
Breaking into the digital forensics field: Melia Kelley's path

The field of digital forensics is not for the faint-hearted, especially if it involves intelligence-gathering for the military. Michael Kassner talks to Melia Kelley about the path that took her to Iraq.

Recently, I ran across the following job post.

Wanted:

"Computer Forensic Examiner/MEDEX -- Afghanistan"

Requirements:

  • % Travel : 100
  • Clearance: Must currently possess a minimum Final Secret in JPAS, DIA Access preferred.
  • Must be able to pass a SI and POLY.

The posting goes on to list 17 skills -- specific to digital forensics -- in which potential candidates must be proficient.

Been there. Done that.

Did you know jobs like that existed? I didn't. I had to find out more. My search took me to the blog: Girl, Unallocated.

That's where I found the real deal, Melia Kelley -- aka Girl, Unallocated. She met all qualifications. In fact, she's already been there and done that. The only difference: "there" was Iraq, not Afghanistan.

Made a promise

I better step back for a second. I had mentioned in a previous article that I know just enough about digital forensics to be dangerous. Some students called me out on it, particularly one young lady -- something about me being a guy and knowing very little.

I'm about to fix that.

I contacted Melia, explained my predicament, and she agreed to help. After exchanging a few emails, I started understanding Melia's world - busy. Besides working, Melia and her husband are raising four children. I began to feel as if I was intruding and suggested a phone call might be easier. It was.

Here is what Melia had to say about her path to digital forensics.

Kassner: English literature seems an unlikely college major for a digital forensics professional. What happened?

Kelley: I don't know if it was luck, fate, or maybe random causality that led me to digital forensics. I'm just one of those people who managed to find what they love doing. In college, I knew I wanted to be in the legal field; looking back, that must have been the first step.

Kassner: Digital forensics is a technically demanding field. How does a paralegal just out of college transition to digital forensics investigator?

Kelley: The transition didn't happen overnight. Fortunately, I worked for a company that encouraged me to get hands-on experience. In addition, specialized training and forensic certifications were another way I could demonstrate my increased capabilities.

My first certification was Certified Computer Examiner, a vendor-neutral cert provided by the International Society of Forensic Computer Examiners.

I followed up with two vendor-specific certifications: EnCase Certified Examiner by Guidance Software and Access Data Certified Examiner by Access Data. I wanted to show proficiency in what are arguably the most recognized software suites in the industry.

Also, one thing I learned: there is no "final destination" in this field. Everything we use -- knowledge base, systems, data, and tools -- is constantly in flux.

Kassner: Okay. Now you are an employed digital forensics professional. Then you decide to spend a year in Iraq as a civilian digital forensics examiner. What was that like?

Kelley: Iraq is where I honed my skills. The training, resources, and huge amounts of data to examine provided more experience in one year than all the previous ones combined. And, knowing lives may be on the line is plenty of motivation to do my best work.

Kassner: (During the phone call, I tried my best to get at least one juicy detail about Iraq. But, nada. Something about my lacking security clearance.)

Very well, then. What can you tell this investigative reporter about swimming pools in Iraq?

Kelley: A security clearance is a must for doing MEDEX work. And, working with the intelligence community must have rubbed off on me. As you can see, I am reluctant to part with information.

As for the pool...one thing I learned from my time in Iraq is that a sense of humor is invaluable. If you dwell on the fact that you're far from home and family it can be incredibly hard day-to-day.

So, humor is a good distraction.

The day at the pool came after a hard week. Our officer-in-charge decided it was time to take a break and go relax. As always, the person with the lowest rank gets ribbed the most. What you are seeing is our poor Airman getting dunked in the deep end.

I (Melia) took that picture, so I attached another. Here we're at the foot of Ziggurat of Ur. See if you can spot the female civilian - kind of like "Where's Waldo".

Kassner: Thank you for sharing your experiences in Iraq. You presently work for First Advantage Litigation Consulting. How does this position differ from your time in Iraq?

Kelley: For one thing, Army Colonels are less intimidating than lawyers -- just kidding. They are about equal. I no longer get USO packages or Christmas cards from strangers saying thank you.

But I'm not complaining. In Iraq I was the only MEDEX investigator on my base, so I felt a bit isolated. At First Advantage, I am part of an active team that provides an amazing amount of professional support and cross-training.

Also, in Iraq I didn't go "outside the wire" for any reason. By contrast, in the past few months, I have been to London, Munich, and Tokyo for business. Added bonus. I have my own car here, and don't have to wait for a convoy or Chinook to get somewhere.

Kassner: I recently interviewed Eric Huber, also a digital forensic professional. He pointed out the difference between digital forensics and eDiscovery. You mentioned dealing with something else called MEDEX (MEDia EXploitation). What is MEDEX?

