A word of advice (digital forensics)
si20 (Member Posts: 543)
I'm just going to write up a quick word of advice for anybody looking to get into digital forensics (within law enforcement). I finally made the break after some years of study and I was over the moon. I couldn't wait to start analyzing hard drives, phones, whatever was available. Well, I've had a reality check. Digital forensics at university is NOT like the real thing. Maybe I was naive to think it would be. It's like going to Karate class and thinking a real fight is exactly like what your 3rd Dan teacher has taught you (silly analogy, I know).
Paperwork. There's a lot of it. I mean, A LOT. If you don't like admin tasks, consider what you're getting yourself into. Think about it logically for a second. The police have received a complaint about somebody. That gets logged. Paperwork is created. That paperwork will get printed out and will become part of your 'case notes' as I like to call them. After this, you'll most likely be given a 'strategy' by the OIC (officer in charge). After this, you'll have to forensically image the hard drive (more paperwork). And it goes on...
Then you'll need to update the system to explain who has the hard drive at every step of the process, what the suspect's drives were copied on to and where they are now. Oh, and they'll need labelling up. Oh and remember that paperwork you had in the beginning? You'll need to keep it for the examiner because he/she is going to require it. You forgot to write down the serial number of the hard drive??
I can't put this more bluntly: forensics isn't just technical. In fact, it's more admin/paperwork than technical. The technical side of things is about 20% of the process. When I did my MSc, 90% (roughly) was practical and open-source. Well, in the real world, open-source is very rarely used because the commercial tools are built to handle terabytes of data and process it in a way that it can be investigated later on in the process.
It's safe to say that this will absolutely not be a long-term career for me. I just wanted to let it be known because I've had a bunch of people PM me, or post on here and ask about digital forensics and tell me how much they want to get into it. If you still want to, that's great! But there will be people (like myself) who want to be technical and not touch administrative tasks such as filing, updating databases and manually hand-writing things out.
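To make the custody and labelling steps the post describes concrete, here is an added example (not code from the original post or from any police force's case system) of a minimal chain-of-custody record: it captures the exhibit label and serial number, hashes the forensic image so a later examiner can confirm it is the copy that was logged, and flags any hand-over whose "received from" does not match the previous holder. All names, dates and the exhibit reference are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed example: a minimal chain-of-custody record for one exhibit.
@dataclass
class CustodyEvent:
    when: str            # ISO-8601 timestamp written by the person logging the move
    custodian: str       # who holds the exhibit after this event
    received_from: str   # who handed it over ("scene" for the initial seizure)
    action: str          # seized / imaged / transferred / stored
    location: str

@dataclass
class ExhibitRecord:
    exhibit_ref: str     # the label physically attached to the drive
    make_model: str
    serial_number: str   # the field the post warns about forgetting
    image_sha256: str = ""
    events: list = field(default_factory=list)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_image(rec: ExhibitRecord, image: bytes, custodian: str, when: str, location: str) -> None:
    """Store the hash of the forensic image and log the imaging step itself."""
    rec.image_sha256 = sha256_hex(image)
    rec.events.append(CustodyEvent(when, custodian, custodian, "imaged", location))

def verify_image(rec: ExhibitRecord, image: bytes) -> bool:
    """The examiner re-hashes the image later; a mismatch means it is not the logged copy."""
    return bool(rec.image_sha256) and rec.image_sha256 == sha256_hex(image)

def missing_fields(rec: ExhibitRecord) -> list:
    """Paperwork check: every mandatory identifier must be filled in before hand-over."""
    return [f for f in ("exhibit_ref", "make_model", "serial_number", "image_sha256")
            if not getattr(rec, f)]

def custody_gaps(rec: ExhibitRecord) -> list:
    """Each event must be received from whoever the previous event recorded as holder."""
    return [f"{cur.when}: {cur.custodian} received from {cur.received_from}, "
            f"but last holder was {prev.custodian}"
            for prev, cur in zip(rec.events, rec.events[1:])
            if cur.received_from != prev.custodian]

def build_sample() -> ExhibitRecord:
    """Constructed walk-through of the steps in the post: seizure, imaging, hand-over to examiner."""
    rec = ExhibitRecord("EX/2024/001", "Example 2.5in SATA", "SN-CONSTRUCTED-0001")
    rec.events.append(CustodyEvent("2024-01-10T09:00:00Z", "PC Smith", "scene", "seized", "property store"))
    record_image(rec, b"constructed stand-in for a disk image", "PC Smith", "2024-01-10T11:00:00Z", "imaging lab")
    rec.events.append(CustodyEvent("2024-01-11T08:30:00Z", "Examiner Jones", "PC Smith", "transferred", "forensic unit"))
    return rec
```

Appending a transfer that names someone other than Examiner Jones as the hand-over source makes `custody_gaps` report the break, which is exactly the kind of entry the examiner has to chase before the evidence is usable.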
Comments
- danny069 (Member Posts: 1,025): I agree Si20, good post to let others know what goes on in the real world. When I did my undergrad in digital forensics it was very tedious and a lot of reporting/admin work goes into it. It is interesting but at the same time I also want to be on the more technical side as you mentioned. Thanks for posting.
  -- I am a Jack of all trades, Master of None
- Mike7 (Member Posts: 1,107): @si20, what you do in law enforcement is filesystem forensics. The paperwork is needed to ensure that your work is admissible in court.
  There are other branches in digital forensics such as malware forensics that you probably will like. These are cybersecurity jobs at SOCs and security research companies. I posted a link (Introduction to DFIR) just last month. Do take a look.
- PJ_Sneakers (Member Posts: 884): Yep. Generally the tech guys suck at documentation, and the LE guys suck at the IT part.
  Documentation is one of the most important parts of a criminal case. If you screw up, you will literally end up letting robbers, rapists, and murderers go free.
- beads (Member Posts: 1,533): The civilian side of things is much, much more interesting when hunting malware and figuring out where the machine started to go bad, etc. Occasionally you may run into something that requires that LE touch but since you know the ins and outs of the CoC - just makes you that much more valuable. Of course most places just outsource that type of work as it generally takes me about 2 weeks to do a forensic analysis and write all the wretched reporting out, justification, pictures. You know the routine.
  That side of things, no I don't like, either. On the other hand I do see more of a need for this specialty in the civilian world and more forensic positions being created. You're not done yet.
  -- b/eads