Digital Forensics Investigator: A Road Few Have Traveled
*Note: This article was originally published by the author on February 10, 2020.
Hunting and finding evil is an incredibly important, fascinating, and equally challenging career path. Perhaps you’ve considered it at one point or another while watching TV shows like “CSI: Cyber,” “24,” “NCIS,” or “Dexter.” It takes a special type of person to sift through digital breadcrumbs and attempt to ascertain what transpired. The ultimate goal of digital forensics is for the investigator to put the cybercriminal behind the keyboard: to tie the actions recovered from the evidence to a specific person. This is an extremely technical field that requires a diverse set of skills and a knowledge base spanning a wide array of computer operating systems, storage media and memory types, file systems, mobile devices, digital media formats, computer hardware, and network protocols, plus familiarity with many, many different hardware and software tools to get the job done.
Throughout my career, I’ve been fortunate enough to work in several different roles, a few of which have allowed me the opportunity to hone my DFIR skills along the way. One interesting role was at a university where I had to investigate a couple of high-profile cases involving network forensics pertaining to emails that were used illegally. What? Illegal emails? Yep, one case involved a spoofed email that led the Human Resources payroll department to change the direct deposit bank account for an employee who worked at the university. That simple spoofed email resulted in a Lemony Snicket’s A Series of Unfortunate Events type of fiasco wherein the end result was paychecks being stolen. This case allowed me to work with the local FBI field office, which was an eye-opening experience.
At the same university, another case involved hate emails sent to students on campus from so-called ‘anonymous’ email accounts, sent from IP addresses both internal and external to the university. I worked directly with the local police department, which was small and couldn’t afford its own digital forensics investigator, so it had detectives working the case. That was one of the most fun and interesting cases I’ve worked on, but there have certainly been others in which I’ve been tasked with investigating computer crimes that employees committed on organizational computers.
One guy billed an entire month’s worth of hours to a contract but was never at work. Eventually, complaints started piling up and I was sent to pull the event logs from the various computer systems he was assigned to. I won’t mention specifics publicly, but I didn’t find anything illegal beyond a massive case of timecard fraud: it turned out that the guy only came into work two days out of the entire month. It’s kind of hard to say you were at work when the badging system and the computers you’re assigned to use don’t corroborate your story. He was fired and made to pay back the fraudulently billed hours he had been paid.
These are just a few basic examples of some of the things you might encounter in the world of digital forensics.
What is Digital Forensics?
So, what is DFIR? Digital Forensics and Incident Response are commonly abbreviated as DFIR and refer to a particular skill set in computer security and forensics. This article will focus on the digital forensics half of this unholy union of the two fields.
“Computer Forensics is the retrieval, analysis, and use of digital evidence in a civil or criminal investigation” (Hayes, 2015).
Note the emphasis in the definition on the use of digital evidence in a civil or criminal investigation. The importance of understanding the legality of forensics cannot be overstated. Just as there are computer hacking laws, such as the Computer Fraud and Abuse Act (CFAA), under which you can be convicted for accessing a system without authorization, the same applies to computer forensics investigations. You must be authorized by your employer (or by a warrant, a court order, or the owner’s consent) before performing digital forensics on someone else’s computer, device, or network. If proper evidence collection procedures are not followed to the letter, such as acquiring through a write blocker, hashing the image at acquisition and re-hashing it before every analysis, and keeping an unbroken chain-of-custody record, any digital evidence you obtain may be deemed inadmissible in a court of law. You had better like to write reports, too, because the name of the game in digital forensics is documenting evidence and writing reports, the same as you might imagine a penetration tester (ethical hacker) would do. In most cases you’re not the cool guy or gal with a badge and a gun; you’re the computer geek who is called in when they ‘tag and bag’ the computer devices.
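The procedural point above, that evidence is only as good as your ability to prove it has not changed since acquisition, comes down to a routine you repeat on every case: hash the image when you acquire it, re-hash it before you touch it again, and write the result into the custody log. The following is an added example written for this article, not code from the author or from any forensic tool; the case number, evidence ID, examiner name, and the sample image bytes are all constructed placeholders.

```python
"""Integrity check for an acquired forensic image: hash the evidence, compare
against the hashes recorded at acquisition, and record the outcome as a
chain-of-custody entry. All data below is constructed; no real evidence."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream 1 MiB at a time; real images do not fit in RAM


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, read in chunks.

    MD5 is still what most acquisition forms record, but collisions are
    practical, so always record SHA-256 alongside it.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, acquisition_hashes):
    """Re-hash the image and compare with the hashes recorded at acquisition.

    Returns (ok, current_hashes). A mismatch in any algorithm means the bytes
    on disk are not the bytes that were acquired; stop and escalate rather
    than analyze.
    """
    current = hash_image(path, tuple(acquisition_hashes))
    ok = all(current[a] == acquisition_hashes[a].lower() for a in acquisition_hashes)
    return ok, current


def custody_entry(case_id, evidence_id, examiner, action, hashes, ok):
    """Build one chain-of-custody record (appended to the case log in practice)."""
    return {
        "case_id": case_id,
        "evidence_id": evidence_id,
        "examiner": examiner,
        "action": action,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hashes,
        "integrity_verified": ok,
    }


def demo():
    """Simulate acquisition, verify, tamper with one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence_001.dd")
        # Constructed stand-in for a bit-stream image: 3 MiB of patterned bytes.
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * (3 * 1024 * 1024 // 256))

        acquired = hash_image(image)            # what goes on the acquisition form
        ok_before, _ = verify_image(image, acquired)

        # Flip a single byte in the middle of the image (simulated tampering).
        offset = 1_500_000
        with open(image, "r+b") as fh:
            fh.seek(offset)
            original = fh.read(1)
            fh.seek(offset)
            fh.write(bytes([original[0] ^ 0xFF]))

        ok_after, now = verify_image(image, acquired)
        # Hypothetical case/evidence/examiner identifiers.
        entry = custody_entry("2020-0042", "HD-01", "J. Examiner", "verify", now, ok_after)
        return ok_before, ok_after, entry


if __name__ == "__main__":
    before, after, record = demo()
    print("verified before tampering:", before)
    print("verified after tampering: ", after)
    print("custody entry:", record)
```

One flipped byte anywhere in a multi-gigabyte image is enough to fail the check, which is exactly the property you want: the defense does not have to show what changed, only that the hash no longer matches, so the re-verification before each analysis session is what keeps the evidence defensible.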
DFIR Career Path Subsets
This isn’t meant to be an exhaustive list, but these are some areas you could specialize in, and, more likely, you’ll end up working in several of them over the course of a career.
- Incident Response- think Security Operations Center (SOC) analyst, of which there are different levels based on experience and skills, such as tiers 1–3. When there is a data breach, chances are the victim organization will call in an independent team of incident responders to determine what actually happened, even if it has its own specialists. Digital forensics is often part of that same DFIR team.
- Mobile Forensics- whenever crimes are perpetrated using cell phones, tablets, iPhones, iPods, SIM cards, or mobile operating systems (e.g., iOS, Android, Windows Phone, BlackBerry), digital forensics investigators need to be able to acquire an image of the device storage and then analyze the data. A full bit-stream (physical) image is the ideal, but on modern devices with full-disk or file-based encryption it is often unobtainable, and the examiner has to settle for a logical or file-system extraction and document exactly what was and wasn’t captured.
- Mac, Windows, Linux/Unix OS forensics- on every single version of these operating systems that has ever existed, because you never get to choose which one turns up in a case.
- e-Discovery- short for electronic discovery, think of it as digital forensics for the private sector, otherwise known as the corporate business world. Maybe a company doesn’t want to involve the authorities, so it maintains its own crew of eDiscovery investigators. They can be used to recover deleted files for litigation in civil court cases (Hayes, 2015, p. 13). Private investigation firms may also retain the services of eDiscovery practitioners for any computer-related investigations they are hired to conduct.
- Hardware Forensics- servers, routers, switches, firewalls, encryptors, desktop computers (a.k.a., thick clients), laptop computers, thin clients, mobile devices, and pretty much any type of electronic device you can imagine falls into this subset. If it has a chip and some type of OS or communication protocol, then there’s a good chance it can be forensically imaged and analyzed.
- Network Forensics- DFIR practitioners are also often called out to perform forensics when an organization is hit with ransomware or some other type of network intrusion. More recently there has been a trend of Advanced Persistent Threat (APT) groups attempting to hack into Industrial Control Systems (ICS). Organizations need to be able to pick up the phone and call digital forensics experts who are experienced and knowledgeable about the types of systems they operate, and who can determine whether their data was compromised and, if so, how, so that they can try to prevent it from happening again.
- Cloud Forensics, cryptocurrency, blockchain, and Internet of Things (IoT) devices have been around for a short spell but remain newly emerging fields in the DFIR world, as these technologies are increasingly being used by criminal enterprises.
- Open-Source Intelligence (OSINT)- not necessarily a career path on its own, but it can be, depending on what type of organization you work for. Intelligence agencies have folks who focus specifically on OSINT, and there are OSINT organizations such as Bellingcat that specialize in online investigations.
Are College Degrees & Certifications Necessary?
As with the information security (a.k.a., cybersecurity) field, industry certifications for digital forensics are helpful to demonstrate a foundational level of knowledge, but nothing beats experience. Some DFIR professionals got their foot in the door simply by being very knowledgeable about computer systems and then building their experience and knowledge of computer forensics investigative techniques from that point on. While education should not be underestimated, there is a solid argument to be made that experience is what matters in both digital forensics and other areas of cybersecurity. So, I’ll tread lightly on this topic, but I personally think it is foolish to assume that you will be able to jump right into a career as technical as digital forensics without some type of information technology or computer science educational background. The funny thing is, though, many people claim to have done just that. So, make your own decisions and go your own way here. See what works best for you.
SANS (SysAdmin, Audit, Network, and Security) has an incredible training and certification program for cybersecurity, digital forensics, and incident response professionals. SANS offers several GIAC certifications such as the GIAC Certified Forensic Analyst (GCFA), GIAC Certified Forensic Examiner (GCFE), GIAC Reverse Engineering Malware (GREM), GIAC Network Forensic Analyst (GNFA), GIAC Cyber Threat Intelligence (GCTI), and the GIAC Advanced Smartphone Forensics (GASF) certifications. I will warn you that SANS training is among the best training you can get, but it is not cheap. You will pay a high cost, so it’s best if you can get your employer to pay for the training and exam.
There are other certification authorities such as EC-Council that also offer digital forensics certification options, like their Computer Hacking Forensics Investigator (C|HFI). ISC2 used to have a digital forensics certification, but it appears that they have since retired it. You don’t necessarily need a college degree or industry certification to become a digital forensics investigator, but it does show potential employers that you have a foundational level of knowledge, and the rest is up to you to prove once you get on the job. Remember, no one knows everything, so don’t think that you need to either! All of this stuff takes years of study and experience to learn, and the crazy part is that technologies change so frequently that you’ll have to keep up with it all to remain relevant.
What Kind of Salary Are We Talking About Here?
Job salaries depend on a combination of factors such as experience in similar job roles, the specific skills required in the role, industry certifications, and education level. Some will argue that education level doesn’t matter, but that is usually because they’ve been able to successfully steer themselves through their career without a degree. It doesn’t mean that today an employer will afford you the same opportunities without a college degree. Additionally, generally speaking, professionals with undergraduate or graduate degrees tend to earn significantly more than their peers over the course of their respective careers. Besides, I’ve never been one to turn away from education. It’s hard to go wrong with more education, although at a certain point you need to test your knowledge and the skills you developed in the online labs on real cases. Circumstances are rarely as they are portrayed in textbooks or lab environments.
With the background I have in digital forensics and cybersecurity, I was recently offered a DFIR investigator role on the West Coast for a $130,000 base salary plus bonus potential which I, unfortunately, decided to pass on due to the distance from home. I only mention this because it is not impossible to earn six-figure salaries in a DFIR role if you know your stuff and have some decent experience, good references, and perhaps a couple of industry certifications. Now, you’re likely not going to get rich doing this type of work but you can certainly make a decent living at it. Plus, you’ll be helping to put criminals behind bars where they belong!
Not For The Squeamish
If becoming a DFIR investigator is your calling in life, just be aware that there is a very high probability (like a 90% chance) that you will encounter child sexual abuse material or torture images and videos over the course of your investigations. In fact, if you work for a law enforcement agency, this could very well dominate the majority of your investigations. So, if that’s something you don’t think you are equipped to handle emotionally or mentally, then the law enforcement DFIR investigator path may not be the right one for you.
It is a job hazard, and it takes a psychological and emotional toll on digital forensics professionals who encounter it and have to mentally process it on a daily basis. The truth is, there is evil in this world, and there are mentally deranged people who enjoy doing evil things to young children and taking illegal photographs and videos of it. Once seen, they are not forgotten. These types of images will be seared into your memory forever; they will rock you to your core and haunt you to your last days. It is better to know this going into the profession.
Once you get past that dark fact, though, and realize how important trained computer forensics professionals are to tracking down cybercriminals so that they can be brought to justice, you will gain an appreciation for just how important the career field of digital forensics is. There are other evils that exist online, some in plain sight on social media channels and some on the Dark Web: terrorism, torture, criminal services involving hacking, assassins-for-hire, illegal drug sales, stolen credit cards, and private information being sold to and by enterprising cybercriminals.
There are certainly other DFIR paths that you can pursue if the law enforcement side of things is not your cup of tea. It’s a mixed bag, but some law enforcement agencies do not hire specifically for computer forensics; they recruit talent from within their own departments in the form of police detectives who are sent for training to learn about computer forensics and tools like EnCase, FTK, Paraben, SANS SIFT, and many others. Other agencies will hire non-sworn individuals with certain specialties, like digital forensics, to round out their CSI teams.
Hopefully, this short piece gave you a few options to consider if you’re interested in the field of digital forensics. If you end up not enjoying the career for whatever reason, you can always transition to information security or IT.
Some Additional Resources:
- Security Researcher: A Road Less Frequently Traveled (originally published by the author on May 5, 2019)
- Information Security Engineer: A Road More Frequently Traveled (originally published by the author on September 23, 2020)
- Why it’s Probably Best to Leave Digital Forensics and Incident Response (DFIR) to the Professionals (originally published July 18, 2018)
- Mobile Device Digital Forensics (originally published by the author on November 26, 2018)
- Cyber Security Career Roadmap | SANS Institute
- Should you improve your DFIR skills on your personal time?
Hayes, D. R. (2015). A practical guide to computer forensics investigations. Indianapolis, IN: Pearson IT Certification.