Douglas Brush

Getting Your First DFIR Job

June 3, 2013

Recently, I spoke to students in a computer forensics class who will be graduating in the spring of 2013 about getting a job in computer forensics after school. We covered interview tips and performed mock forensic job interviews, during which I realized there are some pointers that I could share about the process from a hiring manager's perspective to help candidates better prepare for seeking that first position in computer forensics. While many aspects of getting that first job are common in any field, serious computer forensics professionals do have a mindset, attitude and passion that require a certain approach when a candidate is looking for their first job in the field.

Resume/C.V.:

Generally a resume is skimmed and reviewed in about 20-30 seconds which means you need to make sure it is laid out in a way that gets you on the short stack of potential candidates. You want to consider ordering sections by your objectives, education, skills/tools/languages, experience, certifications, awards and professional organizations. Keep it simple, be concise (do not cram in too much information and keep it to 1 or 2 pages). Be sure to use keywords that will hook the reader. Remember your goal is to have that resume get you a phone or, better yet, live interview. Make the form follow the function. Also, be prepared to have several versions of your resume tailored to the position or positions you are seeking (IR, e-discovery, consulting). Your resume is a living document and one size doesn't fit all.

Know Your Audience:

You will rarely talk to only one person when seeking a position. Most of the time you will be dealing with someone in human resources, a hiring manager, department heads as well as other people you could potentially work with and each person has a different skillset, objective and need.

Do your research before your interview. Put on your investigator's cap and learn about the company you are interviewing with. It is also good to know if the person you are speaking with at that moment will have the technical background to appreciate a decompiler you wrote at 13 or if they are more concerned about your education history. Sites such as LinkedIn and the company's web site can provide a wealth of information about the people and organizational structure you could be dealing with. If available, read the financial statements to get a sense of the firm's financial strength.

It would also benefit you to try to ascertain how long their computer forensic department or service line has been around or why it was formed. Is the department new? Is it by acquisition of another company? Was the group a result of a new law or regulation? Many of these questions can be answered by taking the time to profile the firm to see if it is a fit for you before you apply.

First Impressions:

When you make that first contact with someone on the other end of the phone or in person, they will instantly be evaluating you consciously and sub-consciously. We are in a very technical field filled with computer science, math, acronyms and many of us feel more comfortable behind a monitor instead of in face-to-face situations. Step back and consider how you will be perceived and even try to think of this as a social engineering experiment of how you can gain further access into the system by your personal presentation and communication skills.

Beg, borrow or steal (ok, don't steal) and get a suit, clean pressed shirt and tie when you go to meet people. Being well dressed for an interview shows respect and consideration for the person interviewing you. This may be a position with a relaxed dress policy, but leave the Defcon 14 shirt at home and dress for success the first time in the door.

Speak clearly, slowly and make eye contact with the interviewer to give the person a sense of your self-assurance. When talking on the phone, you also need to project a sense of knowledge and confidence in your ability to perform the job. Again, this can be hard for many technically inclined people, but go with the mindset that this is a natural conversation about yourself and don't simply reiterate what's on your resume with lots of technical language.

Certifications:

Certifications can be good, bad or ugly depending on your skills, experience and the position you are applying for. In many entry-level positions there will be some basic requirement for either a tool-specific or tool-agnostic certification. Take the time to get to know the various certifications and what they mean because some may be more applicable to your long-term career path than others. Conversely, you may be applying at a firm where a certain tool-specific certification is not important because they use a different tool than what you are certified in.

Another thing to consider is too many certifications in too short of a time frame. This can give the impression that you simply got certified to be certified and may not possess the actual skills the certification represents. Also, many certifications require re-certification or continuing education that might not be in the budget at the company where you are applying. Remember, certifications should serve as a complement to your experience, skills and character — not as a professional definition.

Questions To Be Prepared For:

There will be some common questions that you will be asked in many of the interviews. I can't stress this enough. There are no wrong or right answers in an interview! Just be honest with the interviewer because you are being evaluated as a role player and not expected to be all things to all people — it doesn't help anyone to have you playing 3rd base when you are better at 1st. Here are a few examples:

What tools have you used and/or are experienced with?

Don't go beyond what you know and have experience with. If the lab at the school or where you are interning has a popular commercial tool you never used and you do things in Python — don't say you use the commercial tool.

What operating systems do you feel comfortable with?

Like the tools, be able to discuss OS's that you have experience with and your depth of knowledge. You might be interviewing at a place that runs PCI investigations on client systems with Linux and you are a Windows person - this is fine, but it should be discussed early so there are no false expectations.

What languages do you know?

When asked about programming languages, stick to the ones you use often and don't rattle off everything you ever wrote a script with. Most people have a few languages they feel really comfortable in so be specific about them.

Are you willing to travel — if so how much (20%, 30%, 75% of the time)?

Many forensic jobs will require travel. Know your limitations and how comfortable you are being away from friends, family, pets and home.

How do you keep your skills current/what do you do to keep abreast of industry changes?

Computer forensics is not a passive field and requires you stay up to date with constant changes. Have a plan to keep abreast of technology and industry changes whether it is forums, blogs, social media, meet-ups, conferences, etc. and be prepared to explain.

Tell me about your lab environment at home?

You do not need to have a full rack with 24 processors running, but it is assumed that you have at a minimum a personal laptop with some virtualization support to test theories, scripts and tools.

Where would you like to be in the field 1, 3 and/or 5 years from now?

Questions such as these help both you and the prospective employer get a sense of your career path. Is this just a job you want to use as a jumping off point and plan to leave in two years, or are you looking to develop a career within the organization? Knowing your long-term goals will help you properly assess opportunities and whether the firm you are applying to can support you.

What are your salary expectations?

Money can be an uncomfortable subject for people, but it is a necessary topic when being compensated for your forensication efforts. "I dunno", "How much you got" or "1 million dollars" with a Dr. Evil impersonation are not acceptable answers. Talk to peers in the field and do some online research for salaries at the level you are applying for to get an idea of the ranges. Be prepared to have this conversation and understand that it can be negotiated.

Questions You Should Ask:

Interviewing is not a one way street. You should approach the situation with confidence and understand that the employer needs you as much, if not more, as you need them. Be prepared to ask questions and feel out the opportunity to make sure you are entering a situation that will meet your needs. Here are a few suggested questions you should ask during your interview:

What will I be responsible for?

How many hours a week are expected from me?

What benefits are included?

How much vacation time will I get? How is it accrued?

Can I meet people I might work with?

Can I see the lab?

What advancement opportunities exist?

How much training is available?

Deep Breath

Interviewing can take time and practice — you will not likely hit a home run your first at bat. After a few interviews you should start to get the feel for it and be more confident.

Be patient. You may not hear back right away and it can take weeks (if not months) to get through the interview and HR gauntlet at a firm.

Be specific. Know your current goals with the understanding they will change as you grow.

Be concise. Less is more and no one person knows it all.

Don't be afraid to say "no thank you" to a job offer. Don't take a position because you feel you will not have another opportunity. This is an industry where there are more positions than candidates.

Getting into the field of computer forensics is about a lifestyle choice not just about having a job. For many it is also an "off the clock" hobby. It is a passion reflected in how you approach everything else in your day-to-day life as you deconstruct, reverse engineer and hack to gain a deeper understanding of how things work. So take a deep breath and approach the process methodically with clear goals like any other challenge. Appreciate the opportunity to do something you are passionate about — not everyone is this fortunate.

And, good luck in finding your first job in digital forensics!

Tags:
  • Digital Forensics and Incident Response

  • © 2023 SANS™ Institute