Introduction

Digital Forensics & Incident Response (DFIR) is a very rewarding field that has its complexities and challenges. It has some of the hardest working individuals and smartest minds in the Cybersecurity industry by virtue of how fast the field is advancing. New technologies, new threats, and new adversarial techniques constantly keep incident responders on their toes and ensure we are all keeping up with modern trends in real world scenarios. However, one area that needs improvement in DFIR is clear guidance on how the next generation of practitioners can break into the field. There is a load of information nowadays that can overwhelm any prospective young professional who is looking to dip their toes into the DFIR world and without the proper guidance, they can get lost extremely fast. That is why I decided to create a short 5-part blog series that will provide a clear roadmap for those that are looking to become DFIR practitioners.

The way I am going to structure this 5-part blog series is as follows:

• Part 1 – Cybersecurity Fundamentals
• Part 2 – Windows Forensics
• Part 3 – Windows Memory Forensics
• Part 4 – Threat Hunting
• Part 5 – Specializations

Each blog will go into detail on a particular focus area for folks to spend their time and efforts on to properly stay on track and become well positioned to succeed in not only landing a career in DFIR, but also exceling at it.

My Path

Before diving into it, I wanted to share my path that I took to break into DFIR. I constantly get asked this question which helped motivate me to take the time to draw up this 5-part blog series since I feel it will benefit so many people. My path getting into DFIR was very interesting to say the least. There were some setbacks, some risks taken, and some luck involved to getting to where I’m today. I knew from a young age that I wanted to work in tech in some capacity, but it wasn’t until high school that I knew I wanted to work specifically on computers. I started my journey at Penn State University in 2010 where I first majored in Computer Engineering. After a few semesters went by, I knew my heart wasn’t in it anymore and I needed to pivot myself to something that was a bit more broad and more enjoyable for myself. I eventually transferred to the New Jersey Institute of Technology (NJIT) in 2012 and enrolled in the Information Technology undergrad program with a focus in Cybersecurity. This switch put me on the right track to learning some key fundamentals in Information Technology at the time, such as network topologies, network security, programming, website development, database management, system administration, ethical hacking, and computer forensics.

During this time, I also interned for Northrop Grumman in NYC in the RF Engineering department as a RF Drive Tester (TL;DR I drove around NYC overnight to test the network stability of Northrop Grumman’s mobile broadband wireless network for NYC’s workforce). I would go on to graduate in 2016 with a Bachelor of Science (BS) in Information Technology and embarked on my post graduate career. This is where things became a bit interesting for me.

I was offered a full time Network Engineer position in California once I graduated that I turned down to stay home and close to family. Many at the time thought I was a bit crazy for turning down a decent salary at a well-regarded company, but I knew I didn’t want to uproot my life and start my career on the west coast thousands of miles away from home. Instead, I took a 6-month contract job as a PC Setup Technician to earn some money after graduation and continue to learn the basics in IT, now in a postgrad world. It was at this company that I met a good friend of mine who went on to play a pivotal role in my journey (back to him in a moment). When my contract expired, my colleague left to join Kroll (a consulting firm that has a widely recognized digital forensics and incident response practice) and I left to join a small company that specialized in tax processing as an ETL & Data Extraction Programmer. I realized very quickly that programming was not the career I wanted and with a bit of good timing, I reached out to my colleague who left for Kroll and asked if they were hiring which, at the time they were looking for a new Associate to join their Digital Forensics Lab in NJ.

He was kind enough to refer me to the position and I eventually was hired for the Associate role in their Digital Forensics lab. Immediately, I knew I wanted to work in Digital Forensics and Incident Response as an investigator. My manager at the time recommended I enroll in a SANS course to get the training I needed and so about 1 year into the job, I enrolled in FOR500: Windows Forensic Analysis and obtained the GIAC Certified Forensic Examiner (GCFE) certification in January 2021. A few months later, a Zero-Day exploit known as ProxyLogon occurred and Kroll responded to a large volume of these engagements to which I assisted from afar at the Forensics Lab. Due to my efforts in extending my hand during those few months of intense work, I was able to join the DFIR team in an official capacity and never looked back. My path was not straightforward, but I wanted to share it with those who were curious as to how I got to where I am now. Luckily, I will be sharing a more straightforward path that should help those looking to break into the field.

Stage 1 – Cybersecurity Fundamentals

For Part 1 of this blog series, we will focus on Cybersecurity Fundamentals and how to obtain them. This will be the most preference dependent stage outside of what we will highlight in Part 5 in this blog series due to the fact that there are many options that someone can take to obtain these fundamentals. I will simply provide my thoughts on some of the best ways to achieve these fundamentals due to my own knowledge, past experiences, and insights I have gained from some of my peers in the industry.

