SANS Digital Forensics and Incident Response Blog

The Many Fields of Digital Forensics and Incident Response

As the world of information technology grows in size and complexity, sectors within the IT industry become more and more specialized. Within IT, information security used to be considered niche. Nowadays, saying that you're an infosec professional positions you as somewhat of a generalist. After all, within the infosec field there are several specialization areas, including compliance, pen testing, application security, etc.

This brings us to digital forensics and incident response (DFIR), which may be seen as a niche within information security. Today, being great at all things related to DFIR is no longer practical for most people, which is why DFIR professionals have been specializing in areas such as file system examination, incident handling, memory forensics, malware analysis, and so on.

For this reason, don't be surprised when you see the breadth of courses within SANS' expanded DFIR curriculum, which is designed to help professionals expand their knowledge of DFIR subjects. The curriculum reflects the industry dynamics outlined above.

One way to understand some of the specialization areas within DFIR is to look at how SANS defined its offerings, which are driven by industry trends and student requests. The curriculum includes several core courses: FOR108: Digital Forensic Foundations (details soon!), FOR408: Windows Forensics and SEC504: Hacker Techniques, Exploits and Incident Handling. In-depth courses are: FOR508: Advanced Incident Response, FOR572: Advanced Network Forensics and Analysis and FOR610: REM: Malware Analysis. Specialization courses are: FOR518: Mac Forensics, FOR526: Memory Forensics In-Depth and FOR585: Advanced Smartphone Forensics.

Though there is a need to develop expertise in the DFIR areas represented on the curriculum map, it's often impractical to know only one of the areas represented there. Sub-fields of DFIR overlap. We need to know how to collaborate with the individuals that work in other roles within the DFIR, infosec and IT in general. It might make sense to select a few areas of concentration where you'll build up expertise in the next year or two and focus there. Soon enough, you might see further specialization opportunities within the niche sub-sub-fields you've picked as your focal points.

Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute and focuses on safeguarding customers' IT operations at NCR Corp. He is active on Twitter and writes a security blog.