What’s Digital Forensics? How Cybersleuths Work
Think of the word “forensics” and you’ll probably conjure up images of grisly scenes from TV drama series like CSI: Crime Scene Investigation. However, there is another world of forensic investigation, where bodies and bloodstain patterns are replaced by more mundane (but, to the forensic mind, equally illustrative) laptop computers, mobile devices, games consoles, Alexa-style virtual home assistants, and even automobile digital management systems. Don’t let the everyday appearance of these devices fool you. In the world of digital forensics, electronic devices are as important to any investigation as the discovery of a murder weapon.
So what’s digital forensics all about, and how does this new breed of cybersleuths help law enforcement agencies and corporations investigate criminal activities and protect us from the bad guys? We spoke with Dr. Denise Kinsey, who has more than 25 years’ experience in the field and recently joined National University’s faculty to share her digital forensic investigation skills with students in the bachelor degree in cybersecurity online program.
“Digital Forensics is the process by which we try to recover digital artifacts, items that are on any kind of electronic device that may be used in an investigation, whether it be to exonerate somebody or to help secure their guilt,” says Dr. Kinsey.
What’s Digital Forensics? Law Enforcement and Corporate Security
In law enforcement, digital forensics is used to gain additional evidence after a crime has been committed to support charges against a suspect or prevent further crimes from happening. Information stored on a device could place a suspect at the scene of a crime, help uncover motives, or highlight criminal connections. It could also be used to support an alibi and prove someone’s innocence.
In a business setting, digital forensics could be used as part of the organization’s incident response protocol, helping to identify exactly what happened and isolating what or who was responsible, whether that’s for prosecution or just internal knowledge.
However, according to Kinsey, not all incidents referred to digital forensic teams are caused by malicious intent.
“It could simply lead to the discovery that kicking-off two programs simultaneously causes the server to crash, for example,” says Kinsey. “A lot of times you don’t know what’s happening until you start going through the logs and going into the drives and looking for any of those artifacts to see what got recorded.”
“Falling” Into a Career in Digital Forensics
Like many other professionals engaged with digital technology during its infancy in the 1990s, Kinsey didn’t set out to develop a career specifically in digital forensics.
“I actually fell into it,” says Kinsey. “I was already working as a security analyst and there was an incident that my company wanted investigating. Three of us literally learned how to use the tools by getting our hands on everything we could read and playing with the tools. This was back in the 90s — so there weren’t all the tutorials, there wasn’t YouTube, there wasn’t this instant access to content, and there weren’t any classes on it. So we taught ourselves.”
Highlighting the difficulties the team faced, Kinsey recalls, “You didn’t know if you were doing things right or wrong and you had no baseline.”
While Kinsey couldn’t go into too much detail about her first case, she could reveal it was a classic case of industrial espionage.
“It was basically somebody who was getting into a system that they had no legitimate reason to be in,” says Kinsey. “They were trying to steal intellectual property so they could set themselves up as a competitor and they were also messing with intellectual property and changing schematics so that when products went into production, they would not be made to the necessary tolerances and safeguards.”
Digital Forensics Today
Digital forensics has come a long way since Kinsey’s first tentative steps into the field. Tools and processes have been developed and documented, and training and accreditation are now required, giving digital forensic teams the confidence that their investigations can withstand the rigors of cross-examination in court.
“There are a number of brand name tools available — things like Encase and Forensic Toolkit (FTK), or Cellebrite for phones,” says Kinsey. “There are even some open source tools that you can practice and learn with. It’s really about learning the techniques and being able to apply those between the tools.”
The Daubert Standard
While the different tools each have their own unique benefits, the most important thing is that a forensic investigator is able to validate their findings. If different investigators using different tools examine the same evidence, they should all find the same results. Any evidence given in court must conform to the Daubert Standard.
Kinsey explains that the Daubert Standard stems from a landmark court case where an expert witness’s findings were questioned as unreliable.
