What are the qualifications for information security forensics?


There are various qualifications in information security. In many cases, qualifications are related to the knowledge and skills required to take countermeasures against cyber-attacks. On the other hand, qualifications related to "digital forensics", the investigation carried out after a cyber attack, also exist. This article summarizes the qualifications related to "digital forensics".


What is forensics in information security?

Forensic is an English word that means "scientific investigation." Forensics in information security (digital forensics) refers to collecting and analyzing system logs and data after a cyberattack or information leak occurs, in order to investigate the cause, crime route, purpose, culprit, etc.

Nowadays, as cyber-attacks are gradually becoming more sophisticated, it can be said that forensics also requires advanced skills and knowledge.


The role of a forensic engineer

There are two main roles for a forensic engineer: "evidence preservation" to collect data and "investigation" to determine the cause.


Preservation of evidence

In forensics, it is very important to preserve data left on digital devices that are subject to analysis, such as PCs, without it being rewritten or lost.

Preservation does not mean copying data at random. It is necessary to avoid careless data modification (access date and time, registry information, etc.) during preservation, and to preserve complete data, including hidden areas and unused areas.
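The difference between a file-level copy and complete preservation, as an added example that is not part of the original article: a small constructed raw "device" is imaged bit for bit, hashed during acquisition, and verified, and the result shows that data left in an unused area survives only in the image. The sample device contents and the function names are hypothetical.

```python
import hashlib
import os
import tempfile

SECTOR = 512

def build_sample_device(path):
    """Constructed sample: an 8-sector raw 'device' standing in for real media."""
    live = b"quarterly-report: all figures nominal\n"   # allocated file content
    remnant = b"DELETED: customer-list-export.csv"      # left in an unused area
    dev = bytearray(SECTOR * 8)
    dev[0:len(live)] = live
    dev[5 * SECTOR:5 * SECTOR + len(remnant)] = remnant
    with open(path, "wb") as f:
        f.write(dev)
    return live, remnant

def sha256_file(path, chunk=4096):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(src, dst, chunk=4096):
    """Bit-for-bit copy of src; returns the SHA-256 of the bytes as they were read."""
    h = hashlib.sha256()
    # "rb": never open evidence for writing. "xb": refuse to overwrite an existing image.
    with open(src, "rb") as s, open(dst, "xb") as d:
        for block in iter(lambda: s.read(chunk), b""):
            h.update(block)
            d.write(block)
    return h.hexdigest()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src, img = os.path.join(tmp, "device.raw"), os.path.join(tmp, "evidence.img")
        live, remnant = build_sample_device(src)
        acquisition_hash = acquire_image(src, img)
        with open(img, "rb") as f:
            image = f.read()
        return {
            "image_verified": sha256_file(img) == acquisition_hash,
            "source_unchanged": sha256_file(src) == acquisition_hash,
            "remnant_in_file_copy": remnant in live,   # a file-level copy holds only this
            "remnant_in_image": remnant in image,
            "image_size": len(image),
        }

if __name__ == "__main__":
    print(demo())
```

Opening the source read-only does not stop an operating system from updating metadata on real media, which is why acquisitions of physical devices are normally done through a write blocker.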


Investigation

After preserving the evidence, an investigation is conducted to determine the cause based on the collected data. In many cases, this is done using specialized forensic software.

By accurately understanding the damage that has occurred and its causes, the findings can be used as reliable evidence in the event of a legal dispute regarding information leaks, etc., thereby protecting the company from legal risks.


Digital forensics case study

An example of digital forensics that may be a little familiar to the general public occurred in the fall of 2016, when suspicion of "unauthorized use of shogi software" arose in the shogi world. A shogi player was suspended from participating in official matches after being suspected of using AI-equipped shogi software to "cheat" during a game. Therefore, in order to prove his innocence, the accused shogi player requested a digital forensics expert to conduct an investigation.

As a result of investigating PCs and smartphones, we found that no shogi app with AI was installed on the smartphone, no function that would allow remote control of the PC was installed, and that the smartphone was turned off during the game. It has been proven that there is a high possibility that the

When we think of an investigation, we have the impression that it is carried out to find fraud, but as this case shows, it is also used to gather evidence that there was no wrongdoing.


Information security forensics qualification (USA)

Qualifications related to information security forensics are not yet widely available in Japan, but in the United States, which is an advanced country in information security, the following qualifications exist.

  • GIAC: Global Information Assurance Certification
  • CCE: Certified Computer Examiner
  • Vendor qualifications


GIAC

GIAC (Global Information Assurance Certification) is a qualification that certifies security skills that can be used in practical situations. It covers everything from entry-level to fields that require a high level of expertise, such as basic knowledge, security auditing, intrusion detection, incident handling, firewalls, and forensics.

◆Validity period of qualification

4 years (You must retake the exam to continue your qualification.)

◆Qualification provider

SANS Institute

There are several SANS sales partners in Japan, so it may be a good idea to consult them about obtaining qualifications.

List of SANS sales partners


CCE

CCE (Certified Computer Examiner): Although few people may know of this qualification in Japan, it is a relatively famous forensic qualification in the United States. This qualification has been in existence since 2003, and includes not only a written exam but also a fairly hands-on practical exam.

◆Qualification provider

ISFCE (The International Society of Forensic Computer Examiners®)


Other qualifications

In addition, many vendors issue qualifications, and many of them are based on the premise of handling specific forensic tools.

・EnCE (EnCase® Certified Examiner)

・ACE (AccessData Certified Examiner)

・CSX (Cyber Security Nexus)

・CCFP (Certified Cyber Forensics Professional)

・CHFI (Computer Hacking Forensic Investigator)


Forensic qualifications in Japan

As mentioned above, many qualifications related to digital forensics come from overseas, such as the United States.

However, more and more companies are starting to offer forensic training. Therefore, if you feel that there are high hurdles to obtaining qualifications overseas, it may be a good idea to first take a training program in Japan.


Forensic engineers will become indispensable

In Japan, forensic engineers are expected to become indispensable for many companies in the future. This is because with the advent of smartphones and the IoT, the number of companies handling customer information such as personal information and confidential information is increasing, and the number of cyber attacks is also increasing.

In addition, insurance products related to corporate cybersecurity have recently appeared, and forensics is essential when applying for such insurance. Demand for forensic engineers is expected to increase.

However, at present, there are not many forensic engineers with sufficient knowledge and experience, so rather than hiring them in-house, it may also be helpful to consult with a company that has experienced engineers.

