Day in the Life of a Computer Forensics Analyst
| Michael Cooke
If you love working with computers and want to make a difference, consider becoming a computer forensics analyst. These professionals uncover digital evidence by retrieving deleted or encrypted data and other information.
With the number and sophistication of cybersecurity breaches increasing, a computer forensics analyst's skills are in high demand. These skills may include tracing a hacker’s steps to determine how a breach was executed in order to recover critical evidence.
What Is a Computer Forensics Analyst?
The forensics field includes any application of scientific methods to detect crime. Forensics often involves uncovering hidden evidence, which is also true for computer forensics.
Computer forensics analysts may also be called computer forensics scientists or computer forensics examiners. These individuals specialize in finding evidence for computer-based crimes. They are critical cybersecurity personnel for governments and private companies such as financial institutions, accounting and law firms, and software providers like SaaS companies.
Although many organizations need cybersecurity personnel, there is a significant shortage of computer forensics professionals. According to Cybersecurity Ventures, there were approximately 3.5 million unfilled positions globally in 2021.
The primary reasons for the cybersecurity shortage are workload and qualifications. Computer forensics analysts may work long hours. They typically need credentials such as college degrees and certifications to work in the field.
What a Computer Forensics Analyst Does
Generally, a computer forensics professional's top responsibility is to protect the computing resources for an organization or individual and analyze breaches after they occur. Achieving this goal likely includes planning ways to avoid unauthorized entry or access, investigating breaches after they happen, and participating in bringing the offenders to justice.
In 2021, companies lost on average $4.24 million per breach (based on analysis of only 17 countries and 537 incidents). With the actual number of breaches in the thousands, the losses due to ransomware, denial-of-service attacks, and other techniques are staggering.
Cybersecurity Ventures also estimates total losses would be equivalent to the third largest economy in the world. This is a clear indicator of how important computer forensics analysts are today, when everyone is interconnected in cyberspace.
In trying to prevent and investigate security breaches, computer forensics analysts often work with government agency officials and law enforcement.
To be most effective, computer forensic professionals need a broad range of computing skills and knowledge of common threats and hacking techniques.
Standard Duties of Computer Forensics Analysts
Retrieve protected/encrypted data: Computer forensics analysts' primary role is to recover data and information from hard drives of computers, laptops, and other devices. Often, this requires restoring files, images, or messages, many of which are encrypted or have been subject to attempted erasure.
Analyze network breaches: Data breaches on non-cloud hosted resources involve the perpetrator gaining access to the organization’s servers or computers via a local network. Forensic analysts are typically charged with collecting data from these network intrusions to try to determine how hackers gained access.
Assist in devising security strategies: An important first step in securing computing resources is understanding how successful breaches occurred. This often means recreating scenarios to better understand these breaches and then creating or modifying security strategies and protocols to guard against future incursions.
Enact security actions: Computer forensics analysts are specialists. Much of their work involves critical thinking and analytical exercises. However, it is not uncommon for these professionals to enact security actions like coding programs or integrating vendor services.
Document case findings: There is an adage in technical circles that the job is not completed until the paperwork is done. This certainly applies to much of the work computer forensics specialists do. Therefore, the ability to create reports and other documents that accurately and effectively describe their work and its results is an important skill.
Nonstandard Duties for Computer Forensics Analysts
Collect and analyze evidence for criminal cases: Like forensics in general, there is the possibility that evidence obtained by computer forensics analysts will be used in criminal cases. Not all projects result in criminal prosecutions. However, the likelihood that the data and information they collect and analyze will be used this way is high.
Preserve chain of custody for evidence: For many projects, it is not known initially whether a computer forensics analyst's work will be used for criminal prosecution. Nevertheless, the possibility dictates that care must always be taken in ensuring the chain of custody, or complete documentation, of any evidence.
Participate in legal proceedings: For most computer forensics analysts, testifying in front of grand juries or in court is unlikely. Most firms will have specific individuals who would typically perform this function. However, forensics work may be included as part of a legal proceeding.
Advise other crime investigators: Working with other professionals is not uncommon for forensics analysts. This may take various forms depending on the forensic analyst's skills, experience, and expertise. However, advanced forensics analysts may advise junior-level colleagues or investigators from outside government agencies, such as law enforcement.
Train other analysts: As analysts advance and gain more experience, their expertise will likely become a major asset for the organization. Professionals at this level may train new employees, teach seminars or courses, and present at industry conferences.
The Day to Day for a Computer Forensics Analyst
Very few tech professionals perform the exact same tasks every day. However, a day in the life of a computer forensics analyst follows some routine — at least for some projects. In the course of a day, forensics analysts will likely gather and evaluate evidence from various devices.