Step 1 – Identify what career in Cybersecurity you wish to pursue before you graduate high school:

Yes, high school. This is a crucial step as this will help determine what schools and programs you should be pursuing to enroll in that specialize in the career you want to land, thus putting you in a position to follow the appropriate path of that specific career. For example, if you want to work as a SOC analyst, then the school and/or program you choose will need to align with the specific path to become a SOC analyst. To start, I first recommend creating an account with SANS and reviewing these three guides the SANS Institute has published on their website:

• The Ultimate Guide To Getting Started in Digital Forensics & Incident Response (DFIR)
• 20 Coolest Cybersecurity Careers
• Cyber Security Roadmap

Step 2 – Enroll in a 2-4 year program at an accredited university. This can be in the form of an undergrad or accelerated program:

Once you have reviewed all three guides and decided what career in Cybersecurity interests you the most, the next step is to research and enroll in a 2-4 year program that focuses on Cybersecurity or DFIR. Now this part is extremely important and will influence how the next phase of this process will look like for you. There are quite a few options nowadays for folks looking to break into DFIR, but I want to focus on the two most straightforward options.

Option 1: Enroll in a 4-year university at one of the schools listed below that are generally considered to have some of the most recognizable Cybersecurity or DFIR undergrad programs:

• USC Viterbi School of Engineering: Technology and Applied Computing Program
  • Major: Intelligence and Cyber Operations | Minor: Digital Forensics
• Champlain College: Division of Information Technology & Sciences
  • Option 1 – Major: Digital Forensics
  • Option 2 – Major: Computer Networking & Cybersecurity | Minor: Computer & Digital Forensics
• Utica University: Cybersecurity Program
  • Major: Cybersecurity | Specialization: Digital Forensics and Incident Response
• Bloomsburg University of Pennsylvania: Digital Forensics and Cybersecurity Program
  • Major: Digital Forensics and Cybersecurity
• University at Albany: Digital Forensics Program
  • Major: Digital Forensics
• Stevenson University: Cybersecurity and Digital Forensics Program
  • Major: Cybersecurity and Digital Forensics
• Purdue University: College of Liberal Arts | Purdue Polytechnic Institute
  • Option 1 – Major: Digital Criminology
  • Option 2 – Major: Cybersecurity
• Penn State University: College of Information Sciences and Technology
  • Option 1 – Major: Cybersecurity Analytics and Operations
  • Option 2 – Major: Security and Risk Analysis
• George Mason University: Cyber Security Engineering Program
  • Major: Cyber Security Engineering
• University of Maryland Global Campus: Cybersecurity Technology Program
  • Major: Cybersecurity Technology

Option 2: Enroll in an accelerated program listed below that are also generally considered to have some of the most recognizable Cybersecurity or DFIR undergrad programs:

• SANS Institute: Homepage
• Western Governor’s University: Homepage

Option 2A: If enrolling in the SANS Institute, consider one of the two programs below:

• Applied Cybersecurity Certificate (ACS) Program: This is best suited for those who are 18+ years old and already have 2 years’ worth of college credits that want a more cost effective and accelerated option in addition to hands-on experience and certifications. It consists of 4 courses (12 credits), 4 GIAC certifications, the duration is 10-18 months, and a 100% online option is available. The ideal curriculum pathway is as follows:
  • ACS 3275: Security Foundations | SEC275 + GFACT
  • ACS 3401: Security Essentials | SEC401 + GSEC
  • ACS 3504: Security Incident Handling & Hacker Exploits | SEC504 + GCIH
  • ACS 4500: Windows Forensic Analysis | FOR500 + GCFE

