Working as a digital forensics analyst

Digital forensics analysts collect, analyze and interpret digital evidence to reconstruct potential criminal events and/or aid in preventing unauthorized actions from threat actors. They help recover data like documents, photos and emails from computer or mobile device hard drives and other data storage devices, such as zip folders and flash drives, that have been deleted, damaged or otherwise manipulated. Digital forensic analysts carefully follow chain of custody rules for digital evidence and provide evidence in acceptable formats for legal proceedings.


  • 0:00 - Intro
  • 0:26 - What is a digital forensics analyst?
  • 0:57 - Digital forensics specialties
  • 1:24 - How to become a digital forensics analyst
  • 2:17 - Skills needed to be a digital forensics analyst
  • 3:34 - Common tools for a digital forensics analyst
  • 4:42 - Using digital forensics tools
  • 5:17 - Digital forensics analyst jobs
  • 6:30 - Moving from digital forensics to new roles
  • 7:17 - Get started in digital forensics
  • 8:18 - Outro

[00:00:05] Chris Sienko: Welcome to the Infosec Career Video Series. This series of short videos will provide a brief look inside cyber security careers and the experience needed to enter them. Today I’ll be speaking with Infosec Skills author and Paraben founder, Amber Schroader, about the role of digital forensics analysts. So let's get into it. Welcome, Amber.

[00:00:24] Amber Schroader: Thanks so much.

[00:00:25] CS: Amber, let's start with the basics. What is a digital forensics analyst, and what does a digital forensics analyst do? What are the day-to-day tasks?

[00:00:34] AS: So, an analyst is the one that's going to go through and do your imaging of your computers, your mobiles, cloud, capture all the data. So, that side of it. But they'll also start going through and start doing the analytics. So putting the pieces of the puzzle together to figure out what happened. Where the data was found? Who was involved? The who, what, when, where. All the w's get involved with the analyst.

[00:00:56] CS: Mm-hmm. Are there different levels of digital forensics analysts? And if so, do the tasks change in these different roles, or is it an entry-level kind of thing?

[00:01:04] AS: No. I mean, they do change. There are different levels of it. Obviously, there's a career path in it, of course. And you'll have specialties. So that's the biggest difference that's happened probably over the last five years, is that you'll get someone who only does mobile, only does computer, only does malware, so on and so forth.

[00:01:22] CS: Got it. How does one become a digital forensics analyst? Is this an entry-level position? Or do you need some experience first? Do you come from other directions?

[00:01:31] AS: You got to have some mad skills, of course.

[00:01:33] CS: Of course.

[00:01:35] AS: You can go out and you can pursue different ways to do it. So you could go get a degree. There are digital forensic degrees now. One of the many components of cyber. You can go through and get certifications, which there are a ton of great ones out there. Infosec has them, obviously. Certified Hacking Forensic Investigator. So, CFHI.

But the big one is you actually have to have developed skills. You can't just go like, "I know nothing. And I’m going to start today." There's a lot of foundational knowledge because this is a process, because it is technically a type of science. So you have to know all those processes before you can start. So you can't just walk off the street and be like, "Ooh, I’m an analyst. I’m good."

[00:02:16] CS: Got it. So what skills does a digital forensics analyst need to do their job well in terms of whether it's soft skills or whether, you say, as hard technical skills that you can't walk off the street with and already have?

[00:02:31] AS: For the hard technical skills, obviously, that's understanding computers. How they actually operate? Because you're really at the core. It's kind of like when you walk into a great bakery, you're like, "These cakes are amazing. I totally can make this at home." And then you realize, "I need to understand all the ingredients to make a great cake." Same thing with digital forensics. You got to know all those ingredients.

And on the softer side, you actually have to be a really good writer. No one ever talks about that. But you write a lot of reports. And you even have to be a decent presenter, because, essentially, you're conveying a lot of technical information to someone who is non-technical. That's why they brought you in in the first place, is to find all the needles in the haystack. And they don't even understand what hay is. So you really are in that process. So you've got to have kind of the soft skills of writing. And I don't even know if writing's a soft skill. And presentation.

[00:03:17] CS: It's almost like you almost need to be like a translator in certain ways then?

[00:03:21] AS: A little bit. Yeah. You're like a nerd translator. Absolutely.

[00:03:23] CS: Yeah. Yeah, yeah. We got this high-level thing, and we have a CEO who still gets their emails printed out for them. And you need to make them understand why this is a problem.

