In my previous article, "So you want to be a computer forensics expert," I discussed the unregulated (and sometimes downright disorganized) nature of the relatively new field of computer forensics and the lack of standardization when it comes to background and qualifications of those working in this role. While it's true that many current forensics examiners are self-trained, it's inevitable that as the profession matures, more formal training will be required by employers. And eventually, those employers may not even have the option to hire you if you don't meet certain educational criteria.
The inevitability of regulatory control
It's likely that there will come a time when computer specialists have to be licensed by the government or a professional organization in the same way that doctors, lawyers, plumbers and hairdressers (and in some states, even palm readers) are today. In fact, many would argue that this requirement is long overdue. The rationale behind licensing is that in some occupations, how you do your job has a profound effect on other people's lives. The original purpose of licensing is to protect the public from incompetents and charlatans, although many have questioned the effectiveness and pointed out the negative consequences of occupational licensing requirements. This opposition has had little impact on the ever-expanding oversight of government over the business world. According to an article on Occupational Licensing by S. David Young on the Library of Economics and Liberty website, in the U.S. almost five hundred different occupations were subject to licensing by at least one state as of 2002.
Forensics experts play a vital part in today's society, although they are largely hidden from the public. Forensics examiners provide expert testimony in criminal trials and civil lawsuits that can affect whether an accused person is found guilty of a crime and subjected to often-severe penalties, or whether a company or individual is found liable and forced to pay sometimes huge awards. Certainly it's tough to deny that forensics experts can have a profound effect on others' lives - arguably at least as much so as librarians, tree trimmers, bill collectors, show promoters, upholsterers, insurance agents, automotive technicians, funeral directors, locksmiths and HVAC mechanics (all of which are licensed in California). You can find out what occupations are licensed in your state by using the tool on this website.
Given this trend, it would seem to be only a matter of time until computer forensics becomes another licensed occupation. If and when that happens, entry into the field will be restricted to those who meet the mandated requirements, which will probably include formal education or training and/or on-the-job experience and may also include passing a licensing examination and/or a background investigation. If you're considering a career in computer forensics at this time, you can get ahead of the game by getting the education/training under your belt now. Even if it's not mandatory, it will make you a more attractive job candidate and may result in a higher level of compensation and faster advancement. You may also want to consider documenting your knowledge and skills by obtaining one or more industry certifications.
Computer forensics training options
Currently there are several ways to get the education and training for entering a career in computer forensics, including the following:
- Complete a two- or four-year college or university degree in computer forensics or a related subject
- Complete a "trade school" or "vocational school" training program in computer forensics
- Complete a "boot camp" in computer forensics
- Complete training provided by vendors of forensics equipment and software
- Complete in-house training courses offered by your employer
- Complete a self-study course
- Obtain on-the-job training through an apprenticeship or internship program
I'm not going to list specific training programs in this article because there are hundreds or even thousands, and it's impossible for me to know the quality of each school or short course. A web search for "Computer forensics training" will turn up many hits. What I want to do is help you decide what type of training is best for you and provide some tips on how to evaluate the different programs within your chosen type.
A formal associate's or bachelor's degree in computer forensics is the most impressive educational credential that you can present to a potential employer, but it also requires the most time and usually the largest financial investment. The good news is that you may already have some of the credits you need if you've completed college courses in basic subjects, and/or you might be able to CLEP out of some of the required classes, thereby shortening the time commitment that's required. You might also qualify for financial aid; check with your chosen college or university.
Some schools offer some or all classes online, and some are self-paced so you can attend college without traveling to the campus and work when it's convenient for you. Be sure that the school offering the degree is properly accredited and not a "diploma mill." Check out the reputation not only of the school as a whole but also of its computer forensics program in particular. This program may be part of the Computer Science program in some schools, and part of the Criminal Justice program in others. The emphasis will probably be slightly different, with the former more focused on the technical aspects and the latter more focused on the legal aspects. Private employers may prefer the CS focus while public/government agencies prefer the CJ approach.
If you don't have the time to dedicate to getting a degree, and especially if you already have work experience in the field and want to supplement it with some formal training, a trade school program might serve your purposes. These are also called vocational schools or technical schools.
This type of school is usually a private commercial enterprise that's regulated and licensed by the state. These schools must meet minimum standards in regard to facilities, student admission standards, student complaints, and so forth. Unlike a college or university, they offer targeted training in specific programs designed to prepare you for a job, and don't usually offer general, basic or "liberal arts" type courses. Programs typically range from six months to one or two years. Like colleges and universities, some vocational schools offer online training. To confuse matters further, some vocational/technical schools offer associate's or bachelor's degrees while others only offer certificates of completion. It's important to check out the accreditation and reputation of the school before signing up for a course.
