Forensics: What roles are there in computer forensics?

What roles are there in computer forensics and data recovery? There are many different technical jobs and roles in the data recovery and computer forensics industry. The job you have and the role you perform will affect what you get paid.

Below are examples of these technical roles. In some firms the staff will only conduct one of these roles, and nothing more, as that is the most efficient way for the company to work. In other, generally smaller, companies people will be expected to engage in some, if not all, of this work.

Data Recovery

Physical and Logical Recovery

The giant data recovery companies, e.g. Ontrack, tend to split data recovery into two roles: physical recovery and logical recovery. One team's job will be to get the hard drive spinning so it can be imaged; the second role will be the logical recovery, e.g. repairing a damaged NTFS or FAT file system. Those in the former role know everything there is to know about hard drives; those in the latter know more than can be healthy about file systems, from Windows, to Linux, to Mac. It is those on the logical side of the recovery who will also be responsible for piecing back together damaged RAIDs. Smaller companies will expect individuals to be able to conduct data recovery at both the physical and the logical level.

Computer Forensics

Computer forensics consists of a whole variety of areas and roles, and means different things to different people. Here are some examples of roles that are in the industry.


Some of the bigger teams have people who are almost dedicated to data collection. This means that for over 70% of their time they will be travelling around the world collecting data from laptops, desktops, and servers. Some people love the travelling and client interaction; other people hate the monotony.

Imaging & Media Handling

When data arrives within a company it needs to be “bagged and tagged” as well as identified as imaged/put onto company servers/desktops/backup devices. Depending on the volume of work, this can be a dedicated job within a company, or a role that everybody engages in.


The giant firms, such as FTI/the Big 4, often have a processing role. Once the data has been collected, it will be “processed”. This will involve the application of predefined scripts and filters to the data, through tools like EnCase. The output of this process may be all that is required, or that output may be the input for the eDiscovery process.

Forensic Investigation – Civil Work

Many of the smaller forensics firms engage in a lot of forensic investigation work, looking into allegations of data theft, inappropriate use of the Internet, evidence of wiping, etc. Companies who do a lot of this type of work include CRA (formerly Lee and Allen), DGI (now Stroz), and PalmerLegal Technologies.

Forensic Investigation – Police Subcontract work

The police subcontract a lot of work out, and this is an industry in itself. Companies such as CY4OR, CCL, LGC, or FSS are examples of companies which almost depend on this. It may be surprising to hear, but a lot of the work subcontracted is child abuse/child pornography cases. This involves the location of the images, and then the classification of the images into 1 of 5 categories (depending on the nature of the images). This means that a lot of the work will involve the viewing of large amounts of abuse images. Other cases, such as murders and rapes, can also be subcontracted out, but often the investigation is limited to the type of processing work mentioned above, and then passing the recovered data/output to those investigating the case.

Forensic Investigation – Mobile Phones

Mobile phones are another huge area in forensics. With thousands of different phones on the market and new phones released on an almost daily basis, this is an area which involves dedication. As a result there are some people who are dedicated to recovering data from mobile phones. There is one company, FTS, who specialise in recovering data from mobile phones, and as such they are incredibly skilled at it, and can conduct recoveries other companies cannot attempt.

Extracting data from mobile phones, while skilled, can appear to be like piece work, as an employee may well be expected to process X number of phones a day or a week. Much like other areas of forensics, some people will love the ability to know all the different phones and be able to use all the different tools there are to recover data from them; for others, the idea of working on just phones would not be something they could do for a career. Currently much of the mobile phone forensic market is driven by requests from the police, though civil investigations still need that type of work. Some companies will take on mobile phones on an ad hoc basis, but will not have staff dedicated to them.

Forensics Managers

All companies need a management team; what the management team's role is depends on the nature of the work conducted. If the company is about high volume work, such as a data recovery company, the management team will probably focus on operations, trying to make the company as efficient as possible. If the company is all about investigations, then managers will probably lead a team, and help co-ordinate cases and projects.

Forensics Senior Managers

For the senior managers of a large forensics company (managing director, president, etc.), the role will be the same as it is in any company: to run the business. The fact that they are conducting computer forensics, compared to DNA analysis, is not really relevant. They will need to grow the company, manage their team (a team of managers), and ensure the company is running as profitably as possible. For a small company, e.g. companies with 1 or 2 people, the MD may well also continue to fill all of the roles mentioned above, as well as this one.

Forensics Developer/Coder

Forensic companies (both the sellers of software and the practitioners) always need new tools developing, widgets making, or old ones improving; for this they need a coder or developer. This knowledge set can vary from knocking up a few scripts in EnCase, to reverse engineering databases and file systems and creating your own tool set. These people generally have a very good knowledge of IT systems, hardware, file systems and forensic artefacts. Again, like most other roles, for some this is a full time job: 100% of their time is spent producing new technology to improve their company's capability. For others it will be an add on role, they will produce an EnCase or P


