Editor’s note: This article continues our four-part series written by Mr. Santosh Khadsare, our guest digital forensics expert from New Delhi, India, based upon his recent LinkedIn series, #25Days25Questions. You can find Part 1 in this series here. The views in this article represent the views of the author and the other contributors on the original LinkedIn posts, and do not represent the official position of Forensic Focus. More about Mr. Khadsare is in his bio below.
On 18 August 2020 #25Days25Questions was started on LinkedIn. Every day a question was posed to the enthusiastic digital forensic community and the next day I posted my comments/views on the same. The idea of the 25 days 25 questions (#25Days25Questions) initiative was to achieve three major purposes:
- Creating a common forum for the DFIR professionals to interact and share their thoughts.
- Increasing the core knowledge base in an interactive mode.
- Networking with professionals who are working in this niche area.
I have summarised all the responses, including mine, to get a consolidated reply to the question posed. Everyone who has responded has equal credit to the final answer.
What skills do you think are required to be a digital forensics analyst?
(originally asked on day 14)
In my view, the basic skills needed to be a digital forensic analyst / investigator / examiner are common sense and presence of mind. You can be an excellent technical resource, but if you lack these basic and absolutely essential skills, then there is no point in you being called in for support.
Other skills are as stated below.
- Application of mind: A good digital forensics professional should know how to apply his/her/their mind and intellect. The profession is not straightforward. You are expected to search for a needle in a haystack. If you do not apply your mind, you will never find the needle.
- Know your profile and your role on the case: Knowing what is expected of you for the particular case is absolutely essential. This helps the professional in not overstepping their limits. Example: some cases will require the analyst just to play second fiddle alongside the primary investigator. The evidence that is obtained may be used as corroborative evidence to prove a hypothesis; in some cases, the analyst ends up being the primary investigator, where the report / findings will determine the outcome of the case. If the analyst does not know how to differentiate their role as per the case requirements, then their career as a digital forensic professional will be in jeopardy.
- Passion and patience: The job of a digital forensic analyst is like walking on the line of fire. You will need to have patience so that your delivery of results is not affected. Your focus should be on the task at hand and not on the people who are surrounding you expecting results.
- Honesty: A digital forensic professional should be honest with herself and to her profession. One of the common mistakes that investigators and case officers make is that they believe the analyst is here and will find all possible evidence. This is wrong in my view. The forensic analyst has their limitations and this should be honestly communicated and the expectations must be set before analysis starts. In fact, if the analyst is working on an area which is new to them, they should be open and share this with the investigation officer / team.
- Case awareness: The digital forensic analyst should have the basic skill to ask questions and understand the case with which he is dealing. If you don’t ask questions, you won’t get answers.
- Technical skills: While it is impossible to master all areas of technology which change all the time, the analyst should have a broad understanding and willingness to take support from experts as and when required.
- Analytical skills: To analyse and interpret different types of artefacts and evidence.
- Ethical behaviour: The digital forensic analyst is an important part of the case team. He has to maintain both professional and personal ethics. Many times, he has access to information that is privy to the investigations team. He should know how to differentiate between evidential data and personal and private data which is not relevant to the case. He should also know what to share and what not to share. He should know what is privileged information and how to safeguard that data set.
- Communication skills: Forensic reports form the basis of opinions, yet they are often found to be poorly drafted, reflecting poor interpretation of artifacts.
Do you think a digital forensics professional should be identified by the discipline they have expertise in?
For example, Computer Forensic Analyst, Mobile Forensic Analyst, Cloud Forensic Analyst and so on.
(originally asked on day 24)
By doing a few online courses and gaining some practical experience, digital forensics professionals start referring to themselves as experts and it is difficult for a person on the other side, especially recruiters, to gauge the expertise of that individual.
Many professionals / experts say that they have in-depth knowledge of all disciplines in digital forensics, which I do not agree with at all. After almost two decades I have been able to work and gain expertise only in three to four disciplines. I strongly feel there is a need to categorize digital forensics experts which is the need of the hour. In this writeup I have tried to make an attempt to do so. (Khadsare, 2020)
Digital forensics as a profession is the culmination of skill sets across various disciplines. The digital forensics professional should be identified by the discipline they have expertise in and also the experience one holds (Khadsare, 2020). Some disciplines include:
- computer (media) forensics
- network forensics
- cloud forensics
- mobile device forensics
- digital video / image & CCTV forensics
- digital audio forensics
- IoT forensics
- drone forensics
During the current pandemic, many have acquired online certifications in digital forensics. Can these certificates be graded or considered, as everyone is including them in their CVs?
