Digital Forensics: The Chance to Play Detective

Work is Hard, But Jobs Plentiful for Professionals Who Like to Follow the Evidence Trail
After Hurricane Katrina devastated much of Louisiana, the state was granted $9 billion for recovery and disbursement to individual homeowners. Keith Barger, a director in KPMG's Forensic practice in Houston, was put in charge of a forensics and fraud team to verify insurance claims, conduct investigations and trace fraud activities. This work kept Barger's team busy for a year and a half.

"Forensics is broader in scope than people anticipate it," Barger says.

He specializes in electronic data discovery, data analytics and investigative services in support of civil litigation, and provides advisory services on technology-related matters. He also provides expert witness testimony when appropriate in connection with these services. His in-house team is involved in high-profile investigations, applying tools and methodologies to data analytics, data mining, recovering deleted files, tracing internet activities and many other tasks. Most of his clients are government agencies and large private corporations. The team consists of:

A forensics manager who has direct oversight of the forensics practice and is qualified to certify a forensics lab environment;
Evidence custodians who basically are involved in tracing, recovering and storing evidence;
Research and development individuals who maintain databases and spend time keeping abreast of emerging technologies, software and methodologies;
Cell phone and digital media specialists;
Intrusion detection professionals.

The forensics profession today is fast-growing because of the increasing number of cyber crime activities that occur throughout the world, maintains Barger.

The Emergence of Forensics
"Forensics has become very important in the last 10-12 years since one great disadvantage of technology's integration into society is the capacity for people to use the technology for criminal purposes," says Jill Slay, PhD, CISSP, FACS, PCP, MIEEE, Member, (ISC)² Board of Directors.

The types of crimes that can be committed using technology can be represented in two distinct categories: crimes committed using a computer (e.g. hacking, fraud) and those committed against computers (e.g. Denial of Service).

"In today's economy more people are working remotely, which provides greater opportunities for malicious employees to create harmful attacks," says Paul Henry, SANS Institute certified instructor in Forensics and cyber crime and President of Forensics & Recovery LLC, an independent network breach and computer forensics investigative company based in Florida.

Forensic computing can be described as the investigation into criminal or unethical activities that may have left digital or electronic evidence. Although this definition appears simplistic, adds Slay, it specifies the existence of digital evidence, which is the very core of 'computing' in the term forensic computing.

In the current job market, demand for such experts is increasing in the United States, where many companies are facing real-time cyber crime activities. "We have forensic experts that we are looking for," says Nadia Short, vice president of strategy & business development at General Dynamics Advanced Information Systems, who seeks people that are able to lead the investigation and incident response activities. They primarily focus on the ability to understand file systems, logs, histories, patching and, more importantly, understand chain-of-custody activities as we look to provide that kind of data to law enforcement officials as they look to "put the bad guys away."

Career Options
The typical career path/responsibilities for forensics professionals include:

Entry-level Forensic Analyst: Analyses of hardware, including applications/operating systems, storage media, file systems, imaging hard drives, etc. Forensics professionals need to know in depth how computer systems work and operate, says Eric Fiterman, CEO & President of Methodvue, a private intelligence organization specializing in the discovery and deterrence of complex threats to people, commerce, and governance.

Forensic Senior Analyst: Analyses of software and applications, and know-how of data capture, including volatile and non-volatile data. Recovery of sensitive data, whether it is documents, emails, graphics, cookies, etc. Ability to identify the source and origin of a particular disruption or security issue, says Fiterman. This means being able to answer "How bad is the damage both in financial and technical terms and who was responsible for this crime?"

Investigation Specialist: Forensic investigation services cover all areas of computer misuse, Internet/email abuse, fraud, pornography, hacking and intellectual property theft. Investigation procedures are needed, and in many cases required, to guarantee that found evidence can withstand examination in court.

Expert Witness: Forensics investigations often require presentation in court and need the services of an expert witness who testifies that evidence discovered in any particular case will withstand examination, says Eric Robi, CCE, an expert witness and President of Federal Forensics Group, an independent consulting firm specializing in computer forensics and analysis. The expert witness is usually required to provide independent expert testimony in the form of expert opinion and to present the findings in layman's terms, both in written reports and in court presentation and/or examination. The expert witness also provides easy-to-read and well-organized 'expert' reports to support the testimony, including reports and statements that verify where and how data have been recovered, processed, etc.

Management Position in Forensics: These days large companies have their own forensics and e-discovery teams that do the required investigation, analysis and recovery of systems and data. Most places require a senior forensics manager to lead and support the team as well as directly report to senior management.

Job Requirements
Forensics experts recommend an undergraduate degree in computer science or engineering, specializing in forensic computing or IT security. Next: a master's degree and specialized training by vendor certification companies including SANS Institute, which offers GIAC Certified Forensics Analyst (GCFA); the EC Council for its Certified Computer Hacker (CEH); and International Society of Forensic Computer Examiners (ISFCE) offering the Certified Computer Examiner (CCE). "Hiring an interesting mix of individuals of technology level professionals with strong IT background and law enforcement professionals has been successful for my team," says Barger.

In addition, product training from forensics software providers, including EnCase Guidance Software, Access Data, and Microsoft, is essential for forensics professionals.

"Skills and abilities would be the logical and mathematical ones of science and engineering and the problem solving skills needed in detection as well as in the sciences," says Slay. The capacity to do tedious work, along with very strong analytical skills and a solid background in information technology and network security, is required in forensics, adds Henry.

On the Job
Henry indicates that the starting salary for a professional in forensics is around $70,000 annually, assuming the candidate possesses the necessary IT and analytical background and training. Salaries are higher for senior analysts and professionals, ranging between $150,000 and $300,000 annually.

Among the challenges on the job:

Long hours: The work is challenging when data needs to be analyzed and recovered from very large hard drives and applications using varied tools to confirm analysis, says Henry.
Keeping pace with technology: Things change so fast that maintaining the tools and software used for analysis and investigative support, and keeping up with training and education on them, becomes very difficult and at times expensive.
Cloud Computing: With the practice of cloud computing, "We do not have evidence at one place, information is stored in bits and pieces at different times, in different places which gets very challenging," says Fiterman.

For more information on career options in forensics:

The International Association of Computer Investigative Specialists (IACIS)
The International Society of Forensic Computer Examiners (ISFCE)
American College of Forensic Examiners (ACFE)
Cyber Security Institute
Digital Forensics Certification Board (DFCB)

About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.



