Excellent programs are offered by universities, vendors, professional associations and the government (such as New Technologies Inc., Guidance Software, Access Data, the International High Technology Crime Investigation Association, the International Association for Computer Information Systems and the Federal Law Enforcement Training Center). But don’t fool yourself into thinking that a weeklong boot camp will qualify you as a CF expert. In a battle between an experienced examiner and one with an advanced degree, juries may defer to the latter. Some jurisdictions require licensure to perform forensic investigations.

  • Experimentation: The ability to construct illuminating experiments and the patience to elicit data are hallmarks of a skilled examiner. If you need to know how metadata changes when a user touches a file, you’ll be prepared to testify if you’ve proven your theory by competent experimentation. Experiment with systems, applications and operating systems to understand how they work.
  • Experience: There’s no substitute for applying your skills and testifying in real cases. How can you get that experience? Apprentice to a veteran examiner or offer to perform a “shadow exam,” to see if you find something he or she missed. Assist attorneys or local law enforcement at little or no cost.
  • Exchange: Every examiner benefits from the exchange of ideas with colleagues. Join industry associations, go to meetings, subscribe to online discussion groups and unselfishly share what you learn. Caveat: The CF community is very supportive, but other examiners may justifiably regard you as a competitor, so don’t expect them to reveal all. Show respect by doing your homework. Be a learner, not a leech.
  • Equipment: Learn the tools and techniques suited to the task, and invest in them. Use quality hardware and properly licensed software. Keep applications up to date. Test tools to ensure they’re reliable. Cross-validate results. Too many people confuse buying tools with acquiring skills. A well-trained examiner can do the job with a hex editor and a viewer. We use forensic suites, such as Guidance Software’s EnCase or Access Data’s FTK, to automate routine tasks, improve efficiency and lower costs — but buying a program doesn’t make you a ready expert.
  • Earning: The demand for examiners is growing, but it takes marketing skill and financial acumen to create a thriving business. You must attract and serve quality clients, and make ends meet, to transform opportunity into achievement. Consider a first job with established CF companies or law enforcement, not only for a steady income, but for the training. Starting salaries average $50,000 to $75,000, but in the private sector, quickly rise to six figures as you gain experience and responsibility. (Examiners with J.D.s or network security skills command higher salaries.)
    Many CF firms charge clients $250 to $600 per hour, so it’s not unrealistic for entrepreneurial examiners to hang out their shingles after learning the ropes. Expect $25,000 in minimum startup costs for hardware, software and training. Overhead will vary depending on whether you operate from your home or offsite.

  • Essential Element — Character: The final “E” is the “essential element” — character. A successful examiner is at once teacher and student, experimenter, skeptic, confidante, translator, analogist and raconteur. He or she unearths the human drama hidden in the machine. So many qualities distinguish the best examiners — integrity, tenacity, technical skill, imagination, insatiable curiosity, patience, discretion, attention to detail and the ability to see both the forest and the trees. Ultimately, it’s your character that will determine if you’ll be a top computer forensics expert.