Digital Forensics and Forensic Analysts: Salary, Careers, Advice
Many people that are interested in getting into cyber security are unaware of the potential jobs that the related field of digital forensics can offer, and because of this, digital forensics often goes under the radar for people who are interested in a cyber security career. Since many people do not know what digital forensics is, I wanted to provide an overview of what it is, what forensics analysts do, the kinds of tools they use, how to get into the field, and the general pros and cons of a career in this exciting field.
What is digital forensics? Digital forensics is a subset of forensics in which experts search for, recover and investigate data that is stored digitally. This data is often intentionally hidden and can include photos, computer code, emails, documents, financial records, and other sensitive information.
With that being said, you may want to take a deeper look into digital forensics. That will mean going over the ways that digital forensic experts collect data, including how it is analyzed, to programs and tools the experts use, ways to get into the forensics field, and other factors to consider about forensics. Let’s take a look at those now.
What is Digital Forensics All About?
Digital Forensics is based around finding information that is on digital devices and stored in a digital format, which can be intentionally hidden from being found using normal means on a computer. This also means that many digital forensics jobs are found in law enforcement, or possibly in a corporate setting.
Digital forensics also relies on the creation of reports that can either be generated by the tools the experts use to find the hidden information or the reports can be typed, and the findings can be manually included.
What are Digital Forensics Jobs Like?
Digital forensics jobs can have very different environments. They usually are either found in law enforcement or a corporate setting. When they are based in law enforcement, the information being searched for is unknown, or the hard drive or storage device that is in question can be partially or fully damaged. The devices can range from computers to laptops, cell phones, and tablets.
An important rule of thumb in digital forensics is that professionals are always sure to only work with images or copies of the original drive instead of the actual evidence. For law enforcement jobs that is a mandatory guideline. When digital forensics experts are called in to search for hidden information on a criminal suspect’s hard drive, the information they find is often available for use in a court case against a suspect. If the original hard drive can be proven to tampering, the defendant’s lawyers can claim the information was planted, which can have dire consequences for prosecutors.
What About Digital Forensics Jobs in the Private Sector?
In a corporate environment, the job of a digital forensic expert is no less important but may be subject to different regulations or responsibilities. Many cases where an expert is needed in a corporate environment involve trade secrets, such as blueprints or insider trading information. Forensics professionals can also be consulted when company guidelines about computer use are violated, or that a suspected violation has taken place.
Since this job is based within a certain company or corporation, digital forensics experts only need to have expertise with the machines and software used by the company. This typically includes desktops, laptops, and tablets in most companies, but with BYOD policies, it may extend to other corporate owned technology assets, such as smartphones.
The nature of the information can also be narrowed down to a certain extent in a corporate setting as well. Many of the cases in a corporate setting often revolve around finding blueprints, financial statements, or hidden emails. It is not impossible to have cases where the forensics expert finds inappropriate or criminal content that could result in a police investigation as well as the loss of a person’s job.
What is a Forensic Analyst?
A forensic analyst is a specialist in the field of digital forensics. These positions may also be referred to as forensic analysts. Forensic analysts, both in cases of law enforcement and in corporate environments, will have access to a designated lab to use for their analyses. Within the labs there would be “safe boxes” where the forensic analysts can store the drives or devices they are analyzing.
Each lab should have a form of perimeter security and a sign in and sign out sheet. This provides security for the drives and evidence involved in cases, and it also allows law enforcement and companies to keep track of who has access to those digital assets.
While in the lab, forensic analysts or examiners will create virtual copies of the hard drives or devices in question, and then analyze the copies looking for incriminating information or data. The analysts use tools to find and document the data and evidence they find. After any data is found and documented, it can be submitted as evidence against a criminal or used by a company to prove an employee has been breaking agreements and possibly the law while that individual was on the job or associated with that organization.
There are similar positions in the digital forensics field that have similar responsibilities and requirements but have different titles. This depends on the organization and its choice of title. The most important factor to look at is the job’s list of responsibilities. These similar titles will include similar requirements just with a bit a variation. Some titles you can expect to see that are like a forensic analyst are:
- Forensic Science Technician
- Forensic Investigator
- Forensic Examiner
- Digital Forensic Analyst
- Detective/Forensic Detective
Typical Dress Code
As with most other professional jobs in the field, you should follow a business casual dress code. Some digital forensics positions will require you to wear more formal attire such as a tie and dress shirt, while others are more lenient and will allow you to wear more casual clothing. Most positions will not require you to dress in a suit unless there is a special occasion, however, there may be an additional requirement, especially in a law enforcement setting where you may be required to visit a crime scene. This could include options such as safety gear, gloves, protective headwear, or even bulletproof vests.
