
Digital Forensics

Digital Forensics is the process of identifying and reconstructing the relevant sequence of events that have led to the currently observable state of a target IT system.


More about a career in Digital Forensics

Working life

An introduction to this specialism

Digital Forensics involves very technical matters that delve deep into hardware and software, using specialised tools to recover data from systems and devices. This may be as part of a forensics team or working in co-operation with other types of specialists.

Although most of Digital Forensics is driven by the need to respond to security incidents or suspected crimes, the work is methodical and careful. By recording the steps of their investigations and their findings thoroughly, practitioners in a law enforcement role contribute substantially to the investigation of crimes. With more experience, a Digital Forensics professional may appear as an expert witness in court.

In a corporate environment, Digital Forensics may examine malware or the effects of a breach to understand the vulnerabilities that have been exploited, the damage caused and the identity of the attackers. The conclusions help the organisation prevent further incidents. In some organisations, responsibilities will be broader than digital forensics and perhaps include the initial detection of intrusions.

Within this specialism, there is a deep understanding of software and, in some roles, hardware and industrial control systems. There is an understanding of both the formal records created by software processes and the accidental traces that are left in memory and hardware. Digital Forensics finds and interprets this information, analysing data with specialist software and using hardware tools to disassemble devices and extract electronic components in order to recover data from devices like mobile phones.

Digital Forensics needs to stay up to date on the vulnerabilities of the software and hardware that are in use – almost certainly including cloud technologies – and on the attack techniques and motivations of potential attackers. 

Responsibilities

What will your responsibilities include? What are your tasks likely to include?

Digital Forensics uses detailed technical knowledge and sophisticated tools and techniques to acquire, analyse and report on the data contents of devices and systems, whether as part of a response to a security incident or an investigation into possible criminal behaviour. 

In detail, you might: 

  • triage a set of devices, systems and software components to identify priorities for investigation 
  • physically disassemble and examine computers and related hardware 
  • use specialist tools and techniques to retrieve data from devices and systems, either directly or remotely, including by imaging storage media 
  • analyse files, data elements and memory contents to find evidence of malicious or illegal activity 
  • analyse malicious software to understand attack techniques, identify vulnerabilities and attribute the activity to those responsible 
  • handle materials and data to avoid contamination or corruption, possibly in line with chain of custody rules 
  • log every significant action 
  • produce formal reports on the investigation, often to the standard of evidential submission 

Job Titles 

For Digital Forensics roles, titles include: 

  • Digital Forensic Investigator 
  • eForensics Examiner 
  • Digital Forensics Incident Response Specialist 
  • Digital Forensics & Incident Response Specialist 
  • Digital Forensics and Data Management Analyst 
  • Junior Digital Device Data Recovery Practitioner 
  • Digital Forensic Technician 
  • Computer Forensics Consultant 

For more experienced Digital Forensics roles, titles include: 

  • Senior Digital Forensics and Incident Response Specialist 
  • Senior Police Digital Investigator 
  • Senior Digital Forensic Investigator 
  • Manager, Digital and Forensic Investigations 
  • Senior Cyber Incident Response Analyst 
  • Forensic Lead 

Salaries 

A Digital Forensics role could earn between £20,000 and £45,000 a year.  

A senior Digital Forensics role could earn between £50,000 and £95,000. 

Many of the advertised jobs are in police services, whose public sector salaries are lower than those typically offered in similar jobs in the private sector.

The ranges are calculated from a survey of online job vacancy advertisements in March 2021.

Knowledge

What core, related and wider knowledge is important for working in this specialism?

Each of the 15 specialisms is based on knowledge areas within CyBOK.

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Digital Forensics.

Core knowledge – you will need a very good understanding of these areas 

Forensics 

The collection, analysis, and reporting of digital evidence in support of incidents or criminal events. 

Law & Regulation 

International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare. 

If you need to investigate breaches affecting industrial control systems (ICSs), you'll also need: 

Cyber-Physical Systems Security 

Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures. 

 

Related knowledge – you will need a solid understanding of these areas 

Distributed Systems Security 

Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multitenant data centres, and distributed ledgers. 

Adversarial behaviour 

The motivations, behaviours, and methods used by attackers, including malware supply chains, attack vectors, and money transfers.  

Software Security 

Known categories of programming errors resulting in security bugs, and techniques for avoiding these errors - both through coding practice and improved language design - and tools, techniques, and methods for detection of such errors in existing systems.  

Security Operations & Incident Management 

The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence. 

 

Wider knowledge – these areas will help to provide context for your work 

Network Security 

Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security. 

Web & Mobile Security 

Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.

Skills

What personal attributes might you need? What specialist skills are important?

Personal attributes 

  • problem solving 
  • logical thinking 
  • writing formal reports 
  • evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

Specialist skills 

  • file system analysis 
  • memory artefact analysis 
  • software analysis, possibly including a decompiler   
  • scripting in languages or tools, such as Python, Unix Shell and PowerShell 
  • physical disassembly of electronic devices 
  • use of common forensics tools such as UFED, EnCASE and FTK 
  • writing reports suitable for submission in legal proceedings 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs) 

F3 – Forensics 

Principles: 

  • secures the scene and captures evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business and maintaining evidential weight, using specialist equipment as appropriate. 
  • analyses the evidence to identify breaches of policy, regulation or law, including the presence of malware. 
  • presents evidence as appropriate, acting as an expert witness if necessary. 

  

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

 

Experience 

This specialism is generally unsuitable for entry directly from another career, on account of its requirement for significantly advanced, specialised skills. 

However, some roles, which are quite specialised, may provide a good foundation on which additional training can build. These include: 

  • scene-of-crime officers 
  • data recovery 
  • archaeology 
  • forensic accountancy 

Other roles or careers which involve careful, detailed investigation may also have provided some relevant experience. 

Moving on

What other cyber security or IT role might you progress to from this specialism?

Linked Specialisms 

  • Cyber Threat Intelligence 
  • Incident Response 
  • Network Monitoring and Intrusion Detection 
  • Vulnerability Management 

Moving On 

In a criminal investigation role, you might move from Digital Forensics into another forensics specialism. Alternatively, you might move into one of these other cyber security specialisms: 

  • Network Monitoring & Intrusion Detection 
  • Cyber Threat Intelligence 
  • Vulnerability Management 
  • Incident Response 

Another alternative is to move into a more senior role in Digital Forensics, or as the manager of a Security Operations Centre or Network Operations Centre. 

Qualifications

Which certifications and qualifications are relevant to roles in this specialism?

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training 


© 2025 UK Cyber Security Council | Registered charity no. 1195030