This was all very valuable to me, and I do believe that my information is more protected now that we have documented procedures in place to respond to incidents. But I was hungry for more. I wanted to learn more about forensics, I wanted to be involved in more investigations, mysteries, and experiments. It takes a lot of work to keep up on the various digital forensics techniques, but I was willing to do the work because I really liked what I was doing. A few months ago I gave my first presentation at a national IT conference and it was on computer forensics for universities.
But it seems like things are getting harder. It is a lot of work, but I can keep up with the new developments in registry analysis, memory acquisition, and network forensics. What I can't get past is the forces in the industry that seem determined to shut me out. For example, there are some great forensic conferences each year where outstanding new information is presented, but you can only show up if you're connected to a law enforcement agency. In April Microsoft released COFEE, a USB thumb drive that dramatically cuts the time necessary to gather evidence from a Windows machine. That's all I know about it though, because it was only released to law enforcement agencies. Sure, you can find it on the Internet, but I shouldn't have to steal knowledge. Last month I read about this on the Windows Incident Response blog:
I received an email from AccessData the other day in my work inbox, advertising something called the National Repository for Digital Forensic Intelligence, or NRDFI. ... The AccessData email said that NRDFI is a "knowledge management platform for collecting and sharing digital forensic information." The email goes on to say that the repository has been seeded with over 1000 documents - examiner tips and tricks, whitepapers, digital forensic tool collections, etc.

Sounds interesting. Too bad it's completely off-limits to non-LE such as myself, those who have an interest and desire to contribute, but are not sworn officers.

There is also the trend of states making it so that you have to have a Private Investigator's license to perform digital forensic work. In my state, that means that I have to have 6000 hours of work experience with a government investigative service or law enforcement agency. EDIT: I should point out that my state hasn't passed such legislation as other states have done. But if my state should go that route then I would need the 6000 hours with an investigative agency.
So I'm starting to feel like I should just give the whole forensic community the finger. Clearly they don't want any of us non-law-enforcement nerds gaining any of their sacred knowledge. You have to be chosen to join their forensics priesthood and everyone else is a dirty protestant. Am I wrong about all of this? Am I blowing the problem out of proportion?