Hello and welcome to our weekly InfoSec Institute video series. Once again we’ll be discussing a career path for people either on the existing career path or looking to try something new to change their life or change their career.
Today we’ll be talking about a career in computer forensics with Amber Schroader who is the
CEO and founder of Paraben Corporation. Amber has spent the last two decades as the driving force for innovation in digital forensics. Amber has developed over two dozen software programs designed for the purposes of recovering digital data from mobile phones, computer
hard drives, email, and live monitoring services. In addition to designing for digital forensics,
she has also spearheaded the process and the procedures for mobile and smartphone devices
as well as the emerging field of IOT devices. Amber is the patent holder on the EMI shielding
container otherwise known as Faraday bag as well as inventor of many other shielding
products. Amber has written and taught at numerous classes for this specialized field
as well as founded multiple certifications in the field. So please welcome Miss Amber
Schroader. Thank you for being here. Hi, thanks.
Thank you for being here today. So we’re going to start, and again this is sort of coming
from a newcomer’s perspective, but let’s start talking at first a little bit about your professional
journey. How did you get started in computer forensics, and what triggered your first interests
in forensics? I’d say the biggest thing that triggered me
being interested, it was something that clipped in my brain. So this is the odd side thing
is that I’m dyslexic, so I naturally do everything backwards, which is really what computer forensics
is about in the first place is just taking all of security and doing it backwards, and
kind of putting those pieces together. And so it really clicked for me where some of
the other things they’re like, “Hey, we really want you to do it always this way.” It was
very prohibitive, I’ve also been a big person of imagination, which I know you don’t really
hear in a technology thing, but I think it makes a huge difference in being in computer
forensics and kind of going along that path. I started when I was 14, and worked my way
kind of through the industry and up until where I am now, but that was really kind of
one of the triggers is actually finding that little bit of success to say, “Hey, this clicks
in my brain and I can kind of follow it.” Now do you feel like the sort of path that
you followed from age 14 to the present day can be followed similarly now? Has the technology
changed? What were some of your jobs along the way that sort of got you interested in
this and so forth? Well I definitely think technology has changed
a lot, and nowadays I look at it, and I talk to my 15 year old kid, and he has no idea
what a command line is. So it is probably a little easier than it was when I started
where it’s a lot more button clicking than it used to be, so it makes it a lot more accessible
for a lot of people who might want to switch out jobs as opposed to starting the field
from the foundational time until now. I think it is a lot more accessible because it’s a
lot more use of just technology. I’m a fundamentalist. I believe you should
actually understand how everything works, but we’re a dying breed in the digital forensic
space. A lot of people have no idea what they’re examining at the end of the day.
Yeah. We talked with Keatron Evans, last week, who works at Incident Response, and he was
saying that one of his big pieces of advice was to know everything. Know the networking
aspect, know the security aspect, and you’re just going to find things better. So hearing
that from two different people, I think there’s probably a lot to that.
Oh yeah. So for the benefit of our viewers who are
considering computer forensics as a career for the first time, can you sort of walk us
through the day-to-day activities of a forensics professional?
Okay. So the big thing to have everything debunked, there are no lab coats, there’s
no one walking around in pig tails, and few unlike they’re that edgy like NCIS or CSI.
It just doesn’t happen. You will wear gloves all the time because computer data is just
as digital as other people’s data. It still belongs to someone else, but the day-to-day
is pretty simple. You spend a lot of time waiting for imaging to happen because that’s
just a fundamental aspect of it is that you’re going to image something, and computers only
process so fast. What I spend the majority of my time doing
is I’ll image, and then I’ll spend a lot of time in analytics, and really trying to understand
what my suspect is thinking when they’re doing it. I do a lot of smartphones, and so one
of the aspects of the smartphone is different than on a computer is you actually learn a
vernacular associated with a person, and that can be very hard because there’s a lot of
times I’m like, “Okay, I totally don’t understand what they’re trying to say here. Let me figure
it out with this.” If this acronym still means this when you’re my age versus the age of
my suspect because it is so different, and some of those psychology aspects really become
a lot more important when you start looking at digital data because it’s very personal
and active with that person. So a lot of it is spent in that, troubleshooting
because staff is abused, and so it doesn’t process perfectly. They have a TV. I think
if my mom calls me one more time and says, “Why don’t you do stuff faster? They did the
email in like 10 seconds.” And I was like, “Mom it’s not TV. It takes a couple of days.”
Right. No one is rotating 3D models in front of the-
No. It just pops up out of nowhere, and you’re like, “Oh good.” Then you’re like, “Yeah great.
