Over the past few years several people have asked me what the best route would be to enter the Digital Forensics / Incident Response field. While there is no best method, there may be one that works well for you. I know the path I took had it’s challenges – mainly of acceptance – because in a corporate-world most at a senior-level management roles did not want to believe that the DF role was necessary. For some reason, the IR role was something easier for them to understand. In the non-corporate world, I had zero law enforcement background so obtaining my first South Carolina SLED Private Investigator’s license was challenging to say the least. It was not easy to find a current SC PI that (1) understood what DF was; (2) understood it’s value in a priviate investigation; and (3) could provide proper “oversight” as required by SLED in the field of DF. Most PI’s in SC still conduct photographic or location-based surveillance of some sort and very few (in SC) are properly credentialed and experienced in the digital forensics field. For more information on Digital Forensic licensing in SC see my post from December 17, 2012.
This brings us to the topic of Avenues to Entry into Digital Forensics / Incident Response. As I mentioned from the outset, I answer a several questions each month on how someone can enter the DF field; next month I will be speaking to a group of Network Security students at ECPI University about what employers are looking for in the network security field. That topic will undoubtedly cross into the DFIR arena as they have many commonalities.
Some criteria for becoming a successful DFIR investigator or examiner would include:
- critical thinking;
- willing to ask questions;
- have (or develop) an investigator’s mindset;
- a will-to-learn;
- willing to admit you don’t know it all, nor can you;
- ability to maintain a personal network of like-minded DFIR individuals who you can bounce ideas of off;
Without regard to personal situations and the like, my typical number one response on how someone with little or no experience can inexpensively enter the DFIR filed is via the United States military cyber-divisions. In today’s tech-driven world, many military operations have a digital forensics component whether it be networks, computers, smartphone, “dumb”-phones, recordable media, etc. The US military is the ideal environment to train the highly experienced DFIR technician. I look at it this way, if a solider can survie the acquisition of digital evidence while under combat conditions, they are surely capable of dealing with the civilan public during a forensic engagement. In addition, benefits such as high-quality forensic training, the GI Bill to pursue college studies after service and the intangible of working on some of the more sensitive DF cases in the world on your CV.
If the military is not a viable option for you, then I would suggest pursuing experience via a federal law enforcement agency where you will gain the necessary (1) training; (2) support; and (3) experience to advance your DFIR career path. Join a federal law enforcement agency early enough in your career and you could likely retire with full government benefits while pursuing your chosen field in the private sector. A federal agency will provide the properly educated candidate with additional training in areas of evidence-handling, chain of custody, expert testimony, and an in-house support network to further enhance your skills.
In these first two, options you will not require “special” state-level licensing as I referenced in my December 17, 2012, post. Typically military and law enforcement are exempt from such requirements as long as the individuals are pursuing their official duties.
Remembering that we are introducing the next generation of DFIR analysts to the field, I would suggest one pursue a career in DFIR in the private sector. In doing so, obtain experience and credentials in the following areas in order to become a candidate for those junior-level positions:
- Bachelors’ Degree in a technical field – Computer Science, Math, Engineering, etc.
- Broad-based IT related certifications – from providers like (ISC)2, CompTIA
- A good understanding of networking – from Cisco or CompTIA
- Be familiar with at least one scripting language – this is more about structure than mechanics though both are good
- Be familiar with at least two operating systems – Windows plus MacOS X, Linux, or other Unix-based OS
- Incident handling / digital forensic certification – from The International Society of Forensic Computer Examiners®, SANS/GIAC
- Any investigative experience where evidence handling procedures are established and followed
Of course these are guidelines oriented to the beginner into the field; those seasoned IT professionals with 10+ years experience as a network engineer, SysAdmin, etc. could likely substitue that experience in some of the areas mentioned above.
My recommendations in the private sector would be the security operations center of a major telco/ISP, an incident response service provider or a multi-national company with more than 10,000 users and strong information security practice. I do not want to get to specific here, but I think you make your own judgement on what would be a good fit for your situation.
In closing I want to be clear – no one certification (or degree) will make you an DFIR analyst / examiner / investigator; however, the items listed above will help you make the short-list from an employer’s perspective. As told to me by a now retired 28-year veteran of the FBI who led the first computer forensic case handled by the FBI, “There is no substitue for experience.” While that may be true, gaining experience in the DFIR field takes time; expect to spend 3-5 years in an entry level position progressively working towards your goals before you have seen broad variety of cases and situations that are handled by a seasoned DFIR investigator.