So you want to get into DFIR?

For this week, I felt the need to touch on things for those who are looking for their pathway into InfoSec, particularly Digital Forensics & Incident Response. So this will be a multi-part posting through the week, with each day covering a different aspect. My hope is that those who are looking to get into it will get something out of it, and that those already within it may consider some things they had not yet…especially if you happen to be in a leadership role over these folks.

So as we go into this together, let me first give a shout out to Devon Ackerman, who graciously hosts my blog and also maintains a repository of darn near anything related to the field. Please see for more information relating to Classes, Certs or CTFs.

The Basics

We need to shore up some stuff quickly first. I delineate a distinct difference between Forensic Examiners/Analysts, Incident Responders and Investigators. I do this as a matter of my own legal brain, as a methodology of separation of duties along with specific job roles for each one of them. While many of us can fill multiple roles, that comes with time and experience in my personal opinion. I’m also one of those folks who is a strong advocate of gaining some experience in other realms before jumping into InfoSec in general. This is a hard one for many, and something a lot of people will disagree with me on. But my reasoning is that just because InfoSec has the sexy job titles right now (and the pay is usually higher) doesn’t mean that jumping right into it is advised. A lot can go wrong very quickly.


For me, the best pathway to getting into Digital Forensics is through a solid education in Information Technology followed by forensics training. I am not a strong advocate of vendor certifications like AccessData’s ACE or even EnCase’s EnCE as initial certifications. That is largely because those certs typically revolve around the tool and not the actual knowledge of Digital Forensics. They are great for showing mastery of the tool in court, or to a future employer if that is their preferred tool, but have something else that really gets you into the weeds of forensics. If you were to ask me what the best course to take outside of academia is, I will be biased and say SANS FOR500. Simply put, there are a ton of people who contribute to the material of that course on an almost monthly basis to keep it updated and relevant, something I’ve not seen in other widely praised certifications out there. If you are doing practical analysis on a FAT12 floppy or a Windows XP machine, you’re doing it wrong.

Formal Education

As you’ll see from Devon’s website, there is starting to be much more focused training out there for digital forensics specifically. In my opinion, this is good and bad. It is good because the field is getting more recognition as a legitimate IT field. It is bad because most of what you learned in your first year will be irrelevant by the time you’ve graduated. This is also my issue with the US-based degrees. Many of them are not really teaching anything that you can’t just Google and learn from a YouTube video. Because software can be so expensive, they rely much more heavily on open source tools…many of which are completely outdated because the course material is not updated nearly as often as it needs to be. Herein lies the biggest issue, and something I’ve noticed in the difference between how other countries teach and how we do. Here, even learning the basics of interpreting hex is something that really does not get taught. One thing to look for when choosing a school is whether it is certified by someone to be teaching it. Look for things like the program being certified or sponsored by the NSA, DHS, Cyber Crime, Department of Defense, etc., if you’re in the United States. These programs are at least audited by an outside entity for relevancy of the courseware. That beats just going some place and wasting money on courses that really don’t teach you anything in the field.

Getting Experience – Public v. Private

This is where you’re going to really have two paths in front of you. Do you go Private or Public sector? I cannot make this decision for you. But what I can tell you is that some of the most memorable work I have ever done was during my public sector tenure. You’ll learn very quickly things that the private sector, or even your courses, simply cannot teach. But you had better have a good head on your shoulders and solid moral footing. More to come on this later in the week.

The private sector will offer its own challenges and experiences that you may never see in the public sector as well. But they are much more in line with corporate strategy and hurdles. Instead of worrying about a person not providing you their PIN, you have to worry about GDPR regulations for an employee who lives in the States but is a citizen of Germany. This is why I normally suggest folks work either with Legal IT or as a SOC analyst before trying to get into digital forensics/incident response/investigations within a company. It gives you a much better understanding of the legalities out there, and protects you from your employer, or a lawyer, ripping you apart because you didn’t know what you were doing. But more to come on this as well during the week!

Stay tuned tomorrow for diving into Public Sector!