Education

So you want to be a computer forensics expert

Deb Shinder outlines the skills, education, tools, and experience you will need to follow a career in computer forensics.

Forensics, or forensic science, is the application of scientific methods to resolve or shed light on legal issues. It has a number of subdivisions; forensic medicine involves the examination of the human body (living or dead) for purposes of answering legal questions or gathering evidence for a criminal or civil action. Forensic accounting involves the examination of financial records for the same purpose. And computer forensics, as the name indicates, involves the examination of computer systems and data for legal purposes.

A forensic pathologist is a medical doctor first, who then specializes in pathology, with forensics being a subspecialty. Similarly, a forensic accountant has a broad education in general accounting principles before focusing on the legal field. Ideally, then, a computer forensics expert will be trained in computer science before specializing in forensics. However, in the real world there has been deviation from this pattern. The computer field is much less regulated than medicine or accounting, and one doesn't have to be licensed or meet any particular educational standards in order to hang out a shingle as a "computer expert." Many are self-taught or learned their skills through on-the-job training. And many of those working in computer forensics were initially trained in law enforcement - police officers or general evidence technicians who developed an interest in digital evidence. Others were IT professionals or IT security personnel (with or without formal training) who became interested in the evidentiary nature of digital data.

The point? There are many different starting points for becoming a computer forensics expert.

Qualifications

It helps to have a computer science degree, but that's not a requirement. You do need either formal training or a number of years of experience in the industry. It also helps to have law enforcement training, but again, that's not always necessary. However, if you'll be working for/with law enforcement agencies, you'll need to have a clean criminal history. Even if you only plan to work on civil cases, if you'll be testifying in court, anything in your background that can be used to damage your credibility will be seized upon by the opposing attorney.

Whether you start out on the IT side or the law enforcement side, to be a good computer forensics expert, you should have certain personal characteristics. As with any investigative specialist, you should have a curious nature - one that leads you to want to dig and ask questions and keep at it until you figure out the answers. You should be organized, as you'll be dealing with a lot of information and you must be able to recognize patterns and see correlations. You need to have excellent observation skills, and be capable of seeing both the minute details and the "big picture." And you must be objective, so that you can draw conclusions that aren't influenced by your preconceptions or prejudices. Finally, you need to be able to meticulously document your findings and often, to be able to present them to others (attorneys, judges, juries) who don't have your specialized knowledge, so you need both good writing skills and good speaking skills.

Regardless of whether you're self-trained or formally educated, you need a good basic understanding of computer science, networking protocols, operating systems and software, and IT security issues. Beyond that, you need to master the software and tools you'll use to collect the evidence and discover hidden data. You also must understand the law as it pertains to evidentiary data, rules of evidence and what must be done to preserve the chain of custody and the integrity of the evidence. You'll need to know about search warrants, exigent circumstances, and probable cause for seizing digital evidence.

Depending on the agency for which you work, you may or may not need to be a sworn law enforcement officer to work as a computer forensics examiner. If you are required to be sworn, you'll have to go through the law enforcement training academy and meet all the qualifications (including physical fitness and firearms training) that other law enforcement officers must meet.

What the job entails

In the criminal justice system, a computer forensics expert's primary task is examining computers and devices to discover and collect evidence to convict or exonerate a person accused of a crime (or in some cases, to determine whether a crime has in fact occurred and the nature of that crime). You might be called to the scene of the crime or the location of the equipment that's suspected of being involved in a crime, to take custody of the computer equipment. First responders should be educated in how to preserve the evidence before your arrival. For example, they should know not to shut down or unplug a running computer or to attempt to examine it themselves. Some criminals "booby trap" their systems with software that will erase incriminating files if a particular sequence of keystrokes isn't entered at a particular time. At the very least, shutting down the system will lose any data that's in RAM.

The sooner you - the forensics expert - can take charge of the system, the less likely important evidence will be lost. Often, however, the computers will be brought to you at the lab. Then you'll have to work with what you have: first and foremost, the information on the hard drive. Your first step in dealing with that evidence, whether in the field or in the lab, will be to make a disk image. This is an exact, bit-level duplicate of the disk. You want each physical sector of the disk to be copied so the data is distributed in exactly the same way as on the original.

There are several ways to make a bit-level copy of a disk, depending upon where you are and what equipment you have available:

  • Remove it from the suspect computer and attach it to another computer, preferably a forensics workstation.
  • Attach another disk to the suspect computer and make the copy.
  • Use a standalone imaging device.
  • Use a network connection to transfer the contents of the disk to another computer or forensics workstation.

You should use imaging software that's made specifically for law enforcement forensics work, such as EnCase Forensic from Guidance Software. In addition to image creation, such software includes analysis and reporting features. You can find out more about EnCase here.

If you're called to the field to take custody and begin processing digital evidence, of course you don't want to overlook data storage locations external to the suspect computer(s). That could include external hard drives, USB thumb drives, flash memory cards, CDs and DVDs, backup tapes, network attached storage devices, smart phones, tablets, etc. Even the memory cards in a digital camera, digital picture frame, GPS unit or other consumer device might contain evidence. It's also important, if you are involved with executing the search warrant, that digital storage devices are easily disguised. Thumb drives, in particular, are made in all sorts of designs to look like toys, pens, even food. This web site shows some of the creatively designed flash drives that are out there.

Once you have all the evidence collected and have made bitstream copies of the drives, you will examine those copies rather than the original disks. That way, you won't introduce changes to the originals during your examination. For example, if you examine the original, you will change some of the timestamps when you open files.

You will use various tools to analyze the contents of the files you've copied. For instance, there are tools such as Evidor that will search for keywords - not just in the regular files but also in the paging file, unallocated space, and slack space (the unused space within a disk cluster). You can use tools such as Ontrack to recover files and file fragments that have been deleted and to repair files such as Word documents and zipped files.

