by Christa Miller, Forensic Focus
Whether you’re a college or university student trying to plot out your career, an experienced worker figuring out next steps, or a mentor seeking to help either one of them, you may be seeking to answer the question: what can I do in digital forensics?
The digital forensics profession has grown by leaps and bounds over the past three decades, and cybercrime’s proliferation means there’s no shortage of work. In the last ten years alone, mobile devices and the cloud both became evidence storage sources rivaling hard drives. The Internet of Things and artificial intelligence went from obscurity to widely deployed reality.
Looking back at our recap of the Techno Security and Digital Investigations Conference, we can see the number of options reflected in the presentations — and then some. As Doug Brush and Nathan Mousselli pointed out in their panel discussion on certifications at Techno Security, career paths are opening up today that didn’t even exist five or ten years ago.
Meanwhile, Price Waterhouse Coopers recently listed “the essential eight” emerging technologies shaping the next generation of businesses: artificial intelligence, augmented reality, virtual reality, blockchain, drones, the Internet of Things, robotics, and 3D printing.
Of course, most of us are familiar with all of these technologies, and some are even deployed to automate, streamline, or be a subject of digital forensic investigations. But the PWC report takes them further, describing five emerging themes in which the “essential eight” “are coming together to create the next wave of innovation”: embodied AI, intelligent automation, automating trust, conversational interfaces, and extended reality.
So, while you may frequently see the same device models, the same apps, and the same low-hanging fruit from investigation to investigation, good research skills cover those rare unexpected devices and investigative curveballs.
Forensic examiners who might end up giving courtroom testimony have to be able to demonstrate they know (1) how a given device stores data and (2) how the tools they’re using help them to extract and analyze that data. Training counts for a lot of this, but so does the ability to test devices and apps to see how they store, manage, transmit, protect, and delete data. That’s especially true for emerging technology when training hasn’t quite caught up.
So where should you look today, and where might you look in the future? Several current career paths might lay the right foundation for wherever you end up.
This field is perhaps most impacted by the broad social/cultural shift away from computers to mobile devices. As “smart” technology becomes more accessible in homes, vehicles, and the workplace, a similar shift from mobile to Internet of Things device forensics appears to be the next trend.
In these cases, you’ll be responsible for finding artifacts associated with messaging, web browsing history, photos and video, data storage, and more from a wide variety of apps. You’ll have to be able to put suspects behind keyboards (or devices), understanding that the obvious answer isn’t always the actual one.
Your skills will be put to use at multiple stages of an investigation, from quick evidence extraction to help build leads during an interview, to deeper analysis that helps build timelines and cases. The contact and geolocation data you collect might be useful intelligence for long-term operations. Memory forensics can be important, too — passwords are just one example of the critical data you can find there.
One significant subset of criminal digital forensics investigations is internet crimes against children. Often described as pursuing “the worst of the worst,” this career offers high payoff when you’re able to rescue child victims from predators. With AI-based software helping to reduce some of the immediate secondary trauma of viewing child sexual abuse, and stigma lessening around mental health intervention, this career path could be the ultimate way to serve your community.
The downside of all criminal investigations is that caseloads, and the metrics associated with rapidly clearing them, make it difficult to do much research. If you like research but you don’t necessarily want to make it a hobby you do on your downtime, you may want to look into a career that gives you the time you want.
Academia and Training Instruction
The medical profession’s “see one, do one, teach one” saying applies to digital forensics, too. If, in teaching a method to someone else, you discover you have a knack for instruction, academia might be a good place to burnish your skills.
Focusing on research enables you to be at the forefront of emergent technologies. You may have the chance to develop your own forensic tools and contribute to a broader body of research.
Academia isn’t without its troubles. In the United States, for example, adjunct professors cannot be said to make a good living, and don’t have tenure to support them. If you are on a tenure track, it can take years to actually attain tenure. The environment can be political and competitive, with a poor work/life balance. Many graduate students, wrote Chris Woolston for Nature, report mental health problems.
Still, Woolston added, academia gives you the opportunity to connect with and support other researchers while adding to the body of research that’s so critically needed.
If making a good living is as important to you as research, though, then you may want to look into working for a vendor. A variety of roles include training others — another good way to hone your teaching skills, while researching to stay on top of the latest technology — or being an “evangelist,” taking your original research on the road and online to present at conferences or in webinars.
Another possibility is to perform investigations in the corporate world. This is a growing area because of the need for companies to prevent and mitigate both external and internal threats.
External threats get the most media attention, but it’s really internal threats that are riskiest to companies. Misuse of corporate resources can result in thousands of hours of lost productivity as well as leaving companies vulnerable.
For example, employees who bring work-issued devices home may stream illicit material through a torrent service, download unapproved apps — flouting policy either deliberately, inadvertently, or maliciously — exfiltrate sensitive data, or introduce malware onto their system, among other activities. Any of these can occur in conjunction with theft of intellectual property or trade secrets.
You may deal mainly with computers, tablets, and the cloud rather than smartphones. As such, your skills will require a good command of operating systems, the Windows registry, Windows and/or Mac file systems, major cloud platforms like Google Suite and Microsoft Office 365®, and major tablet platforms. Email and browser analysis can also be important.
How much “forensics” is involved, though, depends on the case’s severity and the steps an employee took to cover their tracks. Human resources and legal teams frequently drive these investigations, and likely will have particular requirements.
As an ObserveIT blog discussed last year, detection, determining intent, internal resources, and lack of evidence all present challenges to these investigations. Potentially being limited in your investigations could be frustrating, but then again, pay and benefits are typically higher than in the public sector.
