Part 1: ‘You have got to have the hunger. Digital forensics is not just what I do, it's who I am’
We met with certified SANS instructor and principal forensic analyst Jason Jordaan to get the top tips for moving into the digital forensics field. Whether you currently work in cyber security or have no experience in the field, this two-part Q&A covers all things digital forensics, with all the resources and advice you might need to make a move into this space in cyber.
1. Firstly, it would be good to get a little bit of background on yourself, Jason, and how you got into working in digital forensics?
“So, I started with working in law enforcement. I have always been the nerdy type, like some of the senior SANS instructors. Unfortunately, in South Africa at the time, when you finished school, if you didn’t go to university you had to do conscripted national service. I then joined the police and found I had somewhat of a knack for investigation, so I quickly got transferred and stationed in the detective service. I did my police degree and worked my way through the ranks that way.
“Fast forward a couple of years, I got transferred out of the police to our national anti-corruption agency, predominantly to do digital forensics, where I was tasked with setting up a fully functional digital forensics lab. When I left there in 2014, I was the national head for digital forensics. In 2014, I then decided to move into the private sector, still doing digital forensics work but now also doing a lot of incident response engagements. One of the big reasons I also decided to leave is that I had the opportunity to start teaching for SANS, and if I had stayed in government, I wouldn’t have been afforded those opportunities to devote my time to teaching others. I pretty much haven’t looked back since!”
2. Did you do any studying alongside working?
“During my time in the police and Special Investigation Unit, I did my police degree and then I did a master’s degree in forensic investigation. I then went back and did a bachelor of science degree in computer science. After that, I did an honours degree in information systems and, following that, did a master’s degree in computer science; I’m currently working on my PhD in computer science. After I finish that, I am probably going to do a law degree or something like that. It’s safe to say that I’ve never stopped studying, which is a major trait of digital forensic practitioners.”
3. Is studying an imperative part of the job?
“If you’re in digital forensics specifically, you are constantly studying because the field is changing all the time. Not only do we have to contend with changes in technology, but we also must contend with changes in the law and legal systems. Therefore, we need to make sure we keep up to date with the two disciplines of computing security and law.”
4. How do you manage learning alongside your job?
“You have got to have the hunger to learn. Digital forensics is not something that I do, it’s who I am. It’s my lifestyle. Keeping up to date with these things is not something I do just because it’s necessary, but because it’s something I’m genuinely passionate about.”
5. Do you think that this passion and hunger are necessary characteristics that digital forensicators should possess?
“Not even necessarily in digital forensics, but in cyber security in general. We push this ongoing learning at SANS and are constantly contributing back to the community with our webcasts and free resources. If you listen to Eric Bassel (CEO at SANS) talk, he constantly talks about our mission, and that mission is working to make the world a better place, and we do that by sharing our knowledge. I think if you want to be successful in this field you must have that hunger for learning and be self-directed. There are lots of resources out there! For example, if you attended all our summits last year, you would have earned over 100 CPEs, and they were free! So, the resources for somebody to learn are there; you just have to go out and find them.”
6. Do you think there is a current skills gap in DFIR? If so, can you talk to us a little bit about why?
“I do think there is a skills gap. This is not uniquely a South African thing; this is happening all over the world. A lot of people get into digital forensics and get qualified in a particular tool. Those tools don’t necessarily impart all the true digital forensic skills. They don’t impart the legal knowledge, investigative knowledge, core computing knowledge or the understanding of data systems and structures. So, very similar to what James Lynne said in the previous article for ITWeb, if you want to be good at cyber security, you must have these core foundational areas. An analogy I have used before: an accountant will use Excel in their job. Now, I am certified in Excel, I can use it, but does that make me an accountant? No.”
6. Do you see a rising need for digital forensics and incident response experts?
“Yes, without a doubt. Again, this isn’t unique to South Africa but a worldwide problem. If you look at the increase in cyber crime just in general, law enforcement agencies are under huge amounts of pressure to do more. There is a growing shortage of skills in those areas, and the private sector is having to step in and have those skills responding to incidents. It’s a bit of a crisis as, going back to the skills gap, there is definitely a need for more people, but we need more of the right people with the right training.”
8. Are there any particular trends you see around South Africa with cyber security experts moving into digital forensics?
“We have seen a lot of people moving into the digital forensics space. There are a lot of people who brand themselves as digital forensicators, even just general IT shops and places along those lines. But quite a few of these people who are providing these services are not trained or qualified, and unfortunately the marketplace isn’t sophisticated enough to know the difference; it becomes a price-determining factor. What is more concerning for me is that with digital forensics, there is often a person’s life that sits on the other end of it. There also isn’t a body or framework in South Africa that can regulate this, and that is part of the problem.”
9. Is there any particular ‘hurdle’ that readers should be aware of if they are considering moving into digital forensics?
“One of the biggest hurdles in South Africa is the lack of available training. Most of the training available is vendor-based training. I would say most of the decent digital forensics training is offered outside the borders of South Africa, so if you look at one of the biggest hurdles included with this training, it’s cost. The value of the currency in South Africa, compared to the US dollar or the pound, isn’t good. So, there are hurdles in this regard, as people will take the local training on how to use the tool instead of learning the deep level of technical skills in digital forensics. We haven’t done many courses in South Africa from a SANS perspective, but, if I look at the people who I have known over the years who have done a FOR500 (Windows Forensic Analysis) or a FOR508 (Advanced Incident Response, Threat Hunting and Digital Forensics) course, the level of skill of those people compared to the average is incredibly different. But, if you are willing to learn for free, and you explore all those free resources, there actually are no hurdles.”