The question for many people interested in the subject is “How do I get a job in computer forensics?”
The computer forensics industry, for many, appears to be a closed shop, with high-priced courses (costing thousands of pounds for a couple of days), strange terminology (MFT, resident data, imaging, cloners, etc.), urban myths of recovering data from fried hard drives, and an almost mythical elite of counter-terrorism specialists with ninja skills picking their way through hard drives.
The Good News
First, the good news: virtually everything mentioned above is a myth or not relevant to a beginner. The police do not have an elite cadre of high-tech warriors. There are certainly high-tech computer crime units, but the staff are not MIT or Cambridge graduates with PhDs in computer science; they are regular police officers who have taken up this specialist area, like a dog handler or a traffic officer. These staff have then been trained, largely on commercial courses, i.e. their skill set is entirely attainable.
The issue of recovering destroyed hard drives is all but an urban myth. Clean room work, i.e. the specialist recovery of damaged hard drives, does occur in the industry, but that is more the area of data recovery than computer forensics. The police subcontract out the vast majority of this work to specialist companies like DiskLabs and Ontrack. There are no commercial courses for data recovery, yet, and the skill set is really only obtained through working on the subject, with internal training.
The terminology, while difficult to understand initially, is picked up quickly, like that of any subject. Forums like ForensicFocus provide a good place to learn the language, but you can’t learn a practical subject from a forum!
The Bad News
Some people are selling snake oil in the form of computer forensics training courses, with some of those providing degrees and training having never practised the subject in a commercial environment. Despite this, students around the country are taking degrees in the subject, with the expectation of walking into highly paid positions in a CSI-type role.
Simple maths will show this is not true. Currently around 20 universities provide degrees in the subject; some are three-year courses, some are one-year courses. Assuming there are 40 academic years of study currently in progress and there are 20 students per course (on average), that means there are 800 students studying this very focused subject of computer forensics.
With only 1,000 people in the world holding the highly respected CCE qualification, this gives an idea of how oversubscribed the university courses are. There are certainly not 800 vacancies in computer forensics in the UK at the moment, and the idea that the industry will grow to accommodate 3,200 students in the next 4 years is just fantasy. To further put this in perspective, KrollOntrack, the largest legal technologies company in the world, has fewer than 100 dedicated forensics staff around the world.
Increasingly, companies are starting to ask set technical questions, and some even have mini exams, during the initial interview/application procedure. Those coming out of university are unlikely to be able to answer the standard questions, despite having spent 1 to 3 years studying the subject. Sample forensics questions are available here for those interested.
To make matters worse, many companies want people with experience, and those fresh out of university don’t have the experience, or often the knowledge.
So, how do you get your first job?
Getting your first job in computer forensics requires effort, time, and possibly money on your part.
- Have/get a good degree, from a good university. Some employers will prefer a good science degree from a good university, rather than a second-rate degree from a second-rate university
- Learn the basics of the subject.
  - How does a hard drive work?
  - What technology is on the market?
  - Where is data stored? In a file system, in an operating system, in a computer, on a desk, and in a company.
  - Know the difference between computer forensics and electronic discovery!
  - What is the most common type of investigation for the company you’re applying to?
  - How would you go about conducting this investigation?
- Get hold of basic forensic software. Helix is a good start, as are FTK Imager and DTSearch. Use trial versions of EnCase and FTK and anything else you can get hold of
- Use these tools on your own hard drive and learn the basics. Buy old drives from eBay and second-hand stores. Try to recover data. Learn as much as possible
- Learn to Code
  - Basic programming skills will help you stand out from the rest of the applicants and are very useful in day-to-day investigations: manipulating data, renaming files, using EnScripts, etc.
- Know the market
  - Who is who?
  - What company does what type of work?
  - Do you want to conduct police work (often involving looking at Child Porn), or investigate data theft, or be involved in multi-million dollar investigations?
  - Do you want to work in London or outside London?
  - Do you want the work to be UK based or international? The latter will involve a lot of travel and sitting at airports and hotels.
  - Are you after money or the challenge?
  - Do you plan to get promoted in the future and move up the ranks, or do you want to stay doing the technical work?
- Get a recruiter
  - Getting to know the employers in the industry takes years. Recruiters already know them, so get hold of a specialist recruiter in the industry and tell them what you’re after.
- Research your company
  - When you eventually get an interview, research the company. Know what they do, who they are, and how long they have been around. Their website, obviously, is a good place to start, but use other resources. Friends, Google, LinkedIn, Facebook: find out what you can
- Get a job, any job
  - If you can’t get a job in computer forensics, get a job as close to the subject as possible. Perhaps IT support in a forensics company, or another IT job; pen testers are highly regarded, as are programmers. Any set of skills that can overlap is worth getting, as are the life skills of working in an IT environment. Then keep applying, but don’t change jobs every 3 months; that looks bad on your CV!
- Be Realistic
  - Many students think that after they have a degree in forensics they can expect to get paid £40,000, plus get internal training, plus get paid to go on training courses. This is not realistic.
  - On leaving university most students, especially those who have gone to one of the less respected universities, will need to be trained in computer forensics and go on commercial courses. This is not cheap for the company, and the students will not be able to be a “fee earner” for quite some time. In fact, the students will be a drain on their employer’s resources for 6 months to a year, so expecting to be paid a lot of money for this time, while you are being trained, is optimistic at best.