[00:03:33] AS: Yup.

[00:03:33] CS: Okay. I feel like this is a very tool-intensive job. What are some common tools that digital forensics analysts use?

[00:03:43] AS: They're going to use – Well, my favorite is they're going to use a lot of gloves. Just kidding. It's just gross. You're touching other people's data. But you're going to use things like write blockers. So you're going to use some hardware devices to prohibit any writes that occur between you and the computer while you might be imaging it. You're obviously going to use Faraday technology to block signals onto mobile devices. And you also are going to use a lot of software, both open source and proprietary. You get a combination of anything from like Autopsy on the open source. That's the top open source tool in the space. To practical proprietary platforms. Obviously, Paraben makes one, the E3 Forensic Platform. You've got FTK, EnCase. They've been around a long time as well. Those are all out there. And there's sometimes new emerging tools that do one specific thing, like, fantastic at Internet history. And that's all the tool does. Again, you have more screwdrivers in the toolbox when it comes to digital forensics than probably any other discipline in cyber.

[00:04:43] CS: With regards to open source software, is this the sort of thing that you would encourage people to just sort of grab these things and start tinkering around with them? Or do you need to have the sort of theoretical framework first?

[00:04:54] AS: I think you should tinker around, because that way you're going to know if you actually like the processes that are done every time. I’m one of those that has been in the industry for 30 years. So I started tinkering around. That's how I got my start in it. And in doing so, I was like, "Wow! This really syncs with my brain and how I go through the process." And it felt comfortable to me. I knew this was a space I wanted to stay in.

[00:05:16] CS: So where do digital forensics analysts work? What type of job options are available to them?

[00:05:22] AS: Well, if you want a super public job option, this is not it, because you are definitely in the back of the house. Any midsize company, up to large companies, typically have a digital forensic analyst on staff that will do work. Usually internal investigations, versus doing something external. Unless you're with a consulting firm. If you love to travel, this is a great field, because you can work with a consulting firm, and you can travel the world. They will be thrilled.

And it also has very strong public sector. Whether it's federal, state or local, there are digital forensic analyst jobs at every one of those levels. We're kind of everywhere. We're just the introverts in the back of the room that are hiding a little bit.

[00:06:02] CS: Okay. So there are some cases where a forensics analyst is sort of on staff for a certain company. But for the most part, it sounds like you're doing consultancy work. You're doing almost kind of freelancy work. Is that a reasonable span?

[00:06:16] AS: It's about a 50-50. It's really down the middle. Any type of large company you can think of, they would have an analyst on staff, because they're going to generate enough internal work that they need to have someone internally.

[00:06:29] CS: Okay. For people who are afraid of making the wrong decision and feeling locked into a certain role, can you move into other roles from digital forensics analysts? What are some common pivots out of that work and into other things?

[00:06:41] AS: Obviously, because I come from the space, I feel that digital forensics is one of the cornerstones of cyber, because we touch all the other things from pen testing, to intrusion detection. Usually, you'll produce some type of evidence that you want analysts to go through and review how that puzzle got put together in the first place.

So I think there's a lot of ways you can pivot once you have these skills to those other fields. You can go to managerial. A lot of the directors that I see at some of the larger companies, most of them started in digital forensics. It was a good place for them to get their investigation side going.

[00:07:15] CS: See. So, I guess to wrap things up today, for our listeners who are ready to get started, what's something they can do right now once they turn this video off that will move them towards the goal of becoming a professional digital forensics analyst?

[00:07:27] AS: I know it's going to sound silly, but you can always start on those soft skills. So you can work on your writing skills. You can work on your presentation skills. And the big one is go out and start researching. A lot of times, we don't know the problem. We have to go and learn about it. So, "Oh, this brand-new app came out. We know nothing about it. So we have to go and put those pieces together." That's a great way to get started because you're going to find out if that's something you want to keep doing. I actually love the research side. So I have probably 15 phones on my desk right now I’m doing different research on. And that's an interesting aspect to me. So that's a great way to start. Or start looking at your own devices. If you enjoy looking at your own data, you're going to like looking at someone else's.

[00:08:08] CS: Oh, that's great. Amber Schroader, thank you for your time and insights today. I think this was really interesting.

[00:08:14] AS: Thank you so much.

[00:08:16] CS: And thank you all for watching this episode. If you'd like to know more about other cyber security job roles, please check out the rest of Infosec's Career video series. We'll see you next time.