No, I’m still breaking the exchange server down.” She’s like, “Exchange? They didn’t
have that on TV. You made that up.” And I was like, “No I didn’t.” It’s amusing because
the CSI effect has really changed the digital forensic space. It’s made it a lot more attractive
to people that are actually interested because it exists, but as far as, you know, day-to-day
I mean realistically, I’m in a tee shirt and jeans. We’re actually casual at our lab, but
we still treat it like a science. There’s a lot of checklists, there’s a lot of making
sure you’re following it and doing the same procedure every time because otherwise I’d
be doing more of an art than a science. And then of course there’s validation. We
do it once a quarter, so we have to revalidate our tools. It’s kind of like calibrating a
computer in a way. So we do that as part of our lab procedure, but I don’t know if a lot
of people do that. There’s a lot of writing as well. No one ever talks about that in computers.
You got to be a good writer. There’s a lot of it.
Yeah. You’re conveying what you found to someone else. You’re not just-
Mm-hmm (affirmative). And you have to make sure they understand it, and it’s even harder
if you’re doing any work with a jury because then you’re explaining it to your mom.
Mm-hmm (affirmative). Or 10 of your moms. Yeah. 10 of your moms that are all talking
together behind your back, and you’re like, “Oh please let them understand what staff
check does.” It’s not pretty. So what are some of the big challenges you
can expect to face in a standard day? Like what are the things that are really sort of
difficult on a day-to-day basis to work through? I think part of it is that frustration of
just things not going well or not working with mobile more than computers. Normally
computers, hey you’re going to have a problem pulling a drive, different things like that.
Why does it have this weird encryption? But with phones, you have to adjust for every
phone because it’s clanking around in someone’s pocket, and it really changes your acquisition,
and then you’re having to work in a Faraday Cage on top of it, which makes it so you’re
like, “Great, I’m wearing these weird metal gloves while I’m working on this.” It’s kind
of that adjustment to it. It’s not perfect. Everyone always expects working in anything
digital to be perfect, and it’s a lot of troubleshooting. It’s okay, it works great this time, let me
follow the procedure, let me image it with more than one tool, and then it didn’t work
great with the second tool. And you’re like, “Great, now I’m on the third tool.” Then when
you hit the fourth tool, it’s a camera, and you’re taking pictures of a screen and everything,
and you’re like, “This is not what I expected.” Yeah. So on the other side of that, what are
the most interesting parts of the job? I think actually, don’t laugh, it’s the data.
Not that reading everyone’s little deep dark secrets is that exciting, but it’s interesting
to see how people actually function with their data. I did a case in the last 12 months,
and I use it as an example because it was the first time in my career I ever had my
suspect where the only device they used for the internet happened to be a smartphone.
And so they had 235,000 text messages, and I looked at that, and it was like, “Holy crap,
this is a lot of reading. I don’t want to read this.”
Yeah. They had 125,000, 130,000 cookies on a phone. On a phone, and you’re just like,
“This is a massive amount of data for something you wouldn’t expect that to come from.” And
there was a lot of sifting. It actually took two of us to do the analysis because actually
of an age difference. We only had an age difference between me and the other examiner of about
five years, but she was from a different region in the country because I didn’t understand
the vernacular. So I couldn’t put everything together on my
own. It took that extra kind of explanation, but that data part is very fascinating. If
you like doing puzzles and putting things together, digital forensics is the space for
you. Wow. So what are the certifications that you
think are crucial to have when considering hiring a forensic professional or being one?
And do you think that certifications are a mark of knowledge on the candidates part or
is hands on work weighted more heavily? Do you think there’s advantages to both? Disadvantages?
I think there are advantages to both of them. So a lot of certifications in digital forensics
actually come from the manufacturers. So for example, Paraben, we have our own certifications
that are associated with our tools because we’re essentially telling you how do you use
this drill to the best capacity you can use this drill? And so you have to go through
that process for it, you get that from OpenText, you get that from AccessData, etc.,
so they’ll each teach you that. So that’s important because I don’t want you to come
into the office and not be able to use digital. That gets a little freaky because I have to
wait for you to be functional with the tools you’re given.
So that’s important to get a diverse offering in that. I think that’s the other thing is
not make sure it’s centric to one thing. Overall, certifications I think there’s a variety out
there from ethical hacking, like a Certified Ethical Hacking, Forensic Examiner… I can’t
ever do the acronyms, it’s the dyslexia. Right. Fair.