A major activity for every project or case is the gathering of evidence. In most cases, this will entail using programs and hardware tools to access data and information from a computing resource. Desktops, laptops, servers and flash drives are the most common.
After gathering evidence, computer forensic analysts must evaluate it. Most of the data will likely be irrelevant. Therefore, it is important for analysts to segment this information efficiently so they can examine items that provide information about the breach or cybercrime.
Computer forensics analysts may spend time working alone to evaluate the evidence and prepare reports. However, they also have regular meetings with work teams and clients. Additionally, these professionals may need to meet with investigators or other persons, especially if the case may result in a prosecution.
These cybersecurity professionals also devote time to learning and career development. This may include attending webinars or in-person conferences. Analysts in advanced roles may also train or guide new colleagues.
Where Computer Forensics Analysts Work
Many businesses, government agencies, or nonprofits have dedicated IT personnel since managing computing resources. Securing these resources is critical for organizations that host a lot of sensitive information.
Therefore, many mid to large organizations employ computer forensics analysts, while others outsource this responsibility to information security firms with these professionals on staff.
Some of the top cybersecurity targets are small businesses, healthcare, and government agencies, followed by financial institutions and schools. Therefore, computer forensic analysts can find job opportunities in virtually every state.
Large, densely populated metropolitan areas typically employ the largest number of computer forensic analysts. Yet, these numbers vary greatly. For example, the Bureau of Labor Statistics (BLS) reports the Los Angeles area employs far more forensics technicians than some entire states like New York and New Jersey.
Location also affects salary. In large metropolitan areas, forensic technicians can earn an average annual salary of $80,000 to above $100,000, according to the BLS. Yet, forensics professionals average less than $40,000 per year in Albuquerque, New Mexico.
Cybersecurity breaches can happen and originate from anywhere. Therefore, the type of work will probably not vary significantly depending on a forensic analyst's location, but average salaries do vary.
Should You Become a Computer Forensics Analyst?
Becoming a computer forensics analyst is a major decision. Students should carefully consider the career's tasks, salary, and location before pursuing this path. Other considerations include job requirements and potential employment opportunities.
As with most cybersecurity jobs, employers typically require a college degree, often a bachelor's or master's. Common degree areas include computer science, information security, cybersecurity, and forensics. Although not required to enter the field, there are several certifications that may help with career advancement:
Certified Forensic Computer Examiner from The International Society of Forensic Computer Examiners
Certified Forensic Computer Examiner offered by The International Association of Computer Investigative Specialists
The EnCase™ Certified Examiner program
Digital Forensics Certified Professional through the Digital Forensics Certification Board
CyberSecurity Forensics Analyst certification
Computer forensics is a technical specialization. Therefore, professionals need a good foundation in computing and networking. This background coupled with forensics experience can open doors in the cybersecurity industry in coding, analysis, and administration. As cyberthreats and breaches continue to rise, the need for professionals in forensics will only increase.
How to Prepare for a Career in Computer Forensics
A love of computing will serve you well in this occupation. Much of your work will be devoted to catching cybercriminals. Therefore, a healthy respect for the integrity of organizational computing resources is also a good attribute.
While the nature of computer forensics work may involve long hours and travel, it can be quite rewarding. Your work may save important proprietary resources and prevent significant financial losses for your clients. However, many cybersecurity jobs require formal education, experience, and one or more professional certifications.
Learn More About Computer Forensics Analysts
Professional Spotlight: Greg Kelley, EnCE, DFCP
What previous cyber-related (or general computer science/STEM) experience did you have, if any, and what prompted your journey to become a computer forensics analyst?
My background is that I have a BS in computer engineering. I spent time as a programmer, consultant, system integrator, and other computer-related fields. I started in the computer industry in 1994. Eventually, I had my own company with my current business partner. Some of our clients were law firms, and around 2000, they started bringing us hard drives and asking if we could recover deleted data or do other things related to computer forensics. That led us to look into the field and eventually decide to specialize in it.
If you specialize in a particular subject or work in a particular industry, what prompted this choice and/or how did it evolve? Please feel free to expound on how and/or why you founded Vestige here as well.
As one of the founders, I was CTO from day one, but that didn’t mean as much then as it does now. As we grew, we hired more employees and my role evolved from just doing day-to-day forensics to consulting with clients, scoping their situations, hiring, training, mentoring and guiding my analysts, and also doing the day-to-day forensics, just not all the time.
For whom do you think this career is a good fit? Why?
