Recently, I ran across the following job post.
"Computer Forensic Examiner/MEDEX -- Afghanistan"
- % Travel : 100
- Clearance: Must currently possess a minimum Final Secret in JPAS, DIA Access preferred.
- Must be able to pass a SI and POLY.
The posting goes on to list 17 skills -- specific to digital forensics -- in which potential candidates must be proficient.
Been there. Done that.
Did you know jobs like that existed? I didn't. I had to find out more. My search took me to the blog: Girl, Unallocated.
That's where I found the real deal, Melia Kelley -- aka Girl, Unallocated. She met all qualifications. In fact, she's already been there and done that. The only difference; there was Iraq, not Afghanistan.
Made a promise
I better step back for a second. I had mentioned in a previous article that I know just enough about digital forensics to be dangerous. Some students called me out on it, particularly one young lady -- something about me being a guy and knowing very little.
I'm about to fix that.
I contacted Melia, explained my predicament, and she agreed to help. After exchanging a few emails, I started understanding Melia's world - busy. Besides working, Melia and her husband are raising four children. I began to feel as if I was intruding and suggested a phone call might be easier. It was.
Here is what Melia had to say about her path to digital forensics.Kassner: English literature seems an unlikely college major for a digital forensics professional. What happened? Kelley: I don't know if it was luck, fate, or maybe random causality that led me to digital forensics. I'm just one of those people who managed to find what they love doing. In college, I knew I wanted to be in the legal field; looking back, that must have been the first step. Kassner: Digital forensics is a technically demanding field. How does a paralegal just out of college transition to digital forensics investigator? Kelley: The transition didn't happen overnight. Fortunately, I worked for a company that encouraged me to get hands-on experience. In addition, specialized training and forensic certifications were another way I could demonstrate my increased capabilities.
My first certification was Certified Computer Examiner. A vendor-neutral cert provided by the International Society of Forensic Computer Examiners.
I followed up with two vendor-specific certifications: EnCase Certified Examiner by Guidance Software and Access Data Certified Examiner by Access Data. I wanted to show proficiency in what are arguably the most recognized software suites in the industry.
Also, one thing I learned, there is no "final destination" in this field. Everything we use; knowledge base, systems, data, and tools are constantly in flux.Kassner: Okay. Now you are an employed digital forensics professional. Then you decide to spend a year in Iraq as a civilian digital forensics examiner. What was that like? Kelley: Iraq is where I honed my skills. The training, resources, and huge amounts of data to examine provided more experience in one year than all the previous ones combined. And, knowing lives may be on the line is plenty of motivation to do my best work. Kassner: (During the phone call, I tried my best to get at least one juicy detail about Iraq. But, nada. Something about my lacking security clearance.)
As for the pool...one thing I learned from my time in Iraq is that a sense of humor is invaluable. If you dwell on the fact that you're far from home and family it can be incredibly hard day-to-day.
So, humor is a good distraction.
The day at the pool came after a hard week. Our officer-in-charge decided it was time to take a break and go relax. As always, the person with the lowest rank gets ribbed the most. What you are seeing is our poor Airman getting dunked in the deep end.
I (Melia) took that picture, so I attached another. Here we're at the foot of Ziggurat of Ur. See if you can spot the female civilian - kind of like "Where's Waldo".First Advantage Litigation Consulting. How does this position differ from your time in Iraq? Kelley: For one thing, Army Colonels are less intimidating than lawyers -- just kidding. They are about equal. I no longer get USO packages or Christmas cards from strangers saying thank you.
But I'm not complaining. In Iraq I was the only MEDEX investigator on my base, so I felt a bit isolated. At First Advantage, I am part of an active team that provides an amazing amount of professional support and cross-training.
