For those who don’t know, in addition to my work at Magnet Forensics, I teach Mobile Device Forensics at George Mason University. In addition to teaching the skills necessary to acquire and parse data from mobile devices, I attempt to share information that will be useful to my students who are entering the DFIR workspace.
Obviously, finding a first or next position can be challenging in any field, but specifically in “newer” or less established fields like DFIR. It also appears to be a hot topic! Lesley (AKA @hacks4pancakes) recently tweeted asking what infosec thing her readers wanted for the holidays, and a great number of the 500+ responses were related to finding a new or first position.
I tried to include information here that is useful for the seasoned professional, the career switcher, and those trying to get their first DFIR role right out of school. There have been quite a lot of posts about getting started in the field; the goal here is more specific to job hunting in DFIR.
Job Search Terminology
One of the things I like to talk about is how the terminology in our field isn’t very standardized and that it makes looking for positions a little difficult.
If you have tried to look for a job in Digital Forensics/Incident Response, you may have noticed some terminology differences around what our job titles are in this field. So as an aid to my class, I created this matrix and I thought it may be helpful for others looking for positions in Digital Forensics. After showing the below to my students and seeing their response, I realized this was something that may help others in the community. To find a possible job title that may be used in the field, grab any term from each of the three columns. Note each column has an option for none.
This can be quite fun as you explore some of the possible titles that may apply. I will say, I have had some wacky titles and that any of these can be preceded by a “level” modifier such as Senior, Mid, Junior. For example, in one job my title was Senior Mobile Exploitation Analyst. I hope that this helps someone who is looking for a position in digital forensics. If you have other additions for the matrix, I would love to know about them so we can expand the list of possible job titles in the field.
Where to Look
So now that you have some search terms down, where should you start looking? Well, you can find some of these positions on your typical board posting websites, and I would definitely look for positions there. That said, there are some locations that are more specific to our field. Ninja Jobs, for example, is a job search platform specific to information security and specifically includes both Digital Forensics and Incident Response listings. A quick search with those two sets of keywords yielded 76 active openings! Additionally, aboutDFIR, which has a wealth of information and resources for DFIR, recently added a dedicated jobs page specifically for DFIR candidates. Forensic Focus has a job vacancies forum that has been around since 2005. Many of those positions tend to be in the UK and EU, so if that is your region of interest, it is a great place to look!
What to Apply For
The short answer – anything and everything!
Now that you have some search terms to use on the more general job sites and some specific DFIR specialty job sites to look at, don’t be discouraged! One of the largest mistakes I see is that career switchers and those right out of school will often limit themselves to “entry level” positions. Specifically, for career switchers, this may not be the case. This may be your first DFIR position, but do you have expertise from working at a help desk? Networking? A SOC? Development or scripting? This could be very relevant experience! Don’t be afraid to apply for mid-level positions instead of limiting yourself to only entry level positions. You may be more than entry level and not even know it!
Another sometimes discouraging thing is that oftentimes the posts will have what appear to be ridiculous requirements. Don’t let that discourage you! Sometimes those positions are written the way that they need to be written because of requirements imposed by a statement of work. This is often the case for jobs where it seems like the requirements are impossible to find. They just may be, but apply anyway. Often some of the requirements can be waived or fulfilled after employment. For example, if a position requires a specific certification, and you have experience and a different certification, you may still be a viable candidate. Apply anyway! Oftentimes, the only steadfast requirement that cannot be waived or substituted with other experience or credentials is citizenship status in a specific country. There are plenty of “mid-level” jobs that senior examiners with years of experience wouldn’t qualify for on paper. Don’t be discouraged, apply anyway. The worst that happens is you don’t hear back. Alternatively, you could be just the right candidate! I have often hired people who didn’t meet the specification laid out in the job requirement, but they had the right mix of skills when I met with them.
Another note, if you are applying for a contracting position, a good question to ask the company is if the position exists today or if it is “subject to award.” A position that is subject to award means that the company is collecting resumes and filling their pipeline if they win the work. It is still valuable to apply for these positions, but it is important to keep in mind that they may not be available today or tomorrow.
The more flexible you are, the more successful you may be. If you are open to relocation, that will broaden your chances. You may have picked the area you really want to dive into, but being flexible is important here. You may not get your dream job immediately, but applying for positions where you can gain requisite skills can be valuable for the career switcher and student alike. If you are considering law enforcement or military, the entry process is quite different and will vary by organization. Keep in mind that these processes can be quite lengthy.