“It wasn’t sound,” says Kinsey. “It wasn’t peer-reviewed, it wasn’t accepted into the field, there weren’t journal articles about it, it wasn’t well known and a lot of the findings weren’t open so that it could be repeated.”
“So these things are part of the litmus test of whether or not we can use the tools or processes in court. Any attorney is going to be the one who asks, ‘Are these things valid?’”
If there is any doubt about the specific tools and processes used to uncover evidence, “Worst case, you just repeat it with another tool,” says Kinsey.
How is Digital Forensics Taught?
Digital forensics teaching at National University takes a very hands-on approach.
“Students are given different situations and they are provided the tools and techniques to be able to go and investigate those situations,” says Kinsey.
Students are put into real-world scenarios, where everything isn’t always straightforward. “They are given the idea that something has happened — now you’ve got to perform an investigation to get to the crux of the matter to see if there was really a crime committed; was it a mistake, was it an accident? Students are not given answers. Sometimes they don’t know the type of crimes they are investigating and sometimes they do because it’s an isolated exercise.”
Kinsey describes the process as a “digital scavenger hunt.”
This approach gives students the chance to work with different tools, see how good they are at investigation, and discover whether they like that kind of work and are a good fit for it.
“It really is kind of a puzzle you are trying to identify,” says Kinsey. “Is there anything in here connected? Is there any kind of a timeline? Does any of this make sense in a particular context?”
Analytical and Creative
While Kinsey insists there is no typical student with an aptitude for digital forensics, there are certain traits that students must possess if they are to be successful in the field.
“You really have to be analytical and you have to be creative, which kind of crosses a boundary,” says Kinsey. Most people, she says, are often one or the other.
“You need to be analytical because it’s very methodical work. You have to go through a process, you have to pay attention to detail, you have to make sure that all your t’s are crossed and all your i’s are dotted. But then you have to be creative because when you get these different artifacts you also have to be able to identify if there is something wrong.”
Kinsey explains the creative process really kicks in when the forensic examiner hits a roadblock. Perhaps they are unable to access a specific partition on a hard drive or timelines just don’t match up when they suspect something isn’t right.
Like many other creative tasks, the work can be isolating and time-consuming.
“It’s not like CSI or any of the other television shows,” says Kinsey. “A lot of the time you work in your lab by yourself.”
Besides analytical and creative skills, Kinsey believes that the biggest requirement to be a successful forensic examiner is the ability to work with an ethical fortitude that can’t be compromised.
“If you can be bought — this is not a field for you,” says Kinsey bluntly.
The forensic examiner’s ethical fortitude is often called into question during court proceedings and it must prove resilient if the evidence presented is to be deemed reliable.
“You may have to testify and if you cannot withstand the scrutiny, you may be the weakest link,” says Kinsey. “If there is a defense attorney, they are going to tear into your life and they are going to attack you, that’s the kind of thing they do to rip a case apart.”
Defense attorneys home in on human vulnerabilities. “Let’s face it, as humans we make mistakes and we do things we shouldn’t do and things that we regret over our lifetimes; so often, it’s the person that they try to attack. This is why you have to be sound in not only who you are and what you are doing, but also the processes that you are using.”
In many cases, it’s vitally important that a digital forensic expert is able to maintain their resilience and composure.
“It can be an emotional situation,” says Kinsey. “You may be dealing with somebody who has lost something, life or limb, or a child is missing, or horrible things have happened. You have to be able to distance yourself much the way that those who work in emergency rooms are able to divorce themselves from the proceedings going on. I’ve known investigators who have had PTSD after some of the investigations they have worked on.” Kinsey advises that if you don’t have the right temperament to cope with the criminal side of things, the corporate side might be a better route to pursue professionally.
There are several career paths for students who want to launch a career in digital forensics: in stand-alone positions in law enforcement and within large corporations, as part of a more general career in cybersecurity with a smaller company, or as a career focus in the military.
