Richard Bejtlich asked where the law enforcement trainees are in information security classes:
"When I teach, there are a lot of military people in my classes. The rest come from private companies. I do not see many law enforcement or other legal types. I'm guessing they do not have the funds or the interest?"

I've worked with cybercrime and computer forensic training programs in the past, and my former employer had a very close relationship with both state and local law enforcement. We saw many police officers and federal agents in forensics classes learning system forensics, and we often provided expertise for those who did not have it. What we didn't see was many officers sent to network analysis or other broader information security classes - their jobs were focused on investigation rather than threat prevention or digital defense. Many of the classes spent a lot of time on looking for predators online, which tends to be a high-profile activity for departments when they do make an arrest.
With all of that said, forensic skills are becoming more common, and training for forensics is available from organizations like Purdue's CyberForensics lab and Eastern Michigan University's Staff and Command school. Even with these resources, network forensics and similar skill sets are typically not a focus at the local level, but they do become more useful for state and federal agencies.
Does this mean that our law enforcement organizations are unprepared? In some cases, yes - either because the specialized training isn't available, or because their budgets or time are restricted. In addition, many police departments continue to use antiquated IT infrastructure, and smaller police departments rely on external support, or have no formal support at all. These departments are both more vulnerable and less likely to have access to the training and technology needed to do useful forensic analysis of systems. That's what regional forensic centers are seeking to help with.
I think that many security analysts would benefit from spending some time with their local police forensic analysts - perhaps by joining InfraGard, or by attending a local cyber forensics class. Those contacts can pay off in the future, and will help you understand what they're dealing with.