Kelley: MEDEX is similar to digital forensics. It utilizes many of the same tools, follows the same methodology, and requires the same set of skills. To some they are interchangeable.

The difference lies in the end goal:

  • Digital forensics is the process of uncovering and interpreting data for use in a court of law.
  • Media Exploitation is the process of uncovering and interpreting data to be used as actionable intelligence.

Kassner: The next few questions are based on queries I'm getting from students.

If you remember, during our phone conversation, I mentioned a concern students have. There is no clear-cut path that students can follow to become a digital forensics professional. They see that as a real problem.

I'd like to start with something you pointed out, "People gravitate to digital forensics from varied backgrounds."

Would you explain what you meant?

Kelley: From what I've observed, the digital forensics field seems to have gone through three generations of professionals. The "first generation" -- founding fathers of the profession -- may not have considered what they did distinctly unique. They were programmers, IT professionals and police officers coming up with solutions to new technical problems.

The "second generation" came in when digital forensics was recognized as a field and its importance became clear in litigation and law enforcement arenas. Professionals with varied backgrounds began to join and certifications and commercial tools started to surface.

I believe we are now in the "third generation". Digital forensics is becoming well-known. There are now universities offering degrees specifically in digital forensics.

The best advice I can think of for someone wanting to break into the field is to do digital forensics. You don't need company-backing to take an exam, nor do you need to spend vast amounts of money.

Also, run practice forensics examinations using open source or evaluation software. There are practice images online for this purpose. I would also recommend becoming involved in the online digital-forensics community. Some of the biggest names in the industry are active, and it is a great way to get your name out there.

Kassner: From all you have learned and experienced, what would you tell a classroom full of students interested in digital forensics as a career?

Kelley: First, digital forensics is nothing like what you see on television. It's not a matter of pushing a button and information popping up on a shiny holographic screen. There is a lot of time spent doing research, investigating minutiae, and writing reports. It's not always glamorous.

I would be remiss if I didn't mention something. The likelihood is high that you will come across unsavory components while investigating, particularly if law enforcement is involved. To help cope, many companies have mandatory counseling for investigators working that type of case.

There are wonderful aspects to the job and they far exceed the bad. Job satisfaction is one. And, it is a good field for people who like a challenge and continued learning.

Kassner: Information Technology is said to be a male-dominated profession. Digital forensics, a subset of IT, appears to be as well. For example, the LinkedIn group, "Women in Digital Forensics" has just eight members. Would you share if and how that affects you?

Kelley: Personally, being a female has never been a detriment to my career. Truth be told, there are advantages and disadvantages to being a minority. I and several other female digital forensics investigators talked about them during a Forensic 4cast panel discussion.

Kassner: In the Forensic 4cast podcast, I swear I heard the term "forensicator". Is that a real word?

Kelley: Forensicator...It's not a real word, though I may petition Webster's Dictionary next year. I believe it was started as a spoof by some members of SANS. And it went viral -- or as viral as something can go in a niche online community.

Kassner: Last question. Your website is called Girl, Unallocated. What's that about?

Kelley: Initially, my blog was going to point out how digital forensics was wrongly portrayed in movies and television shows. And, I wanted a name to reflect that. I considered using "Boondock Satas" or "Inglorious Write Blockers."

In the end, Girl, Unallocated won. Unallocated space refers to the clusters on digital media designated by the system as not containing active data. Unallocated space can, and frequently does, hold information that has not been overwritten. For forensicators, it is a goldmine of information.

Final thoughts

This was my second interview with a digital forensics investigator. This profession is definitely multi-faceted, requiring serious IT skills, knowledge of law-enforcement procedures, and the intuition of Sherlock Holmes. My hat is tipped in respect.

Thanks, Melia, for sharing your story.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

19 comments
ms_vickin

Thank you to Michael and Melia for an interesting and informative conversation. I'm currently taking a class in the legal aspects of digital forensics. I've found there to be an abundance of information online and I find myself trying to absorb all I can. There are many wonderful blogs (yes, I do read Girl, Unallocated) by those working in the field. Many of the heavy hitters in the field can also be found on Twitter. I've found the digital forensics community to be very generous in sharing their knowledge to help those in training. As a female in the networking arena of IT, there aren't many of us and there are even less in the forensic circle. I would encourage women out there interested or even just curious to listen to the Forensic 4cast panel discussion. It was funny, insightful and encouraging to hear intelligent women discuss their work and experiences. Finding where to start in this field can be confusing and intimidating, but one easy, simple and, most importantly, FREE, avenue to pursue is to start reading the blogs. There's no way you'll ever get bored or feel like you've learned it all.

