What It's Really Like to Be a Digital Forensic Examiner
An Interview With Digital Forensics Pioneer John Irvine
There’s little question that technology has significantly changed the way police do business. Just as true is the notion that our ever-advancing technology is changing the type of crimes that police detectives investigate altogether, hence the rise in digital forensics jobs.
Cyberspace is increasingly becoming a “high crime neighborhood,” and the need for a police presence is readily apparent. That’s where the field of digital and multimedia sciences and people like John Irvine come in.
One of the pioneers of the digital forensics field, John was conducting computer investigations before most people knew there was such a thing. Currently, he serves as the Chief Product Officer for CyFir, which offers a remote digital forensics and incident response platform.
John is also an adjunct professor of digital forensics at George Mason University, where he teaches Legal and Ethical Issues in Computer Forensics. He holds a Master of Science degree in Information Systems and a graduate certificate in software systems engineering.
He’s been working in computer forensics since 1997 in both the public and private sector, including work with the FBI, the DEA, and numerous private consulting firms. He also volunteers with the Arcola Volunteer Fire Department. As busy as he is, he found the time to answer some questions for us about the rapidly growing field of digital forensics and what it’s like to work in the industry.
Interview With Digital Forensics Expert John Irvine
Tim Roufa: You have years of experience in digital forensics, to the point that you've established yourself as a recognized expert in the field. It obviously takes a lot of hard work and education to achieve what you've been able to, but how did you get your start?
John Irvine: Completely by accident! Like most stories of great careers, I fell into it because of happenstance, not planning. I’ve always had a great interest in technology. As a kid, I put together the first PC clone on the block. Also, from the age of about five, I knew I wanted to be an FBI agent. Eventually, the two interests dovetailed.
While sitting in my office working in software project management one day, the urge struck me to finally reach out to the FBI. This was before the Internet was, well, the INTERNET, so I couldn’t easily get information online. I called my local FBI field office, left my name and address on the answering machine for interested candidates, and answered “yes” to the question asked about having computer skills.
I received what I call the “So You Want to be a Special Agent?” package a few weeks later. I opened the brochure, and the first page blew away my lifelong dream in one sentence. My career as an FBI agent ended before it started with the requirement for 20/40 uncorrected vision or better. In a time before the wonders of LASIK, I was about 20/2000.
In the back of the packet was what looked like a 17th generation, badly skewed, almost illegible copy of a job posting for a “computer specialist” that had apparently been included because of my stated ability with computers. I thought, “Well, maybe I can fix printers or something for the FBI. At least that will get me in the door.”
I sent my resume to the HR person listed on the job description, and I received a call about a week later from one of the program managers at the FBI’s Computer Analysis Response Team. He said, “Your resume was routed to me because you said you were a ‘computer generalist’ in your cover letter. What do you know about computer forensics?” “Nothing,” I replied. He said, “Great. Come in for an interview.”
TR: How did you first become interested in digital forensics?
JI: In the interview, the people with whom I met told me that I could be a geek with bad eyesight and still help catch the bad guys. Apparently my generalist abilities—meaning I could effectively use different operating systems and had pretty good knowledge of both hardware internals and major applications—would be a great fit on their team.
That was really all I needed to hear. I thought I had been playing with Linux and Mac operating systems in addition to Windows just for fun; I didn’t realize it was all setting the stage for a future career.
TR: Besides your forensics experience, you've spent a lot of time working for the federal government. Did that experience help prepare you for your current career?
JI: Before working for the FBI, I had spent quite a lot of time as a government contractor. In fact, during my senior year of high school, I would leave when the bell rang and would drive up the street to a defense contractor where I worked as an assistant to the directors of HR and Special Security. Later on, I worked for a software company that had a number of government customers.
In addition to already having a security clearance at a very young age, that experience helped me by exposing me to a number of different hardware platforms, software applications, and—most importantly—different types of people in the government and professional world. Regardless of how it looks, computer forensics is as much about the people who use the computers you analyze as it is about the hardware itself.
In the second part of our interview with digital forensics professor and expert John Irvine, we learn about some of the pitfalls of the profession and he explains why this job isn't for everyone.
The Digital Forensics Career Path and Pitfalls
TR: Between your bachelor's degree in management, your software engineering certificate and your master's degree in information systems, how well do you feel your degrees prepared you for your career path?
JI: Each of those programs brought something to the table for me working in computer forensics. First, I think it’s important to say that computer forensics is NOT a computer science discipline. It’s as much an investigative function as it is a technical challenge. If either skill set is missing, one will have a much harder time working successfully in the field.
