Please note: I do not know much about job roles outside of Digital Forensics & Incident Response (DFIR). If you know you want to be in Cybersecurity but aren’t sure what area you want to be in, or if you’re interested in a field other than DFIR, here are some resources.
The following is my advice for getting into the Digital Forensics & Incident Response (DFIR) field. I have also posted links to the advice other DFIR professionals have offered via blog posts and videos.
- There are different job roles that conduct digital forensics investigations. Everyone’s path into DFIR is different. It helps to determine which role you want to be in. To learn more, see: What is DFIR, and How do Digital Forensics Roles Vary? by Hacks4Pancakes. Digital forensics jobs in the Public Sector such as law enforcement most likely have different requirements than DFIR jobs in the Private Sector such as working for a corporation. See Job Hunting in the Digital World by Jessica Hyde, How to Become a Digital Forensics Professional in 2021, and Getting Your Career Started in Cyber Forensics.
- Look at the job postings for the type of role you’re interested in to get a feel for the job requirements (certifications, prior experience, etc) and start working toward them. LinkedIn, Dice, Glassdoor, and Ninja Jobs are some suggestions. Certification requirements will differ based on the various roles within the DFIR field. I run a DFIR job board on Get Your Start in DFIR. Jobs posted here don’t require prior work experience in Digital Forensics or Incident Response.
- Tailor your resume for the type of position you want, and put your resume on job sites like the ones listed above so recruiters can see it. This is how I’ve found most of my jobs, including my current DFIR position.
- Build a home lab to become familiar with DFIR tools. It can be as simple as using VirtualBox or VMware on a computer along with DFIR related distros. I made a YouTube playlist of DFIR home lab videos. Also, check out The Evolution of My Home Lab: From Break-Fix to Forensics and How to Incorporate Home Lab Experience Into Your Resume. For home lab ideas, and to ask questions, there is a home lab community on Reddit. They also have a Discord Server.
- It helps to learn a programming language. Python is used a lot in DFIR.
- Join the Digital Forensics Discord Server. This is a great place to meet others in the field, learn, and ask questions. See: A Beginners Guide to the Digital Forensics Discord Server. The Cyber Social Hub is another good community to join.
- If you’re not on Twitter, you might want to get on Twitter. There’s a large DFIR community on Twitter and an even larger Cybersecurity/Infosec community. Check out the Forensicators of #DFIR on AboutDFIR for who to follow. You can also ask questions on Twitter (use the hashtags #DFIR and/or #AskInfosec). Many people are willing to jump in and offer advice. A lot of us are also on the Infosec Exchange Mastodon instance. Use the #DFIR hashtag there as well.
- Attend conferences (virtual or in-person). Virtual conferences often have a place to chat online with other professionals. See the DFIR & Cybersecurity Community Events site for conferences and other events. Attend security events in your area such as BSides or try Meetup.com to see if there are any local Cybersecurity meetups.
- Start a blog. Even if you don’t have experience, you can document what you’re doing and learning in a blog. See Tips for Starting a Blog on This Week in 4n6
- Never stop learning. Check out the Free and Affordable Training Site. A lot of it is what I’ve needed to learn (and still need to learn) as an Incident Response Analyst. The learning requirements are most likely different for someone in a strictly digital forensics role. As I come across new things I don’t know, I look for free training and add it to the list. I also created an Incident Response Training Plan using freely available online courses starting from complete beginner to IT. It covers networking, programming/scripting, linux, malware analysis, log analysis, PCAP analysis, digital forensics and more.
- Participate in CTFs and Challenges. There is a list of ongoing DFIR/OSINT/Blue Team CTFs and Challenges on the training site. Some of them have public profiles that can be shared showing your progress, or you can earn badges. Any one-time DFIR related CTF events are listed on the DFIR Related Events page of the Cybersecurity & Community Events site. I have seen CTF participation listed under preferred qualifications in job descriptions for roles that are entry-level to DFIR.
- For more resources such as DFIR Blogs, Books and YouTube Channels, check out the Resources section.
I also recommend watching the videos and reading the blog posts below to learn about the different roles within DFIR and how get started:
- Securing Your Future in DFIR (advice on how to get into the field w/Kathryn Hedley, Phill Moore, Jason Jordaan and Lee Whitfield).
- Getting Started in DFIR: Testing 1,2,3 by Phill Moore
- How to Become a Computer Forensics Investigator w/Amber Schroader
- Get Started in Computer Forensics: Entry-Level Tips, Skills and Career Paths w/Amber Schroader
- How to Start Your Career in Digital Forensics (Ways you can become successful in developing your career path in DFIR w/Heather Mahalik)
- Cache Up (learn how different people in the DFIR community got their start and their advice for getting into the field hosted by Jessica Hyde).
- Digital Forensics and Incident Response: Is it the Career for You? (What it’s like to be a DFIR professional and how to kickstart a career in DFIR w/Cindy Murphy)
- All Things Entry Level Digital Forensics and Incident Response Engineer DFIR (What the job looks like, the pros and cons of the job and what you can do to learn skills to start working toward a job in that field w/Brandon Poole)
- More videos can be found on my YouTube “Getting into the DFIR Field” Playlist
- Blog Posts
- How long does it take to get into the DFIR field? by Brett Shavers
- Getting Your First DFIR Job by Douglas Brush
- How to Get Started in the Field of Digital Forensics by Amber Schroader
- The Ultimate Guide to Getting Started in Digital Forensics & Incident Response (DFIR) by Heather Mahalik
Job Search Tips
If you’re interested in a law enforcement or a cybersecurity position that strictly does digital forensics, searching job sites for “digital forensics” or “computer forensics” should result in those job postings.
For jobs like Incident Response where many times you are doing digital forensics investigations alongside other aspects of an investigation such as malware analysis, and additional duties related to cybersecurity, the job description might use terms like “investigations”, “endpoint investigations”, “host-based analysis”, “root cause analysis” or other similar terms that describe digital forensics. If you come across an incident response job posting that just mentions triage and escalation, it likely won’t involve digital forensics investigations.
Certifications also differ for strictly digital forensics jobs and Incident Response jobs where other aspects of cybersecurity are involved. The certifications listed on this page are based on US jobs postings for jobs entry-level to Digital Forensics & Incident Response.
How common is it for Incident Response positions to involve digital forensics and malware analysis? The image below shows the combined results of polls conducted on LinkedIn and Twitter.
DFIR Professionals work in law enforcement or in Cybersecurity (CSIRT, CERT, SOC, or other IR Teams). Here are some job titles:
- Digital Forensics Investigator
- Digital Forensics Examiner
- Computer Forensic Analyst
- Computer Forensics Examiner
- Forensic Analyst
- Incident Response Analyst
- Incident Response Consultant
- Intrusion Analyst
- CERT Specialist
- Incident Response Engineer
- SOC Analyst (Typically Level 2 or 3)
- Cyber Security Analyst (“Security Analyst” and “Cybersecurity Analyst” are generic titles that can cover a number of different roles. For example, you might read a job description for a “Security Analyst” and realize it’s a SOC or Incident Response position, other times it could be more a compliance or other type of cybersecurity role. So if you see that job title, be sure to pay attention to the description.)
- Job Sites
- Get Your Start in DFIR (Global job board for DFIR jobs requiring no prior work experience in digital forensics or incident response)
- Job Postings on AboutDFIR