(originally asked on day 16)
Online certifications are good from a knowledge-gaining point of view and also show someone’s interest in learning about this field. A few online courses have virtual lab access and one-to-one mentoring, which are worthwhile and worth a mention in the CV, but others should be avoided. Also, certifications with tests at the end to check what is learnt should be pursued and can be mentioned.
If you have learnt something which adds to your knowledge base, for which you have received a certificate after completing a formal test and obtained the pass percentage, you should be free to showcase your certification as a part of your professional profile.
However, you can never claim expertise on any area just on the basis of your certification and through attending classes. Expertise comes from continuous working in the field for numerous years on multiple projects. The courses and certifications can only be gate passes and not proof of your expertise.
Not all certifications merit inclusion in a CV, as only a few carry a “true” value, for example certifications in certain tools or technologies from the vendors, or certifications for courses from EC-Council, GIAC, SANS, CompTIA, Offensive Security etc. The candidate’s competency needs to be tested well during the interview process. Quality is more important than quantity.
Do you need advanced qualifications (Bachelor’s or Master’s degree) to become a cyber / digital forensics professional?
(originally asked on day 1)
The answer to this question is a big ‘NO’. These advanced qualifications are very much required for a few specialised job roles within the field of digital forensics, but that doesn’t mean a less qualified person cannot enter this niche field.
Qualifications should be per job profile, as they only act as a gate pass. While having a Bachelor’s or Master’s is an added qualification, it cannot be the basis to determine the quality of a forensic professional. Many of the current certifications and degrees have been designed by professionals and educationists who entered the field when no such degrees existed.
The digital forensic field requires technical aptitude and analytical skills for a person to be successful in their job. For a job role of first responder and lab assistant in a digital forensics laboratory, a person with the requisite skill sets is sufficient to do that task, as they are not involved in analysis but only in seizure, documentation, imaging / cloning and preservation of exhibits.
On the other hand, for a digital forensics analyst, a Bachelor’s degree is more than sufficient, along with specialized courses — and experience — in a particular discipline of digital forensics. Specialization courses in cyber forensic disciplines will help to gain deep theoretical as well as practical knowledge. Internships will play a big role in new entrants’ skill set development.
Qualifications should always be broken into multiple categories. It is how we should score potential candidates for employment and promotions, and should be weighed based on the following:
- academic standing & education
- professional certifications
- field experience
- aspirations (hobbies, R&D, further the cause)
- tactfulness, social norms, interview points
To sum up, Bachelor’s and Master’s degrees are desired, but not mandatory to enter the digital forensics profession. However, at a later stage it is recommended that digital forensic professionals should reskill and upskill. For job roles of digital forensic analysts, technical managers, quality managers, and experts who need to be deposed as expert witnesses in a court of law, higher qualifications become mandatory.
Should experience matter more than qualifications and certifications while selecting a person for a digital forensics job role?
(originally asked on day 5)
Yes, experience should be given precedence over certifications, but not over mandatory qualifications. It also depends upon what level, designation, responsibility, accountability and role one is going to hold. Next, the experience should decide how well the candidate’s character, attitude, and achievements fit the role in order to take full dedication towards delivering the required parameters.
The correct blend of qualifications and experience plus domain expertise is needed. Today’s technology landscape is becoming an area of super niche specialization.
One has to keep in mind that no person is master of all and everyone has one or more skill sets. Another important aspect is that the fundamental character of the individual is most vital, and their professionalism and attitude will determine their suitability to the post.
What is the importance of internships for new entrants in digital forensics? Are they really required?
(originally asked on day 15)
Internships are very important, and if a new entrant gets an opportunity they should pounce on it (even if it is unpaid). You get to work on live cases and also get to work under a person / mentor who can guide you for your future. Internships also turn into jobs, as many interns are absorbed in the same laboratory / establishment.
Internships are a tool for implementing your knowledge. Practice what you learn in real time, and you will retain it for a longer period. Internships are a perfect path for new entrants to start brushing up their practical skills in the market and assess their value. It is your introduction to a long term career opportunity.
In short, if you want to reskill or up-skill, an internship is the best way to do that. Professionals from other domains who want to get into digital forensics also can use this path, as this is the most useful and shortest path available to make a switch.
Should DFIR be taught in undergraduate or graduate courses as a subject? Where is the line to help and teach others?
(originally asked on day 8)
Catch them young. The younger the better. There is no line to help and teach others. We will soon be at a time where after your basics it might be cyber security as a course.
