Making a Career In Digital Forensics: A New Age Career


Iqbal Singh, Founder, Forces Network


With increasing digitization and automation the surface area for attack for cyber criminals has increased exponentially. Cybercrime is on the rise and jobs in digital or computer forensics are in great demand. It is a branch of digital forensic science. Using technology and investigative techniques, digital forensics helps identify, collect, and store evidence from an electronic device. Digital forensics can be used by law enforcement agencies in a court of law, or by businesses and individuals to recover lost or damaged data. The goal of computer forensics is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it. It essentially involves data recovery with legal compliance guidelines to make the information admissible in legal proceedings. The terms digital forensics and cyber forensics are often used as synonyms for computer forensics.

Digital forensics starts with the collection of information in a way that maintains its integrity. Investigators then analyze the data or system to determine if it was changed, how it was changed and who made the changes. The use of computer forensics isn’t always tied to a crime. The forensic process is also used as part of data recovery processes to gather data from a crashed server, failed drive, reformatted operating system (OS) or other situation where a system has unexpectedly stopped working. Businesses also use computer forensics to track information related to a system or network compromise, which can be used to identify and prosecute cyber attackers. Businesses can also use digital forensic experts and processes to help them with data recovery in the event of a system or network failure caused by a natural or other disaster. Typically they investigate security breaches on a computer system, network, website, or database to find out how they occurred, endeavour to retrieve lost files, and repair damaged data while strengthening the security system to prevent reoccurrence.


Where Do They Work? 

Many computer forensic investigators work within the law enforcement industry, whether directly for law enforcement agencies or for private firms hired by agencies to manage digital evidence. It’s also possible to work as a forensic analyst for a private company. In this case, you’re likely to be tasked with identifying vulnerabilities, investigating breaches, and attempting to retrieve data from damaged or compromised digital storage devices. Some digital forensic investigator jobs require you to be on call to respond to incidents that might not occur during regular business hours. You can also work as a freelancer in this domain. See the profiles of typical freelancers billing in a range from $20- $200 per hour.

Salary. Digital forensic analysts in the US make an average base salary of $74,575, according to Glassdoor, as of December 2022. Job sites ZipRecruiter and CyberSeek report salaries of $73,271 (computer forensic investigator) and $100,000 (cyber crime analyst), respectively.\\

Job openings. To get a feel of the kind of job openings, take a look at indeed website for such roles.

Types of Digital Forensics

There are Several Types of Digital Forensics

There are various types of computer/ digital forensic examinations. Each deals with a specific aspect of information technology. Some of the main types include the following:

  • Database Forensics.The examination of information contained in databases, both data and related metadata.
  • Email Forensics.The recovery and analysis of emails and other information contained in email platforms, such as schedules and contacts.
  • Malware Forensics.Sifting through code to identify possible malicious programs and analyzing their payload. Such programs may include Trojan horsesransomware or various viruses.
  • Memory Forensics. Collecting information stored in a computer’s random access memory (RAM) and cache.
  • Mobile Forensics. The examination of mobile devices to retrieve and analyze the information they contain, including contacts, incoming and outgoing text messages, pictures and video files.
  • Network Forensics. Looking for evidence by monitoring network traffic, using tools such as a firewall or intrusion detection system.

How Does Computer Forensics Work?

Forensic investigators typically follow standard procedures, which vary depending on the context of the forensic investigation, the device being investigated or the information investigators are looking for. In general, these procedures include the following three steps:

  • Data Collection. Electronically stored information must be collected in a way that maintains its integrity. This often involves physically isolating the device under investigation to ensure it cannot be accidentally contaminated or tampered with. Examiners make a digital copy, also called a forensic image, of the device’s storage media, and then they lock the original device in a safe or other secure facility to maintain its pristine condition. The investigation is conducted on the digital copy. In other cases, publicly available information may be used for forensic purposes such as Facebook posts or public Venmo charges for purchasing illegal products or services displayed on the Vicemo website.
  • Analysis. Investigators analyze digital copies of storage media in a sterile environment to gather the information for a case. Various tools are used to assist in this process, including Basis Technology’s Autopsy for hard drive investigations and the Wireshark network protocol analyzer. A mouse jiggler is useful when examining a computer to keep it from falling asleep and losing volatile memory data that is lost when the computer goes to sleep or loses power.
  • Presentation. The forensic investigators present their findings in a legal proceeding, where a judge or jury uses them to help determine the result of a lawsuit. In a data recovery situation, forensic investigators present what they were able to recover from a compromised system.

Often, multiple tools are used in computer forensic investigations. A researcher at Kaspersky Lab in Asia created an open source forensics tool for remotely collecting malware evidence without compromising system integrity.

