Archive for May, 2009

AccessData Certified Examiner now free (part 2)

Thursday, May 14th, 2009

Having reviewed the videos from AccessData, it seems that you do still need to own a copy of FTK to undertake the new “ACE Test-Out”. The specific wording is:

be exempted from the class attendance requirement

Clearly this is a little bit more than the promo email promise of “NO PREREQUISITES!” It amounts to a prerequisite of a little under $4k: members must own a current version of FTK, with current meaning your support contract (“SMS”) is up to date. Of course, you weren’t actually expecting a free lunch, were you?

Now here is where my comments about this free test being a good way for AccessData to channel people into their training come true:

  • If the candidate fails a Test-Out session, they must complete the ACE Prep course to attempt the Test-Out session again.
  • If the candidate fails a second Test-Out session, they must complete the class pre-requisites to challenge the ACE process.

So basically, they encourage you to try to get ACE certified, and then if you fail, they channel you back into the training that you used to have to take originally anyway. I am totally OK with this since in my mind, it behooves AccessData to make the cert challenging to get more people to their training. And as I said, their training is very good.

The other smaller issue is that it looks like the ACE is heavily focused on FTK2. I expect that you could complete the practical component with FTK1 – and probably with the other forensic suites out there – but a whole raft of the knowledge test component questions are about functionality specific to FTK2.

Personally, I’ve been holding off using FTK2 because of the teething problems, and the resource hog reputation it had acquired in the computer forensic community. I’m hearing however that the latest iterations of FTK2 are much faster. It looks like it’s time to move on up to FTK2, then get the ACE done.

AccessData Certified Examiner now free

Wednesday, May 13th, 2009

AccessData has announced (via email only thus far, I haven’t seen an announcement on their site) that the AccessData Certified Examiner (ACE) will now be free (as in beer). At first I thought this was a scam or a joke until it arrived on both the email account associated with my ownership of FTK and my unassociated FTK forums account email.

Additionally, it appears they have removed all the pre-requisites for undertaking the cert, including ownership of an FTK product. The ACE Preparation page has been updated to reflect this. This is a major change since previously, you were required to own FTK (which costs over $3k plus the yearly subscription for support/updates) plus have attended 2 of their training sessions – BootCamp and Windows Forensics – which is thousands more in training costs.

Additionally, they have put up training videos for free download that cover the course material.

Now this would seem to potentially hurt their revenue stream; however, it could increase the user base to offset this, and their 3-day training courses are still very worthwhile. I attended their Internet Forensics course in 2005, and despite having 5 years experience at that time, I still learned a lot.

What this may do is somewhat elevate the certification against the competing EnCE from Guidance. One of the big criticisms of tool certs is that because you have already bought their product, and paid for their training, they have a vested interest in you passing. By making the ACE free, AccessData now has a vested interest in people not passing, since that would tend to move them towards undertaking the training courses to get skilled up.

Computer Forensics Ethics, Inculpatory & Exculpatory Evidence

Friday, May 1st, 2009

I’ve been wanting to do a post on ethics since I started the blog, but my spare time has been somewhat overrun with the recent rush of licensing issues. A recent article from John J Barbara of FDLE over at DFI News addressed the issue of Ethics in Computer Forensics, and in particular, the ethical requirement for a Forensic Computer Examiner to search for exculpatory evidence as well as inculpatory evidence.

For those new to evidence in general, inculpatory evidence is that which supports a charge or accusation of wrongdoing, whilst exculpatory evidence is that which would cast doubt or prove innocence. In the computer forensic world, perhaps the best known example of exculpatory evidence is a virus which downloads content, or a rootkit allowing surreptitious access by a third party to a computer. Although it is rare to find these in an examination, it’s well within the realms of possibility, and so must be ruled out before the examination is complete. EDIT: I meant to say that it must be ruled out in certain cases where it is applicable, for example, those cases where possession or distribution is an element of the crime.

Barbara refers to the Code of Ethics of the California Association of Criminalists; however, there are more widely accepted ethics statements in the computer forensics community. One of the first is from IACIS (of which I am a member) and is displayed on their site at

The portion covering impartiality is fully 2/3 of the code:

  • Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved.
  • Thoroughly examine and analyze the evidence in a case.
  • Conduct examinations based upon established, validated principles.
  • Render opinions having a basis that is demonstratively reasonable.
  • Not withhold any findings, whether inculpatory or exculpatory, that would cause the facts of a case to be misrepresented or distorted.

One of the issues that Barbara raises is the impartiality of examiners who also happen to be investigators. Computer Forensics is still an evolving discipline in the law enforcement world, despite having been around in some sense for over 20 years. In the USA in particular, because of the prevalence of local law enforcement – versus countries such as Australia, where local law enforcement responsibility is vested in the states – many agencies don’t have a dedicated computer forensic analyst who solely performs examinations. Most local police examiners are investigators who also conduct examinations, and often conduct exams in support of their own cases.

This potential dual-role aspect is why it is so important for examiners to follow the code of ethics. When a detective is pursuing a suspect, they tend to focus their energy on finding the evidence of guilt. Many people may have heard of the 48-hour rule. Basically, if you don’t catch your perp in the first 48 hours after a crime, your odds of success drop dramatically. Forensic examinations, however, take time. Pressure to achieve results in a given time period can result in missed evidence. I have personally experienced pressure from investigators to only search for inculpatory evidence and leave it at that.

I have more than once refused to produce final results without a search for exculpatory evidence. (I have, however, given progress reports in time-sensitive cases before completing the case.) Why? Notwithstanding the importance of being ethical, and the ethics requiring your impartiality and completeness: if you miss something on a case, you shoot your credibility in the foot.

The computer forensic community is still relatively small; we all know people who know people. If you make a mistake on an examination, or give bogus evidence in court, someone will make a note of it. It’s commonplace to request background info on your opposition examiner from your colleagues in the field. Your mistakes will come back to haunt you and potentially end your career. An examiner is only as good as their reputation.

Although I may work for one side in a case, I remain at all times impartial with regards to my evidence. I have told detectives that there is evidence of innocence or a lack of evidence, and (in other cases) I have told defendants that there is evidence of guilt. This is what the ethics requires.