So you want to break into the field of Digital Forensics…

It seems like I am asked this question at least twice a month via email. This week, I was asked 4 times. Instead of telling people the same thing over and over, I figured I would write a blog and refer the next person to it. Having said that, if you have positive experiences to add, please do so in the comments. Remember, we all needed to get our start somewhere. The biggest mistake we can make is not helping those who want to do what we do every single day!

I am often asked, “how did you get into this field and how did you get where you are today?” My response, “I was in the right place at the right time.” I graduated with a BS in Forensic and Investigative Science from WVU and could not get a job in Bloodstain Pattern Analysis, as I had planned. Remember, this was 2002, before CSI! Yes, I am older than 24… hard to believe. 😉 I applied and interviewed with several Government agencies and Police Departments. Nobody would hire a grad with no experience and the Forensic degree was a new thing. I was one of the first 4 with this degree in the United States. This makes me feel old…

So how did I get from here (I actually did this in college): [image: blood]

To this????? [image: PC]

This is where the Air Force helped me. I joined the Air National Guard to pay my tuition so I could get my degree. On my way to a drill weekend, flying in the back of a C-130, I met an IT guy from ManTech. He told me he could put me in touch with someone hiring an evidence technician. And the rest was history. Well, not really – they didn’t want to hire me because I didn’t understand digital evidence as my experience was in physical evidence. However, I made them see that it is really the same. How we handle it is the same. They took a chance and my career in Digital Forensics began. I was lucky to have a great boss who was willing to teach me how the tools worked and not just press buttons. Without him (nickname: Lancer), I have no idea where I would be today. I showed the interest and he took the time to teach me.

So, how can you meet your Lancer, you ask? You need to meet people to introduce you to opportunities. You need to network! Emailing someone on LinkedIn is not fully networking.  You need to get out there and go to conferences where these people thrive. Don’t be afraid to introduce yourself and ask for help. There is always someone who will help you. If you get turned away, you haven’t found your Lancer. Keep looking and don’t give up.

When I am approached for help, I ask a few things:

  1. What is your background?
  2. What do you want to do? Most people don’t know, so I point them to webcasts and blogs to see what sparks their interest (see below).
  3. Can you get a clearance?
  4. Are you willing to move?

You need to take the initiative to show your interest. By this, I mean take any training you can. Not all training is cheap and the courses I teach are expensive, but are worth the money. If you cannot pay for training, take free training, watch free webcasts, read forensic blogs and books and practice on your own. This will show you are trying, show you are passionate about the field and give you some cool stories to share at your interviews.

Your best bet is to pay and attend a forensic conference to meet people who are in the field. My favorite is the SANS DFIR Summit, for the sole reason that examiners present – not vendors. So you are getting a glimpse of different careers, the tools and methods they use and how they fill the gaps that the tools cannot meet. It’s amazing and it’s the best networking experience of the year. But, it’s not free! Can’t afford it? Ask a speaker to sponsor you as their guest! Again – back to that networking thing. You have to jump out of your shell and ask! Other conferences that may be helpful (and there are so many): EnFuse, HTCIA, BlackHat, DEFCON, Mobile Forensics World, Paraben and others. Before attending one, I recommend you look at the agenda and the speakers and determine if this is what you want to spend your time and money attending. Each offers something different and all have a target audience.

Take forensic training. It’s that simple. Learn the trade. Some courses are free and some cost a good chunk of change! Again, take what you can and remember it’s better to start somewhere vs. never getting started. Here is a list you can refer to: http://www.forensicswiki.org/wiki/Training_Courses_and_Providers

Shameless plug: I author and teach for the SANS Institute. I recommend FOR585 Advanced Smartphone Forensics. Why? Because it’s fun, cutting edge, vendor neutral and it’s my baby. 🙂 Plus, who doesn’t have a phone? May as well learn how to forensicate it.

