A Career in Forensics: 5 Key Steps Experts Offer Tips Toward Making the Transition

Joseph Naghdi, an experienced computer technologist, transitioned to digital forensics in early 2000 because he was intrigued by how data is stored and discovered on computers. Today, he's a forensics analyst at Computer Forensics Lab, a U.K. consultancy specializing in computer forensic services and advanced data recovery. The high point of his work, he says, is when he solves tough cases, such as a recent phishing attack against a UK bank that almost led to the transfer of 3 million pounds.

See Also: How to Anticipate Breaches & Prevent Data Loss: Avoiding the Fate of OPM

With the rise in cyber-fraud and various breach incidents, digital forensics is becoming a growing field with plenty of opportunities. The job involves determining the cause, scope and impact of security incidents; stopping unwanted activity; limiting damage; preserving evidence and preventing other incidents. Digital forensics experts typically investigate networks, systems and data storage devices.

The average salary for digital forensic professionals is about $81,000 in the U.S., according to the salary research and data website PayScale, but specialization in mobile architecture, devices and cloud computing could lead to higher salaries.

Information security professionals interested in making a transition to a career in digital forensics, as Naghdi did, need to take five key steps, experts say.

1. Develop Windows Expertise

Because 90 percent of the systems that forensics experts investigate are Microsoft Windows-based, practitioners need to understand the core technology, says Rob Lee, director and IT forensics expert at Mandiant, a certified forensics instructor at SANS Institute.

"Kind of like in the Army, you need to know how to shoot a rifle - Windows is the rifle of computer forensics," Lee says. Information security professionals who want to specialize in forensics must understand all aspects of how Windows works, including how information is stored, he contends. He also suggests developing expertise in mobile devices and cloud computing.

2. Obtain Specialized Training

Greg Thompson, security manager at Canada's Scotia Bank, who is also an (ISC)2 advisory board member, believes the best way to learn about digital forensics is to obtain training at schools or certification bodies, including the International Association of Computer Investigative Specialists, Sans Institute and the International Information Systems Forensics Association.

Thompson recently hired two professionals from community colleges in Canada who were trained in applying forensic investigative techniques and skills. "The main skill is developing a creative mind-set to think like an attacker in responding to the situation," says Thompson, who oversees the forensics practice at Scotia Bank.

He also recommends security professionals take online courses, seek help from professionals with law enforcement backgrounds and learn on the job. In particular, he encourages developing expertise in forensic investigations of mobile devices, firewalls and malware.

3. Build a Broad Technical Background

When investigating unauthorized data access, for example, forensics experts must know how to recover lost data from systems, analyze log entries and correlate them across multiple systems to understand specific user activity. "This requires a solid understanding of networks, systems and new types of malware intrusions and analysis," says Marcus Ranum, CSO at Tenable Network Security. "Only a broad IT exposure can help professionals understand the different types of data and what is most critical to capture."

Naghdi emphasizes the need for good computer programming skills to understand how data is stored and how hard disks operate. "Strong programming skills often help the forensic expert in understanding and discovering the different ways of storing and recovering data," he says.

4. Gain Legal Knowledge

Forensics specialists need to understand breach notification regulations as well as the legal implications of not maintaining a proper chain of data custody. They also need to understand, for example, how a cloud computing provider will identify, locate, preserve and provide access to information when the need arises, as well as how to legally preserve data for litigation purposes. "More and more practitioners need to understand the legality around data retrieval, storage and protection," Lee says.

5. Understand Upstream Intelligence

Gathering upstream intelligence involves such steps as observing outgoing messaging patterns or filtering infrastructure for suspicious source rules or inappropriate user behavior. This may provide significant insights into the security posture of an organization.

Forensics goes far beyond relying on recovering pictures, data and e-mails in order to solve a case. "We now require professionals to be engaged in intelligence gathering and analysis and to work across multiple machines, different environments and devices, which could lead to investigating advanced hackers that are moving within the organization," Lee says.

Complexity of Investigations

Digital forensic investigations are becoming far more complex.

For example, Lance Watson, chief operating officer and forensic investigator for Avensic, a forensics and e-discovery consulting company, tackles such challenges as locating information in the cloud or helping clients track and analyze e-mails and text messages on mobile devices. "It's become harder to investigate user activity or discover digital evidence quickly because of remote locations and multiple storage devices used," he says.

The growth in cloud computing and mobile devices has further strengthened the market for forensic pros by increasing demand for eDiscovery services, which involve preserving, collecting, managing and producing electronic evidence relevant for a court case.

The demand for eDiscovery services is leading many companies to establish an internal eDiscovery team rather than relying on an outsourcer. And this is creating new job opportunities. For example, Thompson of Scotia Bank recently transitioned from outsourced eDiscovery to an in-house forensics and data recovery team largely to gain cost savings and get better control of investigations and data.

Naghdi of Computer Forensics Lab says information security professionals can expect demand for forensics experts to grow. "There is definitely an uptake in hires for forensic experts, and this trend will continue," he says. But to make a successful transition to a role in forensics, Naghdi says, security professionals must "have an inquisitive mindset to find new ways of exploring emerging areas and finding digital evidence."


About the Author

Upasana Gupta

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.




Around the Network