Introduction: What role does forensic science play in cybercrime investigations?
As cybercrimes grow in terms of number of attacks and cost to organizations and businesses, it is obvious that concentrating not only on the prevention but also on the investigation of cases is paramount.
Digital forensics, then, is playing a growing role and companies are more and more on the lookout for knowledgeable professionals, including investigators and examiners. This branch of forensic science encompasses the collection, preservation, analysis and reporting of evidence for many purposes, including legal proceedings. The investigator/examiner will be involved in the recovery and scrutiny of material found in electronic systems or digital devices to identify the cause of data breaches or leaks.
Considering computers as a crime scene, a digital forensic examiner will move just like any other criminal investigator to understand the nature and extent of an incident. They will use analysis techniques, reconstructing the events relating to an intrusion or extracting data needed for a case.
Forensic examiners have the task of collecting data and information from electronic systems (e.g., computers, laptops, tablets, smart phones, digital cameras, flash drives and more) and are responsible for independently analyzing evidence from hardware or files located on a computer. They are also responsible for the proper handling and examination of digital evidence. Then they’ll produce written analysis of their findings and may be called to testify in court as an expert witness.
The field is quickly evolving and examiners’ techniques are becoming more sophisticated, which requires them to have specialized, up-to-date knowledge. As digital forensics can be central to case, examiners are often also involved in larger settings than cybercrimes when their input is requested in seeking data for extra-cyberspace criminal proceedings.
How to enter this field
An investigation requires examiners to use computer forensic methods to determine the source, cause and scope of the incident as quickly as possible. So in addition to them needing a solid knowledge of IT hardware and software concepts, it is crucial for a professional to know how to use the latest forensic tools to find data, anomalies and malicious activity in digital media.
Many examiners start out by pursuing a degree in computer forensics, but this is not the only way to enter this very interesting field. IT professionals can prepare themselves by earning professional computer forensics certifications such as the GIAC®️ Certified Forensic Examiner (GCFE), IACIS’s Certified Forensic Computer Examiner (CFCE) and ISFCE’s Certified Computer Examiner (CCE). Any of these qualifications can be a great asset to demonstrate a competency in this profession.
The ideal certifications and career paths to follow
The Certified Forensic Examiner (GCFE) certification from the Global Information Assurance Certification (GIAC) is appropriate for anyone whose duties include the examination and/or analysis of digital media. According to GIAC, it really suits “anyone interested in a deep understanding of Windows forensics who has a background in information systems, information security, and computers.” This certification is the right choice not only for IT professionals involved in incident response but also for law enforcement professionals with a technology background and analysts.
As IT professional Greg Belding writes about the GCFE: “[It] provides a way for professionals to demonstrate that they have the necessary skills, knowledge and ability to conduct typical incident investigations, including e-discovery, forensics analysis and reporting, evidence acquisition, web browser forensics, and tracing application and user activities on Windows computer systems.”
Here’s what the GCFE exam sections include:
- Analysis and profiling of systems and devices
- Analysis of file and program activity
- Acquisition, preparation and preservation of digital evidence
- Analysis of user communications
- Analysis of Windows system user artifacts
- Fundamental digital forensics
- Host and application event log analysis
- Microsoft browser forensics
- Third-party browser forensics and browser artifact analysis
- Windows registry artifact analysis
- Windows registry fundamentals
Note: The topics covered on the exam suit an intermediate-to-advanced level candidate.
Prerequisites: Training is recommended but not required for certification attempts, as job experience is very valuable to pass this test.
The GCFE certification currently costs $1,999 with a free training course bundle option covering two practical tests. The exam is delivered through proctored test centers (Pearson VUE) and must be scheduled in advance. It consists of 115 questions with a time limit of three hours to complete. A minimum passing score of 72% is required for certification.
Certification holders must recertify every four years.
The Certified Forensic Computer Examiner (CFCE) certification from the International Association of Computer Investigative Specialists (IACIS) is also appropriate for those that are in security or IT and may be law enforcement professionals. This credential can ensure that the individual has the knowledge, skills, and abilities to conduct a computer forensics examination. However, the process to acquire this rigorous, vendor-neutral certification is definitely unique.
