One of the most frequently asked
questions I get is, “How do I become a computer forensic specialist?” Though I hold strong views on that, I
feel obliged to note that I don’t offer my ongoing path as an example. Who wants to hear, “First, become
passionate about electronics as a child, go to law school, try cases for
twenty-five years, teach yourself the discipline almost before it was a
discipline and then pursue formal training to ascertain whether what you think
you understand is what you really need to know?” It smacks of the Cheshire Cat-like reply forensics guru Andy
Rosen gives when cross-examined about his lack of conventional training: “I
went to the same flight school Orville and Wilbur Wright attended.”
In the end, success as a computer
forensic examiner comes down to qualifying and performing as an expert in
court. I’ve boiled down the
efforts I think matter most in becoming a skilled and successful computer
forensics expert into “The Seven E’s:”
The lion’s share of computer forensics knowledge is self-taught. The best computer forensics experts are
insatiably curious about how and why computers work. They spend much of their time reading about software,
hardware, registry keys and rootkits, and they live for the joy of figuring
out how it all fits together.
There’s a wealth of information out there: in books (search
Forensics) and online (http://www.e-evidence.info is superb), in discussion forums and product FAQs,
in user groups and confabs. If
these diversions aren’t your idea of a good time, computer forensics isn’t
where you’ll be happy.
Step One: Read extensively about computer forensics.
Education: Unless, like Andy Rosen, you can honestly say you
helped invent computer forensics, you’ll need formal education to shore up your
general analytical and communication skills and to ensure that the methods you
employ are sound and thorough.
Like it or not, you’re vulnerable in the courtroom without a college
degree, and it’s harder to get traction as an expert when your only sheepskin
is from You U. A computer science
or law degree is nice, but your degree can be in philosophy or animal
husbandry, so long as you go on to study computer forensics in a meaningful and
comprehensive way. Professional
certifications that legitimately demonstrate training, testing and practical
experience have value in helping courts, clients and potential employers assess
There are excellent courses of study offered by universities, forensic tool
vendors (e.g., NTI, Guidance Software and AccessData), professional
associations (e.g., HTCIA), law enforcement agencies (IACIS and FLETC--only
available to government personnel) and others.
Forensics training needn’t be
college credit bearing, but don’t fool yourself into thinking that a week-long
boot camp is sufficient to qualify you as an expert. If you’re coming from law enforcement or government,
extensive experience and training may supplant the need for a college degree,
but recognize that in a battle between an experienced examiner and one holding
an advanced degree, juries may defer to the latter. Note also that some jurisdictions require licensure to
perform forensic investigations, so be sure that your education includes what
it takes to legally offer your services for hire in your state or province.
Step Two: Get a college degree and complete as many formal courses of
study and certifications in computer forensics as your time and budget allow.
Experimentation: Every case is different, so the answer you seek may
not be in the literature, the forums or the ken of an experienced
colleague. Sometimes, you have to
test your theories. The ability to
construct illuminating experiments and the patience to elicit the data are
hallmarks of skilled computer forensic examiners. If you need to know how a file or metadata changes when a
user does something or what digital detritus is left behind, you’ll be best
prepared to testify if you’ve proven your theory by competent experimentation.
Step Three: Experiment with systems, applications and operating systems to gain
hands-on appreciation of how they work and what they do.
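A concrete illustration of the kind of experiment described above, added here as an example and not taken from the column: a small Python harness that stages a file with known content and a pinned modification time, applies one user action (append, rename, plain copy, metadata-preserving copy) and reports which stat() fields and which content hash changed. The exhibit name, the sample content and the 2020-01-01 timestamp are constructed for the example; the behaviour it records is that of the local operating system and filesystem, which is exactly what you would note in your lab notes.

```python
"""Reproducible file-metadata experiment harness (constructed example).

Stage a file with known content and a known timestamp, perform one user
action, and record which stat() fields and which content hash changed.
"""
import hashlib
import os
import shutil
import tempfile

# stat() fields worth tracking. st_ctime is inode change time on POSIX but
# creation time on Windows, so interpret it per platform in your notes.
FIELDS = ("st_size", "st_mode", "st_ino", "st_atime_ns", "st_mtime_ns", "st_ctime_ns")

# Artificial, pinned modification time for the staged exhibit: 2020-01-01T00:00:00Z.
STAGED_MTIME_NS = 1_577_836_800 * 1_000_000_000


def snapshot(path):
    """Return the tracked stat fields plus a SHA-256 of the content.

    Note that reading the file to hash it can itself update st_atime on
    many filesystems: the examiner's tools leave traces too, which is why
    real examinations run against write-blocked media or read-only images.
    """
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    record = {name: getattr(st, name) for name in FIELDS}
    record["sha256"] = digest.hexdigest()
    return record


def changed_fields(before, after):
    """Map each field whose value changed to its (before, after) pair."""
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


def run_experiment(action):
    """Stage the exhibit, apply action(path, workdir), return what changed.

    `action` returns the path to examine afterwards, or None when the
    original path is still the file of interest.
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "exhibit.txt")
        with open(path, "wb") as f:
            f.write(b"constructed sample content\n")
        # Pin atime/mtime so a changed timestamp is unambiguous regardless of
        # the filesystem's timestamp granularity.
        os.utime(path, ns=(STAGED_MTIME_NS, STAGED_MTIME_NS))
        before = snapshot(path)
        target = action(path, workdir) or path
        after = snapshot(target)
        return changed_fields(before, after)


def append_text(path, _workdir):
    """User opens the file and adds a line."""
    with open(path, "ab") as f:
        f.write(b"appended line\n")


def rename_in_place(path, workdir):
    """User renames the file within the same directory."""
    new_path = os.path.join(workdir, "renamed.txt")
    os.rename(path, new_path)
    return new_path


def plain_copy(path, workdir):
    """Copy that writes content only; the copy gets a fresh mtime."""
    return shutil.copy(path, os.path.join(workdir, "copy.txt"))


def metadata_preserving_copy(path, workdir):
    """Copy that also carries over atime/mtime (shutil.copy2)."""
    return shutil.copy2(path, os.path.join(workdir, "copy2.txt"))


def experiments():
    """Run each action and return {label: changed_fields}."""
    actions = {
        "append": append_text,
        "rename": rename_in_place,
        "copy": plain_copy,
        "copy2": metadata_preserving_copy,
    }
    return {label: run_experiment(fn) for label, fn in actions.items()}


if __name__ == "__main__":
    for label, changes in experiments().items():
        print(f"{label:>6}: " + (", ".join(sorted(changes)) or "nothing changed"))
```

Two lessons fall out of running it. First, two tools that both call themselves "copy" leave different evidence: the plain copy gets a fresh modification time while copy2 carries the staged one over, so you test the specific tool and version the user had, not the generic operation. Second, what a rename or copy does to inode numbers and ctime differs between operating systems and filesystems, so record the platform alongside the result before you testify to it.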
Experience: You can study forensics and muck about in the realm
of the theoretical until the cows come home, but there’s no substitute for
applying your skills and testifying in real cases. Experience is the catch-22 of many professions: you can’t get work without experience
and you can’t get experience without work. Apprentice to a more experienced examiner or offer to assist
attorneys, IT or local law enforcement at little or no cost. If confidentiality concerns can be
allayed, a local experienced examiner might be willing to let you assist in
performing a “shadow exam,” if only out of a desire to see if you find something
he or she didn’t see.
Step Four: Work on real cases and real media, and welcome every opportunity to have your
opinions tested by experienced cross-examiners.
Exchange: Every examiner benefits from the exchange of ideas
with skilled, experienced colleagues. Join local and national industry associations, go to meetings
and conventions, subscribe to online discussion groups, read forum postings
(Google computer forensic forum) and unselfishly share what you
learn and benefit from what others share.
The computer forensics community is very supportive, but appreciate that
other examiners may justifiably regard you as a competitor or adversary, so
don’t expect them to reveal all or do your work for you. Show respect for others by first doing
your homework. Don’t waste time
with a question that’s been asked and answered in a prior posting or one you
took no steps to address on your own.
Be a learner, not a leech.
Network with other examiners, ask questions and earn their trust. If you learn something useful, share
the tools and techniques suited to the task and invest in them. That means using reliable hardware,
properly licensing commercial software, keeping applications patched and
up-to-date, testing tools to ensure they’re reliable, cross-validating results
and knowing how the tools work their magic. Too many confuse buying tools with acquiring skills. A well-trained forensics examiner can
do the job with a hex editor and a viewer application. We turn to forensic suites like
Guidance Software’s EnCase or AccessData’s FTK to automate routine tasks,
improve efficiency and lower costs; but don’t think you can buy a program that
makes you ready to throw your hat in the ring as an expert.
Step Six: Invest in solid equipment and reliable tools, but be sure you know how they
work and can prove their worth.
Earning: For a
private practitioner, it’s all just a hobby without paying customers, so
acquire the marketing and business skills to attract good business, satisfy
clients and make ends meet. The
demand for skilled, experienced computer forensic examiners is growing at a
fantastic rate; yet you won’t benefit without the marketing and financial
acumen needed to transform opportunity into a good job or thriving business.
Step Seven: Learn to attract good business, satisfy clients and make ends meet.
Seven E’s + Qualities =
A successful forensic examiner
is, at once, teacher and student, experimenter, skeptic, confidante,
translator, analogist and raconteur.
So many qualities distinguish the best examiners; among them, integrity,
intellectual honesty, tenacity, technical skill, imagination, insatiable
curiosity, patience, caution, discretion, attention to detail and the ability
to see both the forest and the trees.
Most of these aren’t gleaned by
study but are parts of one’s character brought to the work. The Seven E’s explain how to become a qualified
computer forensics examiner. Add these qualities to become a good one.
Craig Ball is a board-certified trial
attorney and certified computer forensic examiner based in Austin, Texas. He limits his practice to service as a
court-appointed Special Master, neutral expert and private consultant in
computer forensics and electronic discovery. His syndicated electronic evidence column, “Ball in
Your Court,” appears in