Our technology-driven, computer-controlled world has made us faster, more efficient, and more productive than ever before. It has allowed us to effortlessly communicate and conduct business, whether across town or around the globe. For investigative professionals with the right skills and enough resources, virtually any digital data stored or transmitted is accessible.
Computer forensics investigators are the professionals called upon to identify, isolate and recover digital information to be used as evidence in criminal and civil trials.
The term “forensics” means to bring to court or to use in a legal proceeding. As such, computer forensics investigator jobs involve collecting, analyzing, and presenting computer evidence to the court. This field may involve recovering digital evidence of computer-related crimes, such as hacking and identity theft, or it may involve recovering digital evidence and communications related to non-computer crimes.
Computer forensics is still a relatively new discipline, so new laws are being written every day to help define the role, scope and limitations of computer forensics investigators. Because there is little standardization and consistency from one court or jurisdiction to the next, the tools and methods computer forensics investigators use to obtain evidence and present it in a court of law may depend on a number of circumstances.
The most common path to this profession is through a bachelor’s or graduate degree in computer science with coursework specific to computer forensics. There are also a number of undergraduate and graduate programs in computer forensics, and many criminal justice programs that offer a concentration in computer forensics.
Coursework in computer forensics may include courses in digital crime, computer ethics, and information systems security planning, among others.
Computer forensics investigators may need to be licensed as private investigators in the state in which they work. Becoming state licensed as a private investigator may involve meeting the state’s minimum requirements regarding both education and experience.
The Work Computer Forensics Investigators Perform
Computer forensics involves applying investigative analysis techniques to gather evidence from a digital device that can be presented in a court of law. Computer forensics investigators perform structured investigations and maintain a documented chain of evidence, following a standard set of procedures and protocols to ensure evidence isn’t compromised in any way.
Computer forensics investigators use a number of techniques and forensic software applications to search for hidden information and deleted, encrypted or damaged files. All recovered and collected evidence is verified for litigation purposes.
Generally speaking, computer forensics involves recovering two types of data:
- Persistent data – data stored on a hard drive and preserved
- Volatile data – data that is not stored and preserved, but that may reside in registries, caches and RAM
Computer forensics investigators must have reliable methods for capturing both while preserving the integrity of the data.
Computer forensics investigators may be called upon to recover evidence from any number of computer or digital devices:
- Hard drives
- Email servers
- Storage media
- Web servers
- Internet sites
- Digital cameras
- Zip drives
- Personal digital devices (smartphones, tablets)
- Digital answering machines/fax machines
Their work may involve:
- Examining and recovering information from computers and other digital equipment
- Reconstructing damaged computer systems to locate evidence
- Preparing reports related to recovered evidence
- Reconstructing file fragments
- Testifying in court regarding recovered evidence and the methods used to collect the evidence
Computer forensics investigators may work for:
- Police and other law enforcement agencies
- Defense and military agencies
- Security firms
- Law firms
- Government agencies
- IT companies
- Private investigation firms
- Banking and insurance companies
Professional Certification for Computer Forensics Investigators
Computer forensics investigators often seek professional certification to achieve a competitive edge and to advance their careers. The International Information System Security Certification Consortium offers a Global Information Assurance Certification (GIAC) – Certified Forensic Analyst designation for professionals in the fields of information security, incident response, and computer forensics.
To achieve certification, candidates must pass an exam of 115 questions with a time limit of 3 hours. Individuals are assessed on the following areas:
- Operating Systems and File Systems
- Metadata and Filename Layers
- Forensic Intrusion Analysis
- Digital Forensics and Incident Response
- Digital Forensic Investigation Methodology
- Data Layer Examination
- Analyzing Timelines
- Acquiring and Analyzing Volatile Data
There are no minimum requirements for this certification, although taking the SANS training course, Advanced Computer Forensic Analysis and Incident Response, may help individuals prepare to take the exam.
The Information Assurance Certification Review Board offers the Certified Computer Forensics Examiner designation, which requires individuals to pass an examination that assesses their knowledge in the following areas:
- Law, ethics and legal issues
- Hard disk evidence recovery and integrity
- The investigation process
- Report writing
- Evidence analysis and correlation
- File system forensics
- Computer forensic tools
- Digital device recovery and integrity
- Evidence recovery of Windows-based systems
The EC-Council offers the Computer Hacking Forensic Investigator certification, which requires completing Exam ECO 312-49. The exam can be taken at Prometric and VUE testing centers throughout the country. Individuals may qualify to take the exam either by possessing at least two years of experience in computer forensics or by completing an official training program through the EC-Council.