Yeah. I’m like, “Oh there’s a lot of them.” Those have a value to them because you’re
going to learn those fundamentals as are the college degrees. You can get in cyber and
different things like that, but you need to have those fundamentals. Those certifications
didn’t exist when I started because it was in the very beginning, and so a lot of that
you can actually compensate for some of it with really taking time to read some of the
fundamental books. There’s great books out there that you understand. If I’m going to
do a file system work, I’m going to read Brian Carrier’s book on file systems because that
would make sense. He’s got fundamental information on that.
And being up to date in those areas based on the type of exam you’re going to do, because
that’s the big thing is you get writing. I’m also dyslexia and ADHD. I’m like a combo pack.
So with that, it makes it very interesting because you’re not doing the same thing every
day, but it means I’m constantly having to do a learning. So yes on the certifications,
a huge variety out there, but a lot of people have started to specialize. I keep myself
well rounded so not necessarily specializing in one place, but a lot of people emerging
in the field there, I’m only going to be doing computers, I’m only going to do mobiles. IOT
almost. There’s actually not that many people doing IOT right now, but you’re kind of seeing
subsets come out just because the knowledge base is so large.
Do you think that there’s a strength and weaknesses to either? You personally, do you recommend
still staying well rounded or do you see benefits in a specialty?
I think it’s better to stay well rounded because you see too many trends change with. So we
have devices that they talk about Apple right now is how they’re changing their firmware,
and they’re locking computer forensic tools essentially. That’s really what it’s doing
is disabling the port. So you look at that and say, “Well what’s the future of doing
Apple forensics? That’s my specialty.” Then you just kind of cut yourself off and you’re
like, “Great. Now I need a new career path.” It’s like, “Okay you’re going to go open a
food truck?” So you got to adjust and say, “Hey, let me see that I have some other skillsets
associated with it.” There is a massive technology merging happening
no matter what, where all of our different electronics are kind of coming together, and
you’re seeing … I always joke, I said, and they put out an article where it’s Cortana,
and Alexa, and Siri, how they’re the new version of the Heathers, the new best friends of each
other that are trying to rule everyone because that’s multiple platforms, and that’s really
we’re having to look and research. And so people understanding that and understanding
things like the cloud I think are really important because that’s really where data is ending
up going. Now, sort of moving on from that to sort of
the workforce. What types of companies and organizations can a forensic professional
expect to work with? Are you mostly working on sort of contract basis, or do any corporations
feature or hire an in-house forensic expert? A lot of them hire an in-house forensic expert.
They become part of their risk assessment team a lot of times. So you’re usually communicating
to them, reporting with the legal department, which you wouldn’t expect to be. You’re like,
“Why aren’t I part of IT?” But a lot of times you’re reporting to the legal. I’m surprised
in how many corporations, I never would have guessed it, have internal forensic examiners
because you never know when there’s going to be a response to an HR issue, a compliance
issue, whatever it may be. That might not be a breach where we’re used to seeing that
kind of on the security side, and on the forensic side you kind of get all the little pieces
as well. So they’ll have one to two guys in a company
that is a multi-billion dollar company who just do digital forensics. So I think there
is always a call for that. There’s also lots of people out there that have external hires
as far as doing it in contracting as well. Okay. Can you tell us a little bit – I know
you sort of come to computer forensics from the sort of corporate or private sector. Can
you tell us a little bit about the difference in your sort of day-to-day work between corporate
private versus law enforcement, how your skills vary, what your activities are and so forth?
So, corporate, I have a lot more regulations is really what it comes down to. I have a
lot more restrictions, there’s extra paperwork associated with it, there’s a lot more consent
that you have to get from the different parties involved to make sure that you’re able to
access every layer of the digital data that they have. So you do get bobbed with a little
bit of the paperwork in comparison to law enforcement where they kind of get one tier
of paperwork, and it gains them access to a lot of different things. The other thing
is the type of data that I’m looking at. I prefer looking at the corporate style and
civil data than I would want to look at the law enforcement data, and I have a lot of
respect for those that do do it because it’s very hard to see the digital crimes that are
happening on that side. That is actually an area that I’m sure you’re
going to have someone talk about that in the law enforcement side, but they actually had
to start dealing with the how do you cope with the type of data you see. Digital forensics
doesn’t uncover unicorns and rainbows all the time. So it’s like you have to be prepared
for that zombie unicorn that’s in there that’s like, “Oh this is bad. I didn’t expect to
see this.” Now, do you need to be on kind of one career
track or the other? I mean we talked about specializing before, but do computer forensics
professionals move freely between sort of law enforcement and private sector?
