Digital Forensics Certification/course of study advice?

Hi all--

I almost posted this in the certifications thread, but wanted to go a bit broader with it.

I'm wondering if anybody who's currently in the industry can give me some advice on possible courses of study for digital forensics.

Some background: My current job is actually as a librarian/archivist, but with a strongly technical bent. I worked in straight up IT for a good 10 years since about 1999, mostly including Higher Ed IT, before making the jump to the academic stream a few years back. In my current job, I oversee the curation and preservation of digital materials for the Ontario academic library consortium.

One growth area for us is in the restoration and recovery of materials that may have been born digital, but are in the process of imminently becoming inaccessible. This often includes files donated to a University by retiring profs or disbanding research groups, but can also include "historical" digital materials, or just sh*t that somebody found in the basement of their building. We in archives currently don't have much in the way of tools to deal with this stuff, and I'd like to change that. I'm trying to put together a program to build a competency center around recovering and dealing with this abandoned digital material, and I think I'd like to build my own competency in this area first.

I've looked briefly at a program offered by a local continuing ed dept here in town. However, it's all online so there's really no benefit to going with that one vs. a more well-respected one if they are both remote learning. Of course, as soon as you start Googling around for anything that's certification-worthy, you just get inundated with all kinds of crap. So, I'm wondering if anyone with a bit more current context can point me in the right direction.

Specifically, what are the best-in-breed certifications or schools of thought in the forensics field right now? In the certs thread, I've seen some talk of the CISSP, but that appears to have a strong component of security, which is OK but not really what I am looking for. Does anyone know of any other, less full-spectrum, certs out there?

The certification is not as important to me as the actual material, so I'd be interested in just courses as well.

Thanks!

As you noted, a CISSP is not what you need; that cert is more tailored to managers and giving them an understanding of what IT security looks like, though not necessarily how to get there.

Most digital forensics courses are going to cover things you aren't going to be too much worried about like chain of custody and preservation of evidence. For instance you're not going to be interested in retaining the event logs and ACLs on a system if files in a kidpr0n investigation were put there by the person that is accused of putting them and that is what most digital forensics courses are going to be teaching you.

It seems you are wanting to do file recovery off of old hardware. This can get spendy quick. There are some software tools depending on the state of the original media (BartPE/WinPE, File Scavenger, disk sector reading software of many forms) but when it comes to opening the drive and repairing it, well that's why people pay the big bucks.

Of course digital archiving carries with it its own hurdles to long term storage like bit-rot, file corruption, safe/verifiable restores of a large amount of data and like any large media library, who is going to play the thing once in a while to verify it still works. Codecs and players are fashion choices not forever choices. This is similar to the analog world as well, who has a VHS anymore (not that you would use a VHS as an archival source unless you absolutely had to but you see what I am saying).

Add in the fact that the DMCA makes it ILLEGAL to bypass ANY DRM that may be sitting between you and the media and you may be getting into a legal gray area as well. So if that local bar band released a video on a non-DRM DVD (just file structure), no problem archive the hell out of it, but if there is CSS on the DVD (CSS is the DVD encryption method) it is technically illegal for you to bypass that.

I would make inquiries to people that do this sort of thing and ask them how they got there. I wish you success because there is going to be quite the black hole of things reaching the public domain from this point on unless some of this gets taken care of.

Eezy_Bordone wrote:

> Most digital forensics courses are going to cover things you aren't going to be too much worried about like chain of custody and preservation of evidence. For instance you're not going to be interested in retaining the event logs and ACLs on a system if files in a kidpr0n investigation were put there by the person that is accused of putting them and that is what most digital forensics courses are going to be teaching you.

Thanks! It's interesting, actually, but chain of custody is *huge* for archives, because it ties into the archival concept of provenance, but yeah, I dig what you're saying that the focus of these courses is going to be different.

> It seems you are wanting to do file recovery off of old hardware. This can get spendy quick. There are some software tools depending on the state of the original media (BartPE/WinPE, File Scavenger, disk sector reading software of many forms) but when it comes to opening the drive and repairing it, well that's why people pay the big bucks.

This is part of it, and I've used a lot of these tools to some extent back in my sysadmin days. I guess I'm interested in figuring out what the state of the art is on this stuff, but there's probably no substitute for just rolling up my sleeves and doing it.

> Of course digital archiving carries with it its own hurdles to long term storage like bit-rot, file corruption, safe/verifiable restores of a large amount of data and like any large media library, who is going to play the thing once in a while to verify it still works. Codecs and players are fashion choices not forever choices. This is similar to the analog world as well, who has a VHS anymore (not that you would use a VHS as an archival source unless you absolutely had to but you see what I am saying).

Yeah. We do a lot of this already through use of checksums to detect bitrot and corruption, and a set of fairly library-specific tools to characterize and check validity of file formats, which we then track to make sure our user communities still know how to deal with it. I guess again what I'm looking for is some standards coming from outside our community, as our impression is always that the private sector, having what looks to us like unlimited resources, has come up with better ways of doing this and we are behind the curve.

> Add in the fact that the DMCA makes it ILLEGAL to bypass ANY DRM that may be sitting between you and the media and you may be getting into a legal gray area as well. So if that local bar band released a video on a non-DRM DVD (just file structure), no problem archive the hell out of it, but if there is CSS on the DVD (CSS is the DVD encryption method) it is technically illegal for you to bypass that.

Happy to live in Canada! Oh wait, our new copyright bill also has a provision for digital locks. Nevertheless, we have a couple things going for us in that there are strict limits for monetary damages for non-commercial use, and the prevailing opinion right now seems to be contract law overrides copyright law, so depositors signing an agreement with us can allow us to break digital locks in service of preserving their content. (Usually this is for format migration, etc.) Add to that, we just don't get much material of the type that would necessitate breaking digital locks....we're more interested in correspondence, documents, original research data, etc. Somebody's Farscape DVDs sitting in the box they bring us for ingest are just likely to get pitched....er, deaccessioned.

> I would make inquiries to people that do this sort of thing and ask them how they got there. I wish you success because there is going to be quite the black hole of things reaching the public domain from this point on unless some of this gets taken care of.

The National Archives are nice, but they are fairly close-mouthed about their processes. Still, there's a pretty good worldwide community of people working on this stuff, I was just hoping it was the same in the private sector. Sounds like maybe not in the way I was hoping for.

Also: what's a public domain? Just kidding. Ask again in 25 years.

Thanks for taking the time to respond.