有东西天生coolabout the field of forensics. To the outside observer, the process of digging into evidence to help solve crimes or bring proof to a courtroom seems like something out of a Sherlock Holmes story.

如果我们正在谈论电脑取证，那么情节肯定会变厚！数字工具的复杂性使数字取证非常专门的工作 - 将法律制度和电子世界聚集在一起，调查犯罪和解决问题。

If that kind of pairing gets your brain whirring, keep reading! We asked experts in computer forensics to share about this fascinating career.

What is computer forensics?

Computer forensics (also known as digital forensics) is the practice of collecting, analyzing and reporting on data in a way that meets the standards of our legal system. So basically, anytime you need evidence from a digital device to use in court or any legal proceeding—computer forensics will be involved.

那么这是什么时候发挥作用？知识产权盗窃，欺诈调查，就业纠纷和破产调查等情境是计算机法医分析师的常见领域 - 但几乎不会划伤这些专业人士进入的表面。

此职业也可以根据雇主广泛变化。例如，一些法医分析师在执法部门工作，必须符合其国家作为执法人员工作的要求。

Certified forensic analyst and investigatorRyan Massfeller.explains that police forensic examiners must be sworn law officers in most states. “Many of the cases we work on deal with sexually exploitive images of children and cannot be processed by anyone outside of law enforcement.”

计算机取证的另一面private sector. Greg Kelley, chief technology officer ofVestige Digital Investigations，处理客户带来的案例，例如数据被盗或证据周围病毒和损害数据。

“每种情况都不同，”Kelley说。“即使我们在审查10台计算机以证明员工盗窃数据，情况和结果也不同。无论是对ESXi服务器的法医分析还是遇到尚未闻名的病毒，总会有不同的东西。“

While deeply in the realm of technology, computer forensics also merges with legal and law enforcement territory. There are plenty of rules to follow if you want a piece of evidence to be legally admissible.

“我的大部分时间通常是收购和处理要求，”Dennis Chow说，首席信息安全官员说SCIS安全。He explains that these often-tedious requirements exist so that the data used in legal proceedings is airtight and cannot be challenged or rejected as tampered with.

How do you become a digital forensic analyst?

According to the劳工统计局(BLS), professionals in digital forensic science often need at least a bachelor’s degree.¹More specialized training offered by the employer, a credentialing organization or a police academy may come later, depending on where you hope to work.

Kelley’s career began in IT with a computer engineering background. “Some of our clients were smaller law firms who started asking us if we could recover deleted files or examine a hard drive.” Kelley says looking into this demand led to specializing in computer forensics.

IT led to SOC (security operations center) analyst work for Chow, which in turn led to investigating malware. “With my written and verbal skills, I discovered working with legal teams was quite easy for me,” Chow says.

在执法方面，数字法医分析师通常需要毕业的警察学院或国家批准的警察培训计划。但技术的背景也很重要。Massfeller在申请在执法部门工作之前有一年的IT管理经验。

“在执法部门工作的大多数法医审查员通过作为警察的行列致力于侦探，最终在法医学中工作，”Massfeller说。“鉴于我的经验和技能，另一方面被雇用进入实验室，并转变为警察。”

数字法医分析师做了什么？

It’s helpful to get the bird’s-eye view, but what does being a digital forensic analyst really look like? We asked our experts to share some of the work they do most often, to help you see the inside of this career.

1.主动扫描

As a detective, Massfeller doesn’t simply deal with devices brought to the precinct. The LEO digital forensic analysts hunt for criminal activity. “Routinely we proactively scan peer to peer networks looking for torrents that are known to contain sexually exploitive images of children,” Massfeller says. When they find something—the process of obtaining warrants and evidence begins.

2. Filling out legal documentation

文书工作是为了满足收购要求，请求信息还是获得由法官 - 计算机法医分析师签署的逮捕令花了很多时间溺爱他们的“一世's。

Massfeller says he writes court orders and search warrants in the process of obtaining evidence. “We also write a full forensic report documenting the steps we took to find the evidence,” Massfeller says. Digital forensic analysts might need to present their findings in court—in which case documenting and adhering to restrictions is of utmost importance.

3.身体调查

“We examiners suit up in full body armor and execute a search of the property for electronic devices,” Massfeller says. “We also typically interview the suspect to find out about any passwords or browsing behaviors. Once the seized evidence is secured at the computer forensics lab we begin processing it in a forensically sound manner.

4.使用数字法医工具在设备上查找数据

This is where the digital forensic magic happens. “With computers we make a forensic image of the suspect’s hard drive behind a write blocker or with a cellphone using software and sometimes hardware exploits to download the information from the device,” Massfeller explains. When the information is obtained, digital forensic analysts search it for evidence.

“The most challenging aspect about the job is that you need to really find efficiencies in how you investigate each case,” Chow says. “You’re shifting and sleuthing against tons of data trying to find IOC’s or other mission objectives, and you typically don’t have much time.”

Digital forensic analysts will need to stay sharp in their critical thinking, as well as current technology and useful digital forensic tools to keep this process efficient, legally admissible and effective.

5. Presenting computer forensic evidence in a trial

如果数字法医证据参与了法律程序，分析师可能需要向法官展示他们的研究结果。

“在试验中，我们有资格作为专家证人，”Massfeller说是数字法医分析师的执法人员。“我们向陪审团展示了我们的调查结果，达成了判决。让每个人到期进程都是一个漫长的过程。“

6.及时了解技术

“这份工作有两个非常具有挑战性的方面，”凯利说。“第一个是与最新技术保持最新状态。”Kelley表示，包括操作系统，更新程序运行，取消宣例和新病毒和漏洞。

涉及违反或盗窃公司的证据或风险，各种个人和实体想要匆忙的答案。数字法医分析师需要在其技术游戏的顶级，以保持竞争力和有效的工作。

这并不是说你可以让每个人都开心。Kelley表示，其他最具挑战性的工作是令人满意的客户，他们不了解该技术。

“Client demands for getting answers sometimes test the capabilities of our tools, skills and even the laws of physics when it comes to the speed of the computers we use,” Kelley says.

在地平线上的计算机取证

计算机和数字取证的每种可能性是作为技术能力和访问增长的甚至更为重要。数字法医分析师从事数字问责制的关键工作，以及雇主以及执法组织依赖他们的技能 - 他们发现的证据。

“It is complex and challenging work in high demand,” Chow says. If that’s something that appeals to you, check out some of the precursors to computer forensics by reading our article “8个标志，您在网络安全事业中工作。”

¹劳工统计局，美国劳工部，职业前景手册[2019年5月8日获取的信息]www.bls.gov/ooh/。Information represents national, averaged data for the occupations listed and include workers at all levels of education and experience. Employment conditions in your area may vary.