The MS in Information Systems helped by giving me a better understanding of operating systems, file systems, and computer mechanics. However, my BS in Management was equally helpful with my coursework in psychology, sociology, management, and accounting. I can’t really give an edge to one degree over the other for usefulness in the field.
That said, I want to make sure I say a few things. Computer forensics is an apprenticeship discipline. More programs have come about in recent years—the one in which I teach at George Mason University included—that offer excellent coursework in computer forensics. However, you really learn the trade once you’re in a seat working on real cases alongside a senior examiner.
Also, you do NOT need to have a programming background to work successfully in the field. In fact, I’ve had significantly better luck training investigators in the technical details of the job than I’ve had in teaching programmers methods of investigation and art of “the hunch.” If one doesn’t have a technical background in school, that is NOT a deterrent to getting into the field.
TR: You've worked in both the private and public sectors, performing much of the same work. How would you describe the difference between the two?
JI: The largest differences between working in the public and private sectors are generally procedure and speed. In the federal world, one’s procedures are generally (but not always) heavily prescribed, and speed of production is generally less critical (with some notable exceptions).
In the commercial world, procedures are largely driven by personal experience or your employer’s preferences, and the speed of production is much higher. I’d spent four months on a single hard drive once with a federal employer because of the amount of data it contained, but in the commercial world, you usually aim for a turnaround time of days or weeks at most.
TR: What is a typical workday like for a digital forensics analyst or examiner?
JI: The workday for a digital forensics professional is anything but typical. Depending on the organization for whom you’re working, you might be working a steady stream of child pornography cases, or you might be analyzing subjects so high profile that you’re watching them on CNN while you’re doing the work.
However, you can often expect to be in an overly hot office (because of the number of computers at your desk overpowering typical office air conditioning), and you’ll get very good at piecing together one working component from a bunch of non-functioning ones.
Much of your day will be spent on documentation. You might be writing a report of analysis, peer reviewing another examiner’s report, or noting everything you did when performing an exam. The best examination in the world is useless if you can’t communicate clearly in a written report that can be easily understood by an agent, officer, lawyer, or jury. Plus, if your written report is poor, it will naturally call into question your technical abilities by those who try to read it.
Depending on where you work, testifying in court is a potential part of performing digital forensic analysis. If you’re working in a law enforcement environment, it’s almost guaranteed, but even corporate forensics personnel might have to testify during an unfair termination lawsuit or to support subsequent law enforcement action from tracking an intrusion. Some examiners I’ve known are great behind the keyboard and can write fantastic reports, but they fall apart when called to testify in court.
TR: You wrote an article titled The Darker Side of Digital Forensics. Can you tell us a little bit about some of the pitfalls of the job?
JI: You’re actually referencing a blog post I wrote an eon ago that was picked up by a few digital forensics outlets and has been reposted time and time again. I had no idea it would have such “legs” when I wrote it; I was just amazed that people who wanted to get into the field still had no idea what it really entailed.
Computer forensics has been a fantastic career for me, but there are definitely pitfalls. In fact, the first two class sessions that I teach are centered around the realities of the job, and I’m shocked every time when I find out that I’m the first person that has told my students what the work is really like after they’ve chosen it as their degree field.
I don’t have scientific numbers, but I’d estimate about 70 to 80 percent of computer forensics cases worldwide are related to child pornography. The closer you get to state and local law enforcement, the higher that number goes.
Even if you’re concentrating on computer intrusions and incident response, you’ll often find child pornography as a purpose or result of the intrusion (or simply existing on the computers you examine from the regular user of the machine).
Exposure to child pornography, particularly for eight hours a day, 40 hours a week, 52 weeks a year, takes its toll. It’s not just looking at still pictures. You’re watching the videos, too, and you’re seeing and hearing everything.
If you can keep doing it, you’ll most likely develop a very dark, graveyard sense of humor to combat it. I also volunteer with a fire and rescue squad, and you see much of the same humor there; it’s a coping mechanism developed by people who work in the more grim areas of life.
Also, depending on the work you’re doing, you’ll be exposed to graphic images and text of murder, torture, rape, terrorism, and just about any crime, depravity, pornography, or deviance you can imagine.
Computers are excellent tools for good, and they’re also excellent tools for committing crimes and spreading hate. As a computer forensic examiner, you’ll be exposed to all of it, day in and day out. In one group we had a joke that riffed on a commercial at the time talking about people who “surfed to the bottom of the Internet.” We added, “…and then our team gets a shovel and starts digging.”
