Digital forensics, sometimes called computer forensics, is the application of scientific investigatory techniques to digital crimes and attacks. It is a crucial aspect of law and business in the internet age and can be a rewarding and lucrative career path.
Jason Jordaan, principal forensic scientist at DFIRLABS, defines digital forensics as “the identification, preservation, examination, and analysis of digital evidence, using scientifically accepted and validated process, and the ultimate presentation of that evidence in a court of law to answer some legal question.”
That’s a pretty good definition, though there’s a caveat: the term is sometimes used to describe any sort of investigation of cyberattacks, even if law enforcement or the court system aren’t involved. And digital forensics specialists work in both the public and private sectors. Champlain College, which has its own digital forensics program, has a more generalized description: “Digital forensics professionals are called into action once a breach occurs, and work to identify the hack, understand the source, and recover any compromised data.”
Law enforcement was somewhat slow to understand the necessity of applying forensic techniques to computers and high-tech equipment. For the most part, in the 1970s and 1980s the early digital forensics pioneers were people who worked at police or federal law enforcement agencies and who happened to also be computer hobbyists. One of the first areas to come to the attention of law enforcement was data storage: investigators had long worked to seize, retain, and analyze documentation from suspects, and it began to dawn on them that much of that documentation was no longer committed to paper. In 1984, the FBI launched its Magnetic Media Program to focus on these digital records, the first official digital forensics program at a law enforcement agency.
Meanwhile, many of the techniques used to track down and identify hackers as they intruded into computer systems were developed ad hoc in the private sector. A generally recognized seminal moment came in 1986, when Cliff Stoll, a Unix sysadmin at Lawrence Berkeley National Laboratory, tried to account for a $0.75 discrepancy in an accounting log and ended up identifying a German hacker who was breaking into sensitive systems and selling data to the KGB. Along the way, Stoll built what was probably the first honeypot.
Much of the specialization and professionalization of digital forensics over the ’90s and ’00s came about in reaction to two unpleasant realities: the spread of child pornography online, which led to the seizure of huge volumes of digital evidence; and the wars in Afghanistan and Iraq, in which U.S. troops often ended up capturing the laptops and phones of enemy insurgents and had to extract useful intelligence from them. A landmark came in 2006, when the U.S. Federal Rules of Civil Procedure were amended to impose a mandatory regime for electronic discovery.
There are a number of process models for digital forensics, which define how forensics examiners should proceed in their quest to gather and understand evidence. While these can vary, most processes follow four basic steps:
Any digital forensics practitioner will have a wide variety of tools in their kit. At one end of the spectrum you have single-purpose tools such as the open source packet analyzer Wireshark, or HashKeeper, a free database of hash values for known files that lets an examiner quickly set aside files that have already been identified as uninteresting. At the other end, you have powerful multi-function platforms with slick reporting capabilities such as the commercial EnCase, or CAINE, an entire Linux distribution dedicated to forensics work.
The Infosec Institute breaks down these tools into a number of categories, which in and of itself gives you a sense of the sorts of tasks they can complete:
The Institute also maintains a great list of popular forensics tools, which is updated regularly.
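Two of the jobs these tools do, the preservation step in Jordaan's definition (hashing an acquired image and re-verifying it before analysis) and the HashKeeper-style triage described above (skipping files whose hashes appear in a set of known, uninteresting files), can be shown in a few dozen lines. The following Python is an added example written for this page, not code from the original article or from any of the tools it names; the "seized volume", the known-file hash set and the disk image are all constructed inline, and the use of SHA-256 (rather than the MD5/SHA-1 sets that HashKeeper and similar databases historically ship) is an assumption made for the example.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a known-file hash set. Real hash sets (HashKeeper, NSRL)
# have historically used MD5/SHA-1; SHA-256 is an assumption for this example.
KNOWN_FILE_CONTENTS = [
    b"MZ\x90\x00 stock notepad.exe bytes (constructed)",
    b"MZ\x90\x00 stock kernel32.dll bytes (constructed)",
]


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-GB images never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_set(contents):
    """Set of hashes of known, uninteresting files (what a HashKeeper-style database supplies)."""
    return {hashlib.sha256(c).hexdigest() for c in contents}


def triage(root, known_hashes):
    """Split every file under root into 'known' (skip) and 'unknown' (examine).

    Returns two sorted lists of '/'-separated paths relative to root.
    """
    known, unknown = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            (known if sha256_file(full) in known_hashes else unknown).append(rel)
    return sorted(known), sorted(unknown)


def verify_acquisition(image_path, expected_hex):
    """Preservation check: recompute the image hash and compare it to the value recorded at imaging time."""
    return sha256_file(image_path) == expected_hex


def demo():
    """Build a constructed 'seized volume' plus a tiny disk image, run both checks, return the results."""
    known = build_hash_set(KNOWN_FILE_CONTENTS)
    results = {}
    with tempfile.TemporaryDirectory() as work:
        volume = os.path.join(work, "volume")
        layout = {  # constructed file tree; two stock files, two worth a look
            "Windows/notepad.exe": KNOWN_FILE_CONTENTS[0],
            "Windows/System32/kernel32.dll": KNOWN_FILE_CONTENTS[1],
            "Users/suspect/Documents/ledger.xlsx": b"PK\x03\x04 spreadsheet bytes (constructed)",
            "Users/suspect/AppData/Local/Temp/svch0st.exe": b"MZ\x90\x00 renamed binary (constructed)",
        }
        for rel, data in layout.items():
            path = os.path.join(volume, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        results["known"], results["unknown"] = triage(volume, known)

        # Acquisition hash: recorded when the image is taken, re-verified before analysis.
        image = os.path.join(work, "evidence.dd")  # constructed image, not a real acquisition
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed disk image payload")
        recorded = sha256_file(image)
        results["verified_clean"] = verify_acquisition(image, recorded)
        with open(image, "r+b") as f:  # simulate a single byte changing after acquisition
            f.seek(10)
            f.write(b"\x01")
        results["verified_after_tamper"] = verify_acquisition(image, recorded)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the known-file set is triage, not proof: a hash match only says a file is byte-identical to something already catalogued, so an attacker's renamed or patched binary (the `svch0st.exe` above) falls through to the "unknown" pile, which is exactly where an examiner wants it. The acquisition check is the part that matters in court: the hash recorded at imaging time is what lets the examiner show the evidence analyzed is the evidence seized.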
Digital forensics degree programs and certifications
Traditionally, digital forensics practitioners came from a more general computer science background, and often were experienced sysadmins who were already comfortable with many of the basic tools used in digital forensics. However, in line with the increasing specialization within the industry, a few schools now offer degrees or concentrations specific to digital forensics — two in conventional on-campus settings and three online:
If you have a more general educational or professional background but would like a leg up in your job search, you might want to consider pursuing a digital forensics certification. Business News Daily curated a list of the five most valuable certs; its top picks are the GIAC Certified Forensic Examiner (GCFE) and GIAC Certified Forensic Analyst (GCFA) certifications, the GIAC program being affiliated with SANS.
Finally, it’s worth noting that, as digital forensics expert John Irvine puts it, “computer forensics is an apprenticeship discipline … You really learn the trade once you’re in a seat working on real cases alongside a senior examiner.”
Jobs in digital forensics tend to have titles like “investigator,” “technician” or “analyst,” depending on your level of seniority and specialization. The majority of jobs in the digital forensics field lie in the public sector — in law enforcement, for state or national agencies, or for crime labs, though the latter might be privately run and contract with public agencies.
However, with public cybercrime labs often overwhelmed — and less nimble than they could be due to bureaucratic red tape — large companies are beginning to run their own labs, creating another lucrative path for digital forensics professionals. As of 2017, there were six digital forensics labs accredited by the American Society of Crime Laboratory Directors at private companies, including Target, Walmart and American Express.
What sort of salary can a digital forensics professional expect? According to PayScale, the average forensic computer analyst makes around $70,000 a year, though there’s a rather wide range that can go from around $45,000 to around $115,000.
With all that being said, you might decide that computer forensics is the career path for you. And it’s a fascinating one! But linger just a little on the decision: like any career path in law enforcement, it can put you in touch with some of the worst of human nature. John Irvine has a somber blog post on the darker side of computer forensics. Remember how we said that much of the computer forensics field became professionalized in the hunt for child pornographers and terrorists? Well, as Irvine describes, that takes a real toll on investigators, who have to examine and watch much of the material they find. It’s a sobering thought, but a necessary one as you consider a digital forensics career.
This story, “What is digital forensics? And how to land a job in this hot field,” was originally published by CSO.