Most likely, the main reason that “How do I get into DFIR?” is asked so often is because there are no beaten paths, no roadmaps, and virtually no straight-line guidance to show you the way. Sure, some are fortunate by having a coach (ie: mentor) who can help design a potential path, but overall, there isn’t a single way for everyone to follow. It is probably easier to chart out a path in the medical profession than it is in the DFIR world.
As to why there are many different paths, I would opin that a lack of regulation coupled with a lack of community agreement as to what constitutes the path-to-DFIR results in everyone beating down their own path rather than simply following well-lit road signs on a freeway.
On one hand, the timing is ripe for ANYONE to get into DFIR! Chart your own path and it will likely work as long as you end up being competent and knowledgeable. Conversely, this is a nightmare for hiring managers and for those who haphazardly flounder in attempts to get into the field.
Your path in Five Es (Education, Experience, Educating, Extras, End)
First, identify your intended E nd (goal). What is the specific (reasonable) job that you want? Let’s not shoot for CEO of a major software corporation just yet. Pick the job that might get you there first. From that goal, chart your path. What E ducation and e xperience do you need? Can you e ducate others on these skills already? If not, learn the skills well enough that you will be able to e ducate others at some point.
Let's take one path example (given no experience, education, or educating) to become a forensic examiner.
- Forensic Examiner
- Formal: Degree, continuing education courses, certificate course
- AS/BS/MS/PhD in digital forensics
- Vendor: Software, hardware, analysis courses
- FTK/EnCase/X-Ways/Belksasoft/Paraben/SANS, etc
- Documented research and experimentation (Test tools against data!)
- Blogs, papers, books (Write! Write! Write!)
- Government, private, non-profit organizations (non-paid volunteer effort)
- Government, private, non-profit organizations (paid to do the work)
- Informal: On-the-job to coworkers, community groups, high tech associations, etc…
- Formal: Educational institutions, vendors
- What you know (learn as much as you can)
- Who you know (know everyone you can)
- Who knows you (most important, be known to as many as you can)
All of the above are things that you generally have control over. Some opportunities may not be available now but could be later. Others might be substitutes for each (such as 2 years of experience substituting for each year of college). Overall, you control your efforts into these categories. To become a forensic examiner, as someone who gets paid as a forensic examiner, the more of the above that you have, the more competitive that you are. Not every E is needed, but the more you have, the better chances you have.
The things you have less control over are:
- Do you have what is needed now for the job that is available now?
- Can you physically (or remotely) work at the location?
- Do you know if your references will be helpful?
- First impressions in an interview
- Everything else
- Late to interview because traffic, weather, lost paperwork (by you or your potential employer), etc...
Keeping with this example of your end goal of being a forensic examiner, one path is different than another. Which is best? Which is best for you? No one can answer this question, but you can listen to advice and guidance from others and mold the advice to fit your situation. One coach may have fell in the job of a forensic examiner by pure luck. Another coach may have worked for years just for a small chance to be a forensic examiner. Both will have different “Es” in how they got there, but both can give you guidance on how they could have done it better and how you might be able to benefit from their path.
I’ve written about this field on occasion, and this is how I look at it. Your employability is mostly based on your ability to do the job. Your chances of being employed are solely based on the box of goods you bring to the table.
Your box of goods is a collection of all that you have done at a point in time to get to sit at the table. Your box of goods contains course certificates, degrees, research, experience, blog posts, papers, volunteer work in DFIR, and even books that you read that pertain to this field. Fill up your box of goods. Some items will be heavier than others (a master’s degree in digital forensics will be more valuable than having written a single blog post…), but every item adds weight to your credibility.
Another tip is to be well-rounded in your Es. If you rely heavily or solely on one aspect, such as education in getting a PhD in forensics but absolutely nothing else, you are not well-rounded. By the same token, if you rely solely on experience and nothing else, the result is the same. Being exposed to more than one or a few sources gives you a better perspective on how to solve problems, and that you aren’t a one-tool-practitioner or an academic-only theorist. Throw some variety in your box!
Phill's problem is everyone's problem
Does anyone have a good system for tracking the available training classes, learning directives, etc etc and putting that into a skills matrix?— Phill Moore (@phillmoore) November 19, 2020
Trying to think of a good way to map out training plans with regards to "you want to get good at x, do 123"
Phill asked about tracking what is available for a skills matrix. I am not sure that at this point it is possible. Vendors change courses, degree programs come and go and change, job requirements are as solid as a bowl of jello, and technology changes force changes in skills. With that, I stick with the premise that until we are regulated to follow a specific set of guidelines, we make our own paths based on what each of us personally needs and individually bring to the table.
Exceptions (another “E”)
Let’s stay with the ‘forensic examiner’ end goal for this example. Some jobs do have a set and specific training matrix and these jobs are the exceptions . You will find these mostly in the public sector where all training is not only provided but provided in a neat and organized manner. Private sector companies may provide training, but this is much looser organized than in the government. I would say that if you want the easiest and error-free path to be a forensic examiner, shoot for a government organization that will hire you, train you, and gives you the experience. To be honest, this might be the toughest way to get in and not without inherent risks to your physical and mental well-being….