In response to the growing number of cyber-attacks, IT system intrusions, and data thefts occurring at commercial, governmental and military facilities, a new branch of forensic science has developed. The field of computer forensics applies investigative principles and techniques to crimes and terrorist attacks relating to computers and network systems.
Computer forensics is typically introduced after a cybercrime has occurred. Using established crime scene protocols and evidence recovery methods, a computer forensic examiner or investigator will try to recreate the crime, establish a profile of the suspect, and identify or recover data that was stolen, destroyed or altered.
Computer forensic examiners are usually found within law enforcement agencies, but a growing number of them may be found in the private sector as members of IT departments or as consultants. The majority of computer forensic professionals receive their initial training and work experience within a law enforcement agency before entering the private sector.
Computer Forensic Examiner Job Functions
In order to investigate a digital crime, a computer forensic examiner will perform a number of functions:
- Recover any residual data or evidence relating to the crime
- Identify the motive of the attack and data that has been targeted
- Investigate and interrogate key IT and management personnel
- Reconstruct the tools used to penetrate the system’s security
- Isolate weaknesses in the enterprise’s network or IT system
- Backtrack through personnel files, communications or records to discover how critical system weaknesses were revealed
- Recover or reconstruct stolen, lost or altered data
- Produce evidence and summary reports detailing methods, suspects, and motives
- Testify in court about the crime
- Remain current about cyber-crime methodologies and tools
Because the profession is on the cutting edge of law enforcement and network security, a number of professional certifications have arisen that denote competency, experience and ongoing education. The most important of these are given by the organizations that represent this industry.
- The International Society of Forensic Computer Examiners offers the Certified Computer Examiner (CCE) designation for professionals who have passed the comprehensive exam. Recipients of this certification must possess 18 months of experience performing digital forensic investigations and have documentation of self-education in this field.
- The SysAdmin, Audit, Network Security (SANS) Institute offers a number of certifications:
  - Global Information Assurance Certification Forensic Examiner (GCFE) requires recipients to pass a comprehensive exam.
  - Global Information Assurance Certification Forensic Analyst (GCFA) conferment requires successful completion of an extensive examination.
- Electronic Commerce Council offers professionals the opportunity to receive the Certified Hacking Forensic Investigator (CHFI) designation upon successful completion of a comprehensive examination.
- The International Association of Computer Investigative Specialists provides the Certified Forensic Computer Examiner (CFCE) designation upon completion of a Peer Review Program and a written examination.
Education for Computer Forensics Examiners
Computer forensics is a major offered by many post-secondary educational institutions in the form of associate’s, bachelor’s and master’s degree programs. The associate’s degree provides a foundation in cybercrime, intrusion detection and the legal framework regarding data theft. Although it is possible to enter the computer forensics profession with an associate’s degree, most professionals find their education is deficient in many areas and additional work experience is required to gain proficiency in these areas.
A bachelor’s program is likely to include courses in criminal law, computer networks, computer operating systems, computer science, cyberterrorism, and computer programming. Most baccalaureate programs also require courses in mathematics and communication, which will aid computer forensics examiners in their professional responsibilities.
There are a growing number of schools with advanced degree programs in computer forensics. These master’s degree programs offer intensive courses in a variety of subjects that are critical to computer forensics job success, including:
- Information Security Theory and Practice
- Network Forensics
- Digital Media Forensics
- Operations of Intrusion Detection
- Incident Response Forensics
Salary and Employment Projections for Computer Forensics Examiners
The SysAdmin, Audit, Network Security (SANS) Institute issued a Salary and Certification Survey in 2008 indicating that 38% of the information security professionals polled earned salaries in excess of $100,000 each year.
The two most important factors in determining salary for this profession were work experience and level of education. According to the SANS report, professionals with a bachelor’s degree and five to nine years of experience in the field earned, on average, $91,541 per year. Those with a master’s degree and five to nine years of work experience received, on average, $96,531 in annual salary.
According to Indeed.com, the five states with the highest average annual salary for 2011 were:
- Mississippi – $115,000
- West Virginia – $108,000
- New York – $107,000
- Washington D.C. – $105,000
- Massachusetts – $101,000
The Infosec Institute states that computer forensic professionals are in high demand in both the public and private sectors, giving the job outlook for this profession an A rating. The New York Times reports that the biggest employment sectors are:
- Corporate Information Security Departments
- Law Enforcement Agencies
- Law Firms
Resources for Computer Forensics Examiners
- The International Association of Computer Investigative Specialists
- The International Society of Forensic Computer Examiners
- The American Society of Digital Forensics and eDiscovery
- High Technology Crime Investigation Association
- Digital Forensics Association