When time is really limited, the "boot camp" type of training might appeal to you. This is an intensive, "total immersion" short-term course (usually one or two weeks) that often also includes targeted preparation for one or more certification exams. Prices usually range from a few hundred to several thousand dollars. Be aware that boot camps are usually commercial ventures operated by a company or individual for profit. Quality of the training ranges from useless to excellent.
The makers of forensics equipment and software often offer training in the use of their products. This may be included in the cost of the product or you may have to pay extra for it. These classes are usually short (one day to two weeks) and, like boot camps, may be operated by "traveling trainers" who go from city to city to conduct the training or they may be held in a fixed location. The courses will focus on how to use the specific equipment or software, as opposed to boot camps, which will usually provide more general training. Vendor training may or may not include a vendor certification exam.
Many large companies provide training for their employees, so if you already have a job, you may be able to benefit from employer-hosted classes. For example, a company might bring in trainers (or use qualified on-staff trainers) to conduct training in computer forensics for its current IT professionals, to expand their skillsets and train them to handle incident response and administrative investigations of security breaches. A law enforcement agency might likewise provide in-house training in computer forensics for some of its police officers, to allow patrol officers, general crime scene technicians or other interested employees to move into the role of digital forensics specialist. In-house training may be optional or mandatory for particular employees, and it can range from very informal to a formal standardized course of study that leads to an industry-recognized certification or even carries college credits, depending on how it's implemented.
If you're an IT pro, you may have obtained various IT certifications such as the MCSE or CCNA by studying on your own and then taking the associated exam(s). You won't find the plethora of self-study material for computer forensics certifications that abounds for those other exams. However, it's still possible to devise your own self-study program and you can take some of the computer forensics certification exams without completing a formal course.
You can determine what topics to study by following the guidelines and learning objectives that are provided for most exams, and then digging out the information through web searches and popular books dedicated to the subject of computer forensics.
On-the-job training/apprenticeship and internship
Once upon a time, almost all training for jobs was on-the-job training. Even physicians learned by working under the tutelage of an experienced doctor. The apprenticeship system still exists today in the unregulated occupations (which, at the moment, still include computer forensics examiners in many jurisdictions). Unfortunately, it's rare to find an apprenticeship program in the types of companies and government agencies that employ computer forensics examiners. What you might be able to find is an internship program, where the firm or agency will take you on as an unpaid worker for a few months. You'll get exposed to a real forensics lab and do simple work such as research and "gofer" duties. Unfortunately, these spots are usually reserved for college students who are majoring in forensics, so they serve as a supplement to (rather than a substitute for) formal education.
Evaluating a training program
For any program you're considering, but especially in the case of trade schools, boot camps and vendor courses, before you lay down your money it's important to thoroughly check out the programs and ask lots of questions. Find out exactly what is included in the cost. Some high-dollar boot camps include room and board for the duration. If not, don't forget to figure in the cost of food and lodging (as well as travel) if the training location isn't local. Do you get copies of the forensics software to keep? Here are some other items for your checklist:
- What are the credentials of the instructor(s)? Find out what experience they have and how they are regarded in the field.
- How long has the program been in operation? What has turnover in personnel been like during that time?
- What is the record of the program in regard to its graduates getting jobs in the field? Ask for names and contact information of others who have completed the training and find out what they think about it now.
- Talk to the employers of graduates and find out how they feel about the level of knowledge and competence of their employees who completed the training.
- Are certification exams administered at the end of the program? Is the cost included in the training cost? How well are the particular certifications regarded within the industry?
Watch out for schools that seem overly eager to get you to sign on the dotted line. Be cautious about taking on a student loan to pay the tuition, and be sure you understand the terms. If you're offered a grant, make sure that's really what it is, and not a "loan in grant's clothing." That means you should read every contract very carefully - more than once - and seek legal advice if you don't understand it. A forensics examiner must be able to focus on details, so going over every word of the contract is good practice for your new career.
In part one of this article, we took a look at the different types of training you can get to prepare you for a career in computer forensics, and how to evaluate the individual training programs. Next month, we'll examine some of the popular certifications that are available for computer forensics examiners, which are most recognized and respected by employers, and what you have to do to obtain them.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.