybercrimes. Thus, in addition to technical skills, this certification concentrates on testing individuals' knowledge of legal and evidentiary matters required to present investigations in a court of law, including case management, evidence collection and case presentation. Requires seven-to-nine years of investigation experience, with at least three years in case management (a bachelor's degree or higher counts for up to two years of such experience) and a clean legal record for candidates.
Source: ASIS International Certification
In addition, most of the vendor-neutral security certifications and many of the vendor-specific programs include at least high-level coverage of the legal niceties and technical concepts involved in incident handling, investigation and analysis, as well as a high-level description of requirements for gathering, preserving and maintaining a well-documented chain of evidence that meets legal standards.
Likewise, numerous organizations and publications devote themselves to topics related to digital evidence -- which sits at the heart of investigations and forensics for both legal and technical reasons. The best of these include:
- American Academy of Forensic Sciences -- Covers computer crimes and digital evidence along with other forensics matters.
- Computer Forensics Magazine -- Published by DIBS, a computer forensics equipment vendor, it still deals with general issues and topics.
- Computer Forensics Online -- A Web-based publication run by attorneys and technical professionals who specialize in forensics-related computer law.
- International Association of Computer Investigative Specialists (IACIS) -- A non-profit organization dedicated to educating law enforcement professionals about computer forensics.
- International Journal of Digital Evidence -- An online publication that covers the theory and practice involved in handling digital evidence properly.
- International Organization of Computer Evidence (IOCE) -- Provides a forum for law enforcement agencies across the world to exchange information about computer forensics issues; the U.S. component is called the Scientific Working Group on Digital Evidence (SWGDE).
This is just the tip of a large collection of organizations, publications and professional associations devoted to dealing with this topic and its ramifications. A quick search at SearchSecurity.com illustrates that "computer forensics" returns a huge number of hits.
One more thing: Because law is practiced at international, federal, state and municipal levels, you will often find interest groups, training classes and resources on the subject of computer investigation and forensics within the information channels that these various levels offer to law enforcement professionals. Don't overlook the many offerings available from these sources, either -- particularly if you wish to work with or belong to the law enforcement community.
Please let me know if my discussion of certifications, organizations, and resources for those who patrol the boundaries between law enforcement omits anything important. I'm grateful for all input, suggestions, pointers, ideas, questions or comments. Feel free to e-mail me at firstname.lastname@example.org.
Ed Tittel is the president of LANWrights, Inc., a wholly owned subsidiary of iLearning.com. Tittel has been working in the computing industry for 20 years and has worked as a software developer, manager, writer and trainer. As an expert on SearchSecurity, he answers your infosec training and certification questions in our Ask the Expert feature.