Show me your software and I will tell you…

A while back I overheard a conversation where someone was making a firm statement about vendor-based certification: “If you don’t visit the regularly held Guidance Software training sessions, you can’t be a proper forensic examiner nor do a proper forensic investigation”. Excuse me?

As far as I know, software like EnCase or FTK or any other product is a tool. As the all-knowing Wikipedia states: A tool or device is a piece of equipment which typically provides a mechanical advantage in accomplishing a physical task, or provides an ability that is not naturally available to the user of a tool.

OK, in digital forensics you hardly ever need a “mechanical” advantage (maybe only when you have to lift that 19″ 4U server from the rack ;-) ) but I think you get the picture. What I think is a core skill for a forensic investigator is the ability to know the nitty-gritty details of how things really work. Once you know that, you can of course use a tool to provide an advantage in accomplishing the task, as it might take some time to investigate the contents of a hard drive using a HEX viewer ;-)

Stating that you need to know the tools in order to show your skills is completely the other way around: you can buy the same hammer and screwdriver that the professional furniture maker uses, but doing that won’t help you build that perfect table or chair. It might provide you with an advantage in completing this task, but without the basic knowledge and skills you will most likely end up with a table that is not completely level… First the skills, then the tool. That will help you pick the right tool for the right job, or sometimes realize that for a particular job there just isn’t a tool available yet… (a situation that can easily happen in the ever-changing field of IT forensics).

Of course it can be really helpful to take a look in the professional’s toolbox once in a while, as there are some really cool “hammers and screwdrivers” out there that can really make your life a lot easier; but don’t forget to start with knowing and mastering the basics! And once you have done that, you will probably realize there is no such thing as a “perfect tool” for every occasion. Relying on a single vendor’s training session might be good for the certification titles on your CV and to get some discounts on the software, but it will not be the holy grail of becoming a better forensic investigator.