The 2023 SANS Report: Digital Forensics, published by SANS Institute in May 2023, profiles the distinct disciplines within Digital Forensics and Incident Response (DFIR) through interviews with practitioners who specialize in each niche. Written by Heather Mahalik and Domenica Crognale, the paper covers eight DFIR specialties, drawing on firsthand perspectives from SANS-affiliated instructors and forensic experts on how they entered their fields and what it takes to succeed in each.
DFIR disciplines covered:
- Windows/Mac Forensics — identification and analysis of computer artifacts, with Chad Tilbury and Sarah Edwards noting that macOS investigation remains a comparatively under-explored specialty next to Windows-heavy corporate environments
- Threat Hunting (Intelligence) — analyzing adversary tactics, techniques, and procedures (TTPs) to inform decision-making, a discipline Katie Nickels describes as open to entry-level analysts as well as experienced SOC or incident response staff
- Incident Response (IR) — the cyclical process of preparation, identification, containment, eradication, recovery, and lessons learned, which Taz Wake says requires broad technical exposure since incidents rarely happen on familiar systems
- Cloud Forensics — analyzing artifacts across providers like AWS, Azure, and GCP, a fast-growing niche that Terrence Williams calls a "DFIR melting pot" combining most other disciplines with large-scale data analysis
- Mobile Device Forensics — securing and analyzing data from smartphones and related media, with Jessica Hyde emphasizing that creating and studying original test data is the fastest way to build expertise
- Malware Analysis and Reverse Engineering — dissecting malicious code to determine functionality and impact, which Lenny Zeltser notes overlaps with system administration, network engineering, and software development skills
- Network Forensics — capturing and analyzing on-premises or cloud traffic to trace attack activity, a skill Phil Hagen says underpins most other DFIR specialties including IR and malware analysis
- Memory Forensics — analyzing volatile memory for evidence not present in the active file system, which Mathias Fuchs says benefits from classical computer science training and lower-level language experience
- Ransomware IR — a subset of incident response combining network forensics, malware reversing, and legal/negotiation knowledge, which Ryan Chapman notes is one of the most visible and consequential DFIR specialties today
Despite the range of technical specialties, the paper's practitioners converge on the same underlying pattern: curiosity and hands-on experimentation matter more than formal computer science credentials. Nearly every expert interviewed pointed to self-directed learning, community knowledge-sharing, and a willingness to keep pace with constantly evolving artifacts and tools as the real differentiator for success in DFIR.
The cybersecurity workforce faces a global shortage of more than 3 million professionals despite close to half a million jobs created in 2022, according to (ISC)²'s Cybersecurity Workforce Study, a gap the DFIR field mirrors on a smaller scale.