An overview of being a Forensics Investigator as a career

Henry Dalziel | Information Security Careers | November 18, 2012

What is forensic science and computer forensics?

This is part two of our career advice for those interested in getting a job within the information security space.

In a previous post we spoke about becoming a Security Analyst and this post is an overview of being a Computer Forensics Investigator and appreciating what forensic science is.

A Computer Forensics Investigator, often referred to as a Forensic Analyst, is a specially trained information security professional who works predominantly with law enforcement and government agencies, but also with private organizations, to retrieve information from computers, servers and other types of data storage devices. Forensic science is the general term for the field and the career.

Forensic accounting is vital in this role, since law enforcement requires legal evidence acquired through computer forensics. The analysis techniques that a Computer Forensics Investigator needs are highly skilled and in demand. As a forensic professional, the individual must have solid auditing and reporting skills: the ability to write up findings and, if required, to testify in court.

So in summary, the Forensic Analyst must have a very solid understanding of cyber security in all its aspects, including intrusion detection, and above all the ability to know what to look for once a security breach has occurred.

As mentioned already, this role is typically associated with law enforcement. Legal investigators need evidence to prove cyber crime, which includes crimes such as corporate theft, theft of trade secrets, destruction of intellectual property, and financial fraud.

Education, Training and Qualifications

There are no specific educational requirements to become a computer forensic investigator, but as a minimum you should obtain either a degree or a certificate in computer science and/or forensic investigation, majoring in cyber crime and information security. Following a degree in forensic investigation or computer crime, you should certainly consider getting a specific forensic certification.

CISSP, Cisco Certified Security Professional (CCSP) and CHFI from EC-Council are the three qualifications that immediately jump out and will help you find that job. The Computer Hacking Forensic Investigator (C|HFI) is probably the most popular; it is a course which focuses on network security investigations. The exam is currently in version 8 (as of March 2012).

Like most of the other infosec certifications out there, holders of the CHFI designation must re-certify under the program every three years to retain it.

What about the salary and the job market?

According to Robert Half Technology, analysts who work for state or federal law enforcement agencies can expect a salary of between $55,000 and $80,000, but this can increase with experience, certifications and security clearance. Analysts may also take home larger salaries when employed by private government contractors.

Corporate organizations and consulting firms typically pay slightly less – anywhere between $45,000 and $55,000. Analysts who work in major urban areas can expect to earn more than those who work in less high-tech states and cities.

With the constant rise in cyber crime, Computer Forensics Investigators or Forensic Analysts are in demand. Period. There are many opportunities in both the public and private sectors, and overall the job market for the profession in the US is excellent. The opportunities are particularly solid if you have relevant forensic training and certifications, as mentioned above.

Learn to use a forensic distro!

We created a list of the top ten pentesting Linux distributions, which subsequently became the top twelve (because of comments on the blog post). Anyway – one of the Linux distros on our list is called CAINE, which we think you ought to take a look at if you are interested in forensics. Here is a link to the post. Getting familiar with a forensics distro is a really smart way to understand the tools (obviously), but also to learn how to work effectively with the tools you will need.

Some of the forensic tools (within CAINE)

Here are some of the forensic tools and programs within CAINE. AIR (Automated Image and Restore) is a GUI front-end to dd and dc3dd designed for easily creating forensic bit images. Autopsy is another great tool: the Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools bundled within The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).
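As an added example (not code from CAINE, AIR or the original post), the following Python mimics what AIR's dd/dc3dd back end does for an investigator: it images a constructed in-memory "device" sector by sector, zero-fills an unreadable sector so later offsets stay aligned, hashes the image as it is written, and later verifies the stored image against that hash. The names FlakySource, image_device, image_to_bytes and verify_image are chosen here.

```python
import hashlib
import io

SECTOR = 512  # sector-sized blocks keep image offsets aligned with the device

class FlakySource(io.BytesIO):
    """Constructed stand-in for a block device: reading the sector that starts at
    bad_offset raises OSError, as a physically damaged sector would."""

    def __init__(self, data, bad_offset=None):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, size=-1):
        if self.tell() == self.bad_offset:
            raise OSError("I/O error at offset %d" % self.bad_offset)
        return super().read(size)

def image_device(src, dst, block=SECTOR):
    """Copy src to dst block by block and hash the image while writing it, as dc3dd
    does. An unreadable block is written as zeros (dd's conv=noerror,sync) so every
    later offset in the image still matches the source device.
    Returns (sha256 hex of the image, bytes written, offsets of bad blocks)."""
    digest, bad_blocks, offset = hashlib.sha256(), [], 0
    while True:
        try:
            chunk = src.read(block)
        except OSError:
            bad_blocks.append(offset)
            chunk = b"\x00" * block
            src.seek(offset + block)  # step over the damaged block
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return digest.hexdigest(), offset, bad_blocks

def image_to_bytes(src, block=SECTOR):
    """Image src into memory; returns (image bytes, sha256 hex, bad block offsets)."""
    dst = io.BytesIO()
    sha, _, bad = image_device(src, dst, block)
    return dst.getvalue(), sha, bad

def verify_image(image, expected_sha256):
    """Re-hash a stored image and compare with the hash recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_sha256
```

The recorded hash plus the list of zero-filled offsets is what goes into the acquisition notes; any later mismatch from verify_image means the image can no longer be relied on.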

Another tool is Afflib. The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata. The main point of Afflib is that the forensic investigator is not restricted to proprietary formats that may limit the equipment and software he or she can use for analysis. This open standard allows investigators to quickly bring in their preferred tools to solve crimes, gather information/intelligence, and resolve security breaches.

Galleta is an Internet Explorer cookie forensic analysis tool included within CAINE. Galleta was created to examine the contents of cookie files. It can parse cookie data and write the output to a CSV file, for example.

Similar to Galleta is Pasco. Pasco is an Internet Explorer activity forensic analysis tool. The program was written to analyze the contents of Internet Explorer’s cache files. Pasco can parse the information contained within the index.dat file and generate a report.

Rifiuti2 is an important tool contained within CAINE. Many computer crime investigations and forensic experts require the reconstruction of a machine’s Recycle Bin. Since this task comes up so regularly, the developers created a way to examine the contents of the INFO2 file in the Recycle Bin despite its numerous re-writes.
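To show what Rifiuti2 is reconstructing, here is an added Python parser (not Rifiuti2's code and not from the original post) for the Windows 2000/XP INFO2 layout that Rifiuti documents: a 20-byte header followed by fixed-size records holding the original path, drive number, deletion FILETIME and recorded size, with the first path byte zeroed once the entry was restored or the bin emptied. The two-record sample blob, its paths and timestamps are constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# INFO2 layout (Windows 2000/XP Recycle Bin index) as parsed by rifiuti/rifiuti2:
# a 20-byte header, then fixed-size records of 280 (9x/NT4) or 800 (2000/XP) bytes.
HEADER_FMT = "<IIIII"   # version, unknown, unknown, record size, total size
HEADER_LEN = struct.calcsize(HEADER_FMT)
FIELDS_FMT = "<IIqI"    # index, drive number, deletion FILETIME, recorded size
DRIVES = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Return one dict per record in an INFO2 file read as bytes."""
    version, _, _, rec_size, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if rec_size not in (280, 800):
        raise ValueError("unexpected INFO2 record size %d" % rec_size)
    records = []
    for off in range(HEADER_LEN, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        ansi = rec[:260]
        index, drive, ft, size = struct.unpack_from(FIELDS_FMT, rec, 260)
        # Windows zeroes the first byte of the ANSI path when the entry is restored or the
        # bin is emptied but keeps the record (hence reconstruction works); restore it as rifiuti does.
        emptied = ansi[0] == 0
        if emptied:
            ansi = DRIVES[drive].encode() + ansi[1:]
        path = ansi.split(b"\x00", 1)[0].decode("cp1252", "replace")
        if rec_size == 800:  # 2000/XP records also carry the full Unicode path
            path = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0] or path
        records.append({"index": index, "drive": DRIVES[drive], "path": path, "size": size,
                        "deleted": filetime_to_datetime(ft), "emptied": emptied})
    return records

def build_record(path, index, drive, ft, size, emptied=False):
    """Construct one 800-byte XP-style record (sample data, not a real artifact)."""
    ansi = path.encode("cp1252").ljust(260, b"\x00")
    if emptied:
        ansi = b"\x00" + ansi[1:]
    return ansi + struct.pack(FIELDS_FMT, index, drive, ft, size) + \
        path.encode("utf-16-le").ljust(520, b"\x00")

T0 = 132223104000000000  # FILETIME for 2020-01-01T00:00:00Z, used by the constructed sample
SAMPLE_INFO2 = (struct.pack(HEADER_FMT, 5, 0, 0, 800, HEADER_LEN + 2 * 800)
                + build_record("C:\\Users\\bob\\secret.xls", 1, 2, T0, 40960)
                + build_record("D:\\backup\\notes.txt", 2, 3, T0 + 600 * 10**7, 1024, emptied=True))
```

Running parse_info2 over a real INFO2 file read in binary mode gives the same per-entry view (path, drive, deletion time, whether the entry was emptied) that Rifiuti2 prints.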

Another tool is The Sleuth Kit (TSK), an assortment of UNIX-based command line tools that allow you to investigate a machine. Autopsy is a browser-based GUI front end for TSK.

Are you a forensic expert? We’d love to have your comments and feedback.

Leave a comment or reply below...thanks!