Last year, when UCLA Medical Center announced the firing of 13 workers and disciplined several others for snooping into the electronic medical records of pop star Britney Spears, it was IT forensics work that enabled the hospital to correctly identify the culprits.
And after part of a large cargo ship sank in international waters, it was IT forensics experts who recovered and analyzed the computer log files associated with the ship’s loading processes. Their investigation revealed that the log files had been altered after the ship sank and a month before the computers were turned over to authorities for inspection.
The role of IT forensics expert typically falls under the broader job category of IT security. These security pros are in high demand at private companies, law enforcement agencies and law firms, which hire them to gather evidence and serve as expert witnesses during court proceedings.
The primary job of an IT forensics expert, as described by the SANS Institute, is to analyze “how intruders breach an IT infrastructure in order to identify additional systems and networks that have been compromised.” Investigating attacks requires proficiency in forensics and reverse-engineering, as well as exploit methodologies, SANS notes.
Several certifications in IT forensics are available, both from vendor-neutral organizations such as SANS, which offers the GIAC Certified Forensics Analyst certification, and from security software vendors such as Guidance Software, which offers the EnCase Certified Examiner certification.
Pay for IT forensics experts varies depending on where in the country they work and what their exact titles are. Specific job titles of professionals who perform IT forensics work include security analyst and security administrator. The national average annual salaries for those titles are $84,700 and $85,300, respectively, according to data collected in 64 U.S. cities through July 2009 by Foote Partners LLC.
At least for now, there is no definitive route for becoming an IT forensics expert. For example, Steve Hunt, a security industry analyst at the Computer Technology Industry Association (CompTIA), believes liberal arts students who majored in math or philosophy make the best IT forensics experts. “These are people who will take different ideas and reassemble them in different ways,” Hunt says.
“There’s a natural talent for it,” says Alan Paller, research director at the SANS Institute. “The ones who are best have an inquisitive, take-it-apart personality. They’ll spend hours and hours and hours digging into things.”
Not surprisingly, that can be the downside of the work. “It can be lonely,” says Gregory Evans, CEO of Atlanta-based Ligatt Security International LLC. But it can also be incredibly rewarding, adds Evans, whose IT security firm recently helped track down a child molester by tracing his e-mails.
Profile of an IT forensics professional
A snapshot look at the IT forensics profession from the perspective of Rob Lee, an IT forensics expert at Mandiant.
Name: Rob Lee
Title: Director and IT forensics expert at Mandiant, a Washington-based information security software and services firm
Related work: Curriculum lead for digital forensics training at the SANS Institute.
30-second résumé: Before joining Mandiant, Lee served as the technical lead for a vulnerability discovery and exploit development team that worked for a variety of law enforcement, government and intelligence agencies.
He is a graduate of the U.S. Air Force Academy and a founding member of the USAF’s Information Warfare Squadron, the first U.S. military operational unit focused on information operations.
Skills boost: To stay current, Lee does hands-on work in the field and is an avid reader of and contributor to information security journals and blogs.
A passion to learn and to continue learning — rather than a formal computer science degree or security certification — is the top requirement for an IT forensics expert, says Lee, who also teaches SANS certification classes. He also recommends specializing in a particular area of computer forensics.
“If you’re choosing forensics, be a specialist in firewalls or hacking or mobile devices,” Lee says. “Mobile devices alone are extremely complex and constantly changing.
“If you’re just beginning, classes are the way to go,” he advises. “After that, you can continue to learn online. The best thing you can do once you attain a certain level [of expertise] is give of yourself back to the community. Choose something you don’t think anyone else has [expertise in] and research that. Always do research and publish it.”