Computer forensics investigator analyzes a suspect’s hard drive obtained in evidence.
Article

Computer Forensics: Ultimate Guide for Starting a Career in This Emerging Field


Cybersecurity

Billions of individuals globally use digital technology daily. While most people implement it for personal or professional reasons, some individuals use the Internet to commit crimes. Phishing/spoofing, blackmail, child pornography, harassment, financial fraud, and drug and weapons trafficking are examples of common crimes perpetrated through digital tech today.

Computer forensics help government and law enforcement officials combat digital crimes by locating and preserving digital evidence that suggests illegal activity. For example, when investigating an individual involved in corporate fraud, computer forensics can locate previously deleted spreadsheets or “doctored” data that may prove criminal activity. Computer forensics also can locate hidden documents or emails on digital devices, helping law enforcement investigators prove premeditated intent.

The field of computer forensics offers significant benefits to society and broad job opportunities for individuals looking to pursue a career in this field. For those interested in computer forensics or seeking to become a computer forensics investigator, this guide explores computer forensics salaries, degrees, roles, and tools.

What Is Computer Forensics?

According to the National Institute of Standards and Technology’s (NIST) Computer Security Resource Center, computer forensics, “in its strictest connotation, [is] the application of computer science and investigative procedures involving the examination of digital evidence—following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony.” Based on this definition, computer forensics investigators use extensive knowledge of digital technology and investigative procedures to find evidence of illegal activity in a computer or digital device. When finding proof of Internet fraud and other criminal actions, these professionals may discuss evidence with other law enforcement officials or provide testimony to a judge or jury.

Digital evidence varies by content and location. The National Institute of Justice notes that digital evidence is found on smartphones or tablets, memory cards in digital cameras, and hard drives, to name a few sources. Content includes documents, spreadsheets, photos, videos, or other sources.

Additionally, metadata is another form of digital evidence. Metadata is the information that sheds light on a particular piece or group of data. For example, when someone makes a digital purchase, information surrounding that purchase is metadata.

For computer forensics investigators, metadata is key. For example, when someone posts a photo to social media, metadata can derive the camera type capturing the photo as well as the geographic location of where it was taken. Metadata is critical for computer forensics investigators trying to locate a suspect.

Computer forensics, however, doesn’t limit investigations to one type of digital device. InfoSec, an organization that educates individuals and organizations on the threats of cybercrime, lists the following digital categories of computer forensics:

  • Media and file system forensics: focuses on storage media including hard drives.
  • Operating system forensics: examines operating systems including Windows or Mac OS.
  • Network forensics: analyzes traffic and intrusions within computer/digital networks.
  • Mobile device forensics: investigates different types of data collected in mobile devices including smartphones.
  • Virtual systems forensics: evaluates the data and collection of virtual machines.
  • Software forensics: analyzes author information behind certain software.
  • Web and email forensics: focuses on cookies, browser history, and other items that can help locate email phishers and scammers.
  • Database and malware forensics: examines the collection and access of data within pertinent databases and viruses.
  • Cloud forensics: probes cyber attacks and other pertinent data within cloud systems.
  • Social network forensics: delves into pertinent social media data used in the prosecution or defense of a suspected criminal.

Computer Forensics Investigator: Key Skills and Duties

Computer forensics investigators have wide-ranging and complex responsibilities. Because of the multitude of devices and types of data and metadata requiring protection, these professionals must understand computer systems, networking, and programming. They must know how data is hidden, manipulated, and damaged and how to retrieve and interpret data to determine criminal or illicit activity.

A computer forensics investigator or analyst typically conducts many tasks during an investigation. According to InfoSec’s website, these professionals examine data gathered from computers and other devices, dismantle and rebuild damaged systems to locate lost data, write detailed reports, and testify in court.

In an article for Forbes, Ondrej Krehel, founder and CEO of the cybersecurity company LIFARS, notes top skills and traits cybersecurity professionals need for success. Beyond strong computer science skills and a thorough understanding of cybersecurity, Krehel notes that individuals interested in a career in digital/computer forensics require analytical thinking skills to identify patterns and make astute observations and correlations.

Additionally, Krehel states the importance of organization and communication skills, as well as a desire to learn, for individuals interested in digital forensics roles. Adroitness in record-keeping and verbal interaction with law enforcement professionals are crucial to succeed in computer forensics investigations. Because technology always is evolving, computer forensics investigators also must continually build their knowledge base for greater effectiveness on the job.

