Making Sense of Digital Forensics and Incident Response Disciplines

I speak with a lot of security professionals who are seeking to enter or grow in the field of digital forensics and incident response. There is a lot of confusion regarding the work that such individuals do and what opportunities exist to join or excel within their ranks. This is worth discussing.

Computer and Digital Forensics

Digital forensics is often seen as a subset of computer forensics, which typically involves examining computers for signs of malicious or illegal actions. The actions might have been taken by the computer’s user who is being accused of a crime or by a person or malware that compromised the system. Historically, that meant examining the computer’s hard drive.

Today’s IT ecosystem encompasses more than computer systems or their hard drives, which is why digital forensics is seen as a broader practice of examining digital artifacts in databases, memory, network traffic and mobile devices. Sometimes it also involves e-discovery work to support litigation efforts.

Computer Security Incident Response

Incident response (IR) is often viewed as a subset of or a complement to digital forensics. After all, handling a suspected malware infection, system compromise or a data breach usually involves looking at digital artifacts to assess the situation. Performing IR may also include examining a live system by running commands on it to survey the affected host.
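The live-system survey mentioned above, as an added example that is not part of the original post: a small collector that runs a list of survey commands on the affected host, saves each output to an evidence directory and records its SHA-256 in a manifest, so the examiner can later show that nothing captured has been altered. The command names in the default list (`who`, `ps`, `ss`, `ip`, `mount`) are assumptions for a typical Linux host; missing tools are recorded in the manifest rather than aborting the run.

```python
"""Collect volatile data from a live host with a tamper-evident manifest.

Added example (not from the original post). Each survey command's output is
written to an evidence directory and its SHA-256 is stored in a manifest;
verify_manifest() re-hashes the files to detect later modification.
"""
import hashlib
import json
import os
import shutil
import subprocess
import tempfile
import time

# Constructed survey list, ordered roughly by volatility (most volatile first).
# The tool names are assumptions for a Linux host; adjust for the platform.
DEFAULT_SURVEY = [
    ("date", ["date", "-u"]),
    ("uptime", ["uptime"]),
    ("logged_in_users", ["who"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("listening_sockets", ["ss", "-tulpn"]),
    ("network_connections", ["ss", "-tanp"]),
    ("arp_cache", ["ip", "neigh"]),
    ("mounted_filesystems", ["mount"]),
]


def run_survey(evidence_dir, survey=DEFAULT_SURVEY, timeout=30):
    """Run each survey command, save its output, and return the manifest.

    A missing tool or a timeout is recorded instead of stopping the collection:
    a partial survey with an honest manifest beats no survey at all.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {
        "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "items": [],
    }
    for label, argv in survey:
        item = {"label": label, "argv": argv}
        if shutil.which(argv[0]) is None:
            item["status"] = "tool_not_found"
            manifest["items"].append(item)
            continue
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            output = proc.stdout + proc.stderr
            item["status"] = "ok" if proc.returncode == 0 else f"exit_{proc.returncode}"
        except subprocess.TimeoutExpired:
            output = b""
            item["status"] = "timeout"
        path = os.path.join(evidence_dir, f"{label}.txt")
        with open(path, "wb") as fh:
            fh.write(output)
        item["file"] = path
        item["sha256"] = hashlib.sha256(output).hexdigest()
        manifest["items"].append(item)
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(manifest):
    """Re-hash every saved output file; return the labels whose hash changed."""
    changed = []
    for item in manifest["items"]:
        if "file" not in item:
            continue
        with open(item["file"], "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != item["sha256"]:
                changed.append(item["label"])
    return changed


if __name__ == "__main__":
    out_dir = tempfile.mkdtemp(prefix="live_survey_")
    result = run_survey(out_dir)
    for it in result["items"]:
        print(f"{it['label']:22} {it['status']:16} {it.get('sha256', '')[:16]}")
    print("manifest written to", os.path.join(out_dir, "manifest.json"))
```

Running the collector from removable or network media rather than from the suspect disk, and copying the evidence directory off the host immediately, keeps the survey from overwriting artifacts the later disk examination may need.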

The IR process may also involve coordinating actions of the individuals and organizations involved in or affected by the incident—a task that involves strong communication skills, business savvy and a perspective on public relations.

Malware Analysis

When performing digital forensics and/or incident response, the examiner might come across malware in the form of browser scripts, exploit-ridden documents or malicious executables. Examining these artifacts to understand their capabilities requires a specialized malware analysis and reverse-engineering skill-set. (I teach a malware analysis course at SANS.)

The malware analyst (a.k.a. reverse engineer) needs to examine the malware specimen to determine how it interacts with its environment and what capabilities are built into its code base. The analyst may be asked to document the program’s malicious capabilities, understand its propagation characteristics, and define signatures for detecting its presence.
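The last task listed above, defining signatures that detect a specimen's presence, as an added example that is not from the original post: the "specimen", a clean "baseline" program and a "repacked" variant are all constructed byte strings standing in for real files. The signature is built from the printable strings that are distinctive to the specimen (present in it, absent from the baseline and not a common runtime import), and a match requires a majority of them, which is the idea behind string-based rules in tools such as YARA, written out by hand here so the example runs offline. The variant shows why such a rule is more durable than a file hash alone.

```python
"""Derive a string-based detection signature from a specimen and match it.

Added example (not from the original post). All three byte strings below are
constructed stand-ins, not real malware.
"""
import hashlib
import re

# Runs of at least six printable ASCII bytes: the usual "strings" heuristic.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Imports nearly every Windows program carries; never distinctive on their own.
COMMON_RUNTIME_STRINGS = {b"kernel32.dll", b"GetProcAddress", b"LoadLibraryA", b"ExitProcess"}

# Constructed specimen: a PE-like header followed by the kind of strings an
# analyst might pull out of a dropper (file path, callback URL, persistence key).
SPECIMEN = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
    b"C:\\Users\\Public\\updsvc.exe\x00"
    b"http://c2.example.invalid/gate.php\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"\x00\x00\x00"
)

# Constructed clean baseline sharing the runtime imports but nothing else.
BASELINE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"kernel32.dll\x00GetProcAddress\x00ExitProcess\x00"
    b"Calculator\x00Copyright (c) Example Corp\x00"
)

# Constructed "repacked" variant: one string rewritten, so the hash differs
# while most distinctive strings survive.
VARIANT = SPECIMEN.replace(b"c2.example.invalid", b"c3.example.invalid")


def extract_strings(data):
    """Return the set of printable ASCII runs (6+ bytes) found in data."""
    return set(_PRINTABLE_RUN.findall(data))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_signature(name, specimen, baseline):
    """Signature = specimen strings minus baseline strings minus runtime noise."""
    distinctive = extract_strings(specimen) - extract_strings(baseline) - COMMON_RUNTIME_STRINGS
    return {
        "name": name,
        "sha256": sha256_hex(specimen),
        "strings": sorted(distinctive),
        # Require a majority of the distinctive strings (never fewer than two):
        # one rewritten string does not evade the rule, and one string that
        # happens to appear in a benign file does not trigger it.
        "min_matches": max(2, (len(distinctive) + 1) // 2),
    }


def match_signature(sig, data):
    """Check data against the signature; report hash match, string hits, verdict."""
    hash_match = sha256_hex(data) == sig["sha256"]
    hits = [s for s in sig["strings"] if s in data]
    return {
        "hash_match": hash_match,
        "hits": hits,
        "detected": hash_match or len(hits) >= sig["min_matches"],
    }


if __name__ == "__main__":
    sig = build_signature("constructed-dropper", SPECIMEN, BASELINE)
    print("signature strings:", sig["strings"], "min_matches:", sig["min_matches"])
    for label, blob in (("specimen", SPECIMEN), ("variant", VARIANT), ("baseline", BASELINE)):
        r = match_signature(sig, blob)
        print(f"{label:9} hash_match={r['hash_match']!s:5} hits={len(r['hits'])} detected={r['detected']}")
```

The strings extracted here are static indicators only; a packed or encrypted specimen hides them until it is unpacked in memory, which is one reason the analyst pairs this kind of signature with behavioral observations from running the sample in an isolated lab.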

Digital Forensics and IR Career Options

As you can see, there are several disciplines within the overall field of digital forensics and incident response. As a result, there are many opportunities for specialization. The numerous options, while initially confusing, also make it easier for individuals to find an area that interests them, building upon their prior experiences while leaving room for professional growth.

One of the challenges for those looking to enter this field is that employers often focus their recruitment efforts on experienced forensicators, rather than investing in personnel who could mature as part of the group. Also, the relative youth of the field makes it hard for beginners to identify mentors or to define a path for sharpening their skills. In some cases, individuals burn out from working hectic hours that leave little time for professional development.

About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.