A Career in Forensics: 5 Key Steps

Experts Offer Tips Toward Making the Transition

By Upasana Gupta, February 9, 2012.

Joseph Naghdi, an experienced computer technologist, transitioned to digital forensics in early 2000 because he was intrigued by how data is stored and discovered on computers. Today, he's a forensics analyst at Computer Forensics Lab, a U.K. consultancy specializing in computer forensic services and advanced data recovery. The high point of his work, he says, is when he solves tough cases, such as a recent phishing attack against a U.K. bank that almost led to the transfer of 3 million pounds.

With the rise in cyber-fraud and various breach incidents, digital forensics is becoming a growing field with plenty of opportunities. The job involves determining the cause, scope and impact of security incidents; stopping unwanted activity; limiting damage; preserving evidence and preventing other incidents. Digital forensics experts typically investigate networks, systems and data storage devices.

The average salary for digital forensic professionals is about $81,000 in the U.S., according to the salary research and data website PayScale, but specialization in mobile architecture, devices and cloud computing could lead to higher salaries.

Information security professionals interested in making a transition to a career in digital forensics, as Naghdi did, need to take five key steps, experts say.

1. Develop Windows Expertise

Because 90 percent of the systems that forensics experts investigate are Microsoft Windows-based, practitioners need to understand the core technology, says Rob Lee, director and IT forensics expert at Mandiant and a certified forensics instructor at SANS Institute.

"Kind of like in the Army, you need to know how to shoot a rifle - Windows is the rifle of computer forensics," Lee says. Information security professionals who want to specialize in forensics must understand all aspects of how Windows works, including how information is stored, he contends. He also suggests developing expertise in mobile devices and cloud computing.

2. Obtain Specialized Training

Greg Thompson, security manager at Canada's Scotia Bank, who is also an (ISC)2 advisory board member, believes the best way to learn about digital forensics is to obtain training at schools or certification bodies, including the International Association of Computer Investigative Specialists, SANS Institute and the International Information Systems Forensics Association.

Thompson recently hired two professionals from community colleges in Canada who were trained in applying forensic investigative techniques and skills. "The main skill is developing a creative mind-set to think like an attacker in responding to the situation," says Thompson, who oversees the forensics practice at Scotia Bank.

He also recommends security professionals take online courses, seek help from professionals with law enforcement backgrounds and learn on the job. In particular, he encourages developing expertise in forensic investigations of mobile devices, firewalls and malware.

3. Build a Broad Technical Background

When investigating unauthorized data access, for example, forensics experts must know how to recover lost data from systems, analyze log entries and correlate them across multiple systems to understand specific user activity. "This requires a solid understanding of networks, systems and new types of malware intrusions and analysis," says Marcus Ranum, CSO at Tenable Network Security. "Only a broad IT exposure can help professionals understand the different types of data and what is most critical to capture."

Naghdi emphasizes the need for good computer programming skills to understand how data is stored and how hard disks operate. "Strong programming skills often help the forensic expert in understanding and discovering the different ways of storing and recovering data," he says.

4. Gain Legal Knowledge

Forensics specialists need to understand breach notification regulations as well as the legal implications of not maintaining a proper chain of data custody. They also need to understand, for example, how a cloud computing provider will identify, locate, preserve and provide access to information when the need arises, as well as how to legally preserve data for litigation purposes. "More and more practitioners need to understand the legality around data retrieval, storage and protection," Lee says.

5. Understand Upstream Intelligence
