I speak with a lot of security professionals who are seeking to enter or grow in the field of digital forensics and incident response. There is a lot of confusion regarding the work that such individuals do and what opportunities exist to join or excel within their ranks. This is worth discussing.
Computer and Digital Forensics
Digital forensics is often seen as a subset of computer forensics, which typically involves examining computers for signs of malicious or illegal actions. The actions might have been taken by the computer’s user who is being accused of a crime or by a person or malware that compromised the system. Historically, that meant examining the computer’s hard drive.
Today’s IT ecosystem encompasses more than computer systems or their hard drives, which is why digital forensics is seen as a broader practice of examining digital artifacts in databases, memory, network traffic and mobile devices. Sometimes it also involves e-discovery work to support litigation efforts.
Computer Security Incident Response
Incident response (IR) is often viewed as a subset of or a complement to digital forensics. After all, handling a suspected malware infection, system compromise or a data breach usually involves looking at digital artifacts to assess the situation. Performing IR may also include examining a live system by running commands on it to survey the affected host.
The IR process may also involve coordinating actions of the individuals and organizations involved in or affected by the incident—a task that involves strong communication skills, business savvy and a perspective on public relations.
When performing digital forensics and/or incident response, the examiner might come across malware in the form of browser scripts, exploit-ridden documents or malicious executables. Examining these artifacts to understand their capabilities requires a specialized malware analysis and reverse-engineering skill set. (I teach a malware analysis course at SANS.)
The malware analyst (a.k.a. reverse engineer) needs to examine the malware specimen to determine how it interacts with its environment and what capabilities are built into its code base. The analyst may be asked to document the program’s malicious capabilities, understand its propagation characteristics, and define signatures for detecting its presence.
Digital Forensics and IR Career Options
As you can see, there are several disciplines within the overall field of digital forensics and incident response. As a result, there are many opportunities for specialization. The numerous options, while initially confusing, also make it easier for individuals to find an area that interests them, building upon their prior experiences while leaving room for professional growth.
One of the challenges for those looking to enter this field is that employers often focus their recruitment efforts on experienced forensicators, rather than investing in personnel who could mature as part of the group. Also, the relative youth of the field makes it hard for beginners to identify mentors or to define a path for sharpening their skills. In some cases, individuals burn out from working hectic hours that leave little time for professional development.