There are also tools that will sort and organize the contents of a disk to make it easier for you find what you're looking for (for example, in a child pornography case you might be looking primarily for graphic images and videos). These utilities can sort by file header rather than file extension, so that even if the criminal has tried to disguise the files by changing their extensions, you can still find them. Other tools can decode data and time values that are embedded in files, to help you discover the accurate timestamps when the criminal has changed the timestamps displayed with the file.

Although the majority of the personal computer market consists of Windows machines, you will also encounter suspect computers that run Linux/UNIX or Mac operating systems. There are tools that allow you to copy files from one operating system to another. The Coroner's Toolkit is a collection of tools for examining UNIX systems.

Documenting and presenting your findings

The job of a computer forensics expert doesn't end when the digital evidence has been obtained and analyzed. You must then document your findings in the form of one or more reports that detail not only what you found, but how you found it. It's important that you be able to articulate the process and procedures you followed so there will be no doubt that the evidence was legally obtained, that its integrity was preserved throughout the process, and that there was no opportunity for it to be tampered with. In police work, there is a well known axiom: If it's not in the report, it didn't happen. Whether or not you are a sworn officer, this applies to your forensics report, as well.

Finding and documenting the evidence well is half the battle, but in order to obtain a conviction (or acquittal, if you work on the side of the defense), that evidence must be presented in court. In some instances, your written report may be entered into evidence alone but most of the time, someone must testify to its veracity and explain it, in layperson's terms, to the judge and/or jury. That someone is likely to be you, so another skill you must develop is the ability to clearly give an oral presentation of your findings. For more information about testifying in court, see my article, "Testifying as an expert witness in computer crimes cases."

Summary

Forensics is not quite as exciting as it's made to seem on TV; forensics examiners rarely hunt down criminals themselves or put themselves in the line of fire, and forensic evidence doesn't often magically appear at the last moment during a trial to save the day and win the case. However, forensics is an important part of the investigative process and the computer forensics expert often has the satisfaction of having contributed significantly to putting the guilty behind bars - or even better, to exonerating the innocent.

Computer forensics isn't limited to criminal cases, though. It's also an important factor in the outcome of many civil lawsuits, and there are job opportunities for those with computer forensics skills in both the public and private sector. As technology advances and as computers and digital data permeate more areas of our lives - including those involving crimes and civil disputes - this is likely to be a growth field in the future.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

19 comments
loren
loren

Very interesting

unhappyuser
unhappyuser

I'd love to but the startup costs are incredible. Startup costs are easily $30K or more for equipment and classes. After that your pay is low until you get experience. Once you have that, if you've been successful in the probationary phase, you get the big bucks! EMD

ramiek01
ramiek01

Whats the cheapest way to get the certification needed for this skill.I've been in the IT field for 10yrs and I'm really looking to get into computer forensics.

clarkcurtis
clarkcurtis

We have one of the top security programs in the country here at the College of Computing and Informatics and UNC Charlotte. And yes we have a computer forensics program, which is becoming very popular. I actually attended at career fair not too long and there was a FBI agent and a Secret Service agent, both of whom specialized in computer forensics. So, there are definitely some great jobs out there.

dayen
dayen

Ispent years working on computer and finding files and hidden programs that maybe why I find Computer Forensics fascinating I never intend to be the one in court to prove the case but knowing computer forensics is a must if you are computer security you gota to know when to call in the big guns and I don't mean Fema Thank you for the time.

Neon Samurai
Neon Samurai

You can start by reading a number of books. I'm actually trying to remember which HOPE talk was given regarding forensics (at least one of several years worth so it'll take me some looking). The real problem comes after the initial education though. In forensics, you have to be ready to back up your findings in court as an expert witness. To gain the credibility to be considered an expert witness, you need to work your way up to it. This takes time on the job. Frequently forensics folks have prior work history in law enforcement just to get the credibility by becoming known in the court system (as prosecutes witness not defendant). It's a hard position to earn and easily lost if you start being proven wrong on the stand. My uneducated guess is that a university course and resulting co-op or whatever entry level work is going to be less expensive than going it alone and starting out as a complete unknown.

AnsuGisalas
AnsuGisalas

a US critical infrastructure sysop and get free courses from DOH(S)...wait, no, it's called FEMA.

auogoke
auogoke

There is no mention of such a program on the UNC Charlotte website. (There is a computer forensics course though.)

AnsuGisalas
AnsuGisalas

You have to make the job for yourself. I think the article gave a pretty good outline of what it entails though.

unhappyuser
unhappyuser

Legos, stuffed animals, pens. TOO many! EMD

klaasvanbe
klaasvanbe

In the past I was a forensic expert and would take this job again immediately. Someone in Toscana who needs someone like me?

Neon Samurai
Neon Samurai

This is probably of interest to anyone looking at the article and ways to enter the computer forensics business: http://www.hopenumbersix.net/mp3/16/basics_of_forensic_recovery.mp3 " Basics of Forensic Recovery Kall Loper This presentation will introduce the basic model for forensic recovery of data in civil and criminal contexts. Technical challenges of acquisition and analysis will be briefly covered but the primary emphasis will be on the requirements of bringing data to court. Common tools will provide examples to illustrate the model. There will also be a brief discussion of provisions of the enforcement mechanisms of the Digital Millennium Copyright Act and recent case law dealing with failures to comply with production of evidence. "

Neon Samurai
Neon Samurai

Always hear to help. :D (HOPE 2 through HOPE 2010 talks are all available on each applicable conf website if your still looking for distractions.. lots of good stuff there too)

HAL 9000
HAL 9000

Just what I needed something else to listen to so I can waste some time. :^0 Col