Ever thought about working in digital forensics? As part of our regular Get a job series on security careers, SC asked some prominent Australian forensics professionals about how to get into their industry and what it takes to succeed.
Forensics is a diverse area of information security. Professionals in the field are digital detectives who can subvert security systems, follow complex data trails and prepare evidence that can sway the outcome of high-profile court cases. They work in a tight, close-knit industry and often collaborate to unravel crime.
Why you want it
"It's a chance to delve under the bonnet," says Rod McKemmish, partner at PPB Advisory. "If you like finding out how things work, how computers and humans tick, then it is a great job." McKemmish was a beat-cop who some two decades ago entered the the burgeoning industry as a founder of the Victorian Police forensics division, one of the first of its kind in the country.
It is common for forensics officers to have a background in policing, in sworn or civilian roles. Those with law enforcement experience are well-placed to snap up a senior position in the burgeoning industry that is in need of talent.
Those working in the private sector may work with police to crack data breach cases, or to gain the required authorisation to obtain evidence.
Patrick Dunne, senior manager of forensic evidence services at the Australian Securities and Investments Commission (ASIC), kicked off his career in a law enforcement agency in 1997 when as a Unix and Oracle administrator he was sent to one of the world's first computer forensics courses, conducted by a Canadian law enforcement agency.
"There was no Encase or FTK in those days - we used a disk editor to view data," he says. Now Dunne's teams investigate cases involving Terabytes of data and troves of new and legacy file formats. All of this must be decoded within often tight court deadlines so ASIC's lawyers and investigators are sufficiently resourced to battle what Dunne says are often well-resourced businesses and individuals.
His work at the securities watchdog is satisfying stuff. "The work we do helps to promote a stronger and fairer marketplace and as such is vital to the community," he says. His staff are distributed across the country and collaborate via weekly video and audio team meetings.
Shane Bell, director of forensic technology at McGrathNicol, got his start in the industry as an officer for eight years in the Australian Navy before working for a further six years in private sector forensics. He also loves the job.
"It can be very interesting and very engaging. Each matter is different and you get a chance to explore new technologies as well as master the old stuff," he says. "At the moment we are assisting with some very complex large scale electronic discovery matters and who knows, maybe next week we will be out on a search warrant or an Anton Piller order, or being called to give evidence in court as an IT forensic expert witness, or even assisting in uncovering a large fraud."
One professional speaking on the condition of anonymity is a forensics officer of eight years with a Federal Government agency. M.K, not his real name, cracks fraud cases and regularly accompanies Australian Federal Police on search warrant raids against suspected fraudsters. He has worked in the tech sector for about 15 years.
"Data carving and searching for evidence is the fun bit," M.K says. "But this is only a small percentage of the overall job." When M.K isn't digging for data on mobile phones, computers and thumb drives, he is presenting statements and reports for court-admissible evidence.
M.K started his career as a police officer and like many still has the heart of a cop: he is methodical, down-to-earth and he hates the beaten-up glossy image of the trade as it is portrayed in Hollywood crime flicks. "It's nothing like CSI. That show really gives me the sh*ts, and it sometimes attracts d**kheads to our industry," he says.
Forensics demands an analytical mind, and a respect for due process. Professionals are unswerving followers of the creed of continuity of evidence, meaning they produce detailed documentation about the steps in investigations that could take days, or many months.
But McKemmish thrives in this pool of paperwork. He sees it as an opportunity to present complex technological processes as a story readable by laymen and lawmakers. One prominent case was so successfully prosecuted on what he says were grounds of solid book work that he did not need to give evidence in court and the case was quickly closed.
Most forensics professionals at a senior level have given evidence in court more times than they can remember. It's a stressful environment but one that M.K enjoys as a place to test his skills.
"Any nerd can find evidence on a computer. But being able to present that in court in admissible fashion, being able to handle yourself in the witness box against other experts and lawyers, that's where your skills come in."
Courtroom duels are also where McKemmish gets a thrill.
"I like the civil matters, exchanging reports, having conferences, and the intellectual sparring before you get in the witness box."
They also travel, a lot. "I've seen the world," McKemmish says.
Why you might not
Forensics professionals may work long continual hours that stretch into the early morning. They also may begin work when the rest of us go home in order to minimise down-time to clients. M.K is occasionally on site for long stretches while search warrants are executed.
They all acknowledge that it can become tedious in the thick of investigations.
