Pathway to Digital Forensics

I am often asked how to get into Digital Forensics and/or Incident Response. It is a great question, often filled with a lot of nuances based on the background of the person asking as well as their areas of interest. That said, I think there are 7 key things that need to be considered; namely, Education, Certification, Resume/ Curriculum Vitae, Networking, Social Media, Mentorship, Applying for Roles, Sharing and Contributing to the field. Let’s dive into each one briefly.

Education

Education can mean different things depending on your background. This could be a college degree or training. Many roles require a bachelor’s degree in any field while some roles will be more specific as to acceptable degrees. Possible relevant degree programs can include Computer Science, Electrical Engineering, Cybersecurity, Digital Forensics, or Criminal Justice. Some roles will have a mix of education and experience that are require to enter a job at a higher level (i.e., mid-level examiner, senior examiner). In those instances, it may be beneficial to have a Master’s degree. There are several programs that offer MS degrees specifically in Digital Forensics – including George Mason University, Marshall University, and Champlain College to name a few.

There are many things to consider when looking at an educational program. Items to consider include who are the professors? Do the instructors have practical experience? Do the professors conduct research in the field? What research has been published from the university? Where do alumni work? What kind of internship assistance is available? What courses are in the program? Do those courses deep-dive forensic topics or are there only 1 or 2 digital forensics classes in the program? What are the pre-requisites for the program?

Training is another option! This is especially valuable to those who are coming from other fields and may already have a degree. Education can come from a variety of sources including formal courses; such as SANS, Cyber5W, or Hexordia classes, or piecing together content from a variety of sources such as those referenced on DFIR Diva’s affordable training list.

Regardless of your education path, be it formal classroom training or on your own, be aware of other learning sources. Several organizations like the High Tech Crime Investigator’s Association have learning resources. There are a variety of conferences and industry events – both in person and virtual with scores of sessions you can learn from. There are also compendium sources full of resources. For a list of resources, check out our blog – Resources to Skill Up and Collaborate in DFIR. Another source for learning and testing your skills is Capture the Flag (CTF) contests. Check out the variety of CTFs under Blue Team on Cyber Defenders or try your hand at the Magnet Virtual Summit CTFs.

Certification

There is quite a bit of debate on the value of certification. Many roles require it as it is a way to demonstrate to a customer or a court that the examiner has some base level of skill. Of course, not all certifications are built equally. There are several considerations when determining which certification is the right fit. One way to determine what certification may have the most value is to look at job requirements for roles you are interested in obtaining one day. There are some other questions to ask yourself. For this purpose, is a tool vendor certification or a vendor neutral certification more applicable? Sometimes a tool vendor certification is more appropriate because the potential employer uses a specific toolset or to be able to testify that one is properly trained and certified in the use of a tool. In other environments, a tool agnostic certification is preferred as it demonstrates knowledge of concepts that can be applied to a variety of tools.

There are more questions to ask before determining what certification makes the most sense for the circumstance. Does the certification involve a practicum? Does the certification have a knowledge question portion? Is it a one-sitting timed examination? How well received and recognized is the exam by the community? Does the certification require specific experience and training? And of course, cost of the certification is often another factor. The right certification for each person will depend on the circumstance, the desired role, and the experience and training that the candidate has already attained.

Resume / Curriculum Vitae (CV)

It is critical to have a resume and/or a CV. My biggest recommendation is to treat this as a living document, the same as your Linked In profile. I strongly encourage folks to at least monthly update your CV and your Linked In profile with new skills, courses, training, certs, publications, or presentations, etc. You will be learning new skills regularly so keep updating. As an added benefit, if you are regularly updating your Linked In profile, it won’t look suspect to your current employer as opposed to a sudden update in prep for a career move.

There are a variety of reasons to maintain a CV as an examiner this can include submitting for proposals as a contractor or consultant, being accepted as an expert witness by a court, participating as a member of some professional organizations, submitting to speak at some events, and applying to be a peer reviewer for example.

What is the difference between a resume and a CV? Your curriculum vitae should include everything you have done related to the field. This includes work experience, education, training, skills, software, operating systems, courses, certification, volunteer work related to the field, DFIR related projects, CTFs you have competed in, courses you have authored, presentations, panels, and articles. Your resume is a shorter document focused on what you are submitting for a specific purpose. This means that your resume should be unique for each role to which you apply. Typically, one can pull info from the CV targeted towards the opportunity.

Resume reviews and workshops can serve as a great opportunity to get guidance on your resume. These are often part of information security conferences. There is an upcoming one at the Magnet Virtual Summit that folks can sign up for as part of Mentorship Day Feb 27th, 2023. I have met so many folks that I still have professional and mentorship relationships with to this day from resume workshops!