Teaching Digital Forensics and Incident Response (DFIR) as a subject at the undergraduate level is highly recommended. However, at the postgraduate level, DFIR can be taught as a full-fledged Master’s degree. Trying to teach at undergraduate level as a full degree has its own cons:
- The kids fresh from school are not ready for a serious course like DFIR as a degree
- DFIR is a specialist course which requires understanding of the various sub-segments within the field of computer science, so without a basic framework in computer science, trying to teach DFIR at the undergraduate level creates half-baked professionals
- Many DFIR professionals lack skills in scripting and coding. This is primarily because they are not exposed to this in both undergraduate and postgraduate levels
- DFIR is intended to analyse applications during an investigation, so unless basic programming logic is taught and understood properly, it is not possible to build a good DFIR investigator.
Keeping all these in mind, DFIR should be taught as a subject in undergraduate and offered as a degree at postgraduate level.
How should DFIR professionals give information back to the community (sites, blogs, forums, research, etc.)? Which is the best way?
(originally asked on day 21)
Whatever medium you can find to give back, just go ahead. The only thing that matters is intent and selflessness. A combination of various options would be ideal. However, blogs and regular snippets about the research that is happening, along with practical question and answer sessions (like this one) on issues faced by the digital forensics professionals, will be of immense value.
Digital platforms that are 100% legitimate and genuine will serve this purpose and should be free, i.e. providing valuable information back to the community. It is the community that should be more flexible in choosing the source.
How do I prepare for a DFIR interview? What is important to highlight to secure a job?
(originally asked on day 25)
Keep the following key points in mind while preparing for a DFIR interview:
- Irrespective of whether you are a beginner or a working professional, show that you have a fundamental interest in the subject and an inquisitive mind. You should have hunger to learn.
- Basics of information technology, cybersecurity and forensic science.
- Knowledge of digital forensic tools.
- Knowledge about the recruiting organisation and the job role they are offering. Ask questions to your interviewer if you have any doubt about the role in the job at offer.
- Be open and honest. It is not possible for you to have exposure to all facets of DFIR. If you don’t know something, say “I don’t know”.
- Understand the questions within the context and try to answer.
- Lure your interviewer towards your strengths and make them ask questions you want them to ask.
- DFIR is a practical subject; you are expected to walk your talk. So do not overplay or exaggerate your skills. The job giver should get a feeling that you are moldable (flexible) even if you lack a few qualities and skills.
- Don’t show attitude. There are always smarter experts in the field than you.
- Be polite, to the point, and straightforward.
- If your interviewer is less knowledgeable than you in some areas, don’t tease or underestimate him. He may be a specialist in another area.
- Be cool, be practical, and have presence of mind.
- Last but not least: People like me may advise you with dos and don’ts. Keep them at the back of your mind, but be the person you actually are. It will sail you through.
Participation in #25Days25Answers
As anticipated, a wide spectrum of participants, including enthusiasts, new entrants, professionals, experts, mentors and academics, took interest and put forth their views in these 25 days. A few of the participants and their designations are mentioned below.
- Barath Rajagopalan J Iyer, ACIArb, CMO, Founder & Director – SourceData Consulting
- Prince Boonlia, Editor In Chief at Digital Forensics (4N6) Journal
- Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite & SANS Senior Instructor, DFIR Co-Curriculum Lead and Author
- Richard Saylor, Computer Crimes Program Manager at U.S. Army Criminal Investigation Command
- Venkatesan Owner, Lab Systems India Pvt Ltd
- Jessica (Ceres) Hyde, Director, Forensics at Magnet Forensics
- Michael Smith, Cybersecurity, Privacy & Disaster Response
- Rajesh Kumar, Certified Cyber Forensic Professional at State Forensic Science Laboratory, Patna
- Anupam Tiwari, IT Security Enthusiast and Blockchain Learner
- Patrick Siewert, Founder & Principal Consultant, Expert Witness, Nationwide Instructor
- Patrick Eller, CEO – Digital Forensic Examiner – Expert Witness
- Amrit Chhetri, DFIR & AI Researcher
- Aman Agarwal, Cyber Crime Investigator and Incident Responder
- Nikhil Sood, Information Security Auditor
- Om Salamkayala, Digital Forensics Professional
- Kashish Srivastava, Intern @Noida CyberCell
- Rohit Tiwari, SOC Trainee at SOC Experts
- Vipin George, Cyber Forensic Consultant, Kerala Police Academy
- Piyush Kohli, Cyber Threat Engineer – Global Threat Operations
- Bikash Halder, Cyber Security Analyst
- Atoshe Lohe, Managing Director at INsoftware & Solution/Institute of Information Security and Computer Forensic.
- Shreya Koley, Summer Intern at KPMG
- Shubham Sangwan, Intern at Gurugram Police
- Kanishka Joshi, Actively seeking opportunities in Auditing and Compliance
- Khadsare, S., 2020. Grouping of Professionals in Cyber Forensics. Digital Forensics (4N6), 2(3), p. 82.
- Khadsare, S., 2020. https://www.digital4n6india.com [Accessed 2020]
About The Author