From corporate theft to murder, computers often play a role in nefarious activity, requiring specialists with a mix of legal and technical expertise to gather evidence stored digitally.
"If it's a crime, a computer can be a component of it," says Mike Finnie, a computer forensics specialist with Computer Forensics Inc.
Even if the computer is not the instrument of the crime, it may contain evidence of illegalities. As PCs, PDAs and other computer-based devices become pervasive in work and personal lives, it's no surprise they often play a role in illegal behavior.
Wanted: Legal and Investigative Skills
Specialists in this field, known as computer forensics, combine technical expertise.
with investigative skills and in-depth knowledge of the legal system. The field's techniques are used not just by law enforcement agencies but also in the corporate world for investigations into workplace improprieties as well as potentially illegal behavior.
Opportunities for technology professionals to break into computer forensics have increased, but many organizations still prize specialists with law enforcement experience that includes work for local or state police, the FBI or the Secret Service. "Almost invariably, the best forensic examiners are current or former law enforcement officers, either federal or local," says John McElhatton of JMac Enterprises, a firm offering computer forensic services. "The necessary investigative skills are already in place."
Tech Crime-Scene Pitfalls
Technology professionals not trained in computer forensics will almost certainly cause problems in investigations, according to experts in the field. Countless investigations have been stymied by well-intended techies eager to gather evidence yet unaware their efforts may end up altering data, thus foiling the chances for a successful inquiry or prosecution.
Even top-notch network administrators, says McElhatton, may "step on the potential evidence out of ignorance of forensic and evidence-handling protocols."
Computer Forensics Training
Training is now available to professionals working outside law enforcement, opening up the field to techies willing to learn the analytical, communication and legal skills necessary to work in computer forensics.
"We're very busy in this industry," says Warren Kruse, coauthor of Computer Forensics: Incident Response Essentials, a leading book on the topic. "It's somewhat new, so someone can still get in on the ground floor."
But techies should still consider whether they have the traits needed to succeed in the industry.
Rick Van Luvender, president of InfoSec Academy, says computer forensics specialists must be detail-oriented and able to carry themselves with poise, especially when faced with questions from opposing counsel in a courtroom. "You need to treat every piece of evidence you collect as if it will be presented in court," he says.
Others concur, emphasizing the need for techies to communicate their findings to nontechnical workers, including attorneys, judges and juries. "It doesn't do any good to start talking hexadecimal to a jury," says Finnie.
Given the newness of the field, titles are still in flux, but job listings may be posted under titles such as forensics examiner, computer investigator or investigation specialist.
Specialized software in the field is offered by Guidance Software, among other companies, but training in investigative protocols is considered more important than knowledge of specific software.
Computer Forensics Certifications
Some organizations offering certification and training in computer forensics are the International Association of Computer Investigative Specialists and the Southeast Cybercrime Institute. The InfoSec Academy curriculum, for instance, covers everything from file systems and data formats to crime-scene processing and ethical issues. Software vendors also offer training, and a number of universities offer computer forensics programs. The National Center for Forensic Science at the University of Central Florida, for instance, offers a graduate certificate in the field.
Training programs may be particularly appealing to independent computer consultants, says Van Luvender. Many companies are unable to employ forensics experts or may be wary about having one employee investigate a colleague. Such companies typically will hire a consultant when a problem arises.
While the bar may be high to enter computer forensics, the rewards are unique. "Every case is different," says McElhatton. "It is very challenging and rewarding to crack a case using a combination of investigative and technical skills."