The process, in fact, consists of two stages: a peer review (30 days in which candidates, guided by a mentor, solve four practical problems and document their findings) and a testing phase (30 days to complete a hard drive practical problem and 14 days to solve the knowledge-based objective exam of 100 questions).
Once complete, the candidate acquires the credential if they can demonstrate fluency of the CFCE core competencies and practical skills. Candidates must obtain a minimum score of 80% on the exam and practical test in order to pass.
Here are the competency areas addressed in the CFCE Program:
- Pre-examination procedures
- Computer fundamentals
- Partition schemes
- File systems
- Data recovery
- Windows artifacts
- Presentation of findings
Prerequisites: Candidates who wish to attain this certification must have successfully completed 72 hours of training in the field of computer/digital forensics to be allowed to participate in the CFCE Certification Program.
IACIS offers a two-week basic computer forensics examiner (BCFE) training course ($2,995 US) to satisfy this requirement, but any comparable program that addresses all core competencies of the certification is acceptable. In fact, “those not attending the BCFE course may meet the 72-hour training requirement with a comparable course (subject to IACIS approval), pay a $750 registration fee, and successfully pass a background check to enroll in the CFCE program and sit for the exam.”
Certification holders will find the IACIS proficiency exercises (to test practical skills and demonstrated knowledge points) are available annually; however, it’s only offered to certified CFCE members, purposely for recertification — a requirement that is every three years.
The Certified Computer Examiner (CCE) certification from the International Society of Forensic Computer Examiners (ISFCE) is appropriate for incident responders who may be security or law enforcement professionals. This certification is now required by some companies for their forensic computer examiners.
The purpose of this credential is to set standards for the digital forensic professionals both in terms of knowledge and ethics, while enabling them to advance in the field by providing a level of proficient knowledge for all professionals to attain and, of course, become certified on the basis of their expertise and skills.
“The CCE certification is widely considered to be the most prestigious non-vendor specific forensic certification available,” writes the ISFCE. This certification is made available to all examiners working publicly or privately.
Here’s an outline of the necessary level of proficiency required for a CCE test candidate:
- Complete an online test and forensically examine three pieces of media, submitting a report after each examination
- Know proper procedures for acquisition of digital evidence extracted from networks
- Demonstrate forensics knowledge in various operating system (e.g., macOS, Windows, Linux/Unix, etc.)
- Apply recovery techniques, analysis and reporting
Note: The certification is designed to test an applicant’s proficiency in several areas, as outlined in the CCE competencies.
Prerequisites: This includes a minimum of 18 months of verifiable professional experience conducting digital forensic examinations or attendance of appropriate training in an ISFCE Authorized Training Center (CCE bootcamp). Self-study is also acceptable if deemed appropriate by the Certification Board.
Preconditions: An application must be submitted and approved prior to registering. There is also a fee for the CCE test (see associated fees).
- CCE Process — $485.00 USD
- CCE Recertification (every 2 years) — $150.00 USD
Unlike the other mentioned certifications (GCFE and CFCE), the CCE process includes four steps: an application process in which the eligibility is ascertained; an online written exam where the candidate must pass with a minimum score of 70%; a practical examination to be passed (again, with a 70% score at a minimum); followed by a practical examination problem to be resolved within 90 days and then scored by an assigned assessor (a minimum score for this portion is also 70%). If all parts are completed and passed, then a certification is granted by the board within two business days. The testing material is only available in English, but the certification process is open to candidates worldwide.
What training is available?
To gain the skills necessary to conduct an investigation into potential cyber-related crimes and present digital evidence and data in a court of law, examiners will need computer forensics training to learn about e-discovery, malware analysis or incident response.
