Joseph Naghdi, an experienced computer technologist, transitioned to digital forensics in early 2000 because he was intrigued by how data is stored and discovered on computers. Today, he's a forensics analyst at Computer Forensics Lab, a U.K. consultancy specializing in computer forensic services and advanced data recovery. The high point of his work, he says, is when he solves tough cases, such as a recent phishing attack against a UK bank that almost led to the transfer of 3 million pounds.
With the rise in cyber-fraud and various breach incidents, digital forensics is becoming a growing field with plenty of opportunities. The job involves determining the cause, scope and impact of security incidents; stopping unwanted activity; limiting damage; preserving evidence and preventing other incidents. Digital forensics experts typically investigate networks, systems and data storage devices.
The average salary for digital forensic professionals is about $81,000 in the U.S., according to the salary research and data website PayScale, but specialization in mobile architecture, devices and cloud computing could lead to higher salaries.
Information security professionals interested in making a transition to a career in digital forensics, as Naghdi did, need to take five key steps, experts say.
1. Develop Windows Expertise
Because 90 percent of the systems that forensics experts investigate are Microsoft Windows-based, practitioners need to understand the core technology, says Rob Lee, director and IT forensics expert at Mandiant, a certified forensics instructor at SANS Institute.
"Kind of like in the Army, you need to know how to shoot a rifle - Windows is the rifle of computer forensics," Lee says. Information security professionals who want to specialize in forensics must understand all aspects of how Windows works, including how information is stored, he contends. He also suggests developing expertise in mobile devices and cloud computing.
2. Obtain Specialized Training
Greg Thompson, security manager at Canada's Scotia Bank, who is also an (ISC)2 advisory board member, believes the best way to learn about digital forensics is to obtain training at schools or certification bodies, including the International Association of Computer Investigative Specialists, Sans Institute and the International Information Systems Forensics Association.
Thompson recently hired two professionals from community colleges in Canada who were trained in applying forensic investigative techniques and skills. "The main skill is developing a creative mind-set to think like an attacker in responding to the situation," says Thompson, who oversees the forensics practice at Scotia Bank.
He also recommends security professionals take online courses, seek help from professionals with law enforcement backgrounds and learn on the job. In particular, he encourages developing expertise in forensic investigations of mobile devices, firewalls and malware.
3. Build a Broad Technical Background
When investigating unauthorized data access, for example, forensics experts must know how to recover lost data from systems, analyze log entries and correlate them across multiple systems to understand specific user activity. "This requires a solid understanding of networks, systems and new types of malware intrusions and analysis," says Marcus Ranum, CSO at Tenable Network Security. "Only a broad IT exposure can help professionals understand the different types of data and what is most critical to capture."
Naghdi emphasizes the need for good computer programming skills to understand how data is stored and how hard disks operate. "Strong programming skills often help the forensic expert in understanding and discovering the different ways of storing and recovering data," he says.
4. Gain Legal Knowledge
Forensics specialists need to understand breach notification regulations as well as the legal implications of not maintaining a proper chain of data custody. They also need to understand, for example, how a cloud computing provider will identify, locate, preserve and provide access to information when the need arises, as well as how to legally preserve data for litigation purposes. "More and more practitioners need to understand the legality around data retrieval, storage and protection," Lee says.
5. Understand Upstream Intelligence
Gathering upstream intelligence involves such steps as observing outgoing messaging patterns or filtering infrastructure for suspicious source rules or inappropriate user behavior. This may provide significant insights into the security posture of an organization.
Forensics goes far beyond relying on recovering pictures, data and e-mails in order to solve a case. "We now require professionals to be engaged in intelligence gathering and analysis and to work across multiple machines, different environments and devices, which could lead to investigating advanced hackers that are moving within the organization," Lee says.
Complexity of Investigations
Digital forensic investigations are becoming far more complex.
For example, Lance Watson, chief operating officer and forensic investigator for Avensic, a forensics and e-discovery consulting company, tackles such challenges as locating information in the cloud or helping clients track and analyze e-mails and text messages on mobile devices. "It's become harder to investigate user activity or discover digital evidence quickly because of remote locations and multiple storage devices used," he says.
The growth in cloud computing and mobile devices has further strengthened the market for forensic pros by increasing demand for eDiscovery services, which involve preserving, collecting, managing and producing electronic evidence relevant for a court case.
The demand for eDiscovery services is leading many companies to establish an internal eDiscovery team rather than relying on an outsourcer. And this is creating new job opportunities. For example, Thompson of Scotia Bank recently transitioned from outsourced eDiscovery to an in-house forensics and data recovery team largely to gain cost savings and get better control of investigations and data.
Naghdi of Computer Forensics Lab says information security professionals can expect demand for forensics experts to grow. "There is definitely an uptake in hires for forensic experts, and this trend will continue," he says. But to make a successful transition to a role in forensics, Naghdi says, security professionals must "have an inquisitive mindset to find new ways of exploring emerging areas and finding digital evidence."