by Christa Miller, Forensic Focus
In the 30 or so years since the advent of personal computers made digital forensics a viable career path, the profession has matured to the extent of making multiple career paths possible. Now, professionals who are interested in digital forensics have options that range from law enforcement and government investigations, to corporate and self-employed consulting — and often switch between tracks.
Of course, having so many options means that forensic professionals have to be intentional about setting and following their course. The field continues to evolve, so new options may make themselves available in the short or long term.
On the other hand, whether professionals will be available to fill those roles is a key question. A recent SANS Institute study showed that while nearly one-third of 4,000 surveyed high-schoolers across Europe, the Middle East, and Africa (the EMEA region) were interested in IT as a broad career field, only half of those students were specifically interested in a cybersecurity career, which sees stiff competition from careers in app and software development, IT system design, artificial intelligence and robotics, among others.
Helping students to understand what’s possible and what’s on the horizon, then, will become increasingly important for employers, parents, teachers, and others with a stake in the future of cybersecurity and DFIR. What possibilities exist, and how can forensic professionals flexibly plan for the future?
Identifying DFIR Career Paths
Defining what counts as digital forensics is relatively easy. In 2001, the Digital Forensics Research Workshop (DFRWS) defined it as:
“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”
Or, as information security expert Lesley Carhart put it more succinctly: “… the exciting science of taking all manner of digital ^stuff^, and finding out what it’s done, when it was done, and who did it.”
Defining where digital forensics sits, however, is a little trickier. Because the skills outlined above are useful to more than just criminal investigations, as a digital forensic professional you might find yourself working:
- Alongside litigation support professionals during e-discovery prior to a major corporate lawsuit.
- As part of a cybersecurity incident response team (CSIRT), analyzing breached systems to find the root cause that will be used to apply patches.
- In support of corporate investigators of insider threats, employee misconduct, and related issues.
That isn’t to say you won’t find yourself squarely working investigations for law enforcement, a national government agency, or a corporation. These roles continue to be in high demand locally, nationally, even internationally. Forensic expertise is also valuable to software vendors in the form of subject matter expertise that can inform training, marketing and sales, product development, and other areas.
Where you end up working may be a function of a particular area of technical expertise. For instance, you might:
- Focus on computers, mobile devices, networks, the cloud, and/or Internet of Things (IoT) devices.
- Seek to understand the interplay of evidence among all these storage locations across networks.
- Develop deep data recovery expertise, which can be valuable to entities needing assistance with unlocking a damaged or unusual device.
- Choose to specialize in certain types of media such as digital images or audio/video.
Deciding Which Career Path To Take
Many forensic professionals evolved their careers along with the profession itself. For example, when mobile devices’ popularity began to take off, law enforcement forensic examiners who had cut their teeth on computer forensics were often the only people in their agency equipped to figure out how to acquire data from phones.
To some extent, evolving along with digital trends still happens. Witness the interest in drone and Internet of Things forensics, developing artificial intelligence-powered forensic tools, and so on. With digital forensics now more mainstream in both public and private sectors, though, figuring out which path to take requires careful consideration.
In his “Life After Law Enforcement” blog series, Eric Huber lays out quite a number of considerations. Among these:
- Mission. “Law enforcement agencies are put upon this earth to put bad people behind bars,” Huber writes, in contrast to private companies, where the goal is to turn a profit.
- Compensation and benefits. One may appear more attractive than the other, but beware hidden costs.
- Job security and the rate of change, as well as your own tolerance for risk, organizational politics of different flavors, and what you’re willing to do to mitigate risk.
- How you feel about where you are currently.
Huber also covers the different flavors of a private-sector career, including both corporate and consulting work.
The Skills You Need For A Digital Forensics Career
To some extent, learning on the job will always be a part of DFIR. Technology changes too fast for forensic professionals to be able to get too comfortable in a particular specialty area. When smartphones fall out of fashion, for instance, in favor of wearable devices that store data in the cloud, “mobile forensics” may just come to mean something new.
At that point, it’s more about focusing on developing your underlying expertise — the foundational skills you’ll need when working with any set of 1’s and 0’s, regardless of where they came from.
In its recent blog post, the EC Council outlined several of these foundational skills, including:
- Technical aptitude, or understanding how computer-based systems work so you can devise the best methods for obtaining data from them. It’s also wise to develop the knowledge of how illicit material gets on a target device, or how it moves around targets, in addition to cybersecurity threats, vulnerabilities, and how different breaches occurred.
- Analytical talent and skill, a prerequisite to both obtaining and maintaining this technical knowledge. Not only acquiring, but also accurately interpreting digital evidence is a must.
- Strong communication skills, both written and verbal. In particular, you’ll need to know how to explain results to the least technical of audiences at numerous levels, such as jurors. As an addendum, a working knowledge of different facets of law and general investigative techniques may be helpful to communicate effectively with attorneys and investigators.
Your willingness to learn is the final takeaway of the EC Council’s article. The industry’s constant evolution demands forensic professionals who are dedicated to continuing education, whether by participating in formal training, informal forum and social media discussions, their own research, or reading academic articles, books, etc.
Meeting Challenges In DFIR Careers
Nothing worth doing is without its challenges, and DFIR is a field that comes with a number of unique ones. When it comes to building your career, for example, you might find that some of the following aspects challenge you.
What you thought you were interested in might not capture your attention after all. At the college level, this might mean changing your thesis topic, your minor, or even your major. At work, it might mean finding a job in a different agency or company, a different location, or a different profession.
These decisions can be difficult to make because of the “sunk cost” of effort and money you’ve put towards attaining your qualifications. Remaining in a poor fit, however, ultimately does both you and your organization a disservice.
Resource constraints and operational demands in your work environment may mean that you don’t get to do the research you hoped to do, or even focus on the kinds of devices and problems you hoped to be able to work on. You may even, as Huber pointed out, be limited in advancement due to organizational policies. This can happen in both private and public sectors.
You could have supervisors who don’t understand the work you do, making it harder for you to champion growing your lab or even maintaining tools and service agreements. Training is expensive, yet is often one of the first budget line items to be cut in lean times.
The work you do may be psychologically taxing and even harmful. Burnout is a real phenomenon, and the job can result in secondary traumatic stress if you don’t learn and use the tools to head it off.
How do you address these challenges? Many forensic practitioners recommend having a mentor. Whether this person is a faculty member at your college or university, a supervisor, a senior person in your lab, or even someone you connected with online or at a conference, mentors can help you navigate the uniquely challenging aspects of a digital forensics career.
In addition to mentors, it’s wise to build relationships with other practitioners in the DFIR community. Whether you attend one or more conferences in the course of a year, or make the time to connect with others online — here on the Forensic Focus forums, on Twitter, or on a dedicated Slack channel, for instance — regularly talking with others can also help you to set and manage expectations, make good decisions, and even inspire new research or other ways to contribute.
What DFIR Has To Offer
Many longtime members of the profession report a great deal of personal satisfaction in their roles. Stress is considered a small price to pay for the ability to hunt and catch child predators, terrorists, and other bad actors — and to rescue their victims, prevent additional harm, and bring justice. With a career path you intentionally set and follow, the skills you need, and a plan for addressing challenges that arise, digital forensics can be a lasting career that brings good to the world.