Books to read (just Google them – you can buy them in several places):

These are the books that helped me get into this field and still help me during my investigations:

File System Forensic Analysis – Brian Carrier

Handbook of Digital Forensics and Investigations – Eoghan Casey

Harlan Carvey’s books on Windows and Registry Forensics

Practical Mobile Forensics 2nd Edition – Mahalik and Tamma (again shameless plug…)

These books are not necessarily something you would read cover to cover, but they are great reference material. They will show you how to examine your own computer and phones and will get you some hands-on experience! Most suggest free and commercial tools, so you can access what we use on a daily basis. There are several others out there, but these are general enough and have helped me.

Blogs:

This is a great place to start because it’s free and you can hop around as you wish. Clearly you are here on my blog, but others I recommend are:

Cheeky4n6monkey – Learning about digital forensics

Az4n6blog – Another Forensics Blog

Mac4n6blog – Mac Forensics (iOS too)

SANS – DFIR Blog

Gillware – Murphy’s Laws of Digital Forensics

Gillware Digital Forensics Blog | Cindy Murphy

Webcasts:

The SANS institute sponsors and hosts webcasts, where professionals give you a glimpse of topics they care about, courses they teach and developments in forensics. Check it out! It’s free and you can refer back to archives and get tons of free training. https://www.sans.org/webcasts/

If you have done all of these things and you are ready to break into forensics, let’s talk. I hope to meet you at a SANS event or conference soon. Good luck and never let anyone tell you it’s too hard to get into. It’s not always what you know, but who you know and how hard you are willing to work!


14 thoughts on “So you want to break into the field of Digital Forensics…”

  1. Here’s a good reference list: dfir.training
    Curated RSS feeds from DFIR blogs
    Lists of blogs, podcasts
    Calendar of DFIR training (on the planet)
    And the best database of DFIR tools.

    Great place for students. Great place for everyone else too.

  2. My personal opinion is that you need to acquire years of experience in a multiple of IT disciplines before dipping your toes into the DFIR waters. “Fresh out of college” with a snappy DFIR degree is next-to-worthless. And I hope this isn’t too long (Heather — PLEASE edit as necessary!)

    Before getting too deeply into it, my background involves operating system test and debug (in college), production code maintenance/enhancement – fresh out of college (yuck), project management, system and network administration, backup/recovery and disaster recovery planning, plus web facing design/architecture/security.

    Based on that, try to find jobs (and rotate through them) that give broad exposure to system/network administration, database administration, operating system test/debug, software test/design, disaster recovery, project management…. plus all of the “key-word flavors of the day” such as big data /cloud/ analytics/ etc.

    My personal entree to DFIR (networking) is similar to the path of Heather, although I’m a few years older and it involved a FORCED career change. I could see my current career (a US-based data center outsourcing outfit) had little-to-zero hope of survival, so I reviewed what interested me within the IT field. It turned out to be my fixation (or “paranoia”?) about keyloggers, spyware, and so on… this was way back around 2002 – 2004.

    Fast forward to 2008 and, via personal networking contacts (NETWORKING as Heather mentioned), a friend at my church got me in contact with a forensics company that needed someone technically versed in tape backups/restorations (hello, “disaster recovery”) so that their DFIR pros could probe the recovered evidence and provide answers to their clients.

    I was hired and from those days onward, I leveraged the position to ever bigger and better opportunities / better paying gigs at other Fortune 500 clientele.

  3. Thanks, Heather. You have thrown a lot of food to us monkeys 🙂
    The note is packed with rich information to start with. One can understand, given your hectic routine, it may not be easy to do these things on a frequent basis. But would say, keep up the good work nevertheless.
    Ajay

  4. Awesome post. I can relate to many points that were covered. I lost count how many times I applied before I got in but it was worth it. It is a great and challenging field with many like-minded professionals who are willing to help out others.

    The SANS courses are one of the best and have current examples/labs along with great instructors. Prior to doing them, I would recommend reading a book or two, and trying some free entry courses that will give beginners a feel for the subject.

    PS: This is a great blog. How can the Alumni help improve it?

    1. Thanks for the comment! The best help for this site is submitting any DFIR tool you find that is not already listed. For the courses, encouraging vendors to submit their class would be helpful as well to make sure it remains comprehensive.

      Other than that, enjoy the site and take advantage of it!
