Digital forensics definition
Digital forensics, sometimes called computer forensics, is the application of scientific investigatory techniques to digital crimes and attacks. It is a crucial aspect of law and business in the internet age and can be a rewarding and lucrative career path.
Jason Jordaan, principal forensic scientist at DFIRLABS, defines digital forensics as "the identification, preservation, examination, and analysis of digital evidence, using scientifically accepted and validated process, and the ultimate presentation of that evidence in a court of law to answer some legal question."
That's a pretty good definition, though there's a caveat: the term is sometimes used to describe any sort of investigation of cyberattacks, even if law enforcement or the court system aren't involved. And digital forensics specialists work in both the public and private sectors. Champlain College, which has its own digital forensics program, has a more generalized description: "Digital forensics professionals are called into action once a breach occurs, and work to identify the hack, understand the source, and recover any compromised data."
History of digital forensics
Law enforcement was somewhat slow to understand the necessity of applying forensics techniques to computers and high-tech equipment. For the most part, in the 1970s and 1980s early digital forensics pioneers were people who worked at police or federal law enforcement agencies and who happened to also be computer hobbyists. One of the first areas that came to the attention of law enforcement was data storage, as investigators had long worked to seize, retain, and analyze documentation from suspects; it began to dawn on them that much of that documentation was no longer committed to paper. In 1984, the FBI launched the Magnet Media Program to focus on these digital records, the first official digital forensics program at a law enforcement agency.
Meanwhile, many of the techniques used to track down and identify hackers as they intruded into computer systems were developed ad hoc in the private sector. A generally identified seminal moment came in 1986, when Cliff Stoll, a Unix sysadmin at Lawrence Berkeley National Laboratory, tried to figure out a $0.75 discrepancy in an accounting log and ended up fingering a German hacker who was breaking into sensitive systems and selling data to the KGB. Along the way, Stoll created what was probably the first honeypot trap.
Much of the specialization and professionalization of digital forensics over the '90s and '00s came about in reaction to two unpleasant realities: the spread of child pornography online, which led to the seizure of huge volumes of digital evidence; and the wars in Afghanistan and Iraq, in which U.S. troops often ended up capturing the laptops and phones of enemy insurgents and had to extract useful intelligence from them. A landmark came in 2006, when the United States Rules for Civil Procedure were overhauled to implement a mandatory regime for electronic discovery.
How digital forensics is used in investigations
There are a number of process models for digital forensics, which define how forensics examiners should proceed in their quest to gather and understand evidence. While these can vary, most processes follow four basic steps:
- Collection, in which digital evidence is acquired. This often involves seizing physical assets, like computers, phones or hard drives; care must be taken to ensure that no data is damaged or lost. Storage media may be copied or imaged at this stage in order to keep the original in a pristine state for reference.
- Examination, in which various methods are used to identify and extract data. This step can be divided into preparation, extraction and identification. Important decisions to make at this stage are whether to deal with a system that's live (for instance, to power up a seized laptop) or dead (for instance, connecting a seized hard drive to a lab computer). Identification means determining whether individual pieces of data are relevant to the case at hand — particularly when warrants are involved, the information examiners are allowed to learn may be limited.
- Analysis, in which the data that's been gathered is used to prove (or disprove!) the case being built by examiners. For each relevant data item, examiners will answer the basic questions about it — who created it? who edited it? how was it created? when did this all happen? — and attempt to determine how it relates to the case.
- Reporting, in which the data and analysis are synthesized into a format that can be understood by laypeople. Being able to create such reports is an absolutely crucial skill for anyone interested in digital forensics.
Digital forensics tools
Any digital forensics practitioner will have a wide variety of tools in their kit. At one end of the spectrum you have single-purpose open source tools like the packet sniffer Wireshark or HashKeeper, a free-to-use program that can speed the examination of database files. At the other end, you have powerful commercial software platforms with multiple functions and slick reporting capabilities like Encase, or CAINE, an entire Linux distribution dedicated to forensics work.
The Infosec Institute breaks down these tools into a number of categories, which in and of itself gives you a sense of the sorts of tasks they can complete:
- Disk and data capture tools
- File viewers
- File analysis tools
- Registry analysis tools
- Internet analysis tools
- Email analysis tools
- Mobile devices analysis tools
- Network forensics tools
- Database forensics tools
The Institute also maintains a great list of popular forensics tools, which is updated regularly.
Digital forensics degree programs and certifications
Traditionally, digital forensics practitioners came from a more general computer science background, and often were experienced sysadmins who were already comfortable with many of the basic tools used in digital forensics. However, in line with the increasing specialization within the industry, a few schools now offer degrees or concentrations specific to digital forensics — two in conventional on-campus settings and three online:
- Purdue University has a Cybersecurity and Forensics Laband offers a master's degree with a specialty on cyber forensics
- The School of Business and Justice Studies at Utica College offers a bachelor's degree in cybersecurity and information assurance, with cybercrime investigations and forensics as one of the possible concentrations
- Champlain College offers anonline bachelor's degree in computer forensics
- The John Jay College of Criminal Justice at the City University of New York offers an online master's in digital forensics and cybersecurity
- The University of Maryland University College offers an online master's in digital forensics and cybersecurity
If you have a more general educational or professional background but would like a leg up in your job search, you might want to consider pursuing a digital forensics certification. Business News Daily curated a list of the five most valuable certs; their top picks are SANS's Global Information Assurance Certification (GIAC) Certified Forensic Examiner and Certified Forensic Analyst certifications.
Finally, it's worth noting that, as digital forensics expert John Irvine puts it, "computer forensics is an apprenticeship discipline ... You really learn the trade once you’re in a seat working on real cases alongside a senior examiner."
Digital forensics jobs
Jobs in digital forensics tend to have titles like "investigator," "technician" or "analyst," depending on your level of seniority and specialization. The majority of jobs in the digital forensics field lie in the public sector — in law enforcement, for state or national agencies, or for crime labs, though the latter might be privately run and contract with public agencies.
However, with public cybercrime labs often overwhelmed — and less nimble than they could be due to bureaucratic red tape — large companies are beginning to run their own labs, creating another lucrative path for digital forensics professionals. As of 2017, there were six digital forensics labs accredited by the American Society of Crime Laboratory Directors at private companies, including Target, Walmart and American Express.
What sort of salary can a digital forensics professional expect? According to PayScale, the average forensic computer analyst makes around $70,000 a year, though there's a rather wide range that can go from around $45,000 to around $115,000.
Digital forensics career
With all that being said, you might decide that computer forensics is the career path for you. And it's a fascinating one! But maybe linger just a little bit on the decision: like any career path in law enforcement, it can put you in touch with the some of the worst of human nature. John Irvine has a somber blog post on the darker side of computer forensics. Remember how we said that much of the computer forensics field became professionalized in the hunt for child pornographers and terrorists? Well, as Irvine describes, that can take a real toll on investigators, as they have to examine and watch much of the material they find. It's a sobering thought, but a necessary one as you consider a digital forensics career.