Becoming a Computer Forensic Examiner
One of the most frequently asked questions I get
is, “How do I become a computer forensic specialist?” Though I hold strong views on that, I feel obliged to
note that I don’t offer my ongoing path as an example. Who wants to hear, “First, become passionate about
electronics as a child, go to law school, try cases for twenty-five years,
teach yourself the discipline almost before it was a discipline and then pursue
formal training to ascertain whether what you thinkyou
understand is what you really need to know?” It
smacks of the Cheshire Cat-like reply forensics guru Andy Rosen gives when
cross-examined about his lack of conventional training: “I
went to the same flight school Orville and Wilbur Wright attended.”
In the end, success as a computer forensic examiner comes down to
qualifying and performing as an expert in court. I’ve boiled down
the efforts I think matter most in becoming a skilled and successful computer
forensics expert into “The Seven E’s:”
Exploration: The lion’s share of computer forensics knowledge
is self-taught. The best computer forensics experts are insatiably
curious about how and why computers work. They spend much of their
time reading about software, hardware, registry keys and root kits, and they
live for the joy of figuring out how it all fits together.
There’s a wealth of information out there: in books (search Amazon.com for Computer Forensics) and online, in
discussion forums and product FAQs, in user groups and confabs. If
these diversions aren’t your idea of a good time, computer forensics isn’t
where you’ll be happy.
Step One: Read
extensively about computers forensics.
Education: Unless, like Andy Rosen, you can
honestly say you helped invent computer forensics, you’ll need formal education
to shore up your general analytical and communication skills and to insure that the methods you employ are sound and
thorough. Like it or not, you’re vulnerable in the courtroom without
a college degree, and it’s harder to get traction as an expert when your only
sheepskin is from You U. A computer science or law degree is nice,
but your degree can be in philosophy or animal husbandry, so long as you go on
to study computer forensics in a meaningful and comprehensive
way. Professional certifications that legitimately demonstrate
training, testing and practical experience have value in helping courts,
clients and potential employers assess qualifications.
There are excellent courses of study offered by universities, forensic tool
vendors (e.g., X-Ways, Guidance Software and SANS), professional
associations (e.g., HTCIA), law enforcement agencies (IACIS and FLETC--only
available to government personnel) and others.
Forensics training needn’t be college credit bearing, but don’t fool yourself
into thinking that a week long
boot camp is sufficient to qualify you as an expert. If you’re
coming from law enforcement or government, extensive experience and training
may supplant the need for a college degree but recognize that in a battle
between an experienced examiner and one holding an advanced degree, juries may
defer to the latter. Note also that some jurisdictions require
licensure to perform forensic investigations, so be sure that your education
includes what it takes to legally offer your services for hire in your state or
Step Two: Get a
college degree and complete as many formal courses of study and certifications
in computer forensics as your time and budget allow.
Experimentation: Every case is different, so the answer
you seek may not be in the literature, the forums or the ken of an experienced
colleague. Sometimes, you have to test your
theories. The ability to construct illuminating experiments and the
patience to elicit the data is a hallmark of skilled computer forensic
examiners. If you need to know how a file or metadata changes when a
user does something or what digital detritus is left behind, you’ll be best prepared
to testify if you’ve proven your theory by competent experimentation.
Experiment with systems, applications and operating systems to gain hands on
appreciation of how they work and what they do.
Experience: You can study forensics and muck about in the realm of
the theoretical until the cows come home, but there’s no substitute for
applying your skills and testifying in real cases. Experience is the
catch-22 of many professions: you can’t get work without experience
and you can’t get experience without work. Apprentice to a more
experienced examiner or offer to assist attorneys, IT or local law enforcement
at little or no cost. If confidentiality concerns can be allayed, a
local experienced examiner might be willing to let you assist in performing a
“shadow exam, if only out of a desire to see if you find something he or she
Step Four: Work on
real cases and real media, then welcome every opportunity to have your opinions
tested by experienced cross-examiners.
Exchange: Every examiner benefits
from the exchange of ideas with skilled, experienced
colleagues. Join local and national industry associations, go to
meetings and conventions, subscribe to online discussion groups, read forum
postings (Google computer forensic forum) and unselfishly share
what you learn and benefit from what others share. The computer
forensics community is very supportive but appreciate that other examiners may
justifiably regard you as a competitor or adversary, so don’t expect them to
reveal all or do your work for you. Show respect for others by first
doing your homework. Don’t waste time with a question that’s been
asked and answered in a prior posting or one you took no steps to address on
your own. Be a learner, not a leech.
Step Five: Network
with other examiners, ask questions and earn their trust. If you
learn something useful, share it.
Equipment: Learn the tools and techniques suited
to the task and invest in them. That means using reliable hardware,
properly licensing commercial software, keeping applications patched and
up-to-date, testing tools to insure they’re reliable, cross-validating results
and knowing how the tools work their magic. Too many confuse buying
tools with acquiring skills. A well-trained forensics examiner can
do the job with a hex editor and a viewer application. We turn to
forensic suites like X-Ways Forensics, Guidance Software’s EnCase or Access Data’s FTK to
automate routine tasks, improve efficiency and lower costs; but don’t think you
can buy a program that makes you ready to throw your hat in the ring as an
Step Six: Invest in
solid equipment and reliable tools, but be sure you
know how they work and can prove their worth.
Earning: For a private practitioner, it’s all just a hobby
without paying customers, so acquire the marketing and business skills to
attract good business, satisfy clients and make ends meet. The
demand for skilled, experienced computer forensic examiners is growing at a
fantastic rate; yet you won’t benefit without the marketing and financial
acumen needed to transform opportunity into a good job or thriving business.
Step Seven: Learn to
attract good business, satisfy clients and make ends meet.
Seven E’s + Qualities = Success
A successful forensic examiner is, at once, teacher and student,
experimenter, skeptic, confidante, translator, analogist and
raconteur. So many qualities distinguish the best examiners; among
them, integrity, intellectual honesty, tenacity, technical skill, imagination,
insatiable curiosity, patience, caution, discretion, attention to detail and
the ability to see both the forest and the trees.
Most of these aren’t gleaned by study but are parts of one’s
character brought to the work. The Seven E’s explain how to become
a qualified computer forensics examiner. Add these
qualities to become a good one.
Craig Ball is a board-certified Texas trial
attorney and certified computer forensic examiner based in New Orleans,
Louisiana and Austin, Texas. He limits his practice to service as a
court-appointed Special Master, neutral expert and private consultant in
computer forensics and electronic discovery.