EC Council, an organization providing cybersecurity training and resources, notes specific systems, devices, and tools needed by computer forensics professionals. “When you investigate any cyber attack and gather the information, you may have to interact with various endpoints such as a mobile phone, printer, IoT, USB, external hard disk, iPad, notepad, digital camera, and projector,” according to its website. Additionally, EC Council reports the importance of cybersecurity professionals possessing knowledge about computer networking devices, including servers and local area networks (LANs), as well as a fundamental understanding of current cybersecurity law

Computer Forensics Salary and Benefits

According to Payscale, the median salary for a digital forensic investigator is $71,850 per year. For example, information security analysts, professionals with comparable education and training to computer forensic investigators, earned a median salary of $98,350 per year in 2018, according to the U.S. Bureau of Labor Statistics (BLS).

Education, experience, type of company, and the geographical area also impact the earnings of a computer forensics investigator. “Digital forensics salary can increase with experience, advanced degrees, and security clearance. Analysts may also take home larger salaries when employed by private government contractors,” according to InfoSec’s website. “Analysts who work in major cities like Washington, D.C., and Los Angeles can make more than those who work in less high-tech cities. More experience and advanced degrees can bring higher salaries,” according to InfoSec.

Computer Forensics Degree, Concentrations, and Education Requirements

Because computer forensics is a specialized field, professionals often need advanced degrees and certifications. The specific degree, concentration, and education requirements often vary on the scope of the position and type of company or organization. For example, a computer forensic investigator working with the Federal Bureau of Investigation receives different training than a professional working for a non-government entity such as a credit bureau or consulting firm

Aspiring computer forensic investigators can start their career path by earning a bachelor’s degree in a technology-focused field such as computer science or information technology. These degree programs offer relevant skills that help students prepare for success as computer forensics investigators.

Colleges and universities also offer graduate-level degrees in technological fields through programs such as the Master of Science in Information & Assurance (MSISA). These advanced degree programs help current and aspiring computer forensics investigators stay competitive and potentially earn higher salaries.

In addition to computer forensics degree programs, professionals can earn certificates to qualify for promotions and certain jobs. The Global Information Assurance Certification (GIAC), a group that administers information security certifications, offers a Certified Forensic Analyst (GCFA) designation and a Certified Forensic Examiner (GCFE) designation.

As noted, education and experience requirements for a computer forensic investigator often varies by company or organization. Some employers consider work experience in conjunction with a candidate’s educational background. Other organizations require specialized work experiences or expertise in a certain technological field such as information technology or web development.

Computer Forensics Tools and Technologies

Depending on the size and scope of an investigation, investigators apply different computer forensic tools and technologies.  The National Institute of Standards and Technology provides a comprehensive list of tools and techniques available to computer forensic investigators.

  • Database forensics: Analyzes databases and subsequent metadata. This technique helps determine whether certain databases contain information regarding criminal activity or if the metadata can pinpoint who is conducting the illegal activity.
  • Email parsing: Software that extracts pertinent data from emails. This tool determines signatures of emails potentially sent from criminals or containing information regarding criminal activity.
  • File carving: Searches or creates files with no other metadata besides file format. This method helps reconstruct content or files that criminals may have tried to damage or destroy.
  • GPS forensics: Uses GPS data produced by a criminal suspect to determine conclusions and potentially bring charges. An investigator could use GPS data to discover the location of a criminal.
  • Hashing: Condenses and expands a string of text to find data. Using this approach, investigators can discover illicit activity or information in a database hidden or condensed by criminals.
  • Mobile device acquisition: Acquires and replicates digital evidence from a smartphone or mobile device. This tool helps analyze if a suspect’s phone contains any illicit or criminal material.
  • Software write blockers: Acquires data on a hard drive without potentially damaging its contents. Using this technique, investigators can carefully analyze data on a hard drive associated with a crime without corrupting it.
  • Web browser forensics: Enables evaluation of data gathered through certain web browsers. Investigators use this tool to find information commonly input into a web browser, like a credit card number, and find connections or potential clues to criminal activity.
  • Wi-Fi forensics: Interprets activity and data collected by Wi-Fi networks to find information and develop leads regarding certain crimes. If the personal information of 10 individuals using the same Wi-Fi hotspot is stolen, investigators can analyze and interpret data from that hotspot to potentially find the responsible criminal.

As technology evolves, so will the digital techniques used by criminals to commit crimes. To keep pace, computer forensic investigators must remain fluent in new technologies and tools to address crimes.

