Life of a forensics and incident response engineer

I have grown to never fully trust that I will be able to attend the meetings scheduled in my calendar. As a forensics and incident response engineer for one of the top 10 Alexa websites (as of 2017), things turn up unexpectedly and often. In this post, I want to highlight certain aspects of digital forensics and incident response, their pros and cons, and what you should do to stay sane and keep growing. At the end, I also touch upon some recommendations for people who plan to enter this field and be passionate about it.

Digital forensics is based on science: you apply knowledge of information security, computer systems, networks and programming to establish the 5 W's (what, where, when, why and who). Incident response, on the other hand, is an interdisciplinary field that lays out the practices and procedures for handling an incident, involving everything from digital forensics to law, crime, psychology, human factors and communication. The combination of the two is what makes life interesting, and fortunately I get to practice all of it day in and day out. Since each of the fields listed above is very broad and has a lot of depth, gaining a complete understanding would take a lifetime (or more), so there is always something new to learn, apply and play with. As one peels back a piece of evidence (think a hard drive image or a memory capture) layer by layer, it tells a story, or supports or refutes the one you had in mind. In the end, there is utmost satisfaction in using every part of your working mind to analyze what happened in the past, work out how to stop the bad guys before they get in, predict what they will do next and protect the organization from further harm.

Incident responders are like firefighters in the digital world, where the equivalent of a fire is a security loophole, an attack, a vulnerability or risk, or anything else that can potentially harm an organization's systems or networks. Recall the two obvious responses people have when faced with danger: "fight" or "flight". For an incident responder, there is NO flight! Being in constant "fight" mode builds certain skills which are extremely valuable for a lifetime. For instance, seasoned incident responders are calm, have great self-control and take cool, collected decisions even when the world is burning down around them. They build up an unnatural stamina for facing extremes. This is the positive side of incident response. On the other hand, the cons include burnout, which affects one's physical and mental health. One has to strike a balance between fight mode and break mode (forced flight) to lead a sane life.

If what I described above made you excited about a life filled with new puzzles every day and you want to learn how to get started in this field, I would recommend starting by solidifying the fundamentals of computer science (call this layer 0). This means understanding every bit and byte involved in network protocols, understanding how operating systems work, learning to program (efficiently), and learning data structures, compilers, how to build websites, etc. Once you reach a stage where you know how the basic building blocks of a computer work, jump to information security (layer 1) and repeat the same process, this time using layer 0 as your foundation: learn the basic principles, cryptography, ciphers, network security protocols, application security concepts and web security. While reading about all of this, always think about how each concept ties back to the fundamentals of computer science (layer 0). Now build layer 2, digital forensics, on top of information security. This time learn about host-based forensics and network forensics (all the while thinking about how layers 1 and 0 are working underneath). There will be a lot of "AHA!" and "Oh, GOT IT!" moments on your journey of discovering the beauty of digital forensics. The incident response layer goes hand in hand with the digital forensics layer, as the concepts run in parallel. I recommend starting with the NIST Computer Security Incident Handling Guide (SP 800-61), the Blue Team Handbook, or a SANS class. Additionally, learn the basics of the laws in your country regarding evidence handling. By this point you should be armed with the skills you need to get started as a forensics and IR engineer.