About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander All opinions are my own unless explicitly stated.

Friday, February 24, 2012

Lessons from a DFIR job search

Those of you who follow my blog know that I’ve been trying to transition into computer security for a few years now. After the US Cyber Challenge I got a QA job at an antivirus company that gave me exposure to application security issues and malware basics, but I’d really been trying for a digital forensics or incident response (DFIR) job. As of last October, I finally got a job doing infosec, including incident response, at a Bay Area-based social network (not Facebook).

While I was trying to transition over, I talked to a lot of experienced DFIR people about how they got into this. Ultimately, the path that worked for me ended up being a bit different from their suggestions, so perhaps these notes about what worked and what didn’t will help other people looking for forensic work.

Transition from Operations

Several people I’d talked to started in an operations-type role and then transitioned over, supplementing their sysadmin skills with additional study to make the jump to DFIR. This path is a logical one because sysadmins know how their servers work, their configuration, how to keep them running and reliable, and networking. They will have been exposed to security issues in OS hardening, firewall configuration, and patch management. Most likely they will have responded to incidents as well, at least a DDoS if not a server breach. Ultimately, I think this is the easiest path and the one that most forensics people will continue to come from.

Law Enforcement

Quite a few forensics people got their beginning in law enforcement, particularly federal. Some local police departments are also big enough to support some cybercrime officers – particularly in the Bay Area – but entering forensics through local police is very unreliable as all new officers are treated the same. They all go to the Academy and work patrol for at least a few years before they even have a chance to try for an investigative position like cybercrime. Federal law enforcement is a more reliable route, but with the current Federal budget positions are few and far between. You also have to be hired by age 35 and positions are all over the country. I tried for the FBI, but shortly after the written test they entered a hiring freeze that’s lasted a year so far. It’s still a viable route if you’re not picky about where you live or what agency you work for, but given my age and my wife’s living preferences, it’s not going to happen. At some point in the future perhaps I could get a civilian position at a cybercrime lab, but those are still uncommon.

A few people I talked to recommended going the consulting route, getting hired by a consulting firm and doing forensic work for them for a few years. By all accounts consulting is extremely hard work and requires a lot of travel, but the managers at the firm I talked to didn’t care about a low level of experience. As long as I had a handle on the basics, was comfortable with travelling and working very long hours, they would give me the training and mentoring. This seemed like a very likely route and would be a good one for other interested forensic people to follow, but it turned out the firm I was talking to stopped hiring for the time being and I got the job offer for my current job before I caught another firm’s interest.

As I was talking to the consulting firm, I was also applying for corporate jobs. Despite having a forensics certification, I had a hard time getting corporate interest due to my lack of experience. Some good contacts got me a couple of interviews, but no offers. Hiring managers who were looking for DFIR people could generally find someone with more experience than me. That’s when I came across a posting for my current company. It wasn’t true DFIR; it was more spam and fraud, with some additional application security issues in responding to XSS attacks. Still, it was close enough to some of the things I’d done in the past to get me an interview. During the interviews, I asked about what elements of security were covered under the security team, including incident response and forensics. Despite my lack of experience in this realm, my training and study of DFIR plus my previous experience with web app security encouraged the manager to create an infosec position to start building out an incident response capability. I got the job.

Hopefully these notes about my DFIR job search will help other new and inexperienced forensic hopefuls find a position that works for them. I’d love to read anyone else’s forensic job search stories; please share them in the comments.