Computer Forensics Expert: Chris
Q: Why did you choose to go into computer forensics?
A: My office was looking to expand our capability to respond to, investigate, and prosecute hi-tech offenses and crimes involving technology. This was in response to a significant increase of cases involving technology – not only traditional cybercrimes like hacking and online child exploitation, but violent criminal activity where digital evidence was critical to the case. They approached me as I had expressed interest, and from there I was put on a training track. I found that it was the newest and most exciting field of criminal investigations, and to this day, still feel that way. To me, the best thing about the field is that it changes every day, from the law to the technology, so you are constantly being challenged to learn more, enhance your skills, and deal with new situations.
A: I believe, and teach my students, that the best digital forensic examiners have a combination of skill, education, and experience in three areas. The first and most critical area for digital forensic examiners to be well versed is obviously in technology. Fundamentally, the field starts with a solid understanding of computers, cellular phones, personal digital assistants, and various types of media. Not only how they work but how data is stored.
The second critical area for digital forensic examiners to have knowledge and education in is the law, particularly forensics. This includes admissibility of evidence, the court system, and the rules and procedures for ensuring that the results of forensic examinations are ultimately admissible in court.
The third area that is central to being a good examiner is having an investigative background. Forensic examinations on digital evidence are different from normal forensic examinations. Forensic examinations on digital evidence are investigative in their nature as opposed to standard forensic examinations where unknown samples are compared to known samples. Forensic examiners with some investigative experience understand the importance of not only finding files, which is typically the less difficult part of the digital forensic examination, but also telling a story about how the file got there, who put it there, when it got there, and why it is there.
There are other critical skills and traits the examiner must have. Honesty and integrity are the most important of these traits. A digital forensic examiner also has to be organized and have the ability to manage many tasks, with little supervision, at the same time. An ability to work well under pressure goes a long way for a computer forensic examiner. Last, the best digital forensic examiners communicate well orally and in writing. Juries statistically are typically less educated as a whole than digital forensic examiners. This poses a significant challenge to examiners as they must have the ability to conduct extremely complex and technical examinations, write compelling reports of their findings, then communicate those findings at the ultimate test of their profession – trial before a judge or jury. This is where the process is put to the most rigorous test!
Q: What steps does someone go through to get a job in computer forensics?
A: The steps are typically different when looking at the private versus the public sector. In the public sector, on the state and local level, many times you see sworn law enforcement examiners identified, recruited, and trained from the field of already available personnel. Civilian examiners on the public side are often new examiners or retired sworn personnel. Federal law enforcement jobs are different, where there is an integration of both sworn and civilian examiners in forensic labs as a product of active recruiting of qualified personnel. The military operates in a similar fashion, with an integration of active military, civilian examiners working in military outfits, and government contractors. Many times government contractors take former military personnel as new hires who have active security clearances and prior military or other government experience.
Private sector positions, including positions in boutique forensic firms, corporate security positions, and larger forensic consulting positions are filled by people from various backgrounds. These can and do often include prior government or law enforcement forensic examiners transitioning to the private sector and “techies” transitioning into information security or forensics. Although there is some emphasis put on a person’s experience during hiring phases, hiring of entry-level forensic examiners can and does include applicants with strong academic credentials. Industry certifications are always a plus.
Q: What is the most enjoyable thing about your job?
A: It is a different story, a different experience, a different challenge either legally or technologically or both, every single day.
Q: What is the biggest challenge regarding your job?
A: The biggest challenge is also the most enjoyable aspect of my job. Every day the technology and the legal aspects of the field of computer forensics and cybercrime change. You constantly have to adapt, adjust, and learn the technology and law to continue to be relevant in this field. If you can’t think on your feet, work under pressure, and make tough decisions, this field may not be right for you.
Q: What are your daily tasks like?
A: The great thing about my job is that answering a question like this is so difficult. Oftentimes I am asked, “What is a typical day for you?” The answer is simple. I have no typical days. A day can be spent in court on cybercrime cases, interviewing witnesses, conducting examinations in serious criminal investigations, building forensic workstations, working on legislative initiatives, managing budgets, or educating others about responsible Internet use. Often it involves more than one of these things.
Q: What is one thing you didn’t know about computer forensics before going into the field that you wish you had known?
A: It is not just a technical field. Technology is a major part of it, but this is also a legal field and an investigative process. ‘Forensics’ originates from a Latin term meaning “belonging to the forum.” Looking for and finding evidence is a large part of the job. Reporting and testimonial aspects are just as important. The ability to communicate orally and in writing is very important, as is an understanding of the legal principles relating to statutes, best practices, and court rules.
Q: What would you tell incoming college students regarding the field?
A: Computer forensics is “the” field to be in because it is cutting edge. The challenges examiners face on a daily basis are constantly changing because we are growing with the field – seeing history develop before our very eyes. To me that is a fascinating concept. Statistics show that the field will only continue to grow in the future as the ubiquitous nature of the Internet, computers, cellular telephones with computer-like capabilities, media, personal digital assistants, and certainly, cybercriminals, are on the rise.