Because of the work and the content to which an examiner is subjected, many people who enter the field don’t last. On average, I’d say about 50 percent of the people who get into it leave within about two years. That seems to be the mark when an examiner has had enough cases under his or her belt to become either weighed down by (or immune to) the exposure. If you can make it past the two-year mark, you generally have a long career ahead of you in computer forensics.
A Changing Discipline
TR: With such rapid advancements in computing technology over the past decade, how has the field of digital forensics changed over your career?
JI: Computer forensics has changed tremendously from when I started in the 90s. Back then, you looked at every file on a hard drive (because you could), and mobile devices weren’t even a thought. Floppy disks would come in by the hundreds, but now, you never see them.
Today, the amount of data is so vast that you have to be much more pinpoint in your searches, and mobile devices are an equal—if not more important—subject of examination.
Additionally, the depth of tools has changed significantly. In the early days, most tools were written by cops who had taken a few programming classes or who were self-taught. We had dozens of single-use utilities that we would cobble together to do an examination.
Now, the tools are much more professional and multi-purpose. A good examiner will still have a large “toolbox” from which to work, but he or she has much better base platform options for performing the overall examination. The industry is always trying to move to the magic “find all evidence button,” and some tools are edging close to that for certain types of cases.
Politically, the types of cases have shifted tremendously. Originally, computer forensics was mostly used by law enforcement for criminal cases. After 9/11, much of the work shifted toward counterterrorism. Now, computer intrusions are the hot topic, and many careers have moved toward incident response. The field changes tremendously with the times.
TR: Currently you serve as Vice President for Technology Development at CyTech Services. If you can share them with us, what sorts of innovations have you been able to have a hand in over your career?
JI: Making the move to CyTech Services has been a fantastic one for me. In my position, I not only am able to use my computer forensics experience, but I can also use my background in software project management. CyTech produces CyFIR Enterprise (CyTech Forensics and Incident Response) for performing enterprise computer forensic investigations.
My contribution here is further development of the tool with a practitioner’s eye. For example, CyFIR’s architecture allows investigators to search every node on an enterprise network at once for forensic data—without requiring users to stop work for a lengthy imaging process.
If there’s a malicious code outbreak in an organization, CyFIR has the ability to locate all affected machines within minutes instead of days or weeks. This is huge when performing incident response, e-discovery, or internal investigations on a large enterprise network or when responding to a multi-store point-of-sale compromise that is stealing credit card data from checkout lanes. The old thinking of “image everything and sort through it later” just doesn’t fly anymore in an enterprise context.
While not an “innovation” per se, with my management background, I have been exceptionally lucky identifying candidates who make outstanding forensic examiners.
Resume inflation is, unfortunately, a large problem in our industry, and someone who looks great on paper might have only a buzzword-level knowledge of actually performing an exam. Through an interview process I’ve developed over time, I’ve been extremely successful in finding the right candidates with the skills necessary for the position.
On the educational side, I’ve been able to pass my knowledge and—more importantly—my experience to future generations of forensic examiners. During those first two days of class that I mentioned, I find that one or two people each semester will tell me that they didn’t realize what they had bargained for when they started the program and thank me for letting them know what the job was like, because they didn’t feel comfortable performing that kind of work.
At that point, I am able to guide them into a computer security program that won’t have the same kinds of content issues waiting for them in the future. Likewise, I can pretty quickly identify the students who really seem to have “the knack,” and I can help point them in the right direction to start their careers.
In the final portion of our interview with digital forensics expert John Irvine, we learn why the field is so important, what aspiring examiners can earn, and what you can do to get started in a career as a digital forensic expert.
Why Digital Forensics Is so Important, and How You Can Get Started
TR: Why is the field of digital forensics so valuable to governments and corporations?
JI: Digital forensics is valuable to both governments and corporations for exactly the same reason—information. Whether that information is evidence for a federal criminal case or knowledge of an insider stealing corporate intellectual property for a competitor, digital forensics professionals provide data that the customers otherwise do not have available.
In very simple terms, one could liken the job of a digital forensic examiner to that of a photo developer. For example, if I have an undeveloped roll of film in my hands, that’s almost useless to me as any kind of evidence. However, if someone develops that film into pictures (or recovers data from a hard drive in our case), that content can provide everything the prosecutor, HR manager, or corporate security officer needs.
Now that I think about it, I need to come up with a new analogy for the future. Kids in school today probably don’t even know what a “roll of film” is anymore!
TR: What do you enjoy most about your job, and why do you continue to do it?
