For answers to these and other important questions, organizations turn to digital forensic investigators.
What is digital forensics?
The National Institute of Standards and Technology (NIST) defines digital forensics as the application of science to the identification, collection, examination and analysis of data — while preserving the integrity of the information and maintaining a strict chain of custody. Put more simply, it’s the scientific process of collecting information and artifacts around a cyber incident. A digital forensics career includes analyzing digital information to further investigations and solve cybercrimes. Ultimately, digital forensics investigators work in support of the victim, or the organization suffering a cyberattack, yet their employer is usually either a public or private organization that has been tasked with helping the victim understand the attack, its mechanisms and how to recover. Ondrej Krehel is the chief executive officer and founder of digital forensics firm LIFARS and his professional experience spans the public and private sector including special cyber operations, cyber warfare and offensive missions, and he is a court expert witness and lecturer for the FBI Training Academy. He says both the public and private career paths are uniquely rewarding and critical to the field of cybersecurity.
Public sector vs. private sector careers
When a cyber incident is detected, many organizations alert federal law enforcement officials including the FBI and Department of Justice. In the interest of finding the attackers and solving the case, digital forensics investigators employed by these government agencies sort through the attack’s digital footprint. “They are in the business of criminal investigation and prosecuting crimes,” Krehel says. To work on the federal side of digital forensics, a security clearance is required and the digital forensic investigator may be called into court to testify on their findings, so they must be able to authenticate their method of investigation. To solve cases, public sector digital forensic investigators often work with other regional government bureaus to share insights and resources. They also rely on partnerships with investigators who work on the commercial side, usually for a consulting firm that performs the same types of analyses. Sharing insights and leveraging knowledge is helpful, because in the end, everyone’s goal is to solve the case for the victim and prevent potential future victims. “Federal enforcement relies on firms like ours; they always seek to know what’s happening in the private sector,” Krehel explains. “What is their strategy and what are the digital forensics people learning?” And the same happens in the reverse. Commercial investigators cooperate with federal agencies and often learn something they didn’t know. Specific victim information may not be shared but gathering attack intel for the sake of solving other cases is common. In the private sector, consulting firms seek to help victims and solve cases just as public sector investigators do, but they also build forensics tools for their customers and provide support services where needed. They rely on a more automated, software approach to the business rather than a singular scientific focus of solving one or a few legal cases.
What does it take to be a digital forensics investigator?
Whether you choose to work in the public or private sector, an important trait for digital forensic investigators is the ability to be good under pressure. Because cracking a case often requires long hours and you’re sometimes not able to tell other people what you’re working on, dedication to the work is key. People who can create life balance often do well in this field. “It’s important to balance your mental, physical and intellectual needs,” Krehel says. “You also have to match the pace of hackers; don’t underestimate them.” Teamwork is how cases get solved, so a willingness to communicate and work well with others is critical. Often, digital forensic investigators work in a two- or three-person team and when one person has an idea, the other team members fill out the idea and push the project forward. Teamwork masters the idea, Krehel says. “Whenever I work on a problem, I use two to three other intelligent people who bring additional skill sets to the problem. You need to find others who can cover your blind spots and watch your back.” Neither public nor private digital forensic investigators should be easily bothered by fast-paced work because there is always a high volume of cases to work on. While public sector investigators often prefer a more scientific approach to the process, private sector investigators use an automated software approach. Both types will often be required to testify in court and interact with attorneys, although if the legal system and serving justice is truly of interest, the public sector is a better fit. You might work for a district attorney’s office for example, so the ability to navigate courtroom drama is important. All digital forensic investigators are truth seekers, however. For example, Krehel’s consulting firm LIFARS was recently asked to investigate a case previously closed by a victim’s insurance provider. “But something just wasn’t adding up in the minds of a couple of people,” he explained. “They didn’t buy the story, so they called for an independent review of the investigation.” Unfortunately, other investigators and the insurance company weren’t interested in helping so the LIFARS team started from the very beginning. After a lengthy review of the artifacts and the attack’s digital shadow, they came up with what really happened. And their client was very grateful for finally understanding the true nature of the breach. Forensics careers often require digital forensics training, as well as hustle, persistence and discipline. For Krehel, this has meant a constant pursuit of knowledge. Knowledge is power, he says, and that has been his path to success. To learn more about digital forensics in the public sector, watch the Cyber Work Podcast, What does a digital forensic investigator do in the government? with Ondrej Krehel. Computer Security Resource Center, NIST