Additional Computer Forensic Jobs and Occupations

While computer forensic investigators often work for law enforcement or government organizations, other companies and institutions need their help.

Experian is a credit bureau that sought cyber forensic professionals to help maintain its own security.  The company emphasized the need for effective cybersecurity to other individuals capable of “investigating cybersecurity incidents, violation of company policy, and fraud.” RSM International, a network of major accounting firms, also employed the services of digital forensics professionals to develop more secure cybersecurity measures to protect its clients. In addition, major telecommunications companies like Verizon hire computer forensics professionals to address security breaches, assist customers with computer-related incidents, and contain breaches.

Other careers close in functionality and mission to the computer forensic include information security analysts that work to “carry out security measures to protect an organization’s computer networks and systems. Their responsibilities are continually expanding as the number of cyber attacks increases,” according to the U.S. Bureau of Labor Statistics. While using digital tools to address breaches and crimes like computer forensic investigators, information security analysts only typically address illicit digital activities at a particular organization.

Cybersecurity consultants inform businesses about the types of digital initiatives or forensic tools needed to secure data, computers, and networks from attacks. While these consultants command a large arsenal of digital tools, they might not conduct specific investigations into crimes.

Private detectives engage in similar work to computer forensic investigators, but they don’t necessarily use the same digital tools to find suspects or locate the illicit activity. According to the BLS, “private detectives and investigators search for information about legal, financial, and personal matters. They offer many services, such as verifying people’s backgrounds and statements, finding missing persons, and investigating computer crimes.” Even though detectives can work in collaboration with computer forensics investigators, the scope and size of crimes and the technological methods used for investigations can differ.

The Growing Possibilities of Computer Forensics

Evolutions in digital technology make it easier for criminals to conduct nefarious activity across the globe.  At the same time, computer forensics investigators use advanced digital technology to identify criminal activity and ensure these individuals are brought to justice. As the threat of digital crime increases, so does the need for computer forensic investigators.

Even individuals possessing a strong background in technology or computers need a degree that lets employers know they possess the necessary skills, knowledge and experience to succeed in the role. Norwich University’s Master of Science in Information Security & Assurance online program provides individuals with the advanced skills and tools needed to succeed as computer forensics investigators, offering courses in an online format that works in conjunction with a student’s other family and work responsibilities.

Computer forensics is a rewarding career for people who are passionate about technology and justice, analytical thinkers and problem solvers, thrive on working with others and explaining technical concepts and driven to use digital tools to arrive at justice. Discover how an MSISA degree from Norwich University can open new doors in computer forensics.

Learn More

Established in 1819, Norwich University introduced online educational programs in 1998 to support working adults and lifelong learners around the world. Norwich University Online offers relevant and applicable curricula that allow students to make a positive impact in their work and communities while pursuing new careers.

Norwich University’s online Master of Science in Information Security & Assurance program helps create strong cybersecurity leaders well-versed in computer forensics practices. Students can customize their MSISA by choosing from one of five diverse concentrations including Computer Forensic Investigation and Incident Response Team Management, Critical Infrastructure Protection and Cyber Crime, Cyber Law and International Perspectives on Cyberspace, Project Management, and Vulnerability Management.

Recommended Readings
A Key Role in Cyber Security: How to Become a Penetration Tester
How to Become a Cybersecurity Engineer
The Pinnacle of Leadership: How to Become a CEO

Sources:
Computer Forensics, National Institute of Standards and Technology
Digital Evidence and Forensics, The National Institute of Justice
Computer Forensics: Areas of Study, InfoSec
Computer Forensics Investigator, InfoSec
6 Skills Required For A Career In Digital Forensics, Forbes
6 Skills Required For A Career In Digital Forensics, EC Council | Blog
Average Digital Forensic Investigator Salary, Payscale
Information Security Analysts, U.S. Bureau of Labor Statistics
Forensic Science Technicians, U.S. Bureau of Labor Statistics
Computer Science, Norwich University
GIAC Certifications: The Highest Standard in Cyber Security Certifications, Global Information Assurance Certification
Master of Science in Information Security & Assurance, Norwich University
Computer Forensics Tools, National Institute of Standards and Technology
Cyber Security and Fraud: Responding to Online Identity Theft, Experian
Interview with a... Cybersecurity consultant, U.S. Bureau of Labor Statistics
Private Detectives and Investigators, U.S. Bureau of Labor Statistics