JI: Digital forensics appeals to me on a number of levels. First and foremost, it allows me to make meaningful contributions to the safety and security of people without being restricted by the physical limitations of eyesight or age. I might not be the agent chasing someone down an alley, but I might give that agent the data from the subject’s cell phone that seals the case and opens three more.
Next, digital forensics deeply appeals to me because it’s a hybrid of my love of law enforcement and intelligence (my TiVo is filled with cop and spy shows) and my inner geek. If you watch those shows, you’re even seeing an evolution of those characters on screen. Fifteen years ago, they were the über-nerds with broken glasses and awkward social graces. Now, the computer forensic examiner usually has a dry sense of humor and a great sense of style!
TR: What does it take to be successful as a digital forensics examiner or analyst?
JI: Primarily, it takes a sincere passion for justice (and I’m using that as an all-encompassing term) with a love of things technical. If you have those two items, you’re well on your way.
Formal educational programs are available now which didn’t exist just a few years ago, and it’s well worth taking the time to investigate them to see what each has to offer. Additionally, many of the forensics tools out there have classes (using the tool sold by the company, my own included) that can get you started.
As I tell my students, the field requires a very strong sense of personal responsibility. You need to be willing to put your name and reputation on the line with each case you analyze because you could very well end up in court based on the contents of your report. If you lack conviction, grace under pressure, or candor, this is absolutely NOT the career field for you.
Lastly, being successful is helped tremendously by finding a good mentor in the field and working shoulder-to-shoulder with that person while you learn the trade. Schools can give you a great foundation, but case experience helps you put people behind bars.
TR: How much should your average digital forensics examiner expect to earn, and how much might they earn if they become reputable and/or go to a private firm?
JI: Digital forensic salaries vary widely, and recently, due to sequestration and market saturation by people advertising themselves as computer forensic examiners when they aren’t, salaries have started to come down. (Much of the responsibility there rests with bad hiring managers who can’t determine a candidate’s true skill set.)
However, in general, a person with talent should be able to find positions between $60,000-$80,000 at a junior level, $80,000-$120,000 at a mid-level, and up to and over $150,000 at a senior level. That said, I’ve known some amazing examiners who were in positions paying only $50,000 per year as local police officers, and I’ve known lousy examiners who made more than $250,000 per year because they marketed their name well.
In very general terms, forensic examiners make the most in defense litigation cases or in e-discovery if they can run a large number of cases at once (and bill multiple clients). Those salary levels are typically followed by federal government contractors, federal government employees, state government employees, military, and finally local government examiners, respectively.
Commercial salaries run the gamut depending on experience, size of the company, and corporate interest in forensics (either because of proactivity or public embarrassment).
TR: What advice do you have for someone who is trying to decide whether or not they want to work as a digital forensics examiner, or for someone just starting out in the field?
JI: Read this article! Seriously, I would spend a little time on LinkedIn and reach out to people in digital forensics to ask them many of the same questions you’ve asked me.
Find people who work for the organizations or companies you want to work for and let them tell you about the day-to-day grind. I field one or two inquiries a week through either my LinkedIn or school email addresses, and I’m happy to offer my advice depending on their individual situations.
If you have a little money to spend, I’d suggest signing up for one of the training classes offered by the large computer forensic tool manufacturers to get a feel for what’s involved with the work and the ways in which it’s done.
If the class holds your interest, I’d look into the excellent programs in some universities at either the BS or MS levels (like the Masters of Computer Forensics available from George Mason University in Fairfax, Virginia, where I teach).
TR: If you have anything else you'd like to add about your career or the field in general, please feel free to share it.
JI: Computer forensics definitely isn’t for everyone, and that’s OK. Before spending a lot of time or money, find a digital forensics professional in your area, offer to buy him or her a cup of coffee, and pick their brains for an hour. Most of us are more than willing to share our knowledge, as that’s how we came up ourselves.
Digital forensics is a growth field (let’s face it, computers aren’t going away anytime soon), and there’s plenty of work for everyone. However, if you don’t value truth and aren’t able to stand up for your work in the face of adversity, you won’t last long in this business where reputations are everything.
I may not know a given forensic examiner personally, but I can guarantee you that I’m one phone call away from someone who does, and those unofficial “hall files” get passed around between examiners quickly. One instance of poor candor or lack of responsibility can end a career in its tracks.
All that said, it’s been a fantastic field for me, and I’m grateful to everyone I’ve worked with in the past for the lessons they’ve taught me and the experiences that they’ve imparted. It’s been a wild ride.