Getting Into the DFIR Field

Please note: I do not know much about job roles outside of Digital Forensics & Incident Response (DFIR). If you know you want to be in Cybersecurity but aren’t sure what area you want to be in, or if you’re interested in a field other than DFIR, here are some resources.

The following is my advice for getting into the Digital Forensics & Incident Response (DFIR) field. I have also posted links to the advice other DFIR professionals have offered via blog posts and videos.

  • Look at the job postings for the type of role you’re interested in to get a feel for the job requirements (certifications, prior experience, etc) and start working toward them. LinkedIn, Dice, Glassdoor, and Ninja Jobs are some suggestions. Certification requirements will differ based on the various roles within the DFIR field. I run a DFIR job board on Get Your Start in DFIR. Jobs posted here don’t require prior work experience in Digital Forensics or Incident Response.
  • Tailor your resume for the type of position you want, and put your resume on job sites like the ones listed above so recruiters can see it. This is how I’ve found most of my jobs, including my current DFIR position.
  • If you’re not on Twitter, you might want to get on Twitter. There’s a large DFIR community on Twitter and an even larger Cybersecurity/Infosec community. Check out the Forensicators of #DFIR on AboutDFIR for who to follow. You can also ask questions on Twitter (use the hashtags #DFIR and/or #AskInfosec). Many people are willing to jump in and offer advice. A lot of us are also on the Infosec Exchange Mastodon instance. Use the #DFIR hashtag there as well.
  • Attend conferences (virtual or in-person). Virtual conferences often have a place to chat online with other professionals. See the DFIR & Cybersecurity Community Events site for conferences and other events. Attend security events in your area such as BSides or try to see if there are any local Cybersecurity meetups.
  • Start a blog. Even if you don’t have experience, you can document what you’re doing and learning in a blog. See Tips for Starting a Blog on This Week in 4n6
  • Never stop learning. Check out the Free and Affordable Training Site. A lot of it is what I’ve needed to learn (and still need to learn) as an Incident Response Analyst. The learning requirements are most likely different for someone in a strictly digital forensics role. As I come across new things I don’t know, I look for free training and add it to the list. I also created an Incident Response Training Plan using freely available online courses starting from complete beginner to IT. It covers networking, programming/scripting, linux, malware analysis, log analysis, PCAP analysis, digital forensics and more.
  • Participate in CTFs and Challenges. There is a list of ongoing DFIR/OSINT/Blue Team CTFs and Challenges on the training site. Some of them have public profiles that can be shared showing your progress, or you can earn badges. Any one-time DFIR related CTF events are listed on the DFIR Related Events page of the Cybersecurity & Community Events site. I have seen CTF participation listed under preferred qualifications in job descriptions for roles that are entry-level to DFIR.
  • For more resources such as DFIR Blogs, Books and YouTube Channels, check out the Resources section.

I also recommend watching the videos and reading the blog posts below to learn about the different roles within DFIR and how get started:

Job Search Tips

If you’re interested in a law enforcement or a cybersecurity position that strictly does digital forensics, searching job sites for “digital forensics” or “computer forensics” should result in those job postings.

For jobs like Incident Response where many times you are doing digital forensics investigations alongside other aspects of an investigation such as malware analysis, and additional duties related to cybersecurity, the job description might use terms like “investigations”, “endpoint investigations”, “host-based analysis”, “root cause analysis” or other similar terms that describe digital forensics. If you come across an incident response job posting that just mentions triage and escalation, it likely won’t involve digital forensics investigations.

Certifications also differ for strictly digital forensics jobs and Incident Response jobs where other aspects of cybersecurity are involved. The certifications listed on this page are based on US jobs postings for jobs entry-level to Digital Forensics & Incident Response.

How common is it for Incident Response positions to involve digital forensics and malware analysis? The image below shows the combined results of polls conducted on LinkedIn and Twitter.

DFIR Professionals work in law enforcement or in Cybersecurity (CSIRT, CERT, SOC, or other IR Teams). Here are some job titles:

  • Digital Forensics Investigator
  • Digital Forensics Examiner
  • Computer Forensic Analyst
  • Computer Forensics Examiner
  • Forensic Analyst
  • Incident Response Analyst
  • Incident Response Consultant
  • Intrusion Analyst
  • CERT Specialist
  • Incident Response Engineer
  • SOC Analyst (Typically Level 2 or 3)
  • Cyber Security Analyst (“Security Analyst” and “Cybersecurity Analyst” are generic titles that can cover a number of different roles. For example, you might read a job description for a “Security Analyst” and realize it’s a SOC or Incident Response position, other times it could be more a compliance or other type of cybersecurity role. So if you see that job title, be sure to pay attention to the description.)