Home | About | Engagement | FAQ |   Contact


Becoming a Computer Forensic Examiner

One of the most frequently asked questions I get is, “How do I become a computer forensic specialist?”  Though I hold strong views on that, I feel obliged to note that I don’t offer my ongoing path as an example.  Who wants to hear, “First, become passionate about electronics as a child, go to law school, try cases for twenty-five years, teach yourself the discipline almost before it was a discipline and then pursue formal training to ascertain whether what you   thinkyou understand is what you really need to know?”  It smacks of the Cheshire Cat-like reply forensics guru Andy Rosen gives when cross-examined about his lack of conventional training: “I went to the same flight school Orville and Wilbur Wright attended.”

In the end, success as a computer forensic examiner comes down to qualifying and performing as an expert in court.  I’ve boiled down the efforts I think matter most in becoming a skilled and successful computer forensics expert into “The Seven E’s:”

1.           Exploration

2.           Education

3.           Experimentation

4.           Experience

5.           Exchange

6.           Equipment

7.           Earning

Exploration:  The lion’s share of computer forensics knowledge is self-taught.  The best computer forensics experts are insatiably curious about how and why computers work.  They spend much of their time reading about software, hardware, registry keys and root kits, and they live for the joy of figuring out how it all fits together.

There’s a wealth of information out there: in books (search for Computer Forensics) and online, in discussion forums and product FAQs, in user groups and confabs.  If these diversions aren’t your idea of a good time, computer forensics isn’t where you’ll be happy.

Step One: Read extensively about computers forensics.

Education: Unless, like Andy Rosen, you can honestly say you helped invent computer forensics, you’ll need formal education to shore up your general analytical and communication skills and to insure that the methods you employ are sound and thorough.  Like it or not, you’re vulnerable in the courtroom without a college degree, and it’s harder to get traction as an expert when your only sheepskin is from You U.  A computer science or law degree is nice, but your degree can be in philosophy or animal husbandry, so long as you go on to study computer forensics in a meaningful and comprehensive way.  Professional certifications that legitimately demonstrate training, testing and practical experience have value in helping courts, clients and potential employers assess qualifications.

There are excellent courses of study offered by universities, forensic tool vendors (e.g., X-Ways, Guidance Software and SANS), professional associations (e.g., HTCIA), law enforcement agencies (IACIS and FLETC--only available to government personnel) and others. 

Forensics training needn’t be college credit bearing, but don’t fool yourself into thinking that a week long boot camp is sufficient to qualify you as an expert.  If you’re coming from law enforcement or government, extensive experience and training may supplant the need for a college degree but recognize that in a battle between an experienced examiner and one holding an advanced degree, juries may defer to the latter.  Note also that some jurisdictions require licensure to perform forensic investigations, so be sure that your education includes what it takes to legally offer your services for hire in your state or province.

Step Two: Get a college degree and complete as many formal courses of study and certifications in computer forensics as your time and budget allow.

Experimentation: Every case is different, so the answer you seek may not be in the literature, the forums or the ken of an experienced colleague.  Sometimes, you have to test your theories.  The ability to construct illuminating experiments and the patience to elicit the data is a hallmark of skilled computer forensic examiners.  If you need to know how a file or metadata changes when a user does something or what digital detritus is left behind, you’ll be best prepared to testify if you’ve proven your theory by competent experimentation.

Step Three: Experiment with systems, applications and operating systems to gain hands on appreciation of how they work and what they do.

Experience: You can study forensics and muck about in the realm of the theoretical until the cows come home, but there’s no substitute for applying your skills and testifying in real cases.  Experience is the catch-22 of many professions:  you can’t get work without experience and you can’t get experience without work.  Apprentice to a more experienced examiner or offer to assist attorneys, IT or local law enforcement at little or no cost.  If confidentiality concerns can be allayed, a local experienced examiner might be willing to let you assist in performing a “shadow exam, if only out of a desire to see if you find something he or she didn’t see.  

Step Four: Work on real cases and real media, then welcome every opportunity to have your opinions tested by experienced cross-examiners.

Exchange: Every examiner benefits from the exchange of ideas with skilled, experienced colleagues.  Join local and national industry associations, go to meetings and conventions, subscribe to online discussion groups, read forum postings (Google computer forensic forum) and unselfishly share what you learn and benefit from what others share.  The computer forensics community is very supportive but appreciate that other examiners may justifiably regard you as a competitor or adversary, so don’t expect them to reveal all or do your work for you.  Show respect for others by first doing your homework.  Don’t waste time with a question that’s been asked and answered in a prior posting or one you took no steps to address on your own.  Be a learner, not a leech.

Step Five: Network with other examiners, ask questions and earn their trust.  If you learn something useful, share it.

Equipment:  Learn the tools and techniques suited to the task and invest in them.  That means using reliable hardware, properly licensing commercial software, keeping applications patched and up-to-date, testing tools to insure they’re reliable, cross-validating results and knowing how the tools work their magic.  Too many confuse buying tools with acquiring skills.  A well-trained forensics examiner can do the job with a hex editor and a viewer application.  We turn to forensic suites like X-Ways Forensics, Guidance Software’s EnCase or Access Data’s FTK to automate routine tasks, improve efficiency and lower costs; but don’t think you can buy a program that makes you ready to throw your hat in the ring as an expert.  

Step Six: Invest in solid equipment and reliable tools, but be sure you know how they work and can prove their worth.

Earning:  For a private practitioner, it’s all just a hobby without paying customers, so acquire the marketing and business skills to attract good business, satisfy clients and make ends meet.  The demand for skilled, experienced computer forensic examiners is growing at a fantastic rate; yet you won’t benefit without the marketing and financial acumen needed to transform opportunity into a good job or thriving business.

Step Seven: Learn to attract good business, satisfy clients and make ends meet.
Seven E’s + Qualities = Success 
A successful forensic examiner is, at once, teacher and student, experimenter, skeptic, confidante, translator, analogist and raconteur.  So many qualities distinguish the best examiners; among them, integrity, intellectual honesty, tenacity, technical skill, imagination, insatiable curiosity, patience, caution, discretion, attention to detail and the ability to see both the forest and the trees. 

Most of these aren’t gleaned by study but are parts of one’s character brought to the work.  The Seven E’s explain how to become a qualified computer forensics examiner.  Add these qualities to become a good one.


Craig Ball is a board-certified Texas trial attorney and certified computer forensic examiner based in New Orleans, Louisiana and Austin, Texas.  He limits his practice to service as a court-appointed Special Master, neutral expert and private consultant in computer forensics and electronic discovery.