Techniques Used By Forensic Investigators

Investigators use a variety of techniques and proprietary forensic applications to examine the copy they’ve made of a compromised device. They search hidden folders and unallocated disk space for copies of deleted, encrypted or damaged files. Any evidence found on the digital copy is carefully documented in a finding report and verified with the original device in preparation for legal proceedings that involve discovery, depositions or actual litigation.

Computer forensic investigations use a combination of techniques and expert knowledge. Some common techniques include the following:

  • Reverse steganography.Steganography is a common tactic used to hide data inside any type of digital file, message or data stream. Computer forensic experts reverse a steganography attempt by analyzing the data hashing that the file in question contains. If a cybercriminal hides important information inside an image or other digital file, it may look the same before and after to the untrained eye, but the underlying hash or string of data that represents the image will change.
  • Stochastic Forensics.Here, investigators analyze and reconstruct digital activity without the use of digital artifacts. Artifacts are unintended alterations of data that occur from digital processes. Artifacts include clues related to a digital crime such as changes to file attributes during data theft. Stochastic forensics is frequently used in data breach investigations where the attacker is thought to be an insider, who might not leave behind digital artifacts.
  • Cross-Drive Analysis.This technique correlates and cross-references information found on multiple computer drives to search for, analyze and preserve information relevant to an investigation. Events that raise suspicion are compared with information on other drives to look for similarities and provide context. This is also known as anomaly detection.
  • Live Analysis.With this technique, a computer is analyzed from within the OS while the computer or device is running, using system tools on the computer. The analysis looks at volatile data, which is often stored in cache or RAM. Many tools used to extract volatile data require the computer in to be in a forensic lab to maintain the legitimacy of a chain of evidence.
  • Deleted File Recovery.This technique involves searching a computer system and memory for fragments of files that were partially deleted in one place but leave traces elsewhere on the machine. This is sometimes known as file carving or data carving.
An Example of Stochastic Forensics

(Book Reference: To know more about computer forensic analytics refer the book Python Forensics: A Workbench for Inventing and Sharing Digital Forensic Technology, by Chet Hosmer. It shows how to use Python and cybersecurity technology to preserve digital evidence.)

How Digital Forensics Has Been Used as Evidence?

Digital forensics has been used as evidence by law enforcement agencies and in criminal and civil law since 1980s. Some high profile cases include the following

  • Google Trade Secret Theft.  Anthony Scott Levandowski, a former executive of both Uber and Google, was charged with 33 counts of trade secret theft in 2019. From 2009 to 2016, Levandowski worked in Google’s self-driving car program, where he downloaded thousands of files related to the program from a password-protected corporate server. He departed from Google and created Otto, a self-driving truck company, which Uber bought in 2016, according to The New York Times. Levandowski pleaded guilty to one count of trade secrets theft and was sentenced to 18 months in prison and $851,499 in fines and restitution.
  • Michael Jackson. Investigators used metadata and medical documents from Michael Jackson’s doctor’s iPhone that showed the doctor, Conrad Murray, prescribed lethal amounts of medication to Jackson, who died in 2009.
  • Apple Trade Secret Theft.An engineer named Xiaolang Zhang at Apple’s autonomous car division announced his retirement and said he would be moving back to China to take care of his elderly mother. He told his manager he planned to work at an electronic car manufacturer in China, raising suspicion. According to a Federal Bureau of Investigation (FBI) affidavit, Apple’s security team reviewed Zhang’s activity on the company network and found, in the days prior to his resignation; he downloaded trade secrets from confidential company databases to which he had access. He was indicted by the FBI in 2018.
  • Enron. In one of the most commonly cited accounting fraud scandals, Enron, a U.S. energy, commodities and services company, falsely reported billions of dollars in revenue before going bankrupt in 2001, causing financial harm to many employees and other people who had invested in the company. Computer forensic analysts examined terabytes of data to understand the complex fraud scheme. The scandal was a significant factor in the passing of the Sarbanes-Oxley Act of 2002, which set new accounting compliance requirements for public companies. The company declared bankruptcy in 2001.

Career Paths in Digital Forensics

Digital forensics has become its own area of scientific expertise, with accompanying coursework and certification. Some examples of cyber forensic career paths include the following:

  • Forensic Engineer.These professionals deal with the collection stage of the computer forensic process, gathering data and preparing it for analysis. They help determine how a device failed.
  • Forensic Accountant.This position deals with crimes involving money laundering and other transactions made to cover up illegal activity.
  • Cybersecurity Analyst.This position deals with analyzing data once it has been collected and drawing insights that can later be used to improve an organization’s cybersecurity strategy.

