What makes a good forensicator? or how to get a job in Digital Forensics
5 Nov 2011
A common question those seeking to enter the field of digital forensics ask is what do I need to get a job in the field? This is a good question. There are many paths and the most appropriate one will change depending upon your personal circumstances. School graduates are best advised to seek a university degree either with a major in digital forensics or computer science. This will enable them to obtain entry level positions with a range of organizations, government agencies in particular frequently recruit recent graduates and government experience is often valued in the private sector if you want to make a change later in life. However for those who are already in a career breaking into the field can be extremely difficult.
If you are already working in IT, it is possible to complete either an industry certification or graduate study or even transfer directly into a forensic position, although this is becoming harder as the pool of qualified applicants continues to grow. However no matter how qualified you are this will never guarantee you a job. Certifications and qualifications are only good for getting past the HR screening process. After that the decision will be based on other factors, partially on your performance in the interview and partly on your performance in previous jobs. When I am looking for employees I am looking for two things, motivation and the ability to solve problems. I will take these attributes over certifications any day.
So why is your problem solving ability important?
The profession of digital forensics requires analysts with an inquiring mindset, computers and other digital devices contain a wealth of evidence and the hardest part is identifying what is relevant and what is not. Eoghan Casey makes a distinction between forensics and investigation for just this reason. As the devices and operating systems we are examining are always changing you have to be able to learn how a new device or piece of software works all the time. In law enforcement you frequently need to examine devices that have never been examined before. If you are not able to develop a new methodology you are not going to be much use to your employer.
I am not talking about being a mathematical genius or a programming god. Simply the ability to get a job done with minimum fuss and instruction once you are assigned it is all I am asking for. This does not just apply to computers and forensics either, it is reflected in everything you do. Are you the sort of person who when faced with a difficulty immediately starts thinking about trying to solve it rather than thinking about why it cannot be solved.
How do you prove you are a good problem solver?
So it is all very well to know that you need to be a problem solver, but how can you show a potential employer that you are one? The answer is simple, you need to solve problems now. Monitor a few mailing lists and look at the questions people are asking, look around your workplace (or college) for things that are not working and fix them. Teach yourself to use different applications, a programming or scripting language is really useful, python, PERL or enscript in particular, but even c# is useful (sorry that’s just my *nix side showing through). The more tools you know the better. Ideally start a blog, or even just a journal of the things you are teaching yourself, then review what you have done before you attend an interview. When you are asked questions link them back to the problems you have solved. This shows that you are not just giving answers from something you have read, but really know what you are talking about.
How do I find a good problem solver?
I have been employing people (in different fields) for about 18 years, and have made some really bad decisions and some really good ones (or just got lucky) in that time. The most effective selection method I have seen and worked with was what we used at the NSW Police Force. Candidates were given a broken computer which they had to fix and get running. Once running they had to configure a windows and Linux operating system and find some hidden files. There was nothing too tricky about any of the problems, except that it took the average person about 2 hours to complete everything and they only had 1 hour. Some really well qualified candidates who presented well in an interview failed miserably on this test, while others not so good on paper clearly proved that they had the right stuff.
This test was also a source of some great stories. One time the candidate received a phone call about 15 minutes into the test. I thought this is a bit strange, he should have turned his phone off. I did pick up that the conversation was serious. When the call was finished he turned to me and said “that was my girlfriend, she went into labour this morning so I have to get to the hospital straight from here”. He then went on to calmly complete the test before heading off to the birth of his first child.