"If you don’t like travel and you don’t like long and sometimes uncertain hours, then this field is not for you," Bell says. It is also a difficult industry to break into, he says.
Dunne's team do not often travel, thanks to their remote meetings, but their workload can push into "anti-social hours at short or no notice," he says.
But broadly speaking the professionals love their jobs, and find the question of drawbacks a difficult one to answer.
Show me the money!
It's a small industry with big promise and big bucks. Progression for talented and interested professionals can be fast, both within organisations and by jumping ship.
Private sector salaries start somewhere between $55,000 and $80,000 in Sydney for a greenhorn techie.
In a more senior client-facing role that blends business and technical forensics, professionals can receive salaries of more than $180,000, plus bonuses.
Bell understands that Australia pays better than the US and Britain.
Pays generally can't be matched in the public sector, which is a big problem for state police which struggle to retain experienced professionals. But it offers a level of training said to be generally unavailable in the private sector.
Dunne says the salaries on offer at ASIC are competitive, for the right people. He acknowledges the near universal disparity between public and private sector paychecks, but says ASIC is an attractive place to work because of "good working conditions and the opportunity to work on some very large and high profile cases".
M.K says public sector pays for an experienced professional hover around $100,000 plus awards, and says the best way to earn cash in the industry is to work as a consultant. But the government anti-fraud gun warns those taking that job to "be prepared to give them your pound of flesh."
How to get it?
University degrees in forensics exist, but they are not essential to break into the industry. Greenhorns must have some form of IT degree, and McKemmish recommends one focused on networks which he says is an in-demand skill.
Forensics certificates such as a Certified Computer Examiner and the Encase Certified Examiner have landed greenhorns jobs, Bell says. "These are good ways to demonstrate keenness and give you the edge over other potential candidates".
The certifications also offer a good taste test of what the industry is like.
In the industry, enthusiasm is king. More important than degrees, Bell says, "you need to demonstrate a keenness to learn and a real desire to want to work in the field."
And you need experience, which makes forensics a tough industry to break into, Dunne says. "Many agencies and firms require a significant amount of direct experience. Good candidates are snapped up quickly when opportunities arise. Many positions within the private sector are not advertised."
Dunne says ASIC considers among other attributes the attitude and aptitude of candidates seeking a job. "You can't possibly know everything about everything, but we need you to be sufficiently internally motivated to recognise where there is a knowledge gap, research possible solutions, and to share and discuss those solutions within the team."
"It's not enough to simply follow a procedure - we want your intelligence and experience."
Courts require professionals to demonstrate expertise through experience and qualifications, not degrees. This is "for good reason", M.K says. "Universities cannot hope to keep up with the real world. The currency of experience is where it really counts."
Those gunning for management positions will also need technical experience.
Success requires a decision on whether to remain in the technical or business management realms, and within the public or private sectors.
Professionals in all camps consider themselves successful. McKemmish says a position managing clients and scoring new business will draw fatter paychecks, while Bell says the professional services sector offers attractive strategic senior roles that "adds a different dimension to your career than just being purely technical".
Electronic discovery professionals are in demand in the industry, Dunne says, as the specialisation continues to merge with forensics. "There are not many people who are experts on all aspects of the Electronic Discovery Reference Model and there is a growing requirement for smarter, faster forensics that remains focussed on the investigation aspects of a case, albeit with one eye on the litigation outcome," Dunne says.
He says there are opportunities for ediscovery specialists to become proficient in forensic collections and analysis. To address this, ASIC has opened an overarching Evidence Services Group that contains specialists in areas including forensics, ediscovery, evidence management and bulk hard-copy document management. Dunne says the groups "interact constantly".
For M.K, management is boring. He says he is not interested in "managing other techos" and says worklife as a technical professional in the public sector is great. Dunne also acknowledges "some potential cost to a work/life balance" that comes with a job in the private sector.
McKemmish recommends finding a mentor, who will likely be outside of the business.
Leaders in the field have excellent verbal and written communication skills. "The ability to relay a technical message in a manner that can be understood and digested by non technical people is the real strength of the industry leaders in our field", Bell says.
Climbing the ladder by jumping ship, Dunne says, can be a rare opportunity because the market is relatively small.
He says professionals must keep their technical knowledge up to date and maintain a network of peer contacts. "A hunger for knowledge and an interest in 'how stuff works' will serve you well."
M.K says the best forensics professionals think like criminals, and he "highly recommends" that greenhorns start their careers in law enforcement. "You need to be able to think like a crook, to know where to look and what to look for".