How To Build Digital Forensics Skills

Success in cybersecurity, including digital forensics, often relies on having the right technical and workplace skills for the role. For a career as a computer forensic investigator, consider investing in skills like

  • Digital Storage Devices:  Understand how data is stored on hard drives and consumer electronic devices, so you’re better equipped to retrieve critical or compromised data.
  • Operating Systems: You’ll need to know how to find and retrieve information from Windows, Linux, macOS, Unix, and Android devices.
  • Cryptography: Often, the data you’ll need to retrieve and analyze are encrypted, so it’s critical to understand encryption and decryption methods
  • Communication: You may be tasked with documenting evidence and writing reports on your findings. In this role, you may have to communicate technical concepts to non-technical audiences, like company executives or juries.
  • Malware Engineering: You may be tasked with reverse engineering a piece of malware to better understand its functionality and impact.
  • Digital Forensic Software: Programs like Forensic Toolkit (FTK) contain a collection of forensic tools to help you scan devices for information and crack encryptions.
  • Data Privacy Laws: Since you’ll be working with sometimes sensitive data, you’ll need to be familiar with local, federal, and international data protection laws.
  • Problem-Solving:Rarely is the data you’re looking for sitting out for you to find easily. Instead, be prepared to do some sleuthing to solve complex problems.

Relevant Certifications

Earning a relevant cybersecurity certification can validate your skills to recruiters and hiring managers, enhance your resume, and open up new job opportunities. Some commonly-demanded certifications for digital forensics jobs include:

Certifications Give you a Leg Up In Your Job Hunting
  • Certified Computer Examiner (CCE): The principal certification offered by the ISFCE is the Certified Computer Examiner (CCE). First awarded in 2003, this certification is the result of the ISFCE’s desire to increase the level of professionalism and further the field and science of computer forensics.
  • EnCase Certified Examiner (EnCE): The EnCase™ Certified Examiner (EnCE) program certifies both public and private sector professionals in the use of Opentext™ EnCase™ Forensic. EnCE certification acknowledges that professionals have mastered computer investigation methodology as well as the use of EnCase software during complex computer examinations.Recognized by both the law enforcement and corporate communities as a symbol of in-depth computer forensics knowledge, EnCE certification illustrates that an investigator is a skilled computer examiner.
  • GIAC Certified Forensic Analyst (GCFA): The GCFA certifies that candidates have the knowledge, skills, and ability to conduct formal incident investigations and handle advanced incident handling scenarios, including internal and external data breach intrusions, advanced persistent threats, anti-forensic techniques used by attackers, and complex digital forensic cases. The GCFA certification focuses on core skills required to collect and analyze data computer systems.
  • GIAC Certified Forensic Examiner (GCFE): The GIAC Certified Forensic Examiner (GCFE) certification validates a practitioner’s knowledge of computer forensic analysis, with an emphasis on core skills required to collect and analyze data from Windows computer systems. GCFE certification holders have the knowledge, skills, and ability to conduct typical incident investigations including e-Discovery, forensic analysis and reporting, evidence acquisition, browser forensics and tracing user and application activities on Windows systems.
  • GIAC Network Forensic Analyst (GNFA): The GIAC Network Forensic Analyst (GNFA) certification validates a practitioner’s ability to perform examinations employing network forensic artifact analysis. GNFA certification holders have demonstrated an understanding of the fundamentals of network forensics, normal and abnormal conditions for common network protocols, processes and tools used to examine device and system logs, and wireless communication and encrypted protocols.
  • Certified Information Privacy Professional (CIPP): The IAPP offers the most encompassing, up-to-date and sought-after global training and certification program for privacy and data protection. The Certified Information Privacy Professional (CIPP) helps organizations around the world bolster compliance and risk mitigation practices, and arms practitioners with the insight needed to add more value to their businesses.


Pick a Career Path from a Myriad of Options in Digital Forensics

Digital forensics is a new age sunrise career. In addition, it is an exciting field to work in as no two days are likely to be the same. It also calls for a breadth of skills. Also, it is a highly paying career and as one gains in experience one also can become a freelance consultant billing on global projects while sitting in the comfort of your home. This can be a suitable career for veterans who have a curious mindset, are continuous learners and like to work in a fast paced environment. However, it calls for a adequate preparation especially by way of certifications which ideally must be gained while still in military service.  With average cost of a security breach increasing with each passing day for an organization they are now more willing to invest in cyber security including hiring the relevant professionals. This makes this career future proof at least in the immediate future.

About the AuthorIqbal Singh joined the NDA in Jan 1984 and was commissioned into 4 GARH RIF in Dec 1987. He took premature retirement in 2008 with an ambition to make a career in the technology industry. He has worked with Satyam Computers at Hyderabad and Nokia at Noida. Currently he is working with a Big Tech firm based at Gurgaon. Iqbal likes to explain complexity with simplicity. He believes that anyone can make a career in tech with some upskilling and effort.



Leave a Comment