A resume and/or CV is critical. I recommend treating these as living documents. The same with your LinkedIn profile. Besides, if you update your profile regularly with each training you attend, publication you put out, and skill you learn, you will be ahead of the curve. Additionally, it won’t look suspect to your current employer that you are updating your profile in preparation for a potential career move. There are sometimes resume reviews/workshops as part of infosec conferences. Seek these opportunities out and have your resume reviewed by someone who has worked as a hiring manager in the field. Make sure your resume includes all your infosec / DFIR related side projects – blogs, GitHub, CTFs, etc. These will help you stand out. Additionally, include training you have received, lectures you have attended, and anything you have done to continue your education. While I am not going to dive into certifications in this post, please make sure to include them on your resume/CV.
As a working examiner, you will likely need to keep your CV current to show your qualifications. This can potentially be to submit for proposals as a contractor or consultant or to be accepted as an expert witness by a court. So as you continue to grow, speak, publish, learn, read, attend conferences, earn certifications, participate in CTFs, etc., continue to update your CV.
If you are a career switcher, remember that your resume can list relevant cross-industry skills. This can include technical skills such as networking or it can include soft skills such as briefing executives. As the field is new, there weren’t always university programs and training specific to the industry. DFIR personnel came from a variety of backgrounds including computer science, engineering, and traditional law enforcement and investigations. Now there are a variety of university programs and training specific to the industry. You may consider pursuing higher education in the field or additional certifications. That said, it is still a great opportunity to seek positions while you are pursuing that more formal education or certification. Then once you have the degree or desired certification in hand, you will have experience on top of that and can pursue a new position armed with those new skills.
It isn’t always just about having the right resume and finding the position you are a perfect fit for online on a job search site. Sometimes the key to finding the right position is truly networking. And honestly, that can be a daunting task, but it doesn’t have to be if you are meeting with like-minded individuals. Networking often comes down to someone at a company with an opening either a) making you aware of an existing or upcoming opportunity or b) providing a reference for you because they work where you have applied/are applying or know someone there.
There are a variety of national conferences out there, and I attend many of them. However, if you are trying to keep expenses low and meet and network with people in your vicinity, I suggest a couple of opportunities. I would suggest looking for a local BSides conference. These are local, small conferences that tend to be low cost or free for attendees. A great way to network, and to add a little occupation-related social action to your resume, is to volunteer to help with these events. Another great organization that has groups worldwide is HTCIA. The great thing about both BSides and HTCIA is that you will learn something! Often these meetings and events have a lineup of great speakers and content. DFIR.training has a great list of associations as well – so joining one in your area may be a great way to meet other professionals. Another opportunity is to look for meetups. Depending on where you are geographically, there may be a DFIR or InfoSec “meetup”. Sometimes those are harder to find and they certainly don’t exist everywhere. I recommend carrying cards. Handing someone a card can make a big difference in being remembered, even if the card has only your name and your blog or git repository along with your contact info.
Not all networking takes place in person. You can develop some great relationships as well as a reputation on social media. Now, the key with reputations is that they can be positive or negative. It is great to talk both technical and soft skills and follow different things such as #DFIR on Twitter or the Computer Forensics subreddit, or to participate in forums like Forensic Focus or listservs. That said, try to keep it positive. Bashing another examiner, tool, or company may be just the kind of action a potential employer would be leery about having associated with them. Sharing and participating in technical social media forums, on the other hand, is a great way to network with others in the field and increase your brand.
Branding can be critical for both the seasoned and new examiner. Branding can include your presence on social media. In addition to your public conversations, it includes the information you share, be it blog posts, scripts, open-source research contributions etc. I wrote a post a bit ago about sharing in DFIR that provides a wealth of different ways that you can get content out there, and doing any of these is valuable to branding.
Why take on this external sharing? Not only does it help spread the workload and save another examiner the research time you spent, this is how someone will validate your experience and knowledge. When I was in a role where I was interviewing and hiring digital forensic professionals, I interviewed students who had posted research via their university. Having read their papers provided me background on their studies and gave me places where we could deep dive during the interview, so I could understand more about their methods, and gave them an opportunity to talk about an area where they spent a significant amount of time. This helped me, as someone helping make the hiring decision, to understand what the candidate had the potential to do. Additionally, I have targeted candidates for positions based on their public body of work; these aren’t necessarily students. Need an idea for something to research and share? Check out the new communal research page on AboutDFIR for ideas and to volunteer to research.
Having written a tool that is used by the community goes a long way to getting you noticed! Another way to get noticed is by participating, and especially placing, in a Capture the Flag (CTF) or challenge. And even better yet, the hiring manager or senior examiner can review this content! There was a great post by CryptoCypher on the Alien Ware blog about branding for students. Additionally, Phill Moore of thisweekin4n6.com will be speaking about branding at some upcoming DFIR conferences this spring/summer.
Hopefully, this post has helped you with some useful skills in finding your next DFIR opportunity and potentially inspired you to apply for a position that you weren’t sure if you should. What are your tips for job hunting in DFIR? Any questions or comments, feel free to reach out to me: firstname.lastname@example.org or on Twitter @B1N2H3X.
Good luck and happy job hunting!