I’m now a GIAC Certified Forensic Examiner (GCFE). Honest! I’ve got a certificate and everything. It even came framed:
According to the blurb:
The GCFE certifies that candidates have the knowledge, skills, and ability to conduct typical incident investigations including e-Discovery, forensic analysis and reporting, evidence acquisition, browser forensics and tracing user and application activities on Windows systems.
I’ve got no idea if I’ll get to use these skills. The company I work for is considering applying for us to offer PCI Forensic Investigator (PFI) services, and in order to become eligible there needs to be a number of us suitably qualified. If I were to become a PFI it would sit nicely beside my current PCI QSA designation, so as well as auditing organisations to ensure they adequately protect credit card information, I could also be called on to conduct a forensic investigation in the event they suffered a breach of cardholder data.
The course was fairly intense but it mainly focused on Windows forensics. I’ll probably need to follow this up with the Advanced Computer Forensic Analysis and Incident Response course so I can thoroughly investigate attacks across the network and on multiple platforms.
I really enjoyed the course. The technical aspects were superb and the forensic toolkit that shipped with the course has already come in useful. The course is not just technical however, it also covers the procedural side of forensics and e-Discovery. This is necessary, but being a US-based course it was based on US federal legislation and procedures. I’ll need to bone up on the related Australian legislation and evidentiary procedures to ensure I’m doing the right things to satisfy chain of custody and admissability of evidence for any investigations here.