HOW TO BECOME A CYBER FORENSIC EXAMINER
From corporate crime to murder, computers play a role in nefarious activities as a target, as a medium, or as a container of evidence, and so specialists are required who combine skills in the various technologies with legal knowledge in order to gather digitally stored evidence. As high-profile data breaches such as those that hit Sony, JP Morgan, Home Depot etc. continue to grab headlines, the demand is rising for well-trained computer forensic experts who can conduct the requisite investigation to ascertain the offender and the cause of a security incident and help to mitigate the damage. With technologies changing dynamically, computer forensics is also undergoing rapid change; the main shift is that forensics is moving from hard disk/static data analysis to other storage areas, from the cloud to browser-based data and endpoints such as mobile phones.
Cyber crime has now reached epidemic proportions, causing losses of millions of dollars in the government as well as the private sector. Because of the inherent difficulty in securing convictions, arising from the global nature of cyber crime coupled with the volatility of digital evidence, the demand for computer forensic professionals has grown exponentially.
The Digital Forensic Science Research Workshop (DFRWS) defines digital forensic science as:
“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” With the exponential growth of e-governance, the development of technologies and the growth of expertise in cyber crime, the demand for cyber forensics has increased many-fold and the field has grown into various disciplines.
This forensic domain deals with evidence and the legal system, and is really the marriage of computer science, information technology and engineering with law. The various domains of cyber/digital forensics are:-
1. Computer Forensics:-
It refers to the process of recovering evidence from computers, laptops and connected devices. Recovery from the file system requires knowledge of the various file systems, the operating system and every application being used (for example, browsers such as Firefox or Explorer, e-mail clients etc.). One needs to know where each application keeps its system files and other logs. Different applications may then require different software to retrieve their data. Some applications are OS-independent, and you may even need the application itself to retrieve the data. Computer forensics further consists of three sub-domains:-
a. Windows Forensics:-
The wide use of the Windows operating system, with its different OS versions and server editions, has resulted in the emergence of Windows forensics as a separate discipline. To be proficient in Windows forensics, a person needs to know the structure of the different OS versions and file systems like FAT, NTFS etc., and how and where the OS maintains its system files and other logs. Different OS versions may have different default values, functionalities and locations of system/application files.
b. Mac Forensics :-
With the rapidly growing use of Mac computers, Mac forensics has also developed as a distinct discipline, with its own file systems as well as different OS versions.
c. Linux/UNIX Forensics:-
Similarly, open-source software and the Linux/UNIX OS family, being different again, have given rise to a separate discipline of which a forensic expert needs to be aware.
2. Network Forensics:-
It normally refers to collecting digital evidence relating to the movement of data over the network. It requires knowledge of networking concepts, website hosting, web applications, network devices, the OSI model, TCP/IP, routing and other network protocols. It is most relevant in today’s scenario, as the first objective is to trace the origin of data in order to identify cyber offenders.
3. Mobile Forensics :-
With the rapid spread of mobile devices, mobile technology has become one of the biggest challenges, particularly because most of the software used on mobiles is proprietary in nature. One needs different hardware to access the various mobiles and different software for making logical/physical extractions from them. Different mobiles may run different software, OSes and applications specific to the device. You may need programming knowledge, or you may have to develop your own program, to analyze a mobile system.
4. Cloud Forensics:-
Cloud forensics is the biggest challenge because of the cloud’s unique architecture, which is spread over the network and may lie in different jurisdictions governed by different laws and procedures for forensic examination.
A cyber forensics expert is expected to have knowledge of all these disciplines in order to successfully retrieve evidence relating to computers. Thus, digital forensics now requires a jack of all trades, and your knowledge of computer science, network-based technologies and mobile-based technologies determines your competency and effectiveness. Thereafter, when a new field emerges, the forensic expert should be able to learn on the fly.
Starting A Career
Becoming a computer forensic expert is much more difficult than most people envision, and it is too much for a single individual to swallow at once. The best way is to start with a computer science degree. Young aspirants can start from secondary education itself, which helps them understand the very basic concepts which later become the foundation for learning the subsequent techniques, concepts and frameworks of the computer forensics world.
Thereafter, the individual can take a degree in computer science and, in parallel, earn certifications in networking and in hacking methodologies through courses like CCNA, CEH etc., which not only refine the skills but also give an overview of the movement of data and of real-world threats. Until a few years ago there were virtually no undergraduate or postgraduate courses in computer forensics; with the expansion of digital forensic services in both the public and private sectors, external training programs, technical certifications and degree programs are now commonplace.
After graduation, the individual can go for specialized courses to learn computer forensics, advanced network technologies and mobile technologies, through courses such as CFCE, CCFP, CHFI and other domain-oriented courses. Since it is not possible for a single individual to acquire all these skills simultaneously, the best course of action is to choose a particular segment, such as computer forensics or network forensics, acquire expertise in that field, and combine it with the available job opportunities in the forensic arena. The individual can then move ahead slowly, consolidating their position at each level with a blend of theoretical and practical knowledge of the domain.
After reaching this level, one has to become more of a jack of all trades to understand and stay abreast of all the new technologies that come onto the market. It would be fair to say that, to a large extent, once the basic skills in computer/network forensics are in place, the skills required are flexibility and a great capacity to learn on the fly. Further, certifications like Certified Computer Examiner (CCE), Certified Forensic Computer Expert (CFCE) etc. may be obtained; these are only awarded after completing a certain amount of training, self-study or professional experience, and they give a potential employer assurance of a certain level of competency, thus advancing the future of cyber forensics aspirants.
After reaching postgraduate level and gaining 3-5 years of field experience, the individual can go for advanced professional courses such as CISA, CISSP, CISM etc., which not only integrate conceptual knowledge with the real world but also give the individual a broader view that may be converted into entrepreneurship or professional advancement, putting them in a position to reap the benefits and enjoy the profession. The skills at this level are international in nature, well respected and accepted beyond national boundaries, giving recognition which no other profession in the world would provide.
Computer forensic professionals are referred to by many titles, including Computer Forensic Investigator, Digital Media Analyst, Digital Forensic Expert and Digital Forensic Detective. Forensic expertise is required not just by law enforcement agencies but also in the corporate world, by incident response teams investigating hacking, data theft and the various other offences that form part of corporate espionage. The demand for skilled forensic experts will grow substantially with the increasing sophistication and frequency of cyber attacks. More and more companies are engaging full-time forensic professionals as part of their permanent/hybrid incident response teams as breaches have become more common.
Further, with increasing cyber threats and breaches bringing potential liabilities onto companies, computer forensics has itself developed into a ‘profession’, and like other professionals such as chartered accountants, lawyers and doctors, these computer professionals provide services to various small and large companies. It is not feasible for every company to have an incident response team with all the required expertise, so companies may still have to hire outside experts in the event of a major breach. Further, as evidence collection procedures have become more technical, requiring for instance the collection of memory dumps, which must be done in real time, computer forensics has developed ‘AS A SERVICE’. Thus, given the requisite skill level and the need to stay on the cutting edge of technology, outsourcing has become a dominant approach to gaining forensic expertise.
Though the type of investigation and examination performed may vary between the private and public sectors, demand in both is increasing due to the rapid growth in data and the development of data management systems as a separate component of enterprise information architecture. The private sector examiner, apart from providing services as a contractor to government departments, can be expected to provide evidence to private attorneys, corporations, private investigators and corporate security departments.
Training Over Education
The dilemma of quickly trained examiners produced through vendor training versus forensic examiners holding an appropriate degree needs to be understood.
A person equipped with vendor training or a small certification may be able to produce some useful results without an in-depth knowledge of file system architecture, but may not be able to withstand the challenges encountered during cross-examination and thus would not meet the threshold of due diligence. A forensic expert must be capable of conducting contextual analysis in order to link interdependencies between the recovered artifacts, so as to make his opinion/result meaningful to the case in hand.
The individual equipped only with forensic tools, also termed a ‘click monkey’ or ‘tool monkey’, uses automated tools but lacks knowledge of the concepts on which the tools work. Their success is therefore limited to the efficiency of the tool, which may not be sufficient for court testimony, where an expert may need to explain the concepts in order to link various pieces of evidence. Such ‘tool monkeys’ cannot explain the errors and limitations in the recovery and presentation of data which may occur as a result of design flaws, oversights or issues requiring interpretation of data structures. These people are incapable of detecting flaws in the tool or variations in the results that may emerge from the use of different tools, and thus they succumb to defence attacks. However, this does not apply to personnel belonging to law enforcement agencies, as they undergo appropriate training and spend considerable time searching for probative evidence and deposing in courts, and thus bring a wealth of knowledge and experience which personnel working in the private sector may never have.
On the other hand, experts with grounding in theoretical, technical and research methods are capable not only of comprehending the concepts underlying the tools but also of designing and executing effective tests for a desired solution. They are also in a position to recover the desired information even without using the tool, and thus can withstand defence attacks and make the evidence admissible in a court of law. A well-educated/trained expert is able to apply the desired due diligence, follow the steps to arrive at a solution, and for this purpose plan, develop and test solutions and explain them to corroborate the result as and when required.
Computer forensics is about striding through thousands or possibly millions of digital artifacts of different varieties and deriving inferences/results which provide inculpatory or exculpatory evidence relevant to the case. The forensic expert is the only person to analyze and see the majority of these artifacts, and if some of them are overlooked they will never be re-evaluated and their evidentiary value is lost. A tool may be able to recover a large number of images, but a technically qualified person is in a position to link fragments of images and other data which the tool may have missed, giving a more meaningful result. This skill has gained particular significance now that ample tools for wiping, purging and destroying data are available to cyber offenders; in many cases the expert may have to draw conclusions from remnants which may not otherwise look meaningful, or which the tool overlooked in the absence of a protocol/file signature. Such proficiency never comes through tool expertise alone.
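The point about tools keying on file signatures and missing fragments can be made concrete with a small signature carver. The following is an added example and not code from the article: it scans a constructed, labelled slice of "unallocated space" for JPEG start/end markers the way a simple automated carver would, then surfaces two cases the tool alone gets wrong, a fragmented file that the carver glues together with foreign data, and a tail remnant with no header signature that the carver skips entirely. All sample data and the function names (carve_jpegs, orphan_trailers, build_sample_image) are constructed for this demonstration.

```python
from typing import List, Tuple

# JPEG Start Of Image marker (0xFFD8) is always followed by another 0xFF marker byte,
# so searching for the three bytes cuts down false positives. End Of Image is 0xFFD9.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def carve_jpegs(image: bytes) -> List[Tuple[int, int]]:
    """Signature-based carving: for each SOI found, take everything up to the next EOI.

    Returns (start, end) byte offsets. This is what a simple automated carver does; it
    assumes each file is stored contiguously and is wrong whenever that assumption fails.
    """
    spans = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break  # header with no trailer anywhere after it: truncated file
        spans.append((start, end + len(JPEG_EOI)))
        pos = end + len(JPEG_EOI)
    return spans


def orphan_trailers(image: bytes, carved: List[Tuple[int, int]]) -> List[int]:
    """Offsets of EOI markers that lie outside every carved span.

    These are the remnants the article describes: the head of the file is gone
    (overwritten or wiped), so nothing carries the signature a carver keys on, yet the
    tail data may still be evidentially useful and deserves manual examination.
    """
    orphans = []
    pos = 0
    while True:
        off = image.find(JPEG_EOI, pos)
        if off == -1:
            break
        if not any(s <= off < e for s, e in carved):
            orphans.append(off)
        pos = off + 1
    return orphans


def build_sample_image() -> bytes:
    """Constructed stand-in for a slice of unallocated disk space (not real evidence)."""
    filler = b"\x00" * 16
    # 1. an intact picture stored contiguously
    intact = JPEG_SOI + b"\xe0" + b"INTACT-PIXELDATA" + JPEG_EOI
    # 2. a picture whose clusters are not adjacent: head, then unrelated data, then tail
    frag_head = JPEG_SOI + b"\xe0" + b"FRAG-HEAD"
    unrelated = b"unrelated text file contents"
    frag_tail = b"FRAG-TAIL" + JPEG_EOI
    # 3. a tail-only remnant whose header sectors were overwritten
    orphan = b"LEFTOVER-BYTES" + JPEG_EOI
    return (filler + intact + filler + frag_head + filler + unrelated
            + filler + frag_tail + filler + orphan + filler)


if __name__ == "__main__":
    img = build_sample_image()
    spans = carve_jpegs(img)
    for s, e in spans:
        blob = img[s:e]
        # a carved span that swallowed foreign data is a sign of fragmentation
        note = " <- contains unrelated data: fragmented, needs manual reassembly" if b"unrelated" in blob else ""
        print(f"carved JPEG candidate at {s}-{e} ({e - s} bytes){note}")
    for off in orphan_trailers(img, spans):
        print(f"orphan EOI at {off}: tail remnant with no signature, review by hand")
```

Run stand-alone it reports one clean candidate, one candidate that silently absorbed the unrelated text file between the two halves of the fragmented picture, and one orphan trailer the carver never reported. A real carver adds validation of the JPEG segment structure and cluster-aware reassembly, but the failure modes are the same ones, and an examiner who only reads the tool's output never sees the second and third cases.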
What Do I Do
Those interested in a career in this field should consider obtaining a specialized degree in computer science, start developing skills in one of the specialized fields, computer or network forensics, and continue to add skills as well as professional certifications. Professionals already working in an allied computing field can take advantage of the education programs providing specialized knowledge in computer forensics. Their chances of moving into the digital forensics field improve if they have a science or technology degree and some prior experience, accompanied by a professional certification.
Knowledge of the legal system is essential to make evidence admissible in a court of law. The computer forensic professional must possess a solid comprehension of the law so as to handle evidence properly and legally. Further, the individual needs excellent observation skills, must be able to evaluate both minute details and the ‘Big Picture’, should be objective in decision making, and must finally be able to present his findings before a court of law. The individual must be aware of incident response procedures and the various computer forensic guidelines, i.e. those of the International Organization on Computer Evidence (IOCE), the Scientific Working Group on Digital Evidence (SWGDE) and the Association of Chief Police Officers (ACPO).
The individual may make specific choices depending upon his/her short- and long-term professional goals. It is not easy to land a career in the digital forensics field; it requires hard work, loads of learning and plenty of patience and dedication to break into the field.
The computer forensics domain offers a dynamically changing profile with exponential growth and handsome returns as an employee or professional, and provides vast avenues for entrepreneurship. It is a profession not restricted by national boundaries, welcomed and accepted in every corner of the world. A good computer forensic professional is truly a global person. The professional will find the community, investigation agencies, the legal fraternity and the judiciary looking to them to explain the hidden layers in order to uncover the truth and aid in the delivery of justice. Further, the continued exponential growth of electronic devices and archival storage due to the burst of ‘Big Data’ will soon lead to a crisis point for digital forensic analysis and investigation, and as such the growth of the profession will outweigh that of any other profession in the world.