Cyber Work Podcast recap: What does a military forensics and incident responder do?
Introduction
Cybersecurity meets CSI in the exciting field of digital forensics and incident response. In this role, tech-savvy investigators sift through computer systems and servers for clues to crimes. You can find digital forensics specialists working for a diverse array of employers, including the military, law enforcement and private cybersecurity companies.
Digital forensics career snapshot:
Learn Incident Response
- Median salary of $94,000/year
- Possible job titles include forensic computer analyst, digital forensics analyst, cyber forensic specialist and incident responder
- 84% of job postings require a four-year degree or higher
(Source: CyberSeek)
In a recent episode of the CyberWork Podcast, host Chris Sienko sat down with Daniel Young, managing partner of QuoLab Technologies, a threat-driven security operations platform. Daniel has worked in the digital forensics field for over 15 years in both military and civilian settings. He shared his experience with military forensics and incident response so future digital detectives can get clued in on the career.
Getting started in digital forensics and incident response
Daniel’s journey to digital forensics began as a “young warthog” with his beloved IBM 8086. He cut his teeth on MS-DOS 6.22 before graduating to online gaming and building his own computers. From there, his passion became a course of study at college, where he earned a degree in computer science.
The first time he heard the term “digital forensics” was when he joined the Air Force. As a trainee, he went through on-the-job training and took specialized courses through the Department of Defense and the Defense Cybercrime Center (DC3). The fact that he spoke Arabic also helped him secure him a spot on a digital forensics team. Daniel used his Arabic skills and digital forensics knowledge to analyze devices taken from the battlefield, such as cell phones and laptops.
Types of forensics cases in the military
Daniel handles two major types of forensics cases: counter-hacking and counter-terrorism.
Counter-hacking investigations focus on figuring out how an intrusion happened and where it came from. To do this, Daniel and his team take affected devices like laptops and servers and conduct a thorough forensics investigation on them.
Counter-terrorism investigations shine a spotlight on the individual using the device. Daniel would sift through a device’s content, like chat logs, cookies, browsing history and forum activity. He would then extract that data, using it to build his case, and pass it up the chain of command. For this type of investigation, Daniel uses many of the same tools and techniques he would use for counter-hacking, but the end data is used differently.
Has modern technology made forensics and IR harder?
The job of a digital forensics specialist has gotten more challenging since Daniel started in 2007. Back then, he explains, certain crimes were happening more “in the open.” People were handing off physical CDs loaded with illegal material instead of transferring it via encrypted channels. Now, the majority of that illegal activity takes place online, where it’s much harder to intercept.
What skills are needed to enter the field of military forensics and incident response?
Technical skills are the building blocks of every cybersecurity career, and military forensics and incident response are no exception. There are two commonly accepted ways to build your digital forensics skills: getting a college degree and getting certificates.
Many digital forensics specialists choose to start their careers with a bachelor’s degree in cybersecurity, computer science or information technology. A degree will give you the foundational skills you need to succeed in cybersecurity, like basic programming and computer networking. Although some cybersecurity professionals cast doubt on the value of a college degree for cybersecurity jobs, up to 80% of job openings for digital forensics require a degree, so it’s safe to say that employers want to see degrees.
Once you have your degree in hand, you can build out your computer forensics toolkit with certificates. Some of the most popular certificates for incident response and digital forensics include:
- CompTIA Security+
- Certified Information Systems Security Professional (CISSP)
- GIAC®️ Certified Forensic Analyst
- GIAC Certified Incident Handler (GCIH)
- EnCase Certified Examiner (EnCE)
Getting started in the field isn’t all about technical skills; your non-technical skills are just as important! According to Daniel, the best incident responders have an inquisitive mind and a passion for technology. Perseverance and dedication are also key traits for digital forensics specialists, since you’ll spend hours digging through hard drives or servers in your quest for evidence.
If you’re interested in the military or law enforcement, Daniel cautions that you need to steel yourself for emotionally traumatic material. A typical day in digital forensics might include hours and hours of viewing graphic, disturbing content. Due to the distressing nature of the job, burnout is common. Taking care of your mental health is critical.
What are some things you would absolutely want to see on a person’s resume?
When scoping out future talent, Daniel explains, “I’m looking at it more from a personality-type focus, and I’m not looking at checkboxes on a resume.” In other words, it’s not all about the technical skills or line items on the resume. Strong digital investigators have a particular personality type: they’re flexible, determined and approach their work with a problem-solving mindset.
For education, Daniel likes to see applicants with a computer science background, but not necessarily developers. “They’re makers,” he says, “not breakers.” Instead, he looks for people who have taken classes in network forensics and network security. In particular, he likes to see coursework that focuses on practical and tactical applications.
What is the future of digital forensics and incident response?
According to Daniel, the future of digital forensics lies with threat sharing and collaboration. But to understand this recent adaptation, we first need to look at the past. When Daniel began his first digital forensics job ten years ago, there was a lot less data in the world. He could easily extract all the data from a 100-gigabyte hard drive, transfer it to a share drive and send it off to his colleagues for analysis.
Nowadays, it’s not uncommon for a hard drive to contain a terabyte of information or more. Extracting that sheer amount of data takes much longer to remove and transfer, even when it’s compressed into a smaller package. In the fast-moving, life-or-death situations that military personnel and police officers face, that delay could cost someone their life.
The solution? Threat sharing and collaboration. The digital forensics process should be broken up so different organizations can each tackle a piece without sacrificing valuable reaction time. Data needs to be actionable, and it needs to be shared in real-time between the digital forensics, incident response and threat intelligence teams. At QuoLab, Daniel’s team uses the MITRE ATT&CK framework and tools like Swimlane to facilitate the process of threat sharing and collaboration.
Getting started in digital forensics and incident response
If you think you’re interested in digital forensics, Daniel recommends taking a class. He says DC3 (Defense Cybercrime Center) has a lot of great resources for beginners. Infosec also has a library of trainings and resources for budding incident responders and digital forensics specialists.
Once you get a few certifications under your belt, you’ll be ready to “make the world a better and safer place,” according to Daniel. “At the end of the day, that’s the goal here.”
To hear Dan's full answers and to join the conversation, please check out this episode on the Cyber Work YouTube page.
Learn Incident Response
Sources
- Cybersecurity Career Pathway, CyberSeek
- Department of Defense Cyber Crime Center, dc3.mil