SANS Digital Forensics and Incident Response Blog

Professional Development in Digital Forensics and Incident Response

Professionals looking to enter and grow in the field of digital forensics and incident response (DFIR) face many challenges. Organizations often focus their recruitment efforts on experienced forensicators, rather than investing in personnel who could mature as part of the group. Individuals who have found a way to enter this field often struggle to identify mentors or to define a path for sharpening their skills. In some cases, individuals burn out from working hectic hours that leave little time for professional development.

A panel at the 2011 Digital Forensics and Incident Response Summit explored how individuals can excel in the DFIR industry. The following are some of the highlights of the panelists' perspectives, which I jotted down while moderating the discussion:

  • Bamm Visscher shared tips on becoming an incident responder. He recommended starting by getting exposure to all topics related to DFIR, including log analysis, intrusion detection, hard drive forensics, computer crime, and so on. The goal is to explore the field to understand what interests you the most. Then, pick several of those areas to gain competency in them. As your experience grows, select one area that is particularly enticing to you and that you are good at, and become an expert at it.
  • Richard Bejtlich offered advice on structuring a computer incident response team. He recommended starting the group by laying out your vision for the team and outlining what capabilities it needs to bring to the fight. The structure of the group needs to reflect its purpose. He highlighted the importance of understanding the interests of the team's members and assigning the roles appropriately. Richard emphasized that the role of the team's leader is to allow the members to achieve their fullest potential so they want to stay as they grow professionally.
  • Ken Dunham considered how to balance professional and personal priorities while working in the DFIR field. He highlighted the need to have passion for the work that you do. Given how demanding digital forensics and incident response work can get, if you aren't going to love it, you will burn out quickly. If you don't know what your DFIR passion is, Ken suggested trying out a few things until you find out. He also recommended taking the time to speak with other professionals in the industry about their jobs, to see what their work is like, and to understand what they like and dislike about their responsibilities. Ken also explained the importance of allocating time, at least an hour per week, towards developing the skills important to you.
  • Joe Garcia discussed how an organization can grow the skills of its existing team members if it is unable to hire from the outside. He explained the need to understand the prerequisite requirements for the DFIR position and, if given some options, select beginner candidates accordingly. He also outlined a number of training and learning options for getting to know tools and concepts related to digital forensics. These included both formal training organizations such as SANS Institute, as well as local groups such as HTCIA and InfraGard. Joe also emphasized the need to provide mentoring within the team, encouraging the more experienced members to share knowledge and expertise with the beginners.

The panel covered a number of topics related to career progression in the field of digital forensics and incident response. The common theme was, perhaps, the need for the individuals in this industry to understand what they really enjoy doing and focus their professional development on that particular aspect of DFIR. Along these lines, employers should put effort into mentoring their team members to understand what they are good at and to provide the environment where the individuals can grow as professionals, finding their jobs personally fulfilling and wanting to continue working at the organization.

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.