
Digital Forensics

Digital Forensics is the process of identifying and reconstructing the relevant sequence of events that have led to the currently observable state of a target IT system.


More about a career in Digital Forensics

You work on very technical matters, sometimes delving deeply into hardware and software, using specialised tools, to recover data from systems and devices. Although most of your work is driven by the need to respond to security incidents or suspected crimes, you work methodically and carefully, in control of the pace of your work.

You record the steps of your investigations and your findings thoroughly; in some organisations this will be for presentation in legal proceedings, whether civil or criminal. If you're an experienced digital forensics practitioner, you may be directly involved in such proceedings, appearing as an expert witness in court.

You may be part of a forensics team, or working on your own but in co-operation with other types of specialist. If you're in a law enforcement role - perhaps in a police service - you contribute substantially to the investigation of crimes; in many cases, your work is crucial to the solving of a crime.

If you work in a corporate environment, you may examine malware or the effects of a breach to understand the vulnerabilities that have been exploited, the damage caused and the identity of the attackers. Most importantly, your conclusions help your organisation and others prevent further incidents of the same type. In some organisations, your responsibilities will be broader than digital forensics, perhaps including the initial detection of intrusions.

You have a deep understanding of software and, in some roles, hardware and industrial control systems. You understand both the formal records created by software processes, in logs, and the accidental traces that are left in memory and hardware, and you know how to find and interpret them both. It's likely that you use specialist software tools to find and analyse data, and specialist hardware tools to disassemble and extract electronic components if you need to recover data from devices like mobile phones. 

You stay up to date on the vulnerabilities of the software and hardware that are in use - almost certainly including cloud technologies - and on the attack techniques and motivations of potential attackers. You're technically skilled, knowledgeable and a good learner.

In this specialism you'll use detailed technical knowledge and sophisticated tools and techniques to acquire, analyse and report on the data contents of devices and systems, whether as part of a response to a security incident or an investigation into possible criminal behaviour.

In detail, you might:

  • triage a set of devices, systems and software components to identify priorities for investigation
  • physically disassemble and examine computers and related hardware
  • use specialist tools and techniques to retrieve data from devices and systems, either directly or remotely, including by imaging storage media
  • analyse files, data elements and memory contents to find evidence of malicious or illegal activity
  • analyse malicious software to understand attack techniques, identify vulnerabilities and attribute the activity to those responsible
  • handle materials and data so as to avoid contamination or corruption, possibly in line with chain of custody rules
  • log every significant action
  • produce formal reports on the investigation, often to the standard of evidential submission
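The tasks above on imaging storage media, avoiding contamination or corruption, and logging every significant action come together in one routine practice: hashing an acquired image, re-verifying every working copy against the recorded hashes, and writing each step to a custody log. The script below is an added illustration of that practice, not code from this profile or from any of the tools it names; the file names, the examiner identifier and the 1 MiB "source media" are constructed stand-ins, and the raw copy stands in for a write-blocked acquisition.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # read images in 1 MiB pieces so multi-GB files need not fit in memory


def hash_file(path, algorithms=("sha1", "sha256")):
    """Return {algorithm: hexdigest} for a file, computing all digests in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Return (ok, actual): ok is True only if every recorded digest still matches."""
    actual = hash_file(path, tuple(expected))
    ok = all(actual[name] == digest.lower() for name, digest in expected.items())
    return ok, actual


def log_action(log_path, actor, action, details):
    """Append one JSON line per action: who did what, when (UTC), and the hashes involved."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "actor": actor, "action": action, **details}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def read_log(log_path):
    """Parse the custody log back into a list of entries (for reporting or audit)."""
    with open(log_path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def demo():
    """Constructed scenario: acquire, verify a working copy, and detect a corrupted copy."""
    work = Path(tempfile.mkdtemp(prefix="dfir-demo-"))
    source = work / "source_media.bin"
    source.write_bytes(bytes(range(256)) * 4096)  # constructed 1 MiB stand-in for seized media
    image = work / "source_media.dd"
    image.write_bytes(source.read_bytes())  # stand-in for a raw, write-blocked acquisition
    log = work / "custody.jsonl"
    examiner = "examiner-1"  # hypothetical actor identifier

    # 1. Acquisition: hash the source, then confirm the image matches before anything else happens.
    acquired = hash_file(source)
    image_ok, image_hashes = verify_image(image, acquired)
    log_action(log, examiner, "acquire", {"source": str(source), "image": str(image),
                                          "expected": acquired, "actual": image_hashes, "match": image_ok})

    # 2. Every working copy is verified against the acquisition hashes before analysis.
    working = work / "working_copy.dd"
    working.write_bytes(image.read_bytes())
    copy_ok, copy_hashes = verify_image(working, acquired)
    log_action(log, examiner, "verify", {"file": str(working), "expected": acquired,
                                         "actual": copy_hashes, "match": copy_ok})

    # 3. A single flipped byte (simulated corruption) must be caught and recorded, not silently used.
    tampered = work / "tampered_copy.dd"
    data = bytearray(image.read_bytes())
    data[512] ^= 0xFF
    tampered.write_bytes(bytes(data))
    tampered_ok, tampered_hashes = verify_image(tampered, acquired)
    log_action(log, examiner, "verify", {"file": str(tampered), "expected": acquired,
                                         "actual": tampered_hashes, "match": tampered_ok})

    return {"image_ok": image_ok, "working_copy_ok": copy_ok, "tampered_copy_ok": tampered_ok,
            "sha256": acquired["sha256"], "log_entries": len(read_log(log))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording two digests and re-checking both on every copy is the usual practice; the JSON-lines log gives a timestamped, append-only record of each action that can be reproduced in a formal report.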

There are generally two levels of Digital Forensics role: practitioner and senior practitioner. There are few entry-level positions; nearly all practitioner roles require significant IT knowledge and experience and specialist training in at least some aspects of digital forensics.

A practitioner:

  • performs all the tasks described in the Tasks section, usually under supervision initially
  • is unlikely to be called to give evidence in court, at least until experienced

A senior practitioner:

  • carries out the same tasks but on all types of cases and incidents
  • may supervise practitioners and set standards, create and monitor the effectiveness of policies, and arrange or deliver training
  • may be called as an expert witness in civil or criminal trials
  • may also be responsible for managing a digital forensics lab and ensuring the compliance of its practice with official standards

Personal attributes

  • problem solving
  • logical thinking
  • writing formal reports
  • evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action

Specialist skills

  • file system analysis
  • memory artefact analysis
  • software analysis, possibly including decompilation
  • scripting in languages or tools, such as Python, Unix Shell and PowerShell
  • physical disassembly of electronic devices
  • use of common forensics tools such as UFED, EnCase and FTK
  • writing reports suitable for submission in legal proceedings

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)

F3 – Forensics

Principles:

  • secures the scene and captures evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business while maintaining evidential weight, using specialist equipment as appropriate.
  • analyses the evidence to identify breaches of policy, regulation or law, including the presence of malware.
  • presents evidence as appropriate, acting as an expert witness if necessary.


*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.


This specialism is generally unsuitable for entry directly from another career, on account of its requirement for significantly advanced, specialised skills.

However, some roles - themselves quite specialised - may provide a good foundation on which additional training can build. These include:

  • scene-of-crime officers
  • data recovery
  • archaeology
  • forensic accountancy

Other roles or careers which involve careful, detailed investigation may also have provided you with some relevant experience.

Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.

Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.

As an experienced practitioner in a Digital Forensics role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to have a very good understanding of the Core Knowledge, which is essential to performing the role. You may still have a good understanding of the Related Knowledge, but not to quite the same degree. You may have a much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.

Coming into such a role, you will not be expected to have all this knowledge initially. But, given the complexity of much of the work, you will need to have a large minority of the knowledge.

If you are working in a criminal investigation function - for example, in a police service, a forensic services company or as an independent expert witness - you will also need a good understanding of the legal requirements and constraints. These are laid out in Criminal Procedure Rules and Practice Directions (CrimPR Part 19 and its accompanying Practice Directions) and the ACPO Good Practice Guide for Digital Evidence.

Core knowledge

Forensics

The collection, analysis, and reporting of digital evidence in support of incidents or criminal events.

Law & Regulation

International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.

If you need to investigate breaches affecting industrial control systems (ICSs), you'll also need:

Cyber-Physical Systems Security

Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures.

Related knowledge

Distributed Systems Security

Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multitenant data centres, and distributed ledgers.

Adversarial behaviour

The motivations, behaviours, and methods used by attackers, including malware supply chains, attack vectors, and money transfers. 

Software Security

Known categories of programming errors resulting in security bugs, and techniques for avoiding these errors - both through coding practice and improved language design - and tools, techniques, and methods for detection of such errors in existing systems. 

Security Operations & Incident Management

The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.

Wider knowledge

Network Security

Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.

Web & Mobile Security

Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.

You might start in a junior role in Digital Forensics with experience in mobile phone or computer engineering or maintenance, although such opportunities are rare.

Alternatively, you might start as a graduate, with a degree in:

  • computer and digital forensics
  • cyber security and digital forensics
  • forensic science with criminology
  • cyber security or information security

Or, within an organisation, you may transition from one of these cyber security specialisms:

In a criminal investigation role, you might move from Digital Forensics into another forensics specialism. Alternatively, you might move into one of these other cyber security specialisms:

Another alternative is to move into a more senior role in Digital Forensics, or as the manager of a Security Operations Centre or Network Operations Centre.

For Digital Forensics practitioner roles, titles include:

  • Digital Forensic Investigator
  • eForensics Examiner
  • Digital Forensics Incident Response Specialist
  • Digital Forensics & Incident Response Specialist
  • Digital Forensics and Data Management Analyst
  • Junior Digital Device Data Recovery Practitioner
  • Digital Forensic Technician
  • Computer Forensics Consultant

For senior Digital Forensics practitioner roles, titles include:

  • Senior Digital Forensics and Incident Response Specialist
  • Senior Police Digital Investigator
  • Senior Digital Forensic Investigator
  • Manager, Digital and Forensic Investigations
  • Senior Cyber Incident Response Analyst
  • Forensic Lead

A Digital Forensics practitioner might earn between £20,000 and £45,000 a year. 

A senior Digital Forensics practitioner might earn between £50,000 and £95,000.

Many of the advertised jobs are in police services, whose public sector salaries are lower than those typically offered in similar jobs in the private sector.


The ranges are calculated from a survey of online job vacancies advertisements in March 2021.