Want to Break Into IT Forensics? Here’s How.


A rising number of online security breaches—both large and small—has led companies in a variety of industries to hire forensic analysts in droves. If you have an IT background, you have a chance at transitioning into the field, even if you have little (or no) prior experience in IT forensics.

Transferable Skill Sets

Tony Robinson, a senior security analyst for a major power company, started his career as a systems administrator. “I feel like this background in systems administration is what allowed me to gain the knowledge I needed to excel in information security,” he said. “If you’ve never built, maintained, or administered a system, then you really don’t have an appreciation for it, how companies use their computer systems, or realistic/effective ways to defend systems.”

For those who want to get into forensics, Robinson recommends learning as much as possible. The ultimate goal is to “establish yourself as someone who has knowledge of how companies use their information systems, how they’re deployed, maintained, etc.”

Any candidate for a forensics position should have a foundational IT skill set, added JP Bourget, founder and CEO of Syncurity Networks: “Candidates need to know how an OS works, and not just Windows but Linux, too, and increasingly Mac.” Knowledge of networks is likewise vital if you want to figure out how an attacker gained access to a system.

“For instance,” Bourget added, “if [a victimized company runs] Windows, you must have a grasp on the file system, because the only way you can tell if someone stole a file is if you can understand the forensic artifacts that Windows leaves behind.”
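One concrete way to "understand the artifacts" is to put filesystem timestamps on a timeline and read them together with the other traces an action leaves. The following Python is an added example, not code from the article or from any of the people quoted: it parses a Sleuth Kit bodyfile (the `fls -m` / `mactime` interchange format, `MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`) into a MACB timeline and pulls out every event inside a suspected incident window. The three sample lines, paths and epoch values are constructed for illustration.

```python
"""Build a MACB timeline from a Sleuth Kit bodyfile and slice it to an incident window.

Bodyfile columns (TSK 3.x): MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
On NTFS, ctime is the MFT-entry change time and crtime the file creation time.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample (hypothetical paths and epoch seconds), shaped like `fls -m` output.
SAMPLE_BODYFILE = """\
0|/Users/alice/Documents/payroll.xlsx|1234-128-1|r/rrwxrwxrwx|0|0|48213|1700000900|1690000000|1690000000|1690000000
0|/Users/alice/AppData/Roaming/Microsoft/Windows/Recent/payroll.lnk|1235-128-1|r/rrwxrwxrwx|0|0|1024|1700000910|1700000910|1700000910|1700000910
0|/Windows/System32/notepad.exe|5000-128-1|r/rrwxrwxrwx|0|0|200000|1600000000|1600000000|1600000000|1600000000
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    macb: str   # one of 'M' (modified), 'A' (accessed), 'C' (MFT changed), 'B' (born/created)
    path: str
    inode: str
    size: int


def parse_bodyfile(text):
    """Return one Event per (file, timestamp type); a 0 or empty timestamp means 'unknown'."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split('|')
        if len(fields) != 11:
            raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
        _, name, inode, _, _, _, size, atime, mtime, ctime, crtime = fields
        for flag, raw in (('M', mtime), ('A', atime), ('C', ctime), ('B', crtime)):
            if raw in ('', '0'):
                continue
            ts = datetime.fromtimestamp(int(raw), tz=timezone.utc)
            events.append(Event(ts, flag, name, inode, int(size)))
    return events


def build_timeline(events):
    """Collapse events that share (timestamp, path) into one row with a mactime-style
    MACB column such as 'macb' or '.a..', sorted oldest first."""
    rows = {}
    for ev in events:
        flags, _, _ = rows.setdefault((ev.ts, ev.path), (set(), ev.inode, ev.size))
        flags.add(ev.macb)
    timeline = []
    for (ts, path), (flags, inode, size) in sorted(rows.items()):
        macb = ''.join(f.lower() if f in flags else '.' for f in 'MACB')
        timeline.append((ts, macb, size, inode, path))
    return timeline


def events_in_window(timeline, start_epoch, end_epoch):
    """Rows whose timestamp falls inside [start_epoch, end_epoch] (UTC epoch seconds)."""
    start = datetime.fromtimestamp(start_epoch, tz=timezone.utc)
    end = datetime.fromtimestamp(end_epoch, tz=timezone.utc)
    return [row for row in timeline if start <= row[0] <= end]


if __name__ == "__main__":
    timeline = build_timeline(parse_bodyfile(SAMPLE_BODYFILE))
    # Hypothetical incident window: ten minutes around the suspected file theft.
    for ts, macb, size, inode, path in events_in_window(timeline, 1700000000, 1700001000):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {macb} {size:>8} {inode:<12} {path}")
```

Read together, the two rows inside the window (an access on `payroll.xlsx` followed seconds later by a freshly created `payroll.lnk` under `Recent`) are the kind of correlated artifacts Bourget is talking about. The caveat a practitioner adds: NTFS last-access updates are disabled or throttled on many Windows systems, so the `.a..` row may be absent in real evidence, which is exactly why the LNK file and similar secondary artifacts matter.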

Certifications

Most federal agencies and government contractors require their IT staff to hold certain certifications in order to perform applicable job functions. For that reason alone, it’s worth considering whether to pursue certifications, although some tech pros prize field experience far more highly.

Among certifications, many in the security industry readily embrace SANS, whose forensics courses (and the associated GIAC certifications) cover nearly every aspect of digital forensics and incident response.

Not all security experts frown on certifications. “I just kind of look at them like continuing education,” Robinson said. “After a certain point in your career, they become less and less important, but for newcomers to IT Security, getting a few certs not only grants you some nice foundational knowledge, it also establishes that you are willing to learn.” The certifications that he’s earned over the years include CCNA, Network+, A+, Security+, Linux+/LPIC-1, CEH, and more.

How to Build Knowledge

One of the challenges of forensics is that it’s not well-defined as a sub-industry; there’s no one path to becoming an expert, although there are many avenues to educating yourself.

If you want to learn more about the latest and greatest in the field, head to the blogs. There’s Lenny Zeltser’s eponymous blog, for example, which is popular among forensics folks; for those interested in speaking with experts, there’s also David Cowen’s weekly computer forensics hangouts on Google+. Search online for talks by heavy hitters Dave Marcus and Raphael Mudge, too.

“Get involved in the information security community,” Robinson advised. “Find your niche and people that are into the same subjects as you. Network with people on social media. Go to local hackerspaces/makerspaces, security meetups, etc. Attend security and IT conferences whenever you can. Look for an ISSA chapter, OWASP chapter, InfraGard chapter, LUG (Linux User Group), etc.”

Hands-on lab work is another major area of study, one that’s become far more accessible in recent years thanks to virtualization: newcomers no longer need racks of physical hardware to set up lab networks and simulated environments. Robinson suggested the following security-centric training resources that can help you sharpen your technical skills:

There are also free security conference recordings available via Irongeek and the Internet Archive. Books are another inexpensive way to get a leg up. Bourget said a good start is The Basics of Digital Forensics.

Soft Skills

Forensics experts must have an investigative mindset and a real passion for sleuthing. Nearly all hiring managers look for an intense interest in the subject. If you are unable to patiently solve difficult puzzles or don’t like following mysteries to a logical end, this is not a career for you.

Being able to communicate with everyone from junior staff to executives, and possibly to give testimony in a legal setting, are necessary soft skills. Eric Robi, founder and president of Elluma Discovery, said there are a lot of IT people who try to transition to forensics, and some are better than others: “There are those who are comfortable staying in the server rooms and talking to the machines all day and that personality is not a good fit. This industry is really about communicating your results, so you have to be able to very effectively convey your findings to everyone who needs them.”

Good report writing skills are also required. “What you find in an investigation is relatively pointless,” Robi said, “unless you can write about it with clarity in English.”

While looking for a job, the quality of your writing may well get you noticed. Bourget encouraged candidates to write blog posts about the topic of their choice. “Let’s say you decide you love memory analysis,” he said. “Write some memory analysis for beginner posts. Show that you can explain it to other people. Your work will go a long way to proving the depth of your interest.”