Digital Forensics: Tech detectives follow the computer trail
Posted on
July 21, 2015
Digital forensics is the practice of recovering computer data in criminal investigations.

From hipsters in lab coats to gun-toting crime solvers, television programming is full of depictions of computer forensics as a fast-moving, action-packed career where analysts routinely interface with law enforcement and often confront perpetrators with evidence of their crimes in dramatic courtroom showdowns. Is that really the case?

As with any television dramatization, this depiction of digital forensics certainly glamorizes the field, but there are grains of truth behind the flashy Hollywood embellishments. Computer forensic technicians do often uncover critical evidence that solves crimes, and they do testify in court about their findings. The reality, however, is that forensic analysis is painstaking work that requires great attention and tremendous expertise. Successful forensic analysts have many lucrative career opportunities in both the public and private sectors.

Introduction to Digital Forensics

Digital forensics as a field includes the retrieval and analysis of information stored, processed or transmitted by digital devices. While the field originally covered only traditional computers, the proliferation of device types over the years now requires forensic analysts to routinely extract information from smartphones, tablets, embedded computers and even automobiles. Any digital device with storage, processors and/or memory is fair game for the forensic analyst seeking to uncover hidden information.

One of the most common forms of forensic analysis is the retrieval of information from storage media, such as a hard drive, flash device, or camera memory card. Because they may need to testify about their findings in court, forensic analysts must take care when retrieving information from storage that they do not accidentally alter any of the information stored on that device. Any intentional or accidental modification of data taints the evidence and may result in that evidence becoming inadmissible in court.

Therefore, forensic technicians accessing the contents of storage can't simply boot up a computer and browse its hard drive. Instead, they work with duplicate images of the actual evidence and also use special write blocking devices to prevent accidental data corruption. The evidence retrieved from storage devices may include documents, pictures or even temporary cache files that contain information about browser history and other use of a computer system.
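The imaging discipline described above, as an added illustration rather than anything from the original article: the source is opened read-only (the software counterpart of a hardware write blocker), copied byte for byte, and hashed before and after the copy so the analyst can show that the image matches the original and that the original was not touched. The sample "drive" is constructed in a temporary directory; file names are assumed.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # hash and copy 1 MiB at a time so large media never sits in memory


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(source, image):
    """Copy `source` to `image` and return (source_before, image_hash, source_after).
    All three digests must agree for the image to stand in for the original."""
    before = sha256_file(source)
    h = hashlib.sha256()
    # "rb" never writes to the source; a write blocker enforces the same rule in hardware
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            h.update(chunk)
    after = sha256_file(source)  # re-hash to prove the acquisition changed nothing
    return before, h.hexdigest(), after


def verified(source, image):
    before, image_hash, after = image_and_verify(source, image)
    return before == image_hash == after


def demo():
    """Constructed sample: a small fake drive, imaged, then the copy is tampered with."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "evidence.dd")        # assumed name
        image = os.path.join(workdir, "evidence-image.dd")   # assumed name
        with open(source, "wb") as f:
            f.write(b"MBR" + b"\x00" * 4093 + b"invoice_final.docx" + bytes(range(256)) * 8)
        clean = verified(source, image)
        with open(image, "r+b") as f:   # simulate an analyst accidentally editing the copy
            f.seek(4096)
            f.write(b"X")
        tamper_detected = sha256_file(image) != sha256_file(source)
        return clean, tamper_detected
    finally:
        shutil.rmtree(workdir)
```

In practice the digests are recorded in the chain-of-custody notes, and every later working copy is checked against them before analysis begins.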

Forensic analysts also often turn to network-level analysis to determine the activity that took place on a network during a period of time. In some cases, forensic analysts use specialized tools that capture information about network traffic and store it for later analysis. Some of these devices capture the full contents of network transmissions, allowing analysts to completely reconstruct any activity that took place on the network. Full-content capture, however, is quite costly because it consumes massive amounts of storage.

Therefore, many organizations choose to capture summary data, known as network flows. The information captured using the network flow approach includes the IP addresses of the source and destination system, the ports and applications used and the amount of data transferred. It's quite similar to the type of data you would find on a telephone bill. An analyst can tell which systems talked to each other and how much information was exchanged, but they can't reconstruct the contents of the communication.
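The flow summary described above, as an added example that is not part of the original article: a handful of constructed packet records (timestamps, addresses, ports and sizes, no payload) are collapsed into per-conversation records, then paired by direction into the "telephone bill" view the text describes. Addresses and ports are invented sample values.

```python
# Constructed packet records: (time, src_ip, src_port, dst_ip, dst_port, proto, bytes)
PACKETS = [
    (0.00, "10.0.0.5", 51234, "93.184.216.34", 443, "tcp", 517),
    (0.02, "93.184.216.34", 443, "10.0.0.5", 51234, "tcp", 1460),
    (0.03, "93.184.216.34", 443, "10.0.0.5", 51234, "tcp", 1460),
    (0.05, "10.0.0.5", 51234, "93.184.216.34", 443, "tcp", 66),
    (1.10, "10.0.0.5", 40000, "10.0.0.53", 53, "udp", 71),
    (1.11, "10.0.0.53", 53, "10.0.0.5", 40000, "udp", 119),
    (2.00, "10.0.0.5", 51300, "203.0.113.7", 22, "tcp", 86),
]


def flow_key(pkt):
    """Unidirectional 5-tuple; swapping the endpoints yields the reverse direction."""
    _, src, sport, dst, dport, proto, _ = pkt
    return (src, sport, dst, dport, proto)


def summarize(packets):
    """Collapse packets into flow records: who talked to whom, on which port, how much.
    Payload is never stored, which is why flows are cheap but cannot be replayed."""
    flows = {}
    for pkt in packets:
        rec = flows.setdefault(flow_key(pkt), {"packets": 0, "bytes": 0, "first": pkt[0], "last": pkt[0]})
        rec["packets"] += 1
        rec["bytes"] += pkt[6]
        rec["first"] = min(rec["first"], pkt[0])
        rec["last"] = max(rec["last"], pkt[0])
    return flows


def bill(flows):
    """Pair each flow with its reverse direction, like the two sides of a phone call."""
    paired, lines = set(), []
    for (src, sport, dst, dport, proto), rec in flows.items():
        if (src, sport, dst, dport, proto) in paired:
            continue  # already reported as the reverse half of an earlier flow
        reverse_key = (dst, dport, src, sport, proto)
        rev = flows.get(reverse_key, {"packets": 0, "bytes": 0})
        paired.add(reverse_key)
        lines.append(f"{src}:{sport} -> {dst}:{dport}/{proto} "
                     f"out={rec['bytes']}B in={rev['bytes']}B pkts={rec['packets'] + rev['packets']}")
    return lines
```

A one-sided entry (bytes out, nothing back) is often the first thing an analyst notices in this view, since it marks a connection attempt that was never answered.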

The combination of device and network forensics can paint a detailed picture of a user's network activity. Forensic analysts can then take this information and reconstruct the circumstances surrounding an event to support law enforcement or other types of investigations.

Careers in Digital Forensics

Career opportunities abound for qualified forensic analysts. Digital forensics is an extremely technical field, and individuals with this expertise are coveted and in high demand. Government agencies are the most obvious potential employers, including law enforcement agencies, the military and other units that conduct investigations. Opportunities exist at the federal, state and, in some cases, even local level. The use of digital evidence is so prevalent in our judicial system that even small cities now often have digital investigation units, or at least an individual qualified to perform forensic analysis of smartphones and other devices.

The private sector also provides opportunities for careers in digital forensics. In fact, many analysts start their careers with a government agency, gain experience and then move to the private sector in search of more lucrative career opportunities. Many private investigators employ forensic analysts on a contract or freelance basis, and some firms specialize in digital investigations, hiring analysts around the world to conduct private digital forensic investigations in support of corporate clients. Analysts working in the private sector may find themselves working in support of legal defense teams, the internal investigations of private corporations or various other causes.

Digital Forensics Certifications

IT professionals seeking to shift careers and specialize in digital forensics often find certification programs an excellent way to get started. Earning a professional certification validates that job candidates successfully achieved a base level of knowledge, regardless of whether they participated in a college degree program, enrolled in instructor-led technical training courses or completed a program of self-study.

The International Society of Forensic Computer Examiners (ISFCE) offers the Certified Computer Examiner (CCE) program as a vendor-neutral certification for forensic analysts. Candidates for this credential must either complete an approved training program (either through a bootcamp or self-study) or have 18 months of verifiable professional experience in digital forensics. Candidates who meet these requirements must submit a written application for the program to the CCE board. Once approved, they then must pass both written and hands-on exams demonstrating their knowledge of digital forensics.


The Information Assurance Certification Review Board (IACRB) offers a similar vendor-neutral credential: the Certified Computer Forensic Examiner (CCFE) certification. Similar to the CCE program, the CCFE requires that candidates pass both a written exam and a hands-on practical evaluation. The written exam includes 50 multiple-choice questions administered during a two-hour testing period. Candidates who pass the written exam may then take the practical exam which requires performing a forensic examination of case files and writing a formal analysis report suitable for presentation in court.

Candidates seeking a more focused experience may choose to pursue certification on a particular forensic tool. The EnCase Certified Examiner (EnCE) program offers an approach that focuses on the EnCase forensic toolkit. This program requires passing a two-hour online multiple-choice examination with a score of 80 percent or higher and then taking a practical examination using the EnCase tools. Candidates for this credential must either complete 64 hours of online or classroom training in digital forensics or demonstrate that they have twelve months of relevant work experience.

Finally, the SANS Institute offers three certification programs focused on digital forensics. The GIAC Certified Forensic Analyst, Certified Forensic Examiner, and Network Forensic Analyst are highly regarded certification programs that require strong technical depth to pass. SANS offers training courses focused on each one of these exams and candidates must pass written exams to earn any of the GIAC credentials.

Digital forensics is an exciting career field with many diverse employment opportunities. IT professionals seeking to expand their technical skills may wish to pursue training in this field through self-study or a formal training program. In addition to completing training, employers always appreciate candidates who take the additional step of demonstrating their practical knowledge by successfully completing one or more digital forensic certifications.

About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.