A vast majority of the work that you will do will be indoors in an office environment. Most of the time you will not have to do much heavy lifting because your job mainly involves working with a specific technology. Depending on where you work, you may be required to travel to other sites/customers or to scenes to process data. Your position also may require you to be able to respond to or work on-call/off-hour incidents or even shift work.
Industry certifications are sometimes required or preferred depending on the level of work you are doing. Some examples of certifications you may need are:
- OSForensics Certified Examiner (OSFCE)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Advanced Smartphone Forensics (GASF)
- Certified Forensic Computer Examiner (CFCE)
Job Outlook for Forensic Analysts
The employment outlook for digital forensics analysts (forensic science technicians) is stronger than average, with the U.S. Bureau of Labor Statistics citing an expected growth of 17% through the year 2026, as compared to the 7% for the U.S. economy overall.
What Tools Do Forensic Analysts Use?
The tools that the forensic analysts use are typically downloadable programs. Along with these programs, forensic analysts use a read/write blocker so that when copies of the hard drives are made, they do not write to or make changes to the hard drive that is being copied.
These programs allow the analyst to make a copy of the hard drive in question and then search the drive for potentially incriminating information or data. The data can be searched for in a variety of ways. The analyst can search by keywords, file types, timestamps and many more ways.
They can also search emails for embedded files as well as analyzing pictures for embedded files as well. Tools are also available across multiple operating systems. There are a variety of tools that are available to download and use in both Linux and Windows operating systems.
Here are a few examples of digital forensics tools that analysts can use when examining hard drives, but keep in mind that there are many more forensic tools than the ones being covered here.
Examples of Common Forensics Tools
Let’s look at a few examples:
Example 1: OSForensics. OSForensics is a digital forensics tool developed by PassMark Software. It allows forensic analysts the ability to create copies of hard drives, validate the integrity of the copied drive, and perform basic searches for data on the copied drive.
OSForensics also gives analysts the ability to create indexes of specified areas on the copied hard drive. Once the area is indexed, analysts can search that area by using key words, file types, and timestamps. OSForensics specifically can let analysts search through email archives, which can help analysts connect a potential subject to a suspected policy violation or criminal act. Analysts can also use OSForensics to locate and read deleted files on a hard drive.
OSForensics can also help analysts to discover recent activity on the target machine, which can help link certain user accounts to activity on the hard drive. An example of this is an analyst finding that a certain user was logged in to the machine sent an email, and deleted incriminating files and can then link those actions with a timestamp. OSForensic can help analysts discover web browsing activity, USB devices that may have been used, and connected network files. Analysts can also use
OSForensics find usernames, passwords, and hidden sections of the hard drive that normal users would not have access to. OSForensics has many useful features for forensic analysts to use when searching a copied hard drive and can really become invaluable when searching for information that was hidden or recently deleted from the copied hard drive.
Example 2: Sleuthkit/Autopsy. Sleuthkit and Autopsy are two digital forensics that effectively work together. They are both open source software programs. Autopsy is a graphics-based utility that helps analysts analyze hard drives and mobile devices. Autopsy can recover photos from SD cards used in digital cameras and some smartphones.
Autopsy is designed to intuitive and easy to use. Features exclusive to Autopsy are the ability for analysts to collaborate on the same case, extracting location details and camera information from pictures, and providing the ability to extract data call logs, contacts, and texts on Android devices.
Like OSForensics, Autopsy allows forensic analysts to separate activity on a device or hard drive based on timestamps, perform key word searches, extract web activity from popular web browsers, identify documents accessed from USB drives, analyze emails, search copied hard drives for certain file types, validate data integrity from the copied hard drives, and tag possibly incriminating files with custom flags and alerts.
Now that we’ve covered Autopsy’s features, we can explore Sleuthkit’s features as well. Sleuthkit’s features rest in the command line-based modules and tools it has. Sleuthkit’s exclusive features include a way to monitor the volume of the hard drive and analyze the file system being used and a plug-in based framework that allows analysts to include and install other forensic tools and modules to use when analyzing copied hard drives or devices.
Example 3: Prodiscover. The Prodiscover product has other suites of features, but for this article we will only be focusing on the forensic aspects of the tool. Prodiscover is a forensic tool that was created by Technology Pathways.
Prodiscover uses its own imaging format for analyzing hard drives and devices. Key features of Prodiscover include the ability to create a copy of hard drive that needs to be analyzed, search through specific files or the entire hard drive for a comprehensive forensic search, preview hidden and deleted files without compromising the integrity of the copied drive, automate investigation tasks, and examine and cross reference data to make sure that analysts find all the data that is there, which includes hidden or deleted information.
