I recently read a Forbes article titled “6 Skills Required For A Career In Digital Forensics” (link to the original article can be found here). Although the article did touch on some important areas, in my humble opinion, it missed a few critical areas.
Instead of repeating what was stated in the original article, I will simply add to the points made:
- Analytical talent: This, of course, goes well beyond average analytics. It has been my experience in this industry that it is easier to teach police officers the tech than to teach tech professionals the investigative process. I may have some bias here, being a full-time officer/investigator for 15 years and another five as an auxiliary, but day-to-day people lied to us, presented themselves in a better light or flat out gave misleading information to mask their guilt (not saying everyone was guilty). It took a “street” smart investigator to take the proverbial big ball of knotted string, untangle it and lay it out in a nice timeline of events and facts with “reasonable” conclusions.
- Computer science/tech skills: I have written academic programs for universities and this type of education is critical in the industry. There are many “digital examiners” that rely too much on the “magic” button and do not have a real understanding as to what is going on behind the scenes. This to me is like getting on an elevator, pressing the desired floor and believing you were teleported to a new location (I often play this game with my kids). It’s not magic, it’s science. It never took much for an attorney to make me look silly on the stand (DNA had the first shot at it), so I made sure I knew my facts prior to testifying. One more point here, examiners today should know a programming language. There will always be a time that your tool does not present the information you want and now it is up to you. Python is my language of choice (thanks to Chet Hosmer). Why Python? More and more of the major forensic suites recognize the evolution of Digital Forensics and have placed a Python API in their software (Autopsy, Cellebrite, XRY, EnCase, and more soon). Python is flexible and cross-platform. I can run it at the command line or in a “tool”. Don’t be intimidated… If you understand Yoda from Star Wars, you will understand Python:

import os

tmpDir = "C:/Temp/Test2"
# Create the working directory only if it is not already there;
# os.makedirs also creates any missing parent directories.
if not os.path.exists(tmpDir):
    os.makedirs(tmpDir)
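To show what “now it is up to you” looks like in practice, here is an added example (my own illustration, not code from the original post or from any of the suites named above): a small triage script that walks an evidence directory, hashes every file in chunks, records size and modification time, and writes a CSV. The evidence tree it reads is constructed in a temporary directory so the script runs offline; the function names and CSV layout are my choices, not any tool's API.

```python
# Added example (not from the original post): a small triage script of the
# kind you end up writing when a suite does not give you the listing you want.
# It walks an evidence directory, hashes every file, and writes a CSV you can
# hand to anyone. The sample evidence tree is constructed here so it runs offline.
import csv
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, read in chunks so large
    evidence files never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def inventory(root):
    """Walk root and return one record per regular file: relative path, size,
    modification time (UTC, ISO 8601) and hashes. Symlinks are skipped so the
    inventory reflects what is physically in the evidence tree."""
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rec = {
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            }
            rec.update(hash_file(full))
            records.append(rec)
    return records


def write_csv(records, out_path):
    """Write the inventory as CSV and return the path written."""
    fields = ["path", "size", "mtime_utc", "md5", "sha256"]
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields)
        writer.writeheader()
        writer.writerows(records)
    return out_path


def build_sample_evidence():
    """Construct a throwaway evidence tree (sample data, not real evidence):
    one small text file and one empty file."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Documents", "notes.txt"), "wb") as fh:
        fh.write(b"abc")
    with open(os.path.join(root, "empty.bin"), "wb"):
        pass
    return root


if __name__ == "__main__":
    root = build_sample_evidence()
    recs = inventory(root)
    print("wrote", write_csv(recs, os.path.join(root, "inventory.csv")))
    for r in recs:
        print(r["path"], r["size"], r["sha256"])
```

Point the script at a mounted, read-only image instead of the constructed tree and the CSV becomes a hash list you can diff against a tool's output, which is exactly the kind of cross-check an attorney will ask whether you did.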
- Understanding cybersecurity: I agree with this point, but want to add more to it. “Forensics” has always been a tree with many branches, much like the medical field with different specialties (except they have more schooling and are paid much better). Great examiners have knowledge of the force… wait, wrong article… of the core of digital forensics (data structures, encodings, storage methodologies, etc.). I have seen an alarming trend over the past couple of years where examiners attempt to gain entry at the “branch” level of digital forensics (i.e., mobile forensics). This is a huge mistake in my opinion. Just as a doctor must know the foundation of their field, a digital forensics practitioner should know their core. After that, and only after that, should an examiner branch to a specialty like mobile forensics, “car” forensics, etc. Cybersecurity, being a different field, is an exception. With that said, the skills of a cybersecurity professional have become even more essential than ever in the digital forensics world. #WannaCry So, core first, specialties later and finally DFIR enlightenment.
- Organization & Communication skills: I have combined points four and five from the original article because these, in my mind, go together. If a person is not organized in their thoughts, they will never be able to properly communicate the essentials of Who, What, When, Where, Why and How. Explaining highly technical issues to a jury or committee is very challenging. They are usually full of people who know very little about technology, except what they see on CSI, and they cannot even program their VCR. A couple of issues here. People believe that we can click a couple of buttons and solve the most complex digital crimes in under 60 minutes, including commercials. I will leave that alone… Second, the fact that they still own a VCR scares me. Mine is a DVD recorder / VCR combo. Does that exempt me? When explaining complex issues to non-technical people, I use analogies. I have never forgotten the way “train cars” were explained by NW3C in forensics. The “old-timers” will get that one. Use something they understand in daily life and make it fit to what you are explaining.
- Desire to learn: I am going to jump up and down and spin for a minute. My opinion… This should be the core as to why you do what you do. This should be the passion that drives you and the inspiration to your digital forensic existence. So, if you missed that, you should not only have a “desire to learn”, but it should be your passion. Saying I love technology is a huuuge (insert Trump voice for that word) understatement. As a young child, I would take things apart and attempt to discover the mysteries of how it worked. I learned so much about 8-track players and ultimately, to the frustration of my mother at my not being able to put it back together, I was banned from tools. Sorry, mom… Things have changed. I have learned the fine art of documentation and can reassemble items now. Back to the point, if reverse engineering, tinkering and learning the digital truth doesn’t fill your soul then there are plenty of other fields out there.
On a side note here, I have examined many cases where examiners half-heartedly examined the evidence, looked for the “stuff” that showed guilt and wrote a report only to move to the next case. We are talking about a person’s future life here… As part of the learning and passion, it should be your mission to find and report not only on the “guilty stuff”, but the items that show doubt or innocence.
How does one achieve these things? I can’t help with the passion or desire, but I can recommend a few things:
- Find a mentor/coach in the industry. I have several awesome mentors. I ask them for advice from time to time, usually about my company. I am respectful of their time and am always very grateful for the advice. Remember, a mentor is just that, not a crutch or someone to do the work for you; that work is yours alone. My advice: find someone humble who is not trying to make a name for themselves or always saying “look at me” (they exist more than I care to say), but is truly a passionate examiner, who loves being geeky and finding the truth in hexadecimal. They will gladly dump their life knowledge on you, sharing their pitfalls and triumphs. The bits of information (pun intended) you will pick up along the way will be invaluable. Again, not a “Forensic-egomaniac”, but a real practitioner who will give great advice and bump you in the right direction as your path unfolds. A big thanks to my many mentors, both past and present!
- Start learning the core of DFIR. If you don’t know 0x20 is a “space” (or can’t look it up) or about bytes, nibbles, and bits… start at the core basics of digital forensics. Yes, this is a bit like #5 below, but since it is here twice, do you see the importance of it? Learn core forensics and work your way from there.
- Get experience. I loved having interns in the lab. It complemented my passion for teaching. You can find paid and unpaid internships. Money is good, but the experience is wealth.
- Participate and ask questions in the community. There is an increasing number of resources in the industry from forums, listservs and social media groups. Join them and ask questions, just be sure you “googled” it first or the flaming could happen. I have a brand new Digital Forensics Group here and there are other great resources from HTCIA, IACIS, Forensic Focus, vendor-based, etc. Involve yourself and don’t be afraid to ask questions! We all started somewhere.
- Get an education. Either at a university or reputable training company, not the $29 courses you will find on some “learning” sites that will also teach you woodworking, Raspberry Pi Tinkering, and “How to Read Body Language” (actual course) all on the same site. Although they may contain knowledge, most have been stolen from those who designed it and you will walk away with a pretty PDF certification from…. someone. Vendor training is great at teaching you their tools and some are incorporating the “fundamentals” as part of their curriculum. I would recommend vendor-neutral training, not only because I own one of those types of companies (my disclaimer), but because that is how I learned long ago. I started with NW3C and SEARCH; when those courses were exhausted, I moved to Guidance Training, AccessData training, then to the specializations with MFI (vendor-neutral), Paraben and countless other vendor-based training. If you are curious, here is a list of my company’s offerings and I can also give vendor recommendations based on your needs (feel free to contact me). If travel and expense is an issue, we offer (as do more and more vendors) On-Demand, Live-Online (webinar-ish), and Live Training. I even consult with companies on how to set up these delivery systems. You can read about the delivery options here and our On-Demand courses in the portal (which is nearly ready) here.
- Do it! Get your hands dirty with “test” evidence using open source options like Autopsy and tools in Kali Linux, Caine, etc. There is no better education than hands-on learning. If you mess something up in a “test” case, learn from it and move on. Examine your computer, a friend’s…. wait.. skip that one. You may learn something causing you to find new friends. Find a tool and start with best practices. I would recommend researching NIST and SWGDE. There are many more I wish to mention, but realize the length of this article -> Google is your friend.
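The “core” called out in the learn-the-core item above (bytes, nibbles, bits, why 0x20 is a space, and the encodings and storage methodologies mentioned earlier), as an added example that is not part of the original post: a byte breakdown, a classic hex dump, and the same four bytes read as a 32-bit integer in little-endian and big-endian order. The sample buffer is constructed here and is not a real artifact; the function names are my own.

```python
# Added example (not from the original post): the "core" in code. It breaks a
# byte into nibbles and bits, prints the offset / hex / ASCII layout every hex
# editor uses, and shows how byte order changes what four bytes mean.
# SAMPLE is a constructed buffer, not a real artifact.


def describe_byte(value):
    """Break one byte into its hex form, its two nibbles, its eight bits and
    the printable ASCII character it encodes (or '.' if it is not printable)."""
    if not 0 <= value <= 0xFF:
        raise ValueError("a byte holds 0..255")
    return {
        "hex": f"{value:02X}",
        "high_nibble": value >> 4,        # upper 4 bits
        "low_nibble": value & 0x0F,       # lower 4 bits
        "bits": f"{value:08b}",
        "ascii": chr(value) if 0x20 <= value < 0x7F else ".",
    }


def hexdump(data, width=16):
    """Return the lines of a classic offset / hex / ASCII listing."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(describe_byte(b)["ascii"] for b in chunk)
        lines.append(f"{offset:08X}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


def read_u32(data, offset, byteorder):
    """Read an unsigned 32-bit integer at offset; byteorder is 'little' or 'big'.
    On-disk structures are usually little-endian; network protocols and many
    file formats are big-endian, so you have to know which one you are looking at."""
    if offset + 4 > len(data):
        raise ValueError("not enough bytes for a 32-bit field")
    return int.from_bytes(data[offset:offset + 4], byteorder)


# Constructed sample: a NUL-terminated text run followed by a 32-bit field
# (the value 4096) stored little-endian at offset 16.
SAMPLE = b"Hello Forensics" + b"\x00" + (4096).to_bytes(4, "little")


if __name__ == "__main__":
    print(describe_byte(0x20))            # the space character
    for line in hexdump(SAMPLE):
        print(line)
    print("little-endian:", read_u32(SAMPLE, 16, "little"))
    print("big-endian:   ", read_u32(SAMPLE, 16, "big"))
```

The last two lines are the lesson: the bytes `00 10 00 00` are 4096 when a filesystem stores them little-endian and 1,048,576 if you read them big-endian, and a “magic button” will not tell you which one your tool assumed.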
So with that, I wish you all the best of luck and want to express my gratitude to the members of the industry who took the time to help me along the way. I hope this article can help the next generation of examiners.