• Bachelor’s Degree in Applied Cybersecurity (BACS) Program: This is best suited for those who already have 70 credits from an accredited community college or 4-year college that want to pursue an undergrad degree in addition to hands-on experience and certifications. It consists of 10 courses (50 credits), 9 GIAC certifications, 1 internship, the duration is 2 years, and a 100% online option is available. The ideal curriculum pathway is as follows:
  • 70 Transferrable College Credits (Covers Freshman and Sophomore Year)
  • Junior Year:
    • BACS 3275: Security Foundations | SEC275 + GFACT
    • BACS 3301: Introduction to Cybersecurity | SEC301 + GISF
    • BACS 3402: Effective Cyber Writing and Speaking | SEC402 & SEC403
    • BACS 3401: Security Essentials | SEC401 + GSEC
    • BACS 3504: Incident Handling and Hacker Exploits | SEC504 + GCIH
  • Senior Year:
    • BACS 3573: Automating Information Security with Python | SEC573 + GPYC
    • ACS 4498: Battlefield Forensics & Data Acquisition | FOR498 + GBFA (ACS 4___: Upper Division Specialization Elective | GIAC Certification)
    • BACS 4503: Intrusion Detection In-Depth | SEC503 + GCIA
    • ACS 4500: Windows Forensic Analysis | FOR500 + GCFE (ACS 4___: Upper Division Specialization Elective | GIAC Certification)
    • ACS 4508: Advanced Digital Forensics & Incident Response | FOR508 + GCFA (ACS 4___: Upper Division Specialization Elective | GIAC Certification)
    • BACS 4499: Internet Storm Center (ISC) Internship

Option 2B: If enrolling in Western Governor’s University, consider the B.S. Cybersecurity and Information Assurance Degree Program. The program currently offers two pathways: Associate degree holders and non-degree holders. This program is best suited for those who want to enroll in an accelerated program and also want to take Cybersecurity fundamental certifications that are offered by CompTIA which are included with this program.

• For Associate degree holders it consists of: 24 courses (93 credits), 15 certifications, the duration is typically less than 3 years, and is 100% online. The curriculum is as follows:
  • Network and Security:
    • Network and Security – Foundations
    • Network and Security – Applications
  • IT Fundamentals:
    • Introduction to IT
    • IT Foundations
    • IT Applications
  • Data Management:
    • Data Management – Foundations
    • Data Management – Applications
  • Risk Management:
    • Managing Information Security
  • Web and Cloud Security:
    • Managing Cloud Security
  • Ethics & Cyber Law:
    • Legal Issues in Information Security
  • Networks:
    • Networks
  • Capstone:
    • IT Capstone Written Project
  • Operating Systems:
    • Linux Foundations
  • Information Assurance:
    • Introduction to Cryptography
  • Scripting and Programming:
    • Scripting and Programming – Foundations
    • Introduction to Programming in Python
  • Wireless & Mobile Technologies:
    • Emerging Technologies in Cybersecurity
  • Business of IT:
    • Business of IT – Applications
    • Business of IT – Project Management
  • Penetration Testing:
    • Penetration Testing and Vulnerability Analysis
  • Hacking Countermeasures and Techniques:
    • Cyber Defense and Countermeasures
  • Secure Systems Analysis & Design:
    • Fundamentals of Information Security
    • Information Systems Security
  • Digital Forensics and Incident Response:
    • Digital Forensics in Cybersecurity

• For non-degree holders it consists of: 34 courses (123 credits), 15 certifications, the duration is typically less than 3 years, and is 100% online. The curriculum pathway is the same as above with the additional set of General Education courses as follows:
  • General Education:
    • Composition: Successful Self-Expression
    • Health, Fitness, and Wellness
    • American Politics and the US Constitution
    • Ethics in Technology
    • Applied Probability and Statistics
    • Introduction to Systems Thinking
    • Applied Algebra
    • Natural Science Lab
    • Introduction to Communication: Connecting with Others
    • Critical Thinking: Reason and Evidence

• The certifications included in this program are as follows:
  • CompTIA A+
  • CompTIA Cybersecurity Analyst Certification (CySA+)
  • CompTIA IT Operations Specialist (Stacked)
  • CompTIA Network+
  • CompTIA Network Vulnerability Assessment Professional (Stacked)
  • CompTIA Network Security Professional (Stacked)
  • CompTIA PenTest+
  • CompTIA Project+
  • CompTIA Secure Infrastructure Specialist (Stacked)
  • CompTIA Security+
  • CompTIA Security Analytics Professional (Stacked)
  • LPI Linux Essentials
  • ITIL® Foundation Certification
  • Certified Cloud Security Professional (CCSP) – Optional Voucher
  • Systems Security Certified Practitioner (SSCP) – Associate of (ISC)² designation

Conclusion

In order for the next great generation of DFIR professionals to have the best path to success, it all starts with the underlying educational path that is taken and the career within Cybersecurity that you want to focus on. Having this on your mind earlier on will provide you with a clear advantage when it comes to how to begin the journey. The purpose of this blog was to showcase how to begin that journey and highlight some of the key steps you should take to have the best path to success early on. The next blog in this 5-part series will focus on what comes after completing any of the aforementioned educational programs which will consist of diving right into the basics of Windows Forensics.