And because they’ll rely on forensic analysis tools to help them with this job, they need to be able to stay on top of all of the latest methods and technologies to be most productive in their role. Here are a few courses that can aid such a professional in their certification preparation:
- ISFCE CCE BootCamp® is geared towards successfully taking the CCE exam. It provides training on core forensic procedures with a focus not only on gathering evidence but also on how to present it in court
- IACIS Basic Computer Forensic Examiner (BCFE) provides an in-depth study of topics to take the CFCE exam and includes enabling tasks needed to become proficient in the competencies, such as “search and seizure of digital devices to analysis of FAT and NTFS analysis”
- SANS FOR500: Windows Forensic Analysis is specifically for in-depth forensic analysis of Windows operating systems
- IACIS Windows Forensic Examiner (WFE) Training Program is a good option for the CFCE certification. This is a five-day, 36-hour course on virtualization, partitioning, NTF, Windows security and registry concepts
- eForensics Magazine offers Self-Paced Mentored Online Training and has online courses such as …
- The National Initiative for Cybersecurity Careers and Studies (NICCS) Certified Digital Forensics Examiner (CDFE) 5-day course ($3,000) is ideal for anyone encountering digital evidence while conducting an investigation
Alternatively, there’s the training hosted on the NICCS Portal: for example, CFDI 240 course (via Champlain College) for digital forensics in a criminal investigation, and the CFDI 445 course on the best practices for analysis of some hypothetical and real case scenarios which might also interest some professionals in the field.
When it comes to personalized professional development, certification holders can earn continuing professional education (CPE) credits by attending webinars, seminars and workshops. The IEEE International Workshop on Information Forensics and Security (WIFS), for example, is an annual event that brings together experts to discuss advanced research and developments in several topics of the trade. Be sure to check the website for the WIFS 2020 event information.
Also consider the continental conferences by the International Institute of Certified Forensic Investigation Professionals (IICFIP) USA, Inc. The institute’s mission: “To promote excellence of forensic investigation skills globally by carrying out accreditation and other training in all countries across the globe evolving standards for forensic investigation processes and creating a process for validating new approaches to forensic investigation. To create a Common Body of Knowledge (CBK) for forensic investigation processes.”
The job outlook (and salary prospects) for computer examiners with degrees and/or certifications in digital forensics
For those who want to pursue this career and become a forensic examiner, the job outlook is excellent. This is especially true for professionals with degrees and pertinent certifications.
A digital forensics salary can increase with experience, advanced qualifications and type of employment. Those employed as computer forensic examiners may find work in the public or private sectors and can be appointed to analyze hardware and software for digital evidence while working with enforcement, consulting firms or cyber defense/intelligence agencies to prepare evidentiary findings.
According to PayScale, for example, the average salary for a SANS/GIAC-certified forensic examiner (GCFE) is $86,000.
Due to the rapid growth of violations involving computers, forensic examiners play a major role in both cybercrime cases and traditional crime investigations. As such, “digital forensics is a crucial aspect of law and business in the internet age and can be a rewarding and lucrative career path.”
Indeed, there are many career opportunities for people with degrees in digital forensics or computer forensics degrees and getting ready by certifying in the field is a great idea for somebody looking for the best available positions. Many credentials are available that cover different aspects of the field and that offer different certification paths to better suit the needs of any person, whether newbie or pro.
- Overview of the Certified Forensic Computer Examiner Program, IACIS
- GIAC Certified Forensic Examiner (GCFE), GIAC
- CCE Certification, ISFCE
- What is Digital Forensics?, UpGuard
- What is Computer Forensics?, Forensic Control
- Computer Forensics Degree, Criminal Justice Degree Schools
- Best Digital Forensics Certifications, Business News Daily
- How to Become a Digital Forensics Professional in 2019, Forensic Notes
- Forensics Examiner, ScienceDirect
- What It’s Really Like to Be a Digital Forensic Examiner, The Balance Careers
- Digital Forensics vs. Computer Forensics, Data Narro, LLC
- Computer Forensics Certification, Cyber Security Education
- Computer Forensics Examiner Job Outlook & Salary Info, Forensics Colleges
- Online Courses, eForensics Magazine
- 22 Best Schools with Online Computer Forensics Programs 2019, Cyber Degrees
- Salary for Certification: SANS/GIAC Certified Forensic Examiner (GCFE), PayScale
- What is digital forensics? And how to land a job in this hot field, CSO
- 5 Cases Solved Using Extensive Digital Forensic Evidence, EC-Council