The Digital Forensics Field

Long gone are the days of storing an entire life’s worth of work on one single device; now any one person may have an entire network of devices linking their data, evolving the way digital forensics experts must approach their investigations. “The Cloud is a major driver due to the way data is shared and synchronised across devices, particularly for investigations. While you may not be able to access data from one device, chances are the information you’re trying to obtain is synchronised with others,” says Cameron Brown, Digital Forensic Investigator and Lawyer (@AnalyticalCyber), who is currently based out of Frankfurt in Germany. “The increasing prevalence of mobile broadband has also changed the way we look at data and evaluate evidence. For example, GPS tracking and the geo tagging embedded within people’s photos can reveal movements and location. This information can be very useful to the law enforcement side of digital forensics.” However, while we revel in the heroic feats of modern technology, adversaries in the underground economy grow equally strong. Cyber criminals are keeping frightening pace with technological advancements. As more and more cyber-attacks and technology-enabled crimes are being reported, the demand for investigations by those qualified and experienced to execute them increases, thus creating a wealth of opportunities for individuals pursuing jobs in the field of Digital Forensics.

There is a distinct correlation between those working in Information Security and Digital Forensics, with both requiring a somewhat overlapping knowledge base and specialised level of technical expertise. However, it’s important to bear in mind their respective roles in navigating the threat landscape, with Information Security professionals typically focused on prevention and Digital Forensics practitioners dealing with the post-mortem aspects of an inquiry. “When it comes to information security you have to think like an adversary in as far as knowing WHERE the vulnerabilities lie,” says Brown. “Contrastingly, a forensic analyst focuses more on WHAT to search for and HOW to find it. Ultimately, the skills are complementary and really two sides of the same coin.” While the technical skills required to do the work can be learnt, it is more the soft skills that will set a high calibre candidate apart from the crowd. Fundamental skills include the ability to communicate clearly, willingness to collaborate, intuition to know if something is normal or abnormal, knowing what to prioritise, staying calm in a pressurised situation, being fastidious and maintaining punctuality, knowing how deep to go and not being afraid to ask for help, and having a rational, analytical and agile mind. These are all traits that employers revere when hiring in the Digital Forensics space.

“The Cloud is a major driver due to the way data is shared and synchronised across devices, particularly for investigations. While you may not be able to access data from one device, chances are the information you’re trying to obtain is synchronised with other devices”

Far from the glamour of forensic exploits seen in movies and on television programs such as CSI, the reality of a career in Digital Forensics, otherwise known as computer or IT forensics, offers the excitement of fieldwork, uncovering evidence and courtroom appearances only as a small fraction of the role; day-to-day paperwork and stakeholder dialogues make up the majority of it. The hard skills pertaining to the area certainly come down to research, such as tapping into the public domain in order to uncover the answers you need as quickly as possible. Awareness is key and “this is not an area that will be sufficed by reading a few text books at university,” says Brown. “There is a constant need for learning. Consistency and attention to detail are also crucial competencies, particularly in positions supporting law enforcement, where the chain of custody or evidence continuity must be maintained.” However, the key technical skill that employers look for when hiring individuals for jobs in Digital Forensics is the ability to write a report from an impartial viewpoint and to present facts rather than opinions, in most cases. “Make sure the facts are indeed the facts,” says Brown, “if you’re stepping into territory that’s uncertain, seek clarification because people are relying on these reports to present cases, which may in turn impact the lives of others.”

“When it comes to information security you have to think like an adversary in as far as knowing WHERE the vulnerabilities lie. Contrastingly, a forensic analyst focuses more on WHAT to search for and HOW to find it. Ultimately, the skills are complementary and really two sides of the same coin”

Law enforcement can offer a good grounding for candidates wishing to join the ranks of digital forensic analysts, examiners and officers. Serving as a practical platform from which to perfect many of the skills necessary to become a successful Digital Forensics practitioner, law enforcement exposes individuals to court work, from preparing evidence for trial to being called as an expert witness to deliver testimony. This is where the ability to communicate effectively, both verbally and on paper, comes into play as one of the key skills employers are seeking. Being able to translate complex technological processes into a language comprehensible to both laymen and legal officials is as important to the role as interrogating information systems in order to reveal evidence of a course of conduct. 

Undoubtedly, in a field driven by new and emerging technologies, the demand for experienced Digital Forensics professionals outweighs the preoccupation with education. Having said that, a degree in IT, particularly one focused on networks, hardware and software, would be a step in the right direction for those planning on a career in Digital Forensics. There are some universities offering specialised degrees in eDiscovery and computer forensics; however, tertiary education is not a prerequisite for career progression within this field. “While certifications may act as a point of reference for a company at the hiring stage, they don’t ultimately mean you can effectively do the job,” says Brown. “Individuals need to possess a broad base of foundational skills in both hardware, software, networking and scripting, as well as demonstrating extensive technical understanding, a keenness to learn, effective customer service and a solution-oriented work ethic.” Digital Forensics is really a field that requires its experts to learn on the job. “It’s one of those areas where the best skills you develop are the ones you develop through repetition,” asserts Brown.