girlunallocated

As Michael mentions, there really isn't a clear-cut path. A couple of thoughts, though - You mentioned that you have your A+. Why not continue with that path and get your Network+ and Security+ certifications? There are plenty of self-study options out there, to help limit costs. They aren't DFIR specific, to be sure, but it will demonstrate a baseline of knowledge (I personally have all three). As for DFIR knowledge, there is a lot of information available online and in books that should help you get on your way. You may not have the piece of paper (i.e. cert) initially, but it is a start in the right direction. On the job front, it can be a good move to get work doing general IT in a law firm, or large corporation that has a legal department. eDiscovery vendors also are a great place to start working in the industry. Even if you aren't doing DFIR work directly, these can help give you exposure to the industry.

mistercrowley

Hey all! I am interested in the forensics part but I am not sure where to go from my A+ IT Tech cert - which is a lifetime cert for me and it no longer exists as the IT Tech. What do you suggest? I work as a bi-lingual call center rep for one of the largest computer manufacturers in the world - helping people get the best machine for the money they want to spend. I just don't make a lot of money to take classes or buy resources... Any input would be greatly appreciated. Thanks, Chris

IT Pixie

Just in time for when I'm thinking about getting into the digital forensics/cyber security field... Thank you Michael for the article and Melia for sharing her experience! :)

AnsuGisalas

My spider sense tells me to think this means "icky stuff - to the extreme", would that be incorrect? I'll also echo Sean and say: Thanks Kelly and Michael - this line of investigation is getting interestinger and interestinger...

seanferd

That was quite interesting.

Michael Kassner

New post Learn how a forensics investigator gained experience by helping the U.S. military in Iraq.

girlunallocated

You are absolutely right on following the blogs and twitter. Even after a number of years in the field, I am still amazed by the amount and quality of the information that is freely available from people in the industry. And as strange as it seems, twitter is incredibly active in the DFIR community. Often, that is where I get the latest news and happenings. Thank you for taking the time to read and respond! It is great to see the quality of people (and women!) out in the industry.

Michael Kassner

Perchance did you read my article where I interviewed Eric Huber? He sheds more light on the profession.

HAL 9000

Now I should warn you that we will corrupt you so you should Run like Hell to remain safe. :^0 On the other hand you might even find this site more than a bit interesting but they are a dangerous crowd here. ;)

jc

If your mind isn't wired in such a way that you can "turn off" the emotional switch, another career choice could be warranted. I don't think I have ever performed an investigation (10+ years) where additional items of interest didn't spawn from the original request. These are not usually known at the beginning of the investigation and they can certainly lead to some dark places. To perform at my best, I find that I have to totally immerse myself into the mind and data of the subject of my investigation. It is like mentally taking off the gloves and sinking your fingers deep into what the dog left in the yard. The outcome can be truly rewarding, but getting there can take a toll on you. When I am working a case, I refer to it as diving into my headache hole. :)

girlunallocated

You are absolutely right.... "icky to the extreme"! Depending on which area you work in (i.e. Law Enforcement, Military, Litigation, etc.) what you come across will likely vary. Military and Law Enforcement tend to see more violence in addition to the other "ickiness." I don't know if I've ever met a DFIR examiner who has worked long in the field who hasn't seen all kinds of pornography (and I mean ALL kinds). The hardest to deal with for many is CP. Coming in contact with Child Pornography can and does happen to examiners, and can be very hard to deal with.

ms_vickin

Excellent interview. I read his blog as well. You seem to be on a roll. Look forward to reading more.

mistercrowley

I should warn you that me being corrupted is a hard call since I am pretty much there. When I get on a machine and am looking for things, most people that work with me cannot follow me. Particularly when looking for files and whatnot. I actually subscribe to TR, using several newsletters. TR Dojo, Daily Digest, and IT Career. Love the HAL/IBM avatar... very apropos...

Michael Kassner

You mentioned that you know as much as possible about the subject. I have heard -- the podcast, I think -- that some investigators prefer not to know about the subject as it biases the investigation. Thoughts?

HAL 9000

If nothing else. Though to be perfectly honest I've been shown some really excellent Porn Sites by the Geriatrics in Retirement Homes, women being the worst offenders. If I was interested I could probably qualify for a PhD in Porn Sites. :^0 Though it's perfectly straight and most definitely no Kiddy Porn which is what I personally find really offensive. ;) Col

AnsuGisalas

People pursuing this line of work probably knew what you meant... It has to be worth something that your work is one of the major means of getting to the distributors of that filth, though? It is to me, at least, I am almost as happy that people like you do this job, as I am saddened that there is reason for it - obviously, I'd rather that there was no such thing, but what you do is right up there! Thanks for answering my question too! :D

HAL 9000

Welcome to the Gutter with the rest of us. ;) It's fun here and you can not fall any lower. :D Col 0:-)
