
Webinar summary: Digital forensics and incident response — Is it the career for you?

May 5, 2020 by Graeme Messina

Introduction

Infosec held a webinar with Cindy Murphy to find out about what it takes to get started in digital forensics and incident response. Cindy gives her take on how to get started in this highly technical field, and how she herself got started. 

Sprinkled throughout the webinar are pieces of wisdom and practical advice that can help you get started in the industry. In this article, we’ll do our best to distill some of this wisdom, helping you understand the type of work that a DFIR professional does, how to prepare for it with training and what, if any, education requirements there are. 

What are we talking about when we mention DFIR? 

What is digital forensics? In simple terms, it falls under the same umbrella as forensic science. We usually associate this kind of work with law enforcement, but private companies also carry out these types of services. It focuses primarily on evidence collection, recovery and investigation. 

Digital forensics is just one piece of the puzzle, though. Today, there is a strong need for incident response expertise to be coupled with digital forensics. Attacks are often still taking place when investigations get underway, so incident response is needed to mitigate and eliminate threats before investigative work can be undertaken.

We call this combination of skill sets DFIR. It can be teams of people, or single professionals with knowledge in both fields. As we will discover, the more general knowledge a forensics professional has, the better.

The current state of digital forensics and incident response is one of positive growth. So much so, in fact, that the demand outstrips the supply by a long shot. 

I had the chance to hear from Cindy Murphy, who is President and Lead Examiner of Gillware Digital Forensics, to find out what her company sees as being advantageous in the current DFIR job market. We get some deep insights from this 30-year DFIR veteran about what it takes to break into the market. The answers might surprise you!

Why choose DFIR as a career?

Any line of forensics work is going to be challenging and engaging, especially if you enjoy problem solving. Cindy explains why her line of work is so interesting: “There are all sorts of technical explanations, but I think one of the best ways to explain it is to say that if you want a career where you’re never ever gonna be bored, this might be a good career to look at.”

If you still aren’t sure why you would choose to work as a DFIR professional, it is also worth considering how much room for growth there is in this space. Perhaps one of the best things about this line of work is something that Cindy was quick to point out: “It is ever-changing, ever-growing and ever-expanding.”

Other than always being refreshingly different from day to day, DFIR is also interesting for people that enjoy trying to understand how an attack unfolded. Cindy elaborates:

“We look at data to try to recreate what happened, or to try to figure out the root cause of an incident, and to try to help an individual, a company, or an organization better secure their networks. Really, that can include endless sorts of things.”

Getting started as a DFIR professional

We all have to start somewhere, regardless of the industry or job role. The traditional path to get to this point is normally: get certified, show competency, find a job. 

DFIR is a little different, though, as certifications don’t always tell the full story about a person’s abilities. Sometimes it is about what you learn by practicing in the real world that can help to get you started. 

Cindy spoke about her beginnings: “I ended up learning very experientially to start with in my formative years, and then moved to a more formalized training through National Crime Center, what was then EnCase and FTK through those vendor supported training programs.” This means that there is value in both formal education and training, as well as real-world, on-the-job learning.

How important is education and certification?

We all know that in order to show off your skills to a potential employer, you need to have certifications and qualifications behind you. This is especially true if you are working in a systematic and forensic environment. 

Cindy talks about how certifications are important when criminal justice proceedings are involved. “I think all of the educational options are good ones. When you’re in a digital forensics position where you’re likely to be in court doing straight machine forensics or doing civil litigation work in the private sector, or in law enforcement having formal training certification, and formal education is really helpful for building your curriculum vitae, your CV, and showing the court your background and expertise in an area …”

But Cindy also explains that while this is important in establishing your credentials, it doesn’t always equate to the best experience in the technical sense: “… It looks better to a jury, to a judge, to attorneys to have that formalized education, but that doesn’t mean that’s the end all be all, right?” This ties in with what we all know to be true in most technical fields: formal education is important but experience is normally what separates the good from the great.

What skills are needed other than technical skills?

