Now that you have your mind around what it takes to set up the equipment of the lab it is time to start looking at staffing the lab and the management of the flow of the lab. This can be the hardest part because you are dealing with people and what they need on top of what you need digitally. This is where the flexibility required to deal with digital data is required.

Hiring the Right People

When looking for people in digital forensics that have the skills you need to produce the proper results out of your lab there are a few factors to look at.

Focus of Lab

When deciding to do digital forensics it is important to know what type of data you are going to be dealing with. Based on the type of data will tell you where you want to focus on the skills for the team members you want in the lab.

 Focus of Cases

Not all good examiners can find data with all types of cases. If you are dealing with a lot of financial fraud cases you will want someone who understands how numbers work and what type of data they should be looking for. This is very different than the type of data you would be looking for with a child exploitation case. Understanding the data you are looking for makes a big impact on the skills you look for in a team member.

 Lab Feel & Attitude

Not everyone agrees that the feel or attitude of the lab matters, but it can affect the overall productivity of the lab if you get someone in that does not fit. Make sure if you are going to be strict on the processes that you pick team members that can follow clear directions and are okay with doing the same processes over and over.

Certifications

In a field like digital forensics where it is not regulated as a standard science, the industry is gauged by the certifications that the different examiners hold. Most of the certifications in the field of digital forensics are done by a vendor of some type. Some courses will include certifications as part of the course cost, and others will not. Make sure you read the fine print of what you are getting and also how often you will need to be recertified. All certifications should have a testing component and most will have a lab with it as well. It should not just be based on the attendance of the course.

I will break down the training and certifications into two categories based on vendors.

Software Vendors

All of the different specialized tools in digital forensics have a certification associated with them. Many times, these certifications are about the competency of the user in the operation of the tool in the process of an examination. Team members must hold multiple certifications in this category so that they are competent in the operation of multiple tools. Although people might have preferences on tools they must be able to use more than one tool. As mentioned prior the process of cross-validation is a requirement in the field to confirm that all the data was found in the investigation.

Training Vendors

The other vendors are those that provide training courses that are “vendor-neutral” that teach the fundamentals of the field. Be mindful of these course selections as many times the “vendor-neutral” side is not truly followed. You need to ensure the course focuses on the principles and what needs to be done in a process and no on a method of a tool. Vendors such as Paraben can offer courses like this that are not specific to tool operation such as the Digital Forensics Fundamentals Course. This course goes through what you should know to do digital forensics and discusses a large variety of tools in the course. The courses and certifications that fall in this category can be very expensive so shop around and look for both paid and open source options for learning. However, certification will typically have a fee with it.

Some training vendors include:

InfoSec Institute

SANS

ISC2

There are many more that fall in this category, ask others what courses they have liked. Make sure the method that is used for teaching is complementary to how you learn materials. 

When selecting team members make sure you vary what skills and certifications each team member has to keep your lab well rounded and skilled in a large variety of digital skillsets.

Management of Lab

Management is the hardest part of the process if you do not understand what the team members are doing. There are many courses out there that allow someone in a management position to learn the fundamentals of the processes that should be used. It is always recommended that at least one of these courses are attended.

Managing Expectations of Data

In addition to managing people, managers must also manage the expectations of the client with the data. This is the harder part of the equation because each case that is processed is going to have different data. It is important to understand and explain to clients the difference in data types and most cases the recovery of data. Clients can assume you can work a miracle and that doesn’t happen. Keep the expectations realistic and be honest and upfront with your clients.