Although minor data breaches might simply involve identifying, isolating, and remediating the suspect machine, bigger breaches involving many sensitive records, significant monetary damages, or nation-state actors might require deeper investigation across dozens or hundreds of systems.
Enter root cause analysis, a subset of corporate investigations, which can help stop ongoing attacks and prevent future ones from happening. That’s because they indicate threats that have proliferated across systems as attackers gain a foothold and then move laterally across a network, seeking access to “crown jewels” of intellectual property — or to disrupt network operations entirely.
Here again, operating system, registry, and file system artifacts are crucial, as are memory and cloud forensics skills. Network forensics — the examination of how data and users move between systems — demands packet capture and analysis, logfile analysis, and more.
If you have a knack for programming and you’d rather zero in on the infection itself, going even deeper to figure out what makes attacks so effective, then malware forensics might be a great specialty for you. It involves reverse engineering, or delving deep into code to figure out how malware works, including its payload: how it exploits vulnerabilities and hides its own tracks.
On a proactive level, malware forensics can be used in threat hunting, which both contributes to and makes use of threat intelligence. You can use it to identify tactics, techniques, and procedures (TTPs), the patterns within them, and potentially the threat actors who deploy them.
Private Investigations and Consulting
More than just adultery investigations have gone digital. Private investigators and consultants are called upon to investigate a variety of other crimes. These can include:
- Consulting for trial attorneys, both for the defense and the prosecution, in preparation for trial
- Cyberbullying and harassment in schools and workplaces
- Missing persons, particularly those deemed by law enforcement to be runaways
- Collision reconstruction, including pairing vehicle “black box” data with other contextual clues, such as date and time stamps from text messages to see whether a driver was texting and driving at the time of collision
- Working closely with certified fraud examiners to determine means, motive, opportunity, and intent behind the fraudulent activities shown on the books
- Digital video recorder (DVR) analysis that can show (or disprove) evidence of tampering with a video feed at a crime scene.
Private investigators and consultants often start out in law enforcement or the private sector before striking out on their own, bringing their unique experiences to bear in serving other corporations, attorneys, or anyone in need of their skills. While they may start out offering services locally or regionally, demand can grow. Many consultants serve nationally and even internationally.
Government and Counter-Terror Investigations
Those in the military (or reserves) or federal law enforcement may have the opportunity to put digital forensics skills to use in mining electronic media for intelligence purposes. Document and media exploitation (DOMEX) is broken down into its component parts — MEDEX, or exploitation of storage media, and DOCEX, exploitation of documents found within those media.
DOMEX can involve research as well, as mission-critical devices may be encrypted or make use of apps you might never have seen before. Media in foreign languages may require translators to contextualize the information.
You may be active duty military, or employed by a government contractor to which militaries outsource DOMEX. Either way, expect to be challenged in these roles. While operational security concerns prevent much blogging or discussion of DOMEX exploits, many experts in the community have worked in either MEDEX or DOCEX, which informs the expertise they bring to training and presentations.
The Future of Digital Forensics
As digital forensics continues to evolve into the areas the PWC report talked about — “the next wave of innovation” including embodied AI, intelligent automation, automating trust, conversational interfaces, and extended reality — it’s wise to start asking questions now. What are some of the things we can expect to see in digital forensics in the future?
- Writing for D/SRUPTION, Laura Cox wrote, “Process automation, chatbots, advanced robotics, autonomous drive technology, and personal companions like Buddy and Jibo could all benefit from embodied intelligence.”
- Deloitte describes intelligent automation as “the combination of artificial intelligence and automation,” including autonomous vehicle guidance and advanced robotics.
- Automated trust, as explained by the MIT Technology Review, combines “blockchain—the distributed ledger technology that forms the basis of the digital currency Bitcoin—with artificial intelligence (AI) and the internet of things (IoT).” This matters to supply chains, which are coming to be increasingly complex; delivering citizen services, as described by PWC India; and smart contracts, as described by Richard Myers for In the Mesh.
- Conversational interfaces are perhaps most prevalent in Apple’s Siri, OK Google, Amazon Echo, Microsoft Cortana, etc. You might have seen chatbots pop up on websites you visit, offering assistance. The key, according to John Brownlee at Fast Company: “The idea here is that instead of communicating with a computer on its own inhuman terms—by clicking on icons and entering syntax-specific commands—you interact with it on yours, by just telling it what to do.”
- Extended reality, or “immersive” technology, encompasses virtual reality (VR) and augmented reality (AR). Writing for Forbes, Joe McKendrick quoted Laurence Morvan, chief corporate social responsibility officer for Accenture, in differentiating the two: VR works for immersive learning, while AR is best for “building technical skills on the job.”
McKendrick went further, however, describing Morvan’s cautions against the misuse — theft and manipulation — of personal data in immersive experiences, fake experiences, the loss of access to critical real-time data, and the potential for technology addiction.
The questions around these technologies are no different from the questions surrounding existing technologies, of course. Where data is stored, how and where it travels, how easy it is to access and analyze, and other questions remain perennial. The biggest challenge remains the rapid advancement of technology — how the answers we don’t have today could affect the questions of tomorrow.
Looking for more about these different options? Make sure you’re subscribed to our RSS feed to get our daily posts, which link to the latest insights in a variety of fields. You can also sign up to receive our monthly newsletter, and join in with discussions on the forums. In addition, Phill Moore’s This Week in 4n6 updates the community on forensic analysis, threat hunting and intelligence, malware analysis, vendor news, and all kinds of events and presentations.