Digital Forensics is the process of identifying and reconstructing the relevant sequence of events that have led to the currently observable state of a target IT system.
Digital Forensics involves very technical matters, that delve deep into hardware and software, using specialised tools, to recover data from systems and devices. This may be a part of a forensics team or working in co-operation with other types of specialists.
Although most of Digitial Forensics is driven by the need to respond to security incidents or suspected crimes, their work is methodical and careful. By recording the steps of their investigations and findings thoroughly, if a part of a law enforcement role, they contribute substantially to the investigation of crimes. With more experience, a Digital Forensics professional may appear as an expert witness in court.
In a corporate environment, Digital Forensics may examine malware or the effects of a breach to understand the vulnerabilities that have been exploited, the damage caused and the identity of the attackers. The conclusions help the organisation by preventing further incidents. In some organisations, responsibilities will be broader than digital forensics and perhaps include the initial detection of intrusions.
Within this specialism, there is a deep understanding of software, and in some roles, hardware and industrial control systems. There is an understanding of both the formal records created by software processes and the accidental traces that are left in memory and hardware. Digital Forensics finds and interprets this information to analyse data using specialist software and hardware tools to disassemble and extract electronic components, to recover data from devices like mobile phones.
Digital Forensics needs to stay up to date on the vulnerabilities of the software and hardware that are in use – almost certainly including cloud technologies – and on the attack techniques and motivations of potential attackers.
Digital Forensics uses detailed technical knowledge and sophisticated tools and techniques to acquire, analyse and report on the data contents of devices and systems, whether as part of a response to a security incident or an investigation into possible criminal behaviour.
In detail, you might:
For Digital Forensics roles, titles include:
For more experienced Digital Forensics roles, titles include:
A Digital Forensics role could earn between £20,000 and £45,000 a year.
A senior Digital Forensics role could earn between £50,000 and £95,000.
Many of the advertised jobs are in police services, whose public sector salaries are lower than those typically offered in similar jobs in the private sector.
The ranges are calculated from a survey of online job vacancies advertisements in March 2021.
Each of the 16 specialisms are based on knowledge areas within CyBOK.
More information on CyBOK knowledge areas can be found here.
Here are the knowledge areas associated with Cyber Security Governance & Risk Management
Core knowledge – you will need a very good understanding of these areas
The collection, analysis, and reporting of digital evidence in support of incidents or criminal events.
International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.
If you need to investigate breaches affecting industrial control systems (ICSs), you'll also need:
Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures.
Related knowledge – you will need a solid understanding of these areas
Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multitenant data centres, and distributed ledgers.
The motivations, behaviours, and methods used by attackers, including malware supply chains, attack vectors, and money transfers.
Known categories of programming errors resulting in security bugs, and techniques for avoiding these errors - both through coding practice and improved language design - and tools, techniques, and methods for detection of such errors in existing systems.
The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
Wider knowledge – these areas will help to provide context for your work
Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
F3 – Forensics
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
This specialism is generally unsuitable for entry directly from another career, on account of its requirement for significantly advanced, specialised skills.
However, some roles, which are quite specialised, may provide a good foundation on which additional training can build. These include:
Other roles or careers which involve careful, detailed investigation may also have provided some relevant experience.
In a criminal investigation role, you might move from Digital Forensics into other another forensics specialism. Alternatively, you might move into one of these other cyber security specialisms:
Another alternative is to move into a more senior role in Digital Forensics, or as the manager of a Security Operations Centre or Network Operations Centre.
Our qualifications framework is currently under development. Sign up to our newsletter here to be notified when this is published.
Entry route information can be found here.
You can also visit the National Cyber Security Centre website at the links below: