Investigating the Ins and Outs of Computer Forensics
By Brianna Flavin on 05/27/2019
There’s something innately cool about the field of forensics. To the outside observer, the process of digging into evidence to help solve crimes or bring proof to a courtroom seems like something out of a Sherlock Holmes story.
And if we’re talking computer forensics, the plot definitely thickens! The complexity of digital tools makes digital forensics pretty specialized work—bringing the legal system and the electronic world together to investigate crimes and solve problems.
If that kind of pairing gets your brain whirring, keep reading! We asked experts in computer forensics to share their insights into this fascinating career.
What is computer forensics?
Computer forensics (also known as digital forensics) is the practice of collecting, analyzing and reporting on data in a way that meets the standards of our legal system. So basically, anytime you need evidence from a digital device to use in court or any legal proceeding—computer forensics will be involved.
So when does this come into play? Situations like intellectual property theft, fraud investigations, employment disputes and bankruptcy investigations are common territory for computer forensic analysts—but that barely scratches the surface of what these professionals get into.
This career can also vary widely depending on the employer. For example, some forensic analysts work in law enforcement, and must meet their state’s requirements to work as law enforcement officers.
Certified forensic analyst and investigator Ryan Massfeller explains that police forensic examiners must be sworn law officers in most states. “Many of the cases we work on deal with sexually exploitive images of children and cannot be processed by anyone outside of law enforcement.”
Another side of computer forensics is in the private sector. Greg Kelley, chief technology officer of Vestige Digital Investigations, deals with cases that clients bring in—such as data theft or evidence surrounding viruses and compromised data.
“Every case is different,” Kelley says. “Even if we are examining 10 computers for evidence of employee theft of data, the circumstances and results are different. Whether it is a forensic analysis of an ESXi server or encountering a yet-unheard-of virus, there is always something different.”
While deeply in the realm of technology, computer forensics also merges with legal and law enforcement territory. There are plenty of rules to follow if you want a piece of evidence to be legally admissible.
“What takes the most of my time are typically acquisition and handling requirements,” says Dennis Chow, chief information security officer of SCIS Security. He explains that these often-tedious requirements exist so that the data used in legal proceedings is airtight and cannot be challenged or rejected as tampered with.
How do you become a digital forensic analyst?
According to the Bureau of Labor Statistics (BLS), professionals in digital forensic science often need at least a bachelor’s degree.[1] More specialized training offered by the employer, a credentialing organization or a police academy may come later, depending on where you hope to work.
Kelley’s career began in IT with a computer engineering background. “Some of our clients were smaller law firms who started asking us if we could recover deleted files or examine a hard drive.” Kelley says looking into this demand led to specializing in computer forensics.
IT led to SOC (security operations center) analyst work for Chow, which in turn led to investigating malware. “With my written and verbal skills, I discovered working with legal teams was quite easy for me,” Chow says.
In law enforcement, digital forensic analysts usually need to graduate from a police academy or state-approved training program for police officers. But the background in technology is important, too. Massfeller had a decade of IT administration experience before applying to work in law enforcement.
“Most forensic examiners working in law enforcement have worked through the ranks as a police officer, to detectives, to eventually working in forensics,” Massfeller says. “I on the other hand was hired directly into the lab given my experience and skills and turned into a cop.”
What does a digital forensic analyst do?
It’s helpful to get the bird’s-eye view, but what does being a digital forensic analyst really look like? We asked our experts to share some of the work they do most often, to help you see the inside of this career.
1. Proactive scanning
As a detective, Massfeller doesn’t simply deal with devices brought to the precinct. Law enforcement digital forensic analysts also hunt for criminal activity. “Routinely we proactively scan peer to peer networks looking for torrents that are known to contain sexually exploitive images of children,” Massfeller says. When they find something, the process of obtaining warrants and evidence begins.
2. Filling out legal documentation
Whether the paperwork is to satisfy acquisition requirements, request information or get a warrant signed by a judge—computer forensic analysts spend lots of time dotting their ‘i’s.
Massfeller says he writes court orders and search warrants in the process of obtaining evidence. “We also write a full forensic report documenting the steps we took to find the evidence,” Massfeller says. Digital forensic analysts might need to present their findings in court—in which case documenting and adhering to restrictions is of utmost importance.
3. Physical investigation
“We examiners suit up in full body armor and execute a search of the property for electronic devices,” Massfeller says. “We also typically interview the suspect to find out about any passwords or browsing behaviors. Once the seized evidence is secured at the computer forensics lab we begin processing it in a forensically sound manner.”
4. Using digital forensic tools to find data on devices
This is where the digital forensic magic happens. “With computers we make a forensic image of the suspect’s hard drive behind a write blocker or with a cellphone using software and sometimes hardware exploits to download the information from the device,” Massfeller explains. When the information is obtained, digital forensic analysts search it for evidence.
“The most challenging aspect about the job is that you need to really find efficiencies in how you investigate each case,” Chow says. “You’re shifting and sleuthing against tons of data trying to find IOCs or other mission objectives, and you typically don’t have much time.”
Digital forensic analysts need to stay sharp in their critical thinking and stay current on technology and digital forensic tools to keep this process efficient, effective and legally admissible.
5. Presenting computer forensic evidence in a trial
If the digital forensic evidence is involved in a legal proceeding, analysts might need to present their findings to a judge.
“At trial we are qualified as expert witnesses,” Massfeller says of law enforcement officers who are digital forensic analysts. “We present our findings to a jury and a verdict is reached. It’s a lengthy process to give everyone due process.”
6. Staying up to date with technology
“There are two very challenging aspects of the job,” Kelley says. “The first is staying up to date with the latest technologies.” Kelley says that includes operating systems, updates to programs running, forensic applications and new viruses and vulnerabilities.
When it comes to evidence or risk of a breach or theft—companies, individuals and entities of all kinds want their answers in a hurry. Digital forensic analysts need to be at the top of their technological game to stay competitive and effective in the job.
That’s not to say you can make everyone happy. Kelley says the other most challenging part of the job is satisfying clients who don’t understand the technology.
“Client demands for getting answers sometimes test the capabilities of our tools, skills and even the laws of physics when it comes to the speed of the computers we use,” Kelley says.
Computer forensics on the horizon
Computer and digital forensics are likely to become even more critical as technological capabilities and access grow. Digital forensic analysts engage in the critical work of digital accountability, and employers as well as law enforcement organizations rely on their skills—and the evidence they find.
“It is complex and challenging work in high demand,” Chow says. If that’s something that appeals to you, check out some of the precursors to computer forensics by reading our article “8 Signs You’re Wired for Working in a Cyber Security Career.”
[1] Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, [information accessed May 8, 2019] www.bls.gov/ooh/. Information represents national, averaged data for the occupations listed and includes workers at all levels of education and experience. Employment conditions in your area may vary.