{"id":49,"date":"2012-12-23T15:46:27","date_gmt":"2012-12-23T20:46:27","guid":{"rendered":"http:\/\/www.sc4n6.com\/?p=49"},"modified":"2012-12-23T15:46:27","modified_gmt":"2012-12-23T20:46:27","slug":"avenues-to-entry-into-dfir","status":"publish","type":"post","link":"https:\/\/www.carolinacomputerforensics.com\/blog\/avenues-to-entry-into-dfir\/","title":{"rendered":"Avenues to Entry into DFIR"},"content":{"rendered":"<p>Over the past few years several people have asked me what the best route would be to enter the Digital Forensics \/ Incident Response field. \u00a0While there is no\u00a0<em>best<\/em> method, there may be one that works well for you. I know the path I took had its challenges &#8211; mainly of acceptance &#8211; because in the corporate world most in senior-level management roles did not want to believe that the DF role was necessary. \u00a0For some reason, the IR role was something easier for them to understand. \u00a0In the non-corporate world, I had zero law enforcement background, so obtaining my first South Carolina SLED Private Investigator&#8217;s license was challenging to say the least. \u00a0It was not easy to find a current SC PI that (1) understood what DF was; (2) understood its value in a private investigation; and (3) could provide proper &#8220;oversight&#8221; as required by SLED in the field of DF. \u00a0Most PIs in SC still conduct photographic or location-based surveillance of some sort and <strong>very<\/strong> few (in SC) are properly credentialed and experienced in the digital forensics field. 
For more information on Digital Forensic licensing in SC <a title=\"Topics of Necessary Evil -- Licensing\" href=\"http:\/\/www.sc4n6.com\/2012\/12\/topics-of-necessary-evil-licensing\/\" target=\"_blank\">see my post from December 17, 2012<\/a>.<\/p>\n<p>This brings us to the topic of\u00a0<em>Avenues to Entry into Digital Forensics \/ Incident Response.\u00a0<\/em>\u00a0As I mentioned from the outset, I answer several questions each month on how someone can enter the DF field; next month I will be speaking to a group of <a title=\"ECPI University - Network Security Program\" href=\"http:\/\/www.ecpi.edu\/technology\/program\/network-security-associate-degree\/\" target=\"_blank\">Network Security students at ECPI University<\/a>\u00a0about what employers are looking for in the network security field. \u00a0That topic will undoubtedly cross into the DFIR arena as they have many commonalities.<\/p>\n<p>Some criteria for becoming a successful DFIR investigator or examiner would include:<\/p>\n<ul>\n<li>critical thinking;<\/li>\n<li>methodical;<\/li>\n<li>willing to ask questions;<\/li>\n<li>have (or develop) an\u00a0<em>investigator&#8217;s mindset<\/em>;<\/li>\n<li>a <em>will-<\/em>to-learn;<\/li>\n<li>willing to admit\u00a0<em>you don&#8217;t know it all, nor can you;<\/em><\/li>\n<li>ability to maintain a personal network of\u00a0<em>like-minded<\/em> DFIR individuals who you can bounce ideas off of;<\/li>\n<\/ul>\n<p>Without regard to personal situations and the like, my typical number one response on how someone with little or no experience can inexpensively enter the DFIR field is via the United States military cyber-divisions. In today&#8217;s tech-driven world, many military operations have a digital forensics component, whether it be networks, computers, smartphones, &#8220;dumb&#8221;-phones, recordable media, etc. The US military is the ideal environment to train the highly experienced DFIR technician. 
\u00a0I look at it this way: if a soldier can <em>survive<\/em> the acquisition of digital evidence while under combat conditions, they are surely capable of dealing with the civilian public during a forensic engagement. \u00a0In addition, there are benefits such as high-quality forensic training, the <a title=\"GI Bill\" href=\"http:\/\/www.gibill.va.gov\/\" target=\"_blank\">GI Bill<\/a> to pursue college studies after service, and the intangible of having worked on some of the more sensitive DF cases in the world on your <i>CV<\/i>.<\/p>\n<p>If the military is not a viable option for you, then I would suggest pursuing experience via a federal law enforcement agency where you will gain the necessary (1) training; (2) support; and (3) experience to advance your DFIR career path. \u00a0Join a federal law enforcement agency early enough in your career and you could likely retire with full government benefits while pursuing your chosen field in the private sector. \u00a0A federal agency will provide the properly educated candidate with additional training in areas of evidence-handling, chain of custody, expert testimony, and an in-house support network to further enhance your skills.<\/p>\n<p>In these first two options, you will not require &#8220;special&#8221; state-level licensing as I referenced in my December 17, 2012, post. Typically, military and law enforcement are exempt from such requirements as long as the individuals are pursuing their official duties.<\/p>\n<p>Remembering that we are introducing the next generation of DFIR analysts to the field, I would suggest one pursue a career in DFIR in the private sector. 