“There is a constant need for learning. Consistency and attention to detail are also crucial competencies, particularly in positions supporting law enforcement, where the chain of custody or evidence continuity must be maintained”

“Government or law enforcement offer the best grounding and breadth of case exposure for dealing with complex technical issues for aspiring ‘forensicators’,” according to Brown, noting that the public sector usually offers more job flexibility and access to training. However, while law enforcement and crime fighting institutions provide a lucrative launch pad for talented practitioners, Brown warns that this kind of “deep end therapy” that brings one into contact with unsavoury individuals and situations may not suit everyone’s personalities or sensitivities. “Alternatively, going down the commercial route, there is a greater orientation towards client needs straight off the bat,” says Brown, “it demands a stronger awareness of work ethic and budget in order to meet the needs of the client.” There is also the option to go in-house, for example, working for a bank or company intent on protecting their own interests, which establishes a firm expectation of approaching the job with a view to safeguarding the business continuity of your employer. 

Where the corporate world and public sector differ most in relation to jobs in the Digital Forensics field is in case outcomes. The corporate sphere expects less investment by analysts in terms of the use to which evidence is put, rather requiring its digital investigators to dig up their findings and present them clearly, allowing the company’s legal team or similar to follow through with decisions and conclusions. The public sector often enables greater finality, elevating its practitioners quickly through the ranks to be on the ground from the start all the way through to concluding the case. “It’s important before you make your choice to understand the demands of the different sectors,” says Brown.

“Individuals need to possess a broad base of foundational skills in both hardware, software, networking and scripting, as well as demonstrating extensive technical understanding, a keenness to learn, effective customer service and a solution-oriented work ethic”

Looking ahead to the next five years with regard to changes in technology, data and the law, the notion of 'push-button' forensics, and the automation of the systems supporting forensic enquiry in the industry, is set to be one of the key drivers in how the job is and will continue to be done. “As developments in technology gain speed it is only going to empower and improve the efficiency of the job,” says Brown, though he adds that “the need for subject matter experts to interpret results from fancy black boxes and explain and verify findings will remain.” For entry level jobs in the field, candidates will be able to leverage technological automation to perform much of the time-consuming digging and fossicking for intelligence and evidence, allowing them to focus instead on interpreting results and explaining findings.

Brown also asserts that, rather than businesses nurturing an internal digital forensic investigative capability, the function will instead be increasingly outsourced to specialist companies qualified to shoulder the risk that comes with increased scrutiny from regulators. “The law is driving the industry,” says Brown, adding that the increase in the volume of data is equally key in how the industry will continue to develop. “It calls for a greater focus on rapid forensics to triage cases expeditiously,” says Brown, explaining that with a tremendous amount of data to interrogate, candidates looking to take on Digital Forensics jobs would be wise to demonstrate their ability to make sense of that data quickly as this is what will drive the industry forward. “Mobile devices and cloud computing will be a critical part of that evolution because these technologies are increasingly replacing localised computer resources that we have traditionally used when accessing our digital lives,” adds Brown.

“It’s one of those areas where the best skills you develop are the ones you develop through repetition”

The changing face of data privacy and data protection, and ongoing debates concerning encryption, in Brown’s opinion, represent the biggest challenge to the Digital Forensics field “because if you are not permitted access to the raw data or information then you cannot make sense of it or find probative and relevant evidence.” In a society continually under threat from extremism, “we’re going to see the eroding of privacy rights for normal consumers of technology,” says Brown, something he says could empower and create enhanced visibility for law enforcement who are essentially the protectors of society. “The question is where that balance is to be struck; whether to extend privacy safeguards to consumers or to create greater transparency for nation-states to facilitate inquiries and gather evidence and intelligence,” says Brown. “This is the great challenge of our time.”


First published 2016 (CareersinAudit.com - “IT Forensics: The Lowdown Part I and Part II”)


Dauda Sule

Lecturer, Cyber Security at Air Force Institute of Technology Kaduna

7 years ago

Very nice article.

Adrian Guthrie CISSP

Solutions Engineer |Sales Engineer |Technical Onboarding Consultant|Senior Technical Support EDR|MDR|SIEM|SOAR|RMM|MDM|SAAS|OT/ICS|IOT |SALESFORCE||ITGLUE| SERVICENOW|JIRA|

7 years ago

good article! thanks for your insight
