How to Get into Digital Forensics or Security Incident Response

The field of digital forensics and incident response (DFIR) is attracting a lot attention among information security professionals and law enforcement officers seeking to progress in their careers. One of the challenges of entering this field is that employers often limit their recruitment efforts to experienced forensicators. What can people seeking to get into this industry do?

It seems that organizations rarely want to invest into growing the skills of a beginner forensics or IR analyst. As the result, individuals seeking to get into DFIR should look for opportunities to pick up relevant skills as part of their current job responsibilities. Some ideas and examples:

  • If you have system administration duties, start getting to know the steps and tools used to investigate suspected security incidents. Gradually incorporate these utilities into your toolkit. Examine logs for security events. If you encounter a suspicious executable, begin experimenting with it in a malware analysis lab from a behavior-monitoring perspective.
  • If you have a network administrator role, become familiar with the essential aspects of network intrusion detection. Use the network troubleshooting tools you already know, but dig deeper into the traffic to identify potentially malicious patterns. Play with network forensics puzzles.
  • If you have a programming background, get to know assembly. Pick up a free disassembler and debugger and begin exploring benign programs using these tools. Identify interesting code sections and spend time understanding their inner-workings. When you feel comfortable, start looking at malicious executables.
  • If you’ve been performing file system and related forensics tasks, start incorporating additional utilities into the toolkit you use to examine the evidence you already feel comfortable collecting. Look at the artifacts you didn’t consider earlier. Research their meaning and ask questions about what you find.

The idea is to obtain some baseline DFIR knowledge by building upon what you already know. Look for ways to do this in the context of your current job responsibilities without undermining your commitments to your employer. Supplement the research and experimentation you can do at work with studying and exploring on your own time. Read books on the relevant topics, keep up with DFIR blogs and take formal training if your budget allows. Participate in online forms and informal meet-ups. Talk to people who currently work in DFIR.

Once you learn a bit about DFIR through informal exploration, reading and studying, start looking for a job—in your organization or elsewhere—that can provide you with experiences and mentoring in the aspect of digital forensics and interest response that interests you. Don’t forget to incorporate what you’ve learned about DFIR into your resume, of course.

There are many ways to enter a given field, and everyone’s approach might be different. What are your tips for people interested in getting into DFIR? What has worked for you?

Update: For a perspective on this topic from Harlan Carvey, see his Getting Started post.

Hand-picked related posts:

Just so you know, I teach the malware analysis course at SANS Institute.

Lenny Zeltser

Updated August 25, 2011
Lenny Zeltser

Did you like this?

Follow me for more of the good stuff.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more