Oh absolutely. I think they can. A lot of law enforcement when they retire and they
go private sector, they’ll make sure they stay a sworn officer with a group that they
did work with, and volunteer their time into some of the organizations that are out there,
like ICAC, Internet Crimes Against Children. They can volunteer that way. So they’ll stay
current in both ways. If they decide to start their own shop, obviously doing this type
of thing it’s all about making sure you have the right letter of engagement, consent agreements,
and of course insurance because you’re dealing with people’s data. So you want to make sure
you have all that put into place before you start your own shop up.
Okay. Excuse me for a moment. What are some of the most common mistakes that computer
forensics aspirants make along the way? What is something that you could do that would
sort of put you back in your journey that you should watch out for?
Okay. So like actually pull out a little soap box, and we get a stand on it.
Please. So here’s my pet peeve. People forget that
it’s supposed to be a science, it’s not an art. You don’t just kind of walk in and be
like, “I feel like doing it like this today,” and it’s going to work out really well for
you. And so a lot of organizations that do have forensic people and a lot of people starting
into it don’t go through and actually do a proper validation of their tools, and they
don’t revalidate them because it would be nice like, “Oh our systems never change”,
but we’re dealing with digital data. And so it’s changing all the time.
So there’s a lot of that process and procedure that are missing. And as I deal with different
attorneys, I say, “That’s the first question you ask the other side.” It’s like, “What’s
your validation plan?” Because it’s kind of calling them out. It’s not necessarily about
what my personal certification is, it’s how is my lab actually functioning as a lab, and
people forget that aspect of it because it’s writing. They’re like, “Oh I don’t want to
do that. It doesn’t sound exciting, it’s not interesting.”
It doesn’t take long, but it’s maintenance. You have to do it. You wouldn’t sit and never
update Windows. We all suck it up through Patch Tuesday, and this is kind of your quarterly
patches that you have to do to your lab accreditation in a way. Not official accreditation, but
just every lab has to have validation, and they’re not doing it, and I think it’s really
going to catch some people, and it’s going to make horrible case law because as a digital
forensic person, I have the burden of proof. My job is to prove your innocence or your
guilt. It’s either side, it’s not just one side. It’s not like, “Oh everyone out there
is guilty.” No, it’s you’re proving innocence or guilt, and they forget that, and you have
an obligation associated with it. That’s my old school, “Here’s my little soap box. You
can put it away.” Great, great. Yeah and again that sort of
speaks to this sort of new generation of people who might have seen NCIS or whatever and think,
“I can just kind of come in on my instinct, and puppy my way through it.” Yeah, yeah.
Exactly. Yeah. You’re going to sit down like and are
going to open this computer, and you’re going to start reading this email, and you’ll say,
“It’s right there.” And it’s like, “Nope, it doesn’t work like that.”
Nope, nope. So again because this is a career path and because not everyone is already sort
of along the way, but might be watching this and thinking that they want to make a sideways
jump into computer forensics, what is one thing that a person could do or make in their
current job that would bring them a little closer to a full-time career in computer forensics
whether that’s reading in the evenings, or asking for initial responsibility at work,
or doing something hands on. What do you think? I think there’s a couple of different endings
that they can do. First off, before they decide to explore the field, remember one crucial
thing is no one can teach you to be the investigator part of it. They can teach you all the computer
stuff. Every single one of us that is a nerd, we can go through, we actually like our computers
and probably talk to it on occasion, all those things. That’s the easy side of it. The side
that’s very difficult to teach is really building up that, an understanding approach to the
data that says, “Okay, how do I know that Bob is talking to Sally, and they’re committing
these crimes together?” And that process is really that part you should look to refine
a little definitely, and make sure it’s something you like to do.
But in the evenings it’s the same thing that I do to maintain my career, which is a lot
of reading of what emerging technologies are, and how they’re going to impact forensics.
