Forensic computer analysts investigate computer-related crime (cybercrime), including data breaches, security incidents and other online criminal activities
As a forensic computer analyst, you'll use a range of specialised software and other techniques to secure, retrieve and analyse data linked to a range of criminal activities. These illegal activities can include:
- network intrusions
- online scams and fraud
- political, industrial and commercial espionage
- terrorist communications
- the use of illegal images
- theft of confidential information.
Your investigations can centre on data stored on a range of devices, including personal or work computers, tablets, mobile phones, the cloud and flash drives.
You could be working for the police or other law enforcement agencies, for a specialist computer forensic company or investigative team, or large companies such as banks.
You will investigate a range of crimes where the computer can either be the object of the crime, for example when criminals carry out hacking or spamming, or where it is used to commit a crime, such as online hate crimes or the possession of illegal pornography. It can also be used for illegal communication and data storage.
As a forensic computer analyst, you'll need to:
- secure a system or device so it can't be tampered with
- use a range of forensic tools and software to extract and analyse data
- deal with highly sensitive or confidential data or images, depending on the type of case you’re investigating
- recover damaged, deleted or access hidden, protected or encrypted files
- unlock digital images that are locked to hide the identity of a place or person
- examine data from mobile phones and satellite navigation systems to trace people or places
- follow electronic data trails to reveal links or communication between individual or groups
- collect information and evidence in a legally admissible way
- write technical reports based on your findings and, if required, give evidence in court as an expert witness
- present findings of on-going incidents to other members in the investigation team, law enforcement agencies and clients
- keep up to date with evolving cybercrime methods and developments within the digital forensics field
- undergo security checks and vetting procedures
- work to relevant ISO accreditations.
- Typical starting salaries for forensic computer analysts range from around £21,000 to £25,000 a year.
- With experience, you can earn £30,000 to £45,000 a year.
- Analysts can earn up to £80,000 in more senior roles.
Salaries vary depending on your specific skill set, the region you're located in and the size and type of company you work for.
Gaining professional qualifications and certifications can help you to move up the salary scale.
Income figures are intended as a guide only.
Working hours generally range from 35 to 40 per week, although you will need to be flexible as exact hours will depend on the type of assignment or investigation you are working on.
Some organisations require 24/7 cover, with staff working on a call-out rota, allowing for fast responses to information and cyber security or criminal incidents.
What to expect
- Much of your work will be office or computer lab based but you will have situations where you will need to travel to off-site locations to visit clients, attend meetings or go to court. You may also have to attend the scene of crime so that you can help with the seizure of items or examine devices in situ.
- Digital forensic opportunities are available throughout the UK and internationally. Organisations and companies tend to be located in cities or towns.
- You may face restrictions on how much you are able to talk about your job outside work, particularly if you work in government, the Ministry of Defence or police departments. This is due to the sensitive nature of some of the information you may encounter. You might also have to view information and images that you find distressing.
- If you're involved in cyber forensics roles, you may be required to act as an expert witness and give evidence in court cases.
- Some roles require employees to be security cleared.
Most recent entrants to the profession are graduates. Some employers specify a degree or Masters in computer forensics, or related areas such as cyber security. Others, particularly larger organisations, may be more flexible and accept a range of computing or science, technology, engineering and mathematics (STEM)-related subjects for graduate schemes in this field.
The following subjects may increase your chances:
- computer forensics
- cyber security
- computer science
- mathematics, physics and other STEM subjects
- network engineering
- networks security
You could also choose to undertake further study. The National Cyber Security Centre (NCSC) lists certified Masters degrees in cyber security and closely related fields from a range of universities.
It's also possible to take a cyber instrusion analyst higher apprenticeship or a cyber-security technical professional degree apprenticeship.
Entry without a degree is possible by starting in an entry-level position and working your way up by undertaking further training and industry-specific qualifications and certifications.
You'll need to have:
- a willingness to keep up to date with the latest forensic computing techniques, tools and software, such as FTK, EnCase, Cellebrite and XRY
- understanding of operating systems, e.g. Windows, Mac, iOS and Android
- analytical and problem-solving skills
- patience and a methodical and well-organised approach to work with the ability to adapt to changing priorities quickly
- an enquiring, investigative mindset with excellent attention to detail
- written and verbal communication skills for writing reports on findings and conveying technical information to technical and non-technical people
- the ability to identify patterns or trends across large amounts of data
- an aptitude for working under pressure and to deadlines
- decision-making skills and the ability to interact with a range of people and communicate decisions effectively
- the ability to manage expectations
- integrity and impartiality and be compliant with issues of confidentiality
- security clearance - this may be necessary if you have access to sensitive information.
Relevant work experience is a great way of gaining insight into this field and will enhance your future employment prospects. The confidential nature of the work, however, means it can be difficult to secure work shadowing or short-term work experience. You may be able to secure a summer internship or year-out placement in computer forensics, as these are available within a range of organisations.
Experience of computer network administration, operating systems, software and data analysis is also useful. You can get this by doing a year in industry if you're on a sandwich degree course or through summer work placements. You could also start to develop up your own programming and web development skills by setting up your own website or blog.
Other ways to get experience is through competitions such as the Cyber Security Challenge UK.
Key employers include law enforcement agencies and computer forensic companies specialising in digital forensic investigations.
Any organisation or employer susceptible to security incidents and data breaches may offer opportunities in computer forensics.
There's a high demand for digital forensic professionals and career prospects are excellent for this area of work, particularly if you're willing to travel.
There are a number of graduate schemes and entry-level opportunities across all sectors, including:
- financial service organisations - including banks and accountancy firms
- forensic computing companies and consultancies
- government agencies
- government departments - both national and regional
- government intelligence and security services - including GCHQ and MI5
- IT and telecommunications companies
- police forces and law enforcement agencies - such as the National Crime Agency (NCA)
- the public sector - including the health sector.
With experience there are also opportunities to work as a self-employed consultant.
Look for job vacancies at:
The fast moving and constantly changing nature of cyber-crime means you'll need to keep up to date with the latest developments in your field and be prepared to learn new investigative methods and software.
Your employer may encourage and support you to undertake training and accreditation in forensic computing techniques, tools and software. This may include Forensic Analysis and Cell Site Analysis, FTK, Data Recovery, Expert Witness, Forensic Toolkit, Encase, XRY, Cellebrite, X-Ways and ISO 17025 and ISO 27001 accreditation.
There are a number of recognised industry-specific qualifications and certifications suitable for computer forensic professionals, including:
- GIAC Computer Forensic Certifications
- 7safe Digital Forensic Training
- CREST professional qualifications
Professional bodies include BCS, The Chartered Institute for IT, CREST and the Chartered Institute of Information Security. Membership of these can aid your professional development throughout your career.
You may start your career by getting a place on a graduate training scheme or via an entry-level job. This could be in a support technician role or in a related role such as network engineer or developer. With experience you could then move into an analyst role.
As you gain more experience and develop your skills through professional development courses and relevant industry certifications, you can progress towards a senior analyst role, leading a team of analysts and related staff, and eventually become head of security. With experience, self-employment as a security consultant is also possible.
The Cyber Security Building resource outlines roles available at different stages from trainee through to more senior positions. Cyber Security Challenge UK also provides an overview of career development pathways and typical roles open to cyber sector professionals.
Alternative pathways could include a move into a different but related role, such as that of cyber security specialist or penetration tester.