“There are definitely digital forensic careers within law enforcement,” says Kinsey. “It’s a case of identifying a jurisdiction you want to work for, whether that’s a sheriff’s department or a local police department. Then we have the folks who traverse state lines and local jurisdictions working with the FBI, and those who work with organizations like the NSA, the CIA. And, of course, you have the military.”
In the private sector, Kinsey explains that large cloud-based service companies and enterprises like Microsoft have forensic departments because they need to get to the bottom of any incident that might occur.
“They are going to want to make sure that somebody is not stealing their intellectual property, that there is nothing that is escaping their security measures so they are going to have professionals employed in these areas,” says Kinsey.
Smaller businesses do not tend to have a full-time need for digital forensic specialists but training in the field will almost certainly be a useful asset to any employer or to your resume.
“If it’s a small company, you still might have digital forensics as a part of your duties, especially when you read a job offering and it says ‘and other duties as assigned.’ You just won’t have the same level of frequency with it,” says Kinsey. “In fact, I didn’t have it as a set job. I had it as ‘other duties as assigned.’ I fell into it – and it grew from there.”
Thanks to the specialist nature of the field, there is also the option of working on a contract basis as a digital forensics consultant, particularly when testifying in court.
In the courtroom, experience matters. “A lot of times, a company will hire somebody who is external to the organization to repeat the process that was done by the internal employees,” says Kinsey. “This helps the company to validate that these steps were taken and that they can be repeated. The consultant will then often testify on behalf of their client; the consultant has a lot more experience testifying than an internal employee who may have done only one investigation in a number of years because there had not been that much need.”
Diversity in Digital Forensics
Kinsey is a big advocate for greater diversity in the cybersecurity arena.
“I absolutely believe that we need as much diversity as possible in cybersecurity,” says Kinsey. “If we continue to go after the problems in a reactive way, we’ll always remain reactive. If we start opening this field up to people who have psychology backgrounds, or experience in criminal justice, law enforcement and IT, and those who understand mathematics, we are more likely to become proactive.”
She is also a big proponent of helping military personnel and veterans secure their future through qualifications and experience that are recognized by civilian organizations.
“A lot of professionals who work in the military cannot disclose what they have done because it’s confidential,” says Kinsey. “So what we are also doing is providing them with a public view of what they have accomplished, so that they have the credentials that they need to get a job in the civilian market when they retire.”
Enabling National University’s military alumni to progress in their civilian careers is something that Kinsey thinks is especially important and gratifying.
“It’s definitely a necessity and of great value,” says Kinsey. “It’s something that we can be proud of offering and that students can take and apply almost wherever they go. If these servicemembers end up going into traditional IT jobs, then they still will be that much more valuable because they’ve got a different view into it than a traditional IT person.”
The Online Degree in Cybersecurity Option
Being able to reach students, regardless of their location or situation, is one of the many things that Kinsey enjoys about teaching in National University’s online cybersecurity degree programs.
“I love online education,” says Kinsey. “I believe it can be as good or better than on-campus education simply because it gives you the freedom to pursue the best program for you, no matter where it happens to be located, or where you happen to be located.”
This is particularly true for students who would not normally be able to access traditional university education, including active duty servicemembers and those who, because of family or work commitments, cannot attend classes on campus.
“It serves the need for our military because you cannot stop being in theatre to go to class,” says Kinsey. “It allows opportunities that many other students wouldn’t otherwise have, especially when we talk about underserved populations. If you have a quality program, with quality instruction, and the opportunity to interact, you can get a very similar experience online as you would on-campus. I love online!”
What’s Digital Forensics? A Great Career!
A career in digital forensics can be a challenging and rewarding vocation. To succeed in this role, you’ll need the right temperament and the right skill set. For those with the right stuff, a degree in cybersecurity from National University could be your first step towards achieving your goals. To learn more about digital forensics, visit our bachelor degree in cybersecurity online program page.