In each example, every tool has a way to create a copy of the hard drive or device that is in question. Each forensic tool also provides a method to analyze and organize the data on the copied hard drive so that analysts can perform fast, accurate, and comprehensive searches. OSForensics can help analysts to find usernames and passwords and can also let analysts find deleted files and data which can be used to link an individual to activity that may violate company policies or can also be used to prove illegal activity in a criminal sense.
Autopsy and sleuthkit can be used to analyze android devices such as smartphones and tablets. Since sleuthkit is a command line based tool and is also supports plug-ins, it can be modified to support other forensic tools and make use of their features without using the same amount of resources that a grapghics based tool would use. Prodiscover has many similar features that OSForensics and Autopsy utilizes, however the ability to automate investigation tasks and methods sets it apart from other tools.
Each tool can compile the results of tests and analyses into reports that can be exported and used in case reports in both corporate and law enforcement environments. An important point to note is that there are many other forensic tools that can be used to perform digital forensic analysis. Now that we’ve covered a few forensic tools, let’s go over how to get into the digital forensics field.
How to get into the Digital Forensics Field
The field of digital forensics often requires a degree to enter. However, degree level depends on the nature of the job. As mentioned earlier, the jobs in this field often fall into the corporate or law enforcement categories.
For corporate jobs, the best way to land them is to go through a degree program and gain hands on experience with the forensic tools in use. In terms of law enforcement, law enforcement agencies will often send uniformed officers to training centers where they can be trained in how to use the tools and software they recommend while complying with current laws and guidelines.
Pros and Cons of Digital Forensics Jobs
Here are a few of the most commonly cited positives of positions in the field of digital forensics.
Pro 1: Salary. A great aspect of digital forensics jobs is the range of salary. The salary for digital forensic analysts can range anywhere from $55,000 to $153,000. The salary will depend on the job and the level of responsibilities the analyst has to manage and the requirements the analyst needs to meet. Many forensics positions within government agencies, such as law enforcement offices, may start out on the lower end of this pay scale, but these positions often include generous benefits packages as well.
Pro 2: Working for the Public Benefit. Many forensics specialists, especially those in law enforcement, highly enjoy their jobs, and cite the benefit of feeling satisfaction in doing work that is needed and important for the public good.
Pro 3 Work Hours. Lastly, a pro of having a digital forensics job is the work hours. If the job is located in a corporate setting, it is possible to have more structured job time. People in a corporate digital forensics job can often expect a nine to five work week. The workload will always shift and change depending on the assignment, but the work hours can remain stable. This type of regular schedule is often not possible in the law enforcement sector, as the collection of forensic data is commonly time sensitive.
Con 1: Dangerous Exposure. A possible con of working in a law enforcement work environment is the possibility of having to work at a crime scene. While some may find the allure of a crime scene exciting, there is inherent danger when working in these environments, and at times it is possible to have cases where the hard drive or device that needs to be copied cannot leave the crime scene.
In those cases, digital forensic experts need to copy the drives while at the crime scene. This exposure can put the analyst in harms way. However, if the analyst is working in law enforcement, this risk is often considered when initially applying and interviewing for the law enforcement position.
Con 2: Challenging Work. Another aspect of the field that adds to the difficulty of this type of job is the fact that the forensic analyst needs to have expertise in a wide variety of operating systems and devices in order to make full use of the forensic tools. Additionally, the analyst must be highly patient and detail oriented as they use these tools to collect data.
Con 3: Monotonous Work. Lastly, a con of having digital forensics job is the amount of repetitive work. With many of the forensic tools used by analysts it can take a significant amount of time to copy the hard drives of computers, servers, and mobile devices that need to be analyzed.
Of course, the time that is needed to create the copies depends on the size of the hard drive and the amount of information found on the hard drive. In some cases, it is possible to that making the copy can take anywhere from 30 to 60 minutes. That can be a significant chunk of time to be waiting for an employee that is on the clock and under pressure. However, that does provide time for the analyst to devise a method or plan to analyze the data on the drive.
Digital forensics is a career where analysts create copies of hard drives and devices and then analyzes them for incriminating information. This information is often intentionally hidden from investigators so that the potential suspects are not caught or held accountable for their fraudulent or possibly illegal activity. These jobs are typically found in corporate and law enforcement environments. There are many tools forensic experts use to analyze the hard drives and devices they copy.
People interested in pursuing a digital forensics career can expect a challenging career path with tedious work and a potentially dangerous work environment. However, the potentially strong salary, ability to control the work environment the analysts work in, and the hours they work can be a game changer when deciding possible career paths.