Forensic Investigator

What does a Forensic Investigator do?

While an investigation is happening, there’s usually a lot of communication between the investigator and your IT manager so that you don’t need to wait for the final report to get the information you need to eradicate the problem(s) and harden your systems. Here are the typical actions a PFI would take.

Preliminary research

Forensic investigations begin with some research on the company. The PFI needs to “scope” out the merchant’s environment. This means finding out where their critical data resides, the systems that connect to it, and how the data flows in and out of the network.

Onsite data gathering

The forensics team then goes onsite and gathers data from identified devices (or in select cases may be able to acquire the data remotely). They may get the data from every single device, or, in the case of larger, disparate environments, from a representative sample of in-scope devices.


The investigation team brings the data back to their headquarters and analyses it thoroughly to confirm whether a data breach actually occurred, to determine what data the attacker was able to steal, and to discover which vulnerabilities were exploited in the breach. This is the longest part of the investigation and could take from several days to several weeks to pinpoint the attack.


About a week after the initial data acquisition, the investigator will issue a short preliminary report that shows whether or not they’ve discovered any indicators of compromise or other overt evidence of a data compromise. After the forensic data has been fully analysed, the investigator will submit a complete final report that includes how the attack happened, which vulnerabilities were exploited, and what data was at risk.

Path to become a Forensic Investigator

If you intend to go for the field of digital forensics, it is highly recommended that you get specialized in the field from an early stage in your cybersecurity career. The following points lists a typical career progression for a Forensics Expert in a large-scale organization or consultancy.

  • Junior Forensics Analyst
  • Senior Forensics Analyst
  • Senior Forensics Manager

On the other hand, there is another possible scenario that some folks prefer to get through to become forensics experts. They start off their career as law enforcement officers. They spend some years there to get the sufficient experience for moving forward in their career. Additionally, they receive on-the-job trainings to specialize finally as full time Forensics Experts.

Relevant courses

Security Analyst Security Technician Penetration tester Information Security Manager