Career switchers should be sure to include cross-industry relevant skills on resumes. This could include technical skills (i.e., networking, troubleshooting) or soft skills such as briefing executives, customer service, and writing experience. Skills can be categorized by depth. For example, you may be Proficient with Python while Familiar with C#.

Networking

Networking can be a critical part of the path to breaking into DFIR. There are both local low-cost events as well as large national and international events. Local BSides events are a fantastic way to meet others. These events are small conferences that tend to be low cost and more general information security events than digital forensics specific. BSides events are all over the world, so definitely worth checking out.

Professional organizations are also a great way to network. The High-Tech Crime Investigation Association (HTCIA) has local regional chapter events and specializes in digital forensics. Other groups with local events include 2600 groups and DefCon groups – although, those groups are more information security/hacker oriented.

Another place to network is at conferences. There are a variety of conferences that are focused on digital forensics. These include OSDFCon, Techno Security, SANS DFIR Summit, and DFRWS to name a few.

Social Media

Having a presence on social media can be very valuable to connecting you to others in the field. This is also a great place to network. Here are some of my favorite virtual spaces where you can participate directly in digital forensics conversations and learn what is going on in the field.

·         Digital Forensics Discord Server

·         #DFIR on Mastodon

·         #DFIR on Twitter

·         #DFIR on LinkedIn 

·         Computer Forensics Subreddit

For those new to using social media professionally, I have two primary recommendations. First, use a separate account then the one used for personal life, connected to family and friends. Use this separate account only for DFIR and keep it professional. Curate this social media account specifically to follow other folks in the field. Secondly, keep interactions positive and professional – this means that social media is not the right place to bash a tool, examiner, or company. Remember the internet is forever – and screenshots are as well.

Mentorship

Regardless of where you are in your career, it is critical to find a mentor. There are a couple of ways to connect with and find a mentor including pairing programs, your own network, or someone whose work you would like to contribute.

There are two upcoming pairing programs at the time of this writing which I am aware:

·         MVS 2023 Mentorship Program (Feb 27)

·         Women in Cybersecurity (WiCyS) Mentor Mentee Program - Applications for 2023 open March 1, 2023

There are some tips for when reaching out to someone either in your network or someone who you don’t know, but you are interested in contributing to their work. When you reach out ask specific questions as opposed to just asking them to be your mentor. Some folks receive many of these requests per week and cannot possibly respond to and help all of those folks. Ensure you are also sharing information about you and your interests and why you would like to work with them or seek their mentorship. Also please respect that they may not have the cycles to help you at this time or at all. That is okay, you may need to reach out to other folks. In general, forensics examiners are very giving with their time to the community but work and family demands can ebb and flow.

Applying

The next step is to begin applying for roles. I recently wrote a blog on the Top 10 Places to Search for a Digital Forensics Job which will share what websites to use to look for a role. It is important to remember that a lot of positions ask for a set of skills that are unlikely to be had by a single individual. Please apply even if you don’t have every qualification. While some items may be non-negotiable, such as citizenship status or a position being in-seat instead of remote – many items that may be listed as required, could become preferred if there are not candidates who meet every requirement. This is a numbers game and you will want to apply for as many roles as possible. It is always better if you can get a referral from someone already employed by the organization. Don’t be afraid to reach out to folks you know and ask. Hopefully these are folks you met through your networking or social media efforts.

It is important to remember that digital forensics and incident response roles are not always considered entry level roles. There are lots of great roles in organizations that may help you obtain skills and experience to eventually laterally move into digital forensics. This can include working in the Security Operations Center, Cloud Security, Networking, or another role in information security - particularly those that are considered “blue team” or focused on defense.

Share and Contribute

While this is the last part of the pathway, it is probably the most important! Sharing with the DFIR community will make a dramatic difference. No matter where you are in your journey, you have something to share from your perspective. Sharing demonstrates both your work ability as well as your writing, coding. or presentation skills. I highly recommend that those starting out in the field focus on sharing technical content.

There are a variety of ways to share that go beyond writing a blog. This could be by scripting, either to your own git repository or by contributing to community projects like the LEAPP project, Autopsy modules, or Volatility Plugins. Another way to share is by building CTFs or writing up your solves to challenges including the Blue Team Challenges on Cyber Defenders or Magnet Virtual Summit CTFs. Artifact information can be shared with either the Artifact Genome Project or the Artifact Museum. Folks can also contribute forensic images to the greater community via the Computer Forensic Reference Data Set (CFReDS) or Digital Corpora. Regardless of how you share, be sure to update it on your resume and Linked In!

Conclusion

There are defined steps that you can take to break into digital forensics and incident response. It takes a bit of work as digital forensics and incident response roles aren’t typically considered entry level roles. However, by focusing on each of these areas, you can increase your likelihood of breaking into the field. That said, don’t forget about related field and roles such as those in the Security Operations Center (SOC), Cloud Security, or Networking that can be steppingstones to your DFIR role!