Become a Computer Forensics Expert

By | December 17, 2017

So, you have just finished watching CSI and decided to pursue a career in computer forensics. You have extensive computer knowledge and spotted all the mistakes the actors made. You figured, because of your computer experience, it could not be that difficult.

You Googled the topic, read through hundreds of articles and eventually landed on this page. Stop right there! Before you continue; please read the What is Computer Forensics article to learn more about Computer Forensics and available certifications.

Computer forensics is not as glamorous as the TV shows would like you to believe. You will be performing a lot of monotonous tasks. For example, sorting out data, creating timelines and documenting your steps. You will need to study constantly to familiarize and update yourself with the methods, procedures and tools you need to use. Still want to do computer forensics? Then carry on reading.


Before becoming a forensic pathologist you need to qualify as a medical doctor and before you work as a forensic accountant you need accounting qualifications. You might think that you need qualifications in computer sciences before you can work as a computer forensics expert, but here you will be wrong. You need no formal computer training and many computer forensics experts only have a law enforcement background. The sad truth is that most people working in this field of expertise have little or no formal training in computer sciences.

Computer forensics are not regulated like its medical and accounting counterparts. They are normally self-taught people that developed an interest in digital evidence. This include, law enforcement officers, computer specialists or neither. The point is that you do not need to worry about your background; you have the first prerequisite mastered and that is curiosity. You need an inquisitive mind and a thirst for knowledge to start.

Having a computer science or law enforcement degree will help, but this is not a prerequisite. There are however some other prerequisites you must aware of:

  • Curiosity – You must have a curious mind and be the kind of person who always asks questions. You must have endurance to keep on searching until you find all the answers.
  • Organization – You need to be an organized and immaculate person. You will be dealing with a lot of information (data). The ability to analyze and organize it correctly is important. Every step in the forensic process must be documented and presentable to anyone without any technical background.
  • Patterns and Correlations – You must be able to recognize patters and see correlations in the data you analyze and distinguish between evidence and useless data. When dealing with something like emails, you can’t present thousands of emails as evidence, you will need to sort between relevant and irrelevant emails.
  • Observation – You need to be able to spot minute details, but also see the “big picture”. You should never be the reason a criminal “got away with it”, because you missed something.
  • Computer Experience – Regardless of whether you are self-trained or formally educated, you need a good understanding of computer science, IT security, networking, operation systems and software. You will also need to master the hardware and software tools you will use to collect evidence and discover hidden data.
  • Clean Criminal Record – Your criminal record needs to be clean. You need to always stay a “reliable” witness. When testifying in court, any discrepancies in your past can be used by the opposing attorneys to discredit you and your testimony.

The requirements for becoming a computer forensic examiner will depend on the agency you would like to work for. Some could require that you are a sworn law enforcement officer. In this case you will need to go through the necessary law enforcement training first. This may include physical fitness and firearm training.

The Computer Forensics Process

Your main function as a computer forensics expert will be to examine computers and devices for collecting evidence to convict or exonerate a person accused of a crime. Sometime you will need to prove if a crime was committed in the first place. You might be called to the scene of the crime to take custody of the equipment suspected of being involved in a crime or even examine it there. You will need to educate the “first responders” on the proper procedures in securing the equipment before your arrival so that important evidence will not be lost. It is important that they do not switch of the equipment or try to examine it themselves.

Most of the time, the equipment will be brought to you. No matter how you obtain the equipment, the examination process will always stay the same. Below are some steps in the computer forensic examination process. I will discuss these in more detail a little later.

Before You Start

It is recommended, but not always possible, to have a credible law enforcement official present at every stage of the examination process to “sign-off” on your collected evidence and supporting documentation. If you are the law enforcement official, ask another credible person to act as a witness and corroborate all the your documentation. This way; when you are accused of altering or fabrication evidence, you will be able to disprove the accusation.

Create Bit-Level Duplicates

When dealing with data on a hard disk or flash drive and before you can start examining the data and collecting evidence, you will need to create a bit-level disk image (duplicate). Each physical sector will need to be copied exactly. Do not use just any imaging software tool; use software certified for forensic investigation like EnCase Forensic Imager from Guidance Software.

Start your Examination Immediately

When you get called to a scene or as soon as you receive the suspect equipment, start processing it immediately to avoid any evidence loss, but always remember to create images of the storage devices first. Do not overlook external storage locations. This will include; external hard drives, flash disks, memory cards, phones, tablets and tape backup devices. Remember that the memory cards in GPS units, 3G dongles, digital cameras and digital picture frames can also contain evidence.

Do not Process the Originals

Once you have all the evidence collected and bit-level duplicates, you can start examining the data. Do not examine the originals, do all your examinations on the duplicates because when examening the original, you may alter the timestamps (dates) on the files and it will be difficult to prove you did not fabricate or alter the evidence. There are many forensic software tools available. A forensic examiner is only as good as the tools he or she uses. Use the right tools for the job and wherever possible, make sure that they are certified for computer forensics work.

Documenting and Presenting Evidence

The computer forensic process does not end after you’ve collected and analyzed the evidence. You will need to document your findings, create reports documenting the procedures used to obtain the evidence and also create timelines. This documentation will prove that the evidence was obtained in a legal manner and no evidence was altered or fabricated. Remember I recommended a credible person to be present throughout the process; a signature from him or her will add to the creditability of your documentation.

The documentation you provide can mean the difference to a successful conviction or a criminal getting away with it. Most of the time you will not need to testify in court and your findings will need to be presented by a non-technical person. You will need to explain your findings in detail in the documentation you provide to accommodate for this. You will also need to develop the ability to give a clear oral presentation of your finding for when you need to testify.


Computer Forensics might not be as exciting as you initially thought, but you will now and then get the satisfaction of putting away a criminal or exonerating an innocent person. There are many job opportunities available for a person with computer forensic skills, both in the private and public sectors, so pursuing a career in computer forensics is not a bad idea.

Sharing is Caring!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.