Friday, February 20, 2009

Part 3 - Considering a Career in Computer Forensics?

What kind of jobs are out there? Can I get a job doing this work?

Those are probably two of the most important questions on anyone's mind when considering their first career or a career change.

While the general consensus seems to be that the field of computer forensics is exploding, I am not sure I agree with that conclusion.

The other thing to consider is that right now, the IT market is collapsing, with the number of job openings shrinking as people are getting laid off, setting up a situation where there are more applicants seeking fewer job opportunities.

If anything, the largest growth in the employment market for computer forensics people is going to continue to be in the law enforcement sector. The government continues to put money into new forensics labs and they need staffing.

The quandary is that many law enforcement agencies will not use civilian employees for computer forensics work, but insist on using sworn employees.

The typical path in law enforcement is to become a police officer or special agent, and then spend a number of years doing general police work. After that, you might have an opportunity to move into computer forensics.

In the private sector, I have not seen much indication of new job openings in this field, especially not for people just entering the field. Most of the job openings I have seen have been for experienced examiners.

With an influx of highly trained and experienced IT people entering the job market via layoffs, the competition for IT security jobs and entry level forensics jobs is going to get tougher.

Also, it appears that the US is lagging behind in computer forensics growth compared to the UK and other European countries. For instance, on Forensic Focus, I see many more job vacancies for UK posts than US posts.

A search for the term Computer Forensics on Dice returned 52 openings and the same search on Monster returned 85 openings.

SimplyHired returned 1282 openings against a database of 2.7 million job postings. This was higher than I expected, to be honest. However, not all of these are pure computer forensics jobs; some are sales, engineering and such. Also, when I clicked on several of the hits to review the jobs, some were no longer valid links.

The problem for people new to the field is that there are very few entry level jobs available.

That doesn't mean you can't get a job, it just means that it may take longer to land a position than you might like.

What about certifications?

Honestly, the truth about certifications is that they really only serve two purposes: getting you an interview, or impressing people so that you are accepted as an expert in court.

Experience outweighs certifications every time. So if you lack experience, then getting a certification is probably worth it. Bear in mind that getting certified does not make you a better examiner. As with most licensing or certification tests, the goal is to answer the questions to satisfy the testers, not to demonstrate real skill or knowledge. Even the "practical" portions of some of these certifications are more about guessing what they are looking for than performing real world analysis work.

The trick about certifications is that they are an industry unto themselves. For instance, to get to sit for some certifications, you must demonstrate a certain level of training that is, of course, provided at a hefty price by the certification company.

Getting the training is a good idea if you can afford it so you can properly use a particular product or technique. I am all for training and would rather see that on a resume than a certification any day.

While I believe that this field will grow at a healthy rate, and I do think jobs will be available, it is important to understand that the narrower your field of specialty, the fewer jobs there are, period.

Patience and preparation are a must, as is deciding whether you are willing to work as a sworn officer for a number of years to get into some law enforcement positions.

Also, be willing to enter a company in a related position to get in the door, with the idea, and hopefully a conversation at the outset, that your goal is to practice in your specialty when the opportunity arises.


  1. When I do an search on "computer forensics", up comes 2063 jobs. I've no idea how many of those are bad links or non-technical gigs though.
    It would seem from eyeballing these lists of jobs, few of them are LE-related, most are corporate and gov't-related (defense contractors). I would expect that these latter varieties of jobs are in a whole 'nuther world from the in-the-court-of-law sphere. There would be a lot of crossover from forensics to, I would think, the cyber-security (perhaps even cyber-warfare) realms.

    I agree with your assertion that "narrower your field of specialty, the fewer jobs there are", though that might be brushing up against the borders of tautology. However, virtually *all* areas of computer work are specialties. Flash development is a specialty. Device drivers are a specialty. Email protocols are a specialty. JEE architecture is a specialty. Therefore, simply making the move from some other area of CS/EE into some flavor of forensics is not necessarily increasing one's specialization. For many it could actually be expanding, both in an intellectual as well as an employment sense.

    Back to the #s though. When I do a similar search ( on "Ruby", a very popular computer language, I get around 2800 results. For "Python", a much older and also very popular language, I get around 5600 results. For "device driver" ... an area of *extreme* specialization, I get 5900 results. For "linux kernel developer", I get around 1200 results. So it would appear that "computer forensics" has openings on the order of these aforementioned specialties...specialties that are considered to have good employment prospects. I would no more warn someone off becoming a forensics expert than I would becoming a Linux kernel developer, solely on numbers such as these.

  2. If you look at the actual job listings you mentioned on, you will notice that a lot of them have nothing to do with computer forensics. The search engine returns hits for job listings by companies that have "computer forensics" in their company description, whether or not the job being posted has anything to do with forensics.

    Plus, if you notice, Indeed scrapes the jobs from Dice, EDAdvisor, Monster, so quite a few of the listings are going to be duplicates, not unique postings.

    Of the 2063 job listings you mention, I suspect that there are on the order of less than 1,000 openings for "computer forensics" jobs.

    However, I am not warning people off the field, I am just preparing people for the reality of working in the field so they can make a considered opinion about it.

    The job prospects are the least of the considerations in my opinion. And if you do "computer forensics" where someone gets sued or charged, you will end up in court someday to defend your findings. It might be a military court, or some other proceeding, but it will happen.

  3. "Breaking into" the computer forensics field (and by association, incident response) can be difficult. If you're in an area with a community college or university that offers a computer forensics degree, consider taking courses and getting access not only to the placement office, but the instructor and others in the courses for networking and advice.

    Having conducted two rounds of interviews in a year for my team, I look for hands on experience over certifications. I would much rather have someone who has engaged on their own, rather than someone who cannot learn without sitting in a classroom and being walked through's that inquisitiveness and ability to explore on your own that makes the difference between a good examiner and a great one.

    Getting a job in this field, particularly in the US, can be more about who you know than anything else. In the Metro DC area, companies such as ManTech and SRA International, as well as others, use online resume submission applications, and very recent experience (mine, and others) has shown that these go pretty much nowhere. In order to get your resume to the hiring manager, you need to know the criteria for searching placed on a job description (i.e., the word "forensics" must appear in the resume X number of times) or you need to know someone.

    One great and beneficial way to proceed is to get training that has job placement along with the military or law enforcement.