Believe it or not, soft skills are also crucial in the DFIR work environment. As an employer, Cindy outlines why soft skills and interpersonal communication are just as important as hard skills in her line of work: “I want people who have hard skills and soft skills. I want people who are able to talk to other people and explain difficult concepts in simple ways. I want people who are good at writing, who have good grammar and who write clearly and concisely, and can express technical things in simple words on paper. And I want people who can present to non-technical people what they’ve learned about the technology.”

If you are not good at articulating your train of thought or putting pen to paper, then all is not lost. Cindy believes that these are skills that can be worked on and learned, even if you don’t think of yourself as having those kinds of skills. “Some people say, or they say but you can’t teach me that. You can’t teach me to be comfortable speaking, or to say things more simply, or to express myself better in writing. I’m either good at it or I’m not. I’m here to tell you those are things you can learn as well. So for people who know they’re strong in the technical areas, but have some concerns about those soft skills, those are definitely things you can learn.”

If you have the ability to perform difficult technical tasks while still maintaining your ability to communicate with others, then you are in good shape. As someone that employs new staff on a regular basis, Cindy has a unique take on how these skills come together to create a capable DFIR professional: “Those differentiating factors for me as an employer looking at bringing people on board have to do more with the combination of the technical knowledge and skills, and the people knowledge and skills. Are you good on the phone? Can you explain things that are hard in a way that’s easy to understand? Do you write well, or do I have to worry about every report that goes out the door?” If you are able to balance these skills, you can market yourself as a well-rounded candidate.

Is it easy to find work as a DFIR?

The simple answer from Cindy is yes, but finding a job and actually landing a job are two different things. “There is huge demand for digital forensics, incident response and network security folks, not only in the private sector but in the public sector. There’s a huge shortage of people with these skill sets, with the technical skillset and those soft skills.”

This doesn’t mean that finding a job is guaranteed, or that finding a job is easy. What this does show is that the demand is there for skilled professionals that can add value to an organization.

What is a DFIR professional?

Cindy gives us a breakdown of what a DFIR professional is and what they do at her company, Gillware Digital Forensics. “What we do is investigate incidents that happen on computer networks, or individual computers. We look at data to try to recreate what happened, or to try to figure out the root cause of an incident, and to try to help an individual, or a company, or an organization better secure their networks.”

Cindy speaks about how important broad knowledge is in this line of work: “You have to have a little bit of knowledge about all sorts of different subjects. And there’s a lot of specialization in the field. I mean, we’re talking about everything from cell phones, and SIM cards, and flash memory, to 2,000-, 3,000-, 50,000-machine networks. So there’s a lot of ground in this industry to cover.”

Cindy also talks about what makes this such a great role: “It’s a great field, super interesting, and as broad or as narrow as you need it to be.”

Conclusion: Tips for landing that dream job

Sometimes you can get started in the industry by simply making yourself available. Cindy has a refreshing take on getting started in digital forensics and incident response: “Whether it’s volunteering to help secure a network, or whether it’s an internship at a police department in the forensics lab, those sorts of things you have to be a little bit creative, and put yourself out there.”

If you lack experience, don’t put blinkers on while chasing down your ultimate goal. If you have the will and determination, Cindy mentions that you could also look at taking a lateral move by starting off in a position that is different to the one you are after: “I think you also have to express that willingness to do anything. People misinterpret sometimes those entry-level positions as I’m applying for this position. This is the position I want. If we’ve already made a selection for that position, and you haven’t said, hey, I will literally do anything in your company to get my foot in the door, the person who says that is probably gonna get hired before you.”

Remember the soft skills and make things personal. You want the interviewer to remember you when they are looking through the pile of resumes and CVs. Cindy recommends a personal touch: “If you want to stand out in this crowd take the time to send a thank-you card after you get an interview you’ll probably get hired.” Cindy continues: “Send a physical card. Send an email follow-up. Take the time to pick up the phone and call back afterwards. And keep your name and your resume at the top of that pile.” If you follow these tips then you too could land your dream role as a DFIR professional.

Be sure to check out the full webinar stream right here.

Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.