How can they be used in a crime? I sign up for free training all the time. This is, “Okay,
let me sit and watch this and see that experience for someone else.” I’ve actually billed every
manufacturer that makes technology for this space because it’s heavy R&D in this space,
and start subscribing to their YouTube channels. I never thought I would say that, I feel like
I’m too old to say that I totally spend time watching YouTube, but I spend time watching
YouTube because there’s good content on there that walks me through it, and teaches it,
and then practice. The best data to practice on is your own because
you understand what it’s like to kind of through it and say, “Oh I did send that text message,”
or, “Oh, I did send that email.” And be able to know that you could find it means that
you could find it on someone else that you don’t know anything about. A lot of times
you’re just given a computer and you’re like, “I know nothing.” Great. Let’s see what I
can put together and find. It’s a practice field. I don’t think it’s one of those where
you can just read all the time, where you can just use certifications. I think it’s
a practice. I always encourage people to practice on their
kids. They’re minors who enjoy it. Look at what they’re doing. I know I’m going to get
so much crap for that, but at the end of the day that’s what I did with my kids. They have
an obligation. Watch out for the comments section. There’s
going to be a lot of 15 year olds down there. Yeah. They’ll be like, “No.”
“No, don’t do it!” It’s true. At the end of the day, one, it’s
a great way to start a conversation. I said, “Hey, you really shouldn’t be going there
on the internet. Let’s talk about why.” But it’s a good way to kind of understand how
natural digital movement occurs. You can’t do that from fake data. You get that from
real people using it. Right. Let’s talk a little bit about the career
field these days. What’s the field like for forensics experts these days? Is it growing?
I assume it’s probably growing, but what are some ways that you can set yourself apart
in a potentially tight job field? Statistically it is growing. So that’s a positive
is usually when economies do better, then there’s more crime. More people going to court,
and all those things, that’s all the signs of a positive economy and everything else.
Things that you set yourself aside, again people laugh at me. They’re like, “That’s
not a digital thing.” But actually being a good writer is a huge difference because it
is a lot about your reports because that’s really your work product at the end of the
day, is making sure that it’s coming across clearly that you can convey those ideas in
written language because the other side is if you end up going and giving testimony,
you’ve got to be able to do it verbally. If you can’t do it written, you probably can’t
do it verbally. They kind of coincide with one another, and just kind of putting themselves
out there for it. If people don’t feel comfortable with that,
then they need to get comfortable with it. Old school, join Toastmasters, things like
that. So you can actually start being comfortable about conveying information to other people.
It’s not like IT where you kind of sit in your zone and you may not share it with others.
This one, you’re going to share it with somebody. It’s probably going to be a lawyer too, which
they’re not always happy to hear what you have to say.
Mm-hmm (affirmative). So looking ahead now to the years to come, what is your sort of
spot prediction where the field of forensics is going to be gone in the years to come with
regards to technology changes, or procedures? I think it’s going to come down to a lot more
cloud and a lot more live. So those people out there that do have network skills, that’s
really going to become quite handy and a lot easier to kind of cross the bridge over and
be able to capture data in a digital forensic manner because that’s where the data is missing.
It’s not sitting on the computer so much anymore. It’s out there. It’s on someone else’s computer
now. I mean it’s on the cloud. And because of that, I think having that mixed skillset
will be a big deal. If I were to pick my area of knowledge is the weakest is actually probably
on the network side because I rarely do anything with network forensics anymore.
I’m doing either a dead box, I’m doing smartphones, or I’m doing IOT, which means I’m also doing
cloud, and I realized, I’m like, “Who had to pull back in those recesses to that other
partition of my brain?” And say “This is okay. Let’s review that old information I had in
there, and update it, and make sure I’m good to go.” But I think it’s an easier bridge
for people because that’s coming very, very quickly. In the next year probably being able
to understand a cloud architecture and where data is stored in the cloud, and how you can
potentially capture it will be an entirely unique skillset, and people will love having
that on their team. That’s fantastic. It’s a really great place
to wind things up. Do you have any final tips or encouragements to our potential computer
forensic aspirants? I think the biggest thing is don’t give up.
It’s never an easy transition, and it’s not … Every case isn’t one of those, “Yes, I
found this smoking gun. It was amazing.” A lot of times you’re like, “I found nothing.
I just looked at 100,000 different things, and I read through all of it, and I found
nothing.” It’s a process, and they’re not always going to be interesting, but at the
end of the day it’s that old school justice side of me. I always grew up wanting to be
Wonder Woman, so it was … I know I’m doing my best to prove an innocence or guilt, and
that’s why I really love this space, and I stayed with it for as long as I have.
We’re awfully glad that you have stayed with it for this long, and I would like to thank
you very much Amber Schroader for talking to us today. Just a reminder for those of
you watching this video, InfoSec Institute also features classes and online boot camps,
and in-person boot camps on computer forensics and many other topics. You can visit us at
infosecinstitute.com. If you’d like to read lots more about computer forensics, you can
also check out our daily updated blog at resources.infosecinstitute.com. Thank you for watching, and we’ll see you