You have to be technical, very technical. You can’t concentrate on just computers or phones. Eventually, you will have to understand how they interact with each other, with networks, with applications, with cloud services, etc. You have to think critically and be skeptical. Even when you think that a specific artifact has a specific meaning it is incumbent upon you to hypothesize as to what else it could be and conduct tests to prove and disprove your theories. Last, but not least, you need to be articulate both in how you speak and write. You are most likely conveying your results to a business leader, attorney or court. They need to understand highly technical concepts in simple terms.
What educational path did you take to become a computer forensics analyst? Did you pursue additional education at any point? And what was your educational experience like?
While my education started with a BS in computer engineering, it continued throughout my work experience as I took turns in dealing with multiple areas related to computers and digital devices. To complete that education, I had to learn what it meant to forensically preserve data, recover deleted data, and understand what artifacts are and how to observe, research and report on them. My education continues as the digital world continues and advances. New devices, OS, applications and services require one to keep up to date on the latest technologies.
What certifications or tests did you need to pass, if any, to enter the field and/or progress in your career? How did you prepare for them, and what were they like?
I have the EnCE (EnCase Certified Examiner) and DFCP (Digital Forensics Certified Professional). I had to take multiple choice questions that tested my knowledge. I then had to take a practical exam, namely a mini-forensic examination. Preparing for them required reading study guides prior to the exams but more importantly, having the experience for which the certifications tested.
What's a typical day like for you?
A typical day starts with me having a plan of what I’m going to accomplish and then ripping up that plan in the first 30 minutes of the day. I spend parts of my day meeting with my analysts to get updates on their cases and help them troubleshoot issues. I spend another portion of the day talking with new clients or old clients about new cases and then providing quotations and project scopes. I will find myself working on my own forensic cases which may involve general consulting with clients. Sprinkle in the weekly management meetings, attending an occasional webinar, giving a talk or providing testimony in the case. I also double as our internal IT so I spend time with that as well.
What's your favorite part of being a computer forensics analyst? The most challenging part?
The most challenging part is finding the time to devote to new technologies or forensic challenges. Whether it is acquiring data from a new device or service or researching a new artifact, it is sometimes difficult to devote that time while also meeting clients' needs.
I’m particularly proud of those cases where I have been hired to scrutinize the report or results given by another examiner where those results don’t quite seem to make sense. I’m also proud of cases where the client comes to us in a desperate situation and we are able to solve it for them and provide them that relief. Those cases are often “bet the company” matters where the stakes are high.
What advice do you have for individuals considering becoming a computer forensics analyst?
You need to be flexible in what you do. Understand that you may want to concentrate on one aspect of forensics but find that your clients may want a whole realm of services. Look at each opportunity as a chance to learn new things and grow. Be prepared to work long hours and jump in an instant to help a client because urgent matters don’t wait for you to have time to attend to them. If you are looking for a no-pressure, 9-5 job, this is not it. Also consider doing something other than “forensics” in order to better your IT skills.
What do you wish you'd known before becoming a computer forensics analyst?
I honestly can’t think of anything.
Greg Kelley, EnCE, DFCP
As a founder of Vestige, Greg has been involved in the digital forensics field since 2000. He is responsible for the creation of Vestige’s infrastructure and continues to oversee the process of standardizing and streamlining Vestige’s forensic analysis to provide consistent high-quality results on a timely basis.
Greg has over 20 years of experience working in the computer industry. Greg leads Vestige’s Digital Forensic services. His responsibilities include helping to determine strategic direction of the company and overseeing the day-to-day operations and internal Information Systems infrastructure. He helps in performing as well as managing the digital forensic investigations and leads the Data Evidence Specialists and Forensic Analysts on the Vestige team. He is one of the contributing authors to the book Law Firm Cybersecurity.
FAQ About Working in Computer Forensics
What is computer forensics and why is it important?
Computer forensics is a cybersecurity discipline that deals with gathering, evaluating, and analyzing evidence from computer breaches. Professionals in this area are critical to understanding these attacks and bringing perpetrators to justice.
Is the field of computer forensics hard?
Hard is a relative term that is best defined by you. Will you be required to make a significant investment to understand and master the technical skills needed to be effective as a computer forensics analyst? Yes.
What does a day in the life of a computer forensics analyst look like?
Many days will be spent gathering data and information. Other days may require collaboration with colleagues or clients. Occasionally, a computer forensic analyst's day involves preparing or presenting information for criminal cases.
How does computer forensics apply to everyday life?
Computer forensics professionals help keep banking and purchasing data from being compromised. They also help to convict those individuals who commit these acts. Additionally, these professionals protect our utilities, like the electric grid, and investigate attacks on government agencies and classified records.