What is computer forensics?
What is computer forensics? How much does it pay? What roles are there? What technology is used? There are lots of questions and even more answers. Any of these questions, if answered briefly, will be answered wrongly for some people.
For example, to the question “How much can you earn in computer forensics?” it could be said, with confidence, that it’s “£30,000 to £50,000 per year”. While this will be true for many people, it’s not true for everyone; in fact it’s probably as often wrong as it is right. The directors and leaders in KrollOntrack, the world’s biggest legal technology company, will earn far more than that (you can probably add one or two zeros on to that salary); graduates earn a lot less than that. Forensic consultants in London and New York can also get a good deal more than that, especially if all the benefits are accounted for.
Equally, to the question, “Do forensics staff process backup tapes?” the answer would almost certainly be “No” for the vast majority of computer forensics staff: processing backup tapes is something they would never get involved in, and they would not know an EDB file from an STM file; it’s simply not their area, so they would not be expected to. On the flip side of that, there are people in “forensics” who work in this area; there are even people who only do this, and never image a hard drive or use EnCase. They just work with tapes.
The Expansion of Computer Forensics
Over the years the term “Computer Forensics” has grown to mean more and more.
It now includes, depending on your experience of computer forensics, the collection of data from anything from CDs and USB sticks, through desktops and laptops, to servers, SANs, and backup systems.
In addition to that, it normally includes the investigation of much of this data: emails, files, deleted data, fragmented data, etc.
Currently, the investigation of structured data, i.e. databases, the analysis of frauds, etc., lies mainly with forensic accountants and “data analytics” professionals. With that said, some data analytics teams belong to computer forensics departments; for other companies it’s the other way around.
Then, there is the analysis and investigation of emails. This, some may think, is squarely in the computer forensics area, but others would put the issue definitively in the electronic discovery arena.
Electronic discovery tools are, in short, far more powerful and capable than any of the “computer forensics” tools. Review platforms, concept searching, near de-duplication, building and displaying social networks, etc.: all of this completely dwarfs anything that EnCase, iLook, or FTK can do to assist with the investigation of emails and email communications.
EnCase, despite its huge reputation, cannot do much more with emails than view them in text or hex, or recover deleted files. This functionality has not changed much over the past 10 years. Meanwhile, electronic discovery has pushed forward with fantastic technology, from Attenex to ContentAnalyst, from RingTail to Relativity.
Currently the most useful definition of computer forensics is probably this:
- It involves the collection and analysis of data,
Sadly this is vague, and doesn’t really say much, and does a disservice to those who are conducting some highly technical work.
The separation and specialization of computer forensics
Computer forensics now encompasses so much that it is really breaking into different areas, much like IT in general has.
Computer forensics areas now include: civil investigations (data theft, employment issues, fraud investigations, etc.), criminal investigations, data analytics, electronic discovery, data collections, data extraction, data recovery, data filtering and processing, data reviews, and data hosting; the list goes on.
Much like IT, there are people who specialise in the individual areas. There are people who just collect data, that’s all they do, and they are very good at it. There are those who maintain review platforms, and those who only filter data ready for processing.
There are some people who get involved in a variety of different areas, but there are unlikely to be many (if any) people who get involved in all areas. What people do, and how specialist they are, will depend on the size and nature of the company.
Overall it’s a great time to be in the industry as it moves in new directions, new specialities are created, and people hone their skills in older areas.
During the past decade computer forensics has evolved dramatically, and the next decade is looking pretty good too.