Leverage digital forensics resources effectively
Sunil Varkey
CISO, CTO, Former Wipro Fellow, Writer, Speaker, Mentor, Cyber Evangelist
With many universities offering master's degrees in digital forensics, and with other training available, the supply of forensics resources is increasing. I am not sure these resources are used to their full potential in enterprises, or that all of them are finding the right career: many I have met felt disappointed at narrowing their domain expertise to digital forensics and at the difficulty of finding the right job.
Years back, the essential requirement for a person to start a security career was experience and expertise in operating systems or networks, built through prior work or study. Now many start their security careers straight out of college and build expertise over time, which may be affecting the quality of skills to an extent. One reason for this is the imbalance between security resource demand and supply.
Digital forensics resources build forensics capabilities on top of OS and network fundamentals, which are essential for every security domain, but most of the time their career opportunities shrink to evidence collection, preservation and documentation, or to cracking mobiles and systems.
I am not saying that they are fully ready to take up a more significant role straight out of college, but there is certainly a fantastic career path for them with proper mentoring, broader reading and the right attitude. Having worked with a few forensic experts who preferred to remain purely technologists, tool experts in EnCase and FTK, I believe they may be limiting themselves.
Regulations, investigations, audits and contractual clauses demand the role of digital investigator in enterprises. Many a time this role is handled by a non-technical person who leverages a forensic analyst for imaging, preserving the chain of custody and documenting the evidence.
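As an added example (not from the article), here is the shape of the chain-of-custody record a forensic analyst keeps around an acquired image: the evidence is hashed at acquisition, re-hashed at every handover, and the chain is verified afterwards so that any alteration of the bytes between handovers shows up as a hash mismatch. The sample image bytes, evidence id, handler names and timestamps are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample "image"; a real acquisition would hash the image file
# (or the device itself) in chunks rather than holding it in memory.
SAMPLE_IMAGE = b"constructed sample evidence: not a real disk image\n" * 64


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes as a hex digest (the acquisition hash)."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    # Fixed-width ISO-8601 UTC so timestamps compare correctly as strings.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(evidence_id: str, data: bytes, handler: str, note: str,
            when: Optional[str] = None) -> dict:
    """Open a custody record; the acquisition hash is the reference every later entry is checked against."""
    digest = sha256_hex(data)
    return {
        "evidence_id": evidence_id,
        "acquisition_sha256": digest,
        "entries": [{
            "action": "acquired", "handler": handler, "sha256": digest,
            "intact": True, "note": note, "time": when or _now(),
        }],
    }


def handover(record: dict, data: bytes, from_handler: str, to_handler: str,
             note: str, when: Optional[str] = None) -> bool:
    """Re-hash at a transfer and record whether the bytes still match the acquisition hash."""
    digest = sha256_hex(data)
    intact = digest == record["acquisition_sha256"]
    record["entries"].append({
        "action": f"handover {from_handler} -> {to_handler}",
        "handler": to_handler, "sha256": digest, "intact": intact,
        "note": note, "time": when or _now(),
    })
    return intact


def verify_chain(record: dict):
    """Check every entry against the acquisition hash and that timestamps never go backwards.

    Returns (ok, problems) where problems is a list of human-readable findings.
    """
    problems = []
    ref = record["acquisition_sha256"]
    last_time = ""
    for i, e in enumerate(record["entries"]):
        if e["sha256"] != ref:
            problems.append(f"entry {i} ({e['action']}, handler {e['handler']}): hash mismatch")
        if e["time"] < last_time:
            problems.append(f"entry {i}: timestamp earlier than previous entry")
        last_time = e["time"]
    return (not problems, problems)


def to_json(record: dict) -> str:
    """Serialise the record for the evidence file that accompanies the image."""
    return json.dumps(record, indent=2)


if __name__ == "__main__":
    rec = acquire("EV-0001", SAMPLE_IMAGE, "analyst-a",
                  "bit-for-bit image of laptop drive (constructed sample)")
    handover(rec, SAMPLE_IMAGE, "analyst-a", "investigator-b", "handed to investigator")
    # Simulate a single altered byte before the next handover: the chain must flag it.
    tampered = SAMPLE_IMAGE[:-1] + b"?"
    handover(rec, tampered, "investigator-b", "counsel-c", "handed to counsel")
    ok, problems = verify_chain(rec)
    print(to_json(rec))
    print("chain intact:", ok, problems)
```

The hash recorded at acquisition is what an investigator later presents alongside the image; every subsequent entry either confirms that value or documents exactly which handover the discrepancy appeared at.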
A key objective of a digital investigator is to find answers to six questions:
- Who did it?
- What did they do?
- When did they do it?
- How did they do it?
- Where did they come from, and where did they go?
- Why did they do it?
Of these six questions, five are answered by the output of the forensic analyst engaged; the answer to 'why' is a gray area most of the time. With a few additional skills, there is a good business case for a forensic analyst to move into the role of digital investigator.
Deposition in court is an expertise very few people have the intent and experience to take on. Digital forensics personnel are a good fit for such engagements, especially since they have first-hand understanding of the issue and of the laws related to the domain.
Incident handlers struggle at times when they cannot find indicators for most of the six questions above. The forensic analyst could work proactively with incident handlers to validate and establish whether those questions (or most of them) can be answered for each use case or potential incident scenario, given the specific data sources and events of interest being collected. Forensic experts are an asset in an incident handling / SOC team, leveraging their OS, registry, rootkit and filesystem expertise.
Enterprise policies, standards and regulations mandate the collection and preservation of logs; the struggle for many is defining what to collect and from where. In some cases, existing applications may not even generate the required logs. The forensic analyst could be leveraged to identify, coordinate and validate adequacy in this regard. Forensic experts in a security engineering / governance function are an asset.
Every audit activity has a considerable digital component; it is good to have a forensic analyst as part of the audit team through the lifecycle of its digital landscape.
Enterprise CERTs work on potential new indicators, vulnerabilities and threats, which need technical expertise to reverse engineer, validate assumptions and provide recommendations. Forensic experts are the right resources to be in that core team.
My suggestion to individuals building their careers in digital forensics is to be aware of the ample space available to develop their careers. Your expertise is niche and valuable, and it needs to be enhanced further with reading in psychology, investigation methods, case studies, standards, regulations, threat intelligence, security blogs, IT laws, the changing IT environment and, more importantly, enterprise policies. (The intent is not to generalize this field of study.)
Sample curriculum of a digital investigator (from a leading US university):
- Computer forensics, mobile device forensics, and malware
- Network forensics
- Fraud investigation
- Digital forensics and the law
- Understanding the legal system
- Psychology of cybercrime
- Incident response and timeline analysis
- Digital forensics in digital archives
- Database forensics, reverse engineering, and malware
Let us work together to make a safer Cyberspace.
Network Security & Routing SME | Network Automation | Prisma Access
5 years
Useful!
Excellent article. My forensics career started as a part of a fraud investigation team. It really helped that along with forensics, I was also involved in financial fraud and corporate espionage investigation.
Helping customers address modern complex cyber-security challenges
5 years
Quite interesting
Nice, short but informative, well-organized post. Kudos!
Good article, Sunil. The key will also be to look at the impact to the organization as one discovers the answer, especially to the 'Why' question.