Also, in Iraq I didn't go "outside the wire" for any reason. By contrast, in the past few months, I have been to London, Munich, and Tokyo for business. Added bonus. I have my own car here, and don't have to wait for a convoy or Chinook to get somewhere.Kassner: I recently interviewed Eric Huber, also a digital forensic professional. He pointed out the difference between digital forensics and eDiscovery. You mentioned dealing with something else called MEDEX (MEDia EXploitation). What is MEDEX? Kelley: MEDEX is similar to digital forensics. It utilizes many of the same tools, follows the same methodology, and requires the same set of skills. To some they are interchangeable.
The difference lies in the end goal:
- Digital forensics is the process of uncovering and interpreting data for use in a court of law.
- Media Exploitation is the process of uncovering and interpreting data to be used as actionable intelligence.
If you remember, during our phone conversation, I mentioned a concern students have. There is no clear-cut path that students can follow to become a digital forensics professional. They see that as a real problem.
I'd like to start with something you pointed out, "People gravitate to digital forensics from varied backgrounds."
Would you explain what you meant?Kelley: From what I've observed, the digital forensics field seems to have gone through three generations of professionals. The "first generation" -- founding fathers of the profession -- may not have considered what they did distinctly unique. They were programmers, IT professionals and police officers coming up with solutions to new technical problems.
The "second generation" came in when digital forensics was recognized as a field and its importance became clear in litigation and law enforcement arenas. Professionals with varied backgrounds began to join and certifications and commercial tools started to surface.
I believe we are now in the "third generation". Digital forensics is becoming well-known. There are now universities offering degrees specifically in digital forensics.
The best advice I can think of for someone wanting to break into the field is to do digital forensics. You don't need company-backing to take an exam, nor do you need to spend vast amounts of money.
Also, run practice forensics examinations using open source or evaluation software. There are practice images online for this purpose. I would also recommend becoming involved in the online digital-forensics community. Some of the biggest names in the industry are active, and it is a great way to get your name out there.Kassner: From all you have learned and experienced, what would you tell a classroom full of students interested in digital forensics as a career? Kelley: First, digital forensics is nothing like what you see on television. It's not a matter of pushing a button and information popping up on a shiny holographic screen. There is a lot of time spent doing research, investigating minutiae, and writing reports. It's not always glamorous.
I would be remiss if I didn't mention something. The likelihood is high that you will come across unsavory components while investigating, particularly if law enforcement is involved. To help cope, many companies have mandatory counseling for investigators working that type of case.
There are wonderful aspects to the job and they far exceed the bad. Job satisfaction is one. And, it is a good field for people who like a challenge and continued learning.Kassner: Information Technology is said to be a male-dominated profession. Digital forensics, a subset of IT, appears to be as well. For example, the LinkedIn group, "Women in Digital Forensics" has just eight members. Would you share if and how that affects you? Kelley: Personally, being a female has never been a detriment to my career. Truth be told, there are advantages and disadvantages to being a minority. I and several other female digital forensics investigators talked about them during a Forensic 4cast panel discussion. Kassner: In the Forensic 4cast podcast, I swear I heard the term "forensicator". Is that a real word? Kelley: Forensicator...It's not a real word, though I may petition Webster's Dictionary next year. I believe it was started as a spoof by some members of SANS. And it went viral -- or as viral as something can go in a niche online community. Kassner: Last question. Your website is called Girl, Unallocated. What's that about? Kelley: Initially, my blog was going to point out how digital forensics was wrongly portrayed in movies and television shows. And, I wanted a name to reflect that. I considered using "Boondock Satas" or "Inglorious Write Blockers."
In the end, Girl, Unallocated won. Unallocated space refers to the clusters on digital media designated by the system as not containing active data. Unallocated space can, and frequently does, hold information that has not been overwritten. For forensicators, it is a goldmine of information.
This was my second interview with a digital forensics investigator. This profession is definitely multi-faceted, requiring serious IT skills, knowledge of law-enforcement procedures, and the intuition of Sherlock Holmes. My hat is tipped in respect.
Thanks, Melia, for sharing your story.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.