Digital Forensics Interview Notes

Background and Career Interest

  • Student explores a non-traditional path toward understanding human behavior, opting for a real-world field approach rather than a traditional lab setup.
  • Discovered digital forensics as a middle ground between psychology and technology interests, drawn to evidence collection, computers, and legal cases.
  • Personal motivation partly inspired by conversations with the student’s mom.

Education Timeline and Graduation

  • School context: discussion about direction but no specific CU classes guiding the chosen path.
  • Graduation timing: student expects to graduate next May.
  • Internship experience: no internships completed yet.
  • Summer work history: worked traditional retail and summer jobs.
  • Path decision timeline: decided on a path only in late spring; missed the internship cycle for the current year.

Internship and Career Exploration Difficulties

  • Traditional psychology internships described as therapist-assistant roles, which the student is not interested in.
  • Curiosity about opportunities to explore both law enforcement and civil forensics as potential career directions.
  • Interest in trying different routes to narrow down which path to pursue.

Forensics Industry Overview and Role Fit

  • Company overview: Digital Intelligence develops computer forensics equipment used by law enforcement and intelligence agencies; also operates a lab.
  • Civil side focus: the lab work centers on civil cases (e.g., employee terminations and data exfiltration, harassment lawsuits) where traces exist on devices.
  • Law enforcement training: the company trains law enforcement but typically does not perform their work due to sensitivities around sharing cases.
  • Role interests: student expresses interest in both law enforcement and civil sides; willingness to pursue whichever opportunity arises.
  • Practical approach to entry: emphasis on gaining firsthand experience by trying roles, certifications, and training offered by or connected to the company.

Networking, Certifications, and Training Pathways

  • Prior conversations: student spoke with Phil Knox at Iron Oak Discovery, who provided potential certifications to pursue.
  • Certification costs: certifications can be expensive; examples include CompTIA and other forensic-specific credentials with costs in the $2,000+ range.
  • Employer sponsorship: programs vary by employer; some employers hire employees who lack certifications and fund their certification once hired.
  • Affordable options for students: some certifications or training routes may be inexpensive or free for students.
  • SANS pathway: SANS certifications are well-recognized but typically costly; discussion about whether a company or student discount could apply.
  • Other training organizations: IACIS (International Association of Computer Investigative Specialists) offers a two-week boot camp for beginners in May, targeting foundational skills for new entrants.
  • Tool-centric training culture: many certifications are tool- or vendor-specific (e.g., Magnet AXIOM, OSForensics, Oxygen Forensics).
  • Core tools discussed:
    • Magnet Forensics – AXIOM: primary forensic tool; daily use in the lab; training may be available; potential for free paths via training teams.
    • OSForensics: all-in-one forensic tool; cost discussed as $5,000 per year.
    • Oxygen Forensics: mobile device forensics tool; widely used.
    • FTK Imager (AccessData): free imaging tool; useful for creating forensic images and recovering deleted files. Because it reads the storage media directly rather than logging in to the operating system, an OS account password does not stop it; full-disk encryption (e.g., BitLocker, FileVault) still does unless the recovery key or an unlocked live session is available.
    • Cellebrite: mobile forensics tool; noted as costly; potential difficulty in obtaining affordable licenses.
  • Training opportunities and access:
    • Internal training coordination: possibility of online/mobile tool training sessions; auditing or taking certification tests through the company.
    • Training lead contacts: Charles (training) and Vaide (head of computer forensics) to assess available programs and potential internships or projects.
    • External academic connections: two university professors who teach digital forensics in Des Moines and San Antonio may offer opportunities and guidance.
    • Upcoming events: SANS conference in Florida; SANS.org as a resource for white papers and training materials.
  • Hands-on licensing and access:
    • Potential to obtain licenses for certain tools (e.g., FTK Imager, OSForensics) to gain practical experience.
    • The possibility of the company arranging licenses or access to tools for student exploration and certification.

Tools, Techniques, and Core Concepts in Forensics

  • Forensic tools and their purposes:
    • Magnet AXIOM: comprehensive analysis platform for digital forensics data; used daily; training available through Magnet’s team.
    • OSForensics: all-in-one toolkit for imaging, analysis, and evidence handling; important for broad investigations.
    • Oxygen Forensics: specialized in mobile devices; important for phone data extraction and analysis.
    • FTK Imager (AccessData): free, essential for creating forensic images; supports recovery of deleted data; reads the media directly, so OS login passwords do not block it, but encrypted volumes remain unreadable without the key.
    • Cellebrite: high-cost option widely used in mobile forensics; cost barrier discussed.
  • Practice areas and workflows:
    • Forensic imaging and evidence preservation: the baseline step; image the original media before any analysis, hash both the source and the image (e.g., SHA-256) and record that they match, then work only from the verified copy; improper handling of the original can jeopardize the case.
    • Evidence preservation and chain of custody: document who handled each item, when, and what was done to it from collection onward; critical for eDiscovery and court admissibility, and a gap in the record can compromise the investigation.
    • DFIR (Digital Forensics and Incident Response): a growing field combining security incident response with traditional digital forensics; used to investigate breaches, identify the entry point, and close the weaknesses that were exploited.
    • Evidence processing and lab work: initial preservation in physical locations; subsequent analysis can be performed remotely via secure access.
    • eDiscovery relevance: forensic imaging and preservation practices apply to electronic discovery workflows.
  • Mobile forensics vs. computer forensics:
    • Mobile devices require specialized tools (e.g., Oxygen Forensics) and sometimes more expensive licenses; different workflows compared to computer forensics.
  • Certifications and career relevance:
    • SANS: recognized credential in cyber forensics, but expensive; corporate sponsorship or student discounts may mitigate cost.
    • CompTIA and other vendor-specific certifications: common starting points; cost varies; employer sponsorship common after hire.
  • Industry dynamics and culture:
    • Law enforcement side often values seniority; the current model can shift toward skill and interest-based progression with new training programs.
    • Civil-side work emphasizes evidence trails across corporate devices and networks; more flexible in terms of remote analysis after imaging.

Practical Considerations: Location, Work Style, and Career Planning

  • Work location preferences:
    • In-person presence is often required for the initial evidence preservation step (physical access to devices).
    • Remote work is feasible for analysis stages (after data is acquired and imaging is performed).
  • Relocation and travel:
    • Willingness to relocate for training and job opportunities; potential for on-site roles requiring presence near labs or client sites.
    • Possible travel for conferences (e.g., SANS conference) and training sessions.
  • Immediate post-graduation plan:
    • Student desires to work right after graduation to gain practical experience and avoid immediate grad school costs.
    • Graduate school is financially burdensome; intends to build experience in the coming year.
  • Internship and project opportunities:
    • Potential intern project from the employer to build resume and gain concrete experience.
    • The role being sought may be more IT-oriented rather than a pure forensic examiner, aligning with the student’s psychology/neuroscience background and problem-solving skills.
  • Communication and follow-up plan:
    • Next steps include a follow-up conversation planned for the following week (Tuesday morning) and ongoing email/text communication to coordinate opportunities.
    • The mentor will investigate tool access, training slots, and potential internships; will loop in internal experts and academic contacts.

Foundational Concepts and Terminology

  • Digital Forensics and Incident Response (DFIR): integrates digital forensics investigations with incident response to detect, respond to, and recover from cyber incidents.
  • eDiscovery: electronic discovery process used in legal contexts to collect, preserve, and analyze electronically stored information.
  • Evidence preservation: the essential first step in any forensic process to maintain the integrity and admissibility of data.
  • Forensic imaging: creating a bit-for-bit copy of a device’s storage (normally through a write blocker) and verifying the copy by cryptographic hash, so analysis can proceed on the copy without modifying the original evidence.
  • Chain of custody: documentation ensuring the integrity and provenance of evidence from collection through analysis and presentation; every transfer or action on an item is logged with who, what, and when.
  • Civil vs. law enforcement forensics: civil forensics focuses on corporate or civil litigation contexts; law enforcement focuses on criminal investigations, with differences in access, workflow, and sharing of case information.
  • Training and certification landscape:
    • Vendor-specific certifications (e.g., Magnet AXIOM, OSForensics, Oxygen) vs. general certifications (e.g., CompTIA) vs. specialized programs (e.g., SANS, IACIS).
  • Industry resources and events:
    • SANS: a primary source for training and certifications in cyber security and forensics; annual conferences and a broad set of white papers.
    • IACIS: provides foundational boot camps aimed at novices entering digital forensics.
    • University and professor networks: collaboration opportunities with academics teaching digital forensics.
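The imaging, hashing, and chain-of-custody discipline described in the definitions above (and in the "Practice areas and workflows" bullets earlier) as a runnable illustration. This is an added example, not code from the interview or from any of the vendors named; the evidence ID, examiner name, file names and the contents of the sample "media" are constructed placeholders, and a real acquisition would read a device behind a hardware write blocker using a tool such as FTK Imager or dd.

```python
"""Forensic imaging and chain-of-custody demo (added example, not from the notes)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB chunks so large disks never have to fit in memory


def sha256_of(path):
    """Hash a file in chunks; used to fingerprint both the source media and the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of `source` into `image_path`.

    The source is opened read-only and hashed in the same pass that writes the
    image, so the recorded hash is of the bytes actually acquired rather than of
    a second read that could differ if the media is failing.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def record_custody(log_path, event, examiner, evidence_id, **fields):
    """Append one chain-of-custody entry (who, what, when) as a JSON line."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "evidence_id": evidence_id,
        "examiner": examiner,
        "event": event,
        **fields,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, expected_sha256):
    """Re-hash the image and compare with the acquisition hash; any change fails."""
    return sha256_of(image_path) == expected_sha256


def demo():
    """Run the whole workflow on constructed data and return the results."""
    workdir = tempfile.mkdtemp(prefix="dfir-demo-")
    source = os.path.join(workdir, "suspect-usb.bin")  # stands in for /dev/sdX (constructed)
    image = os.path.join(workdir, "suspect-usb.dd")
    log = os.path.join(workdir, "custody.jsonl")

    # Constructed sample "media": a few file-like blobs plus a slack region, 3 MiB total,
    # so the chunked copy exercises more than one read.
    with open(source, "wb") as f:
        f.write(b"PK\x03\x04 resume.docx ...".ljust(CHUNK, b"\x00"))
        f.write(b"DELETED: payroll-export.csv,acct,amount\n".ljust(CHUNK, b"\xff"))
        f.write(os.urandom(CHUNK))

    source_hash = sha256_of(source)  # fingerprint the original before anything else
    record_custody(log, "received", "J. Examiner", "EV-001", sha256=source_hash)

    image_hash = acquire_image(source, image)
    record_custody(log, "imaged", "J. Examiner", "EV-001", image=image, sha256=image_hash)

    ok = verify_image(image, source_hash)  # acquisition hash must equal the source hash
    record_custody(log, "verified", "J. Examiner", "EV-001", match=ok)

    # Simulate tampering or media corruption after acquisition: flip one bit in the image.
    with open(image, "r+b") as f:
        f.seek(CHUNK + 7)
        b = f.read(1)
        f.seek(CHUNK + 7)
        f.write(bytes([b[0] ^ 0x01]))
    tampered_ok = verify_image(image, source_hash)

    with open(log) as f:
        entries = [json.loads(line) for line in f]

    return {
        "source_hash": source_hash,
        "image_hash": image_hash,
        "verified": ok,
        "verified_after_tamper": tampered_ok,
        "custody_events": [e["event"] for e in entries],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the script is the discipline, not the copy loop: hash the original first, hash the image as it is written, record both with the examiner and timestamp, and treat any later hash mismatch as a reason to stop and go back to the original. Commercial tools do the same (FTK Imager writes the MD5/SHA-1 of the acquisition into its log), which is why a practitioner always keeps that log with the image.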

Actionable Next Steps for the Student (Strategic Plan)

  • Short-term goals (0–6 months):
    • Explore onboarding opportunities for tool-based training (e.g., auditing Magnet AXIOM, OSForensics, Oxygen, or FTK Imager) through the employer’s training team.
    • Attend or audit the IACIS boot camp (two weeks in May) to establish foundational forensics skills.
    • Pursue low-cost or student-discount options for foundational certifications (e.g., CompTIA) and evaluate employer sponsorship options.
    • Request a small intern project from the company to gain tangible experience and build resume/portfolio.
  • Medium-term goals (6–18 months):
    • Complete at least one tool-specific certification (e.g., Magnet AXIOM or OSForensics) and gain hands-on experience with imaging and mobile forensics.
    • Consider attending a SANS conference (Florida) or similar event for exposure to white papers and networking.
    • Build a professional profile highlighting the interdisciplinary background (psychology/neuroscience) and methodical problem-solving approach to forensics.
  • Long-term goals (18+ months):
    • Decide between a government trajectory (law enforcement or intelligence agencies, e.g., FBI, CIA) and civil/digital forensics roles in industry, guided by hands-on experience.
    • Potential relocation considerations based on job opportunities and training facilities.

Supplementary Resources Mentioned

  • Vendor and organization resources:
    • Magnet Forensics: AXIOM toolkit and training information.
    • OSForensics: all-in-one forensic toolkit (price around $5,000 per year).
    • Oxygen Forensics: mobile device forensics tool.
    • FTK Imager: free forensic imaging tool from AccessData; capabilities include recovering deleted files and reading media regardless of the OS login password (encrypted volumes still require the key).
    • Cellebrite: mobile forensics tool with high cost; discussed as a potential barrier.
    • SANS Institute: provider of widely recognized cyber forensics certifications; Florida conference mentioned; resources on sans.org.
    • IACIS (International Association of Computer Investigative Specialists): two-week boot camp for beginners in May.
  • Academic and professional contacts:
    • Phil Knox (Iron Oak Discovery): provided potential certifications and pathways.
    • Charles (training lead) and Vaide (head of computer forensics) for internal training opportunities.
    • Two college professors who teach digital forensics (Des Moines and San Antonio) for additional training ideas and networking.

Notable Dialog Points and Practical Takeaways

  • The field blends investigative rigor with technical tooling; non-IT backgrounds (e.g., psychology, feminist political theory) can contribute strong analytical thinking and a questioning mindset beneficial to forensics.
  • Initial evidence handling and imaging are foundational; mistakes early on can undermine later analysis and legal admissibility.
  • There is a spectrum of roles—from direct forensic examiner to IT-side support and incident response—where an entry-level candidate might contribute while gaining experience.
  • Financial considerations heavily influence certification decisions; employer sponsorship can significantly reduce personal cost, especially for students.
  • Real-world opportunities exist to gain hands-on experience through internships, audits of training sessions, and early access to trial licenses for forensic tools.
  • Networking with academics and industry professionals is emphasized as a strategic path to uncover additional opportunities and guidance.

Key Takeaways to Remember

  • DFIR is an integrated field combining digital forensics with incident response.
  • Evidence preservation and forensic imaging are non-negotiable first steps in investigations.
  • A balance between civil and law-enforcement paths exists; practical experience will guide the best fit.
  • Start with low-cost or employer-supported training, then progressively obtain tool-specific certifications.
  • Leverage interdisciplinary strengths (e.g., psychology, analysis, attention to detail) to differentiate in the forensics field.