Starting A Career in Digital Forensics: Part 1
Can anyone remember when computers and cell phones did not impact our daily lives? Today, the majority of us take for granted that these technological marvels are necessary for our daily existence. However, this has not come without a concomitant price, that being the enormous proliferation of cybercrime which is directly related to the prevalence of these devices. Cybercrime has now reached epidemic proportions, causing the loss of billions of dollars annually. Daily, crimes such as identity theft and fraud, online child exploitation, child pornography, hacking, and intellectual property theft continue to make headlines. Many illegal drug deals are arranged using e-mail and/or text messaging. Frequently, cell phones containing probative information are encountered at crime scenes. Digital surveillance systems routinely capture crimes as they are being committed. Not surprisingly, many individuals post information about their criminal offenses on one or more of the social networking sites!
Responding to Cybercrime
Not too long ago, there were few public sector agencies fully equipped and staffed to perform analysis on digital media. Many employed examiners whose prior experience consisted of being a sworn officer or investigator. Internal and external training programs were limited and not formalized. There was a paucity of forensic software and hardware, and it was expensive. Due to the scarcity of trained examiners and the associated costs, there were even fewer private sector agencies offering digital forensic services. Likewise, there were virtually no undergraduate or graduate programs to assist in preparing an individual for a career in digital forensics. However, over the past ten years or so, the landscape has dramatically changed with the expansion of digital forensics services in both the public and private sectors. External training programs and technical certifications are now commonplace, as are undergraduate and graduate degree programs in digital forensics. The diversity and complexity of currently available forensic software and hardware tools far exceed what was available just several years ago.
“What Do I Do?”
A question often asked is, “What education and training is necessary to work in digital forensics?” There is no single, simple answer to this question. First of all, an individual has to choose a career pathway, namely whether they wish to work in the public sector or in the private sector. These divergent paths may eventually lead to:
- Different types of employers.
- Working with different types of employees.
- Needing different qualifications.
- Working on distinct types of cases.
- Having different job expectations.
- Differences in salaries and benefit packages.
The Public Sector
Examiners are routinely employed by government regulatory agencies, the intelligence agencies, the military, and by many federal, state, county, and local law enforcement agencies. Before choosing a public sector career path, there are a number of important points to consider, some of which may include:
- Funding is normally provided via taxing authorities.
- Agency requirements to follow certain federal, state, or local mandates which could impact hiring and promotional opportunities.
- Requiring prospective employees to undergo a thorough background investigation which normally includes fingerprinting, drug testing, and/or polygraph examination.
- Examiners mandated to sign contracts to remain with the agency for a period of time after they are trained.
- Agency requirements for random drug testing.
- Law enforcement agency examiners being exposed to some of the most appalling types of cybercrime, namely child exploitation cases and child pornography.
- Examinations and reports being confidential and not intended for general discussion and dissemination.
- Strict security access requirements to the area where examinations are conducted and where digital evidence is stored.
- Examiners assisting investigators at violent crime scenes (homicide, suicide, rape, etc.) to retrieve and/or image computers in unsafe, potentially contaminated environments. Frequently this occurs outside of the normal work hours or work day.
- Shortages of trained personnel and large case backlogs.
- Agencies instituting “quotas” regarding the amount/type of work examiners are expected to complete within a defined time frame.
- Accreditation issues. There are a number of practices which examiners will be required to follow: a documented training program, maintaining chain of custody records, verification/validation of technical procedures, routine proficiency testing, use of appropriate standards and controls during testing, peer review of case records, courtroom testimony monitoring, annual reviews and audits, and so forth.
Some law enforcement agencies only employ sworn examiners. When examiner vacancies occur, sworn personnel with technology degrees or backgrounds are normally promoted or the agency may instead identify and train other sworn personnel. There are a number of sound, logical reasons for this approach. Some of those reasons include:
- Before being hired, candidates have to meet certain minimum educational, psychological, and physical requirements.
- They have already been through officer basic training.
- Familiarity with agency policy and procedure.
- Practice in writing and executing search warrants.
- Regularly conducting investigations and making arrests.
- Routinely working with prosecutors and the criminal justice system.
- Experience in court testimony.
So, how can a non-sworn individual end up working as a sworn examiner? The individual would first have to become a sworn officer and then, hopefully, be promoted at a later date. (Recent trends show some agencies hiring sworn examiners from another agency or recruiting non-sworn, experienced digital forensics examiners and training them to become sworn officers.)
Many public sector agencies employ non-sworn examiners. However, those examiner positions are not easily obtainable. When vacancies become available, the agency will generally promote current employees with science degrees or technical degrees and train them to become examiners or may instead identify and train other personnel. The bigger the agency, the more likely this is to occur. Under these circumstances, to eventually obtain an examiner position, an individual may initially have to seek employment in another capacity within the agency. At a later date, when an examiner position becomes available, they then could apply for that position. Their chances would improve if they have a science or technology degree and some prior experience and/or technical certifications. However, there are no guarantees. The agency may very well seek to employ an already fully trained, experienced, court qualified examiner rather than promote from within.
This discussion will continue in a future issue of DFI News.
John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Forensic Evidence” published by Humana Press.