In doing so, obtain experience and credentials in the following areas in order to become a candidate for those junior-level positions:<\/p>\n<ul>\n<li>Bachelor&#8217;s Degree in a technical field &#8211; Computer Science, Math, Engineering, etc.<\/li>\n<li>Broad-based IT-related certifications &#8211; from providers like <a title=\"(ISC)2 - Home of the CISSP\" href=\"https:\/\/www.isc2.org\" target=\"_blank\">(ISC)2<\/a>, <a title=\"CompTIA Certifications\" href=\"http:\/\/certification.comptia.org\/getCertified\/certifications.aspx\" target=\"_blank\">CompTIA<\/a><\/li>\n<li>A good understanding of networking &#8211; from\u00a0<a title=\"Cisco - CCNA \" href=\"http:\/\/www.cisco.com\/web\/learning\/le3\/le2\/le0\/le9\/learning_certification_type_home.html\" target=\"_blank\">Cisco<\/a>\u00a0or\u00a0<a title=\"CompTIA Certifications\" href=\"http:\/\/certification.comptia.org\/getCertified\/certifications.aspx\" target=\"_blank\">CompTIA<\/a><\/li>\n<li>Be familiar with at least one scripting language &#8211; this is more about structure than mechanics, though both are good<\/li>\n<li>Be familiar with at least two operating systems &#8211; Windows <i>plus\u00a0<\/i>MacOS X, Linux, or other Unix-based OS<\/li>\n<li>Incident handling \/ digital forensic certification &#8211; from \u00a0<a title=\"ISFCE - Home of the Certified Computer Examiner (CCE)\" href=\"http:\/\/www.isfce.com\/\" target=\"_blank\">The International Society of Forensic Computer Examiners\u00ae<\/a>,\u00a0<a title=\"SANS\" href=\"http:\/\/sans.org\" target=\"_blank\">SANS<\/a>\/<a title=\"GIAC - Home of GCFA, GCIH, GSEC, GSE\" href=\"http:\/\/giac.org\" target=\"_blank\">GIAC<\/a><\/li>\n<li>Any investigative experience where evidence handling procedures are established and followed<\/li>\n<\/ul>\n<p>Of course, these are guidelines oriented to the beginner in the field; those seasoned IT professionals with 10+ years&#8217; experience as a network engineer, SysAdmin, etc. 
could likely substitute that experience in some of the areas mentioned above.<\/p>\n<p>My recommendations in the private sector would be the security operations center of a major telco\/ISP, an incident response service provider, or a multi-national company with more than 10,000 users and a strong information security practice. I do not want to get too specific here, but I think you can make your own judgement on what would be a good fit for your situation.<\/p>\n<p>In closing, I want to be clear &#8211; no\u00a0<em>one<\/em> certification (or degree) will make you a DFIR analyst \/ examiner \/ investigator; however, the items listed above\u00a0will <em>help<\/em> you make the short-list from an employer&#8217;s perspective. \u00a0As told to me by a now-retired 28-year veteran of the FBI who led the first computer forensic case handled by the FBI, &#8220;There is no substitute for experience.&#8221; \u00a0While that may be true, gaining experience in the DFIR field takes time; expect to spend 3-5 years in an entry-level position progressively working towards your goals before you have seen the broad variety of cases and situations that are handled by a seasoned DFIR investigator.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over the past few years several people have asked me what the best route would be to enter the Digital Forensics \/ Incident Response field. \u00a0While there is no\u00a0best method, there may be one that works well for you. 
I know the path I took had its challenges &#8211; mainly of acceptance &#8211; because in &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.carolinacomputerforensics.com\/blog\/avenues-to-entry-into-dfir\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Avenues to Entry into DFIR&#8221;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":296,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,34],"tags":[35,26,28,36,37,10,38,39,12,23,40],"_links":{"self":[{"href":"https:\/\/www.carolinacomputerforensics.com\/blog\/wp-json\/wp\/v2\/posts\/49"}],"collection":[{"href":"https:\/\/www.carolinacomputerforensics.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.carolinacomputerforensics.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.carolinacomputerforensics.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.carolinacomputerforensics.com\/blog\/wp-json\/wp\/v2\/comments?post=49"}],"version-history":[{"count":0,"href":"https:\/\/www.carolinacomputerforensics.com\/blog\/wp-json\/wp\/v2\/posts\/49\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.carolinacomputerforensics.com\/blog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.carolinacomputerforensics.com\/blog\/wp-json\/wp\/v2\/media?parent=49"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.carolinacomputerforensics.com\/blog\/wp-json\/wp\/v2\/categories?post=49"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.carolinacomputerforensics.com\/blog\/wp-json\/wp\/v2\/tags?post=49"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}