Read as Eric Robi talks about his career as a Computer Forensics Expert. Find him at www.ellumadiscovery.com/blog and on his Twitter feed in the sidebar of this interview.
What do you do for a living?
How would you describe what you do?
As the President, my primary duties are to run the day to day aspects of the firm, and ensure marketing and sales are on target. However, over the years I have personally worked as a computer expert in hundreds of cases. Nowadays our staff of computer forensic analysts and eDiscovery experts work on a variety of different projects daily.
For example, a typical day will involve using a mix of technical skills and consulting skills. Recently we worked on a project involving misappropriation of trade secrets and our overall goal was to work with the law firm to analyze the data in the case so that we could understand how an employee stole information and to see who helped him. It involved searching and analyzing large quantities of emails and documents from email servers, desktops and proprietary databases. We indexed and processed the data we collected and then honed in on the key emails and documents for the legal team to review.
What does your work entail?
Our work involves a blend of soft skills and technical skills. One of the most important qualities I look for in people that work at Elluma is a ‘digital detective’ mindset. In other words, a computer forensic analyst has to be incredibly curious about how computers work and how people behave. We infer people’s behavior from looking at the data they leave behind on computers.
Generally a typical work week may involve some forensic examination using a tool such as EnCase, a lot of work in spreadsheets, preparing reports for attorneys, writing declarations and processing data. In addition to giving expert advice to attorneys about the electronic evidence in a case, an eDiscovery expert will spend a great deal of time suggesting strategies and explaining how particular events happen on a computer. For example, we are often asked to explain how a specific file ended up on a computer and when it was accessed or changed. Doing this requires a technical ability to use many different software tools, but also being able to explain in layperson’s terms how different computer processes work.
What’s a typical work week like?
A work week will involve many communications with various clients. Depending upon the stage of a lawsuit, a computer forensic analyst here might do different things. Near the beginning of a case an analyst might perform a data collection – i.e. make a forensic image of a computer, server or mobile phone. If it’s later in a case, the analyst might try to figure out what an employee was doing at a certain time – perhaps he might try to figure out if an employee was sending emails to a competitor, copying files to a USB drive, or what websites he visited. Later in a case, the analyst may search a large set of documents and find ones that are in a particular date range and contain certain keywords. This is done using both eDiscovery tools like NUIX or computer forensic tools such as EnCase.
Once the searching and filtering is done, the attorneys will need to review the emails and documents so an eDiscovery expert will then prepare the responsive files for upload to our online document review platform and then train the attorneys how to use it. At another stage of a case, an analyst may have to a write a declaration regarding the specific steps he took to do all this work.
The work we do is incredibly varied and each case is quite different so that keeps things quite interesting and fun. I enjoy the fact that what we do is not terribly repetitive and requires me and my analysts to keep on our toes all the time.
How did you get started?
I started Elluma Discovery in my bedroom in 2002. Early on I worked as a computer forensic expert witness. I’ve testified in dozens of cases both civil and criminal. As the company grew I moved out of the bedroom and added staff. Early on, it was a nascent field and there were only a few hundred people in the world working in it. The term eDiscovery didn’t become common until a few years into my career. At first it was mostly referred to as computer forensics. However, as the industry grew, I realized that it didn’t make sense to treat eDiscovery and computer forensics as different disciplines so I decided to integrate tools and techniques from both disciplines.
Today I see eDiscovery and computer forensics as part of a continuum and we try to use whatever tool is best suited to a particular task. We use a broad array of hardware and software tools now and that has necessitated a substantial investment that I was not able to make when I started out.
What do you like about what you do?
I love computers and technology and I love figuring out how things work. This job affords me the perfect opportunity to learn about what is new and cutting edge. The computer forensic industry by necessity has to parallel the computer and technology industry at large. Each time Microsoft releases a new version of Windows we need to learn what kind of new artifacts we can analyze. Similarly, the iPhone was introduced in 2007 and because it quickly evolved into such a game changer we are now seeing a great deal of requests to recover data such as text messages. Social media such as Facebook didn’t even really exist in the early 2000s and now we frequently find ourselves collecting data from these types of services.
Because the burgeoning changes in technology are now too rapid for the layperson to stay on top of, I particularly enjoy working with our clients to analyze data and put it into context in a case. For example, there may be several versions of a contract and the fact that we can show a progression of changes made by several people can be incredibly important in a lawsuit. Showing the context might involve multiple sources of evidence such as email, a computer and a cell phone. To me it’s really interesting and fun putting all the pieces together to tell the story of what actually happened.
What do you dislike?
I really enjoy most aspects of my job, but of course the hours can get quite long at times. Sometimes clients can be difficult to deal with, but that is true for any job and much of my job deals with educating our clients about the process and how technology works.
How do you make money/or how are you compensated?
My personal income varies with the profitability of the company but it is six figures annually.
How much money do Computer Forensics Experts make?
A starting computer forensic expert or eDiscovery analyst’s income will depend on several factors. In a large city, someone with a computer science degree from a recognized university might start at $70,000+ per year. On the other hand, someone with no degree, no experience and just a forensic certification without much technical background will have trouble finding a job. It can be a somewhat difficult field to enter because employers highly value experience and the learning curve to perform useful tasks is pretty steep. The stakes in a lawsuit can be very high, so employers are quite cautious about letting entry-level people perform much front-line case work.
For someone without a lot of experience, it may be more productive to try finding employment at a larger firm that will have a sufficient variety of case work and a training program where entry-level employees can improve their skills.
Generally most job opportunities will be in the larger cities such as Los Angeles, Chicago, New York, Dallas, and Washington D.C. etc. In a smaller city entry-level employees might expect to make $40,000 or less depending upon their experience and skill level. A formal degree in computer science, computer engineering or information technology is quite desirable. Some universities such as the University of Southern California now have minors or specializations in computer forensics. These kinds of programs can be quite helpful in getting that first job.
How much money did/do you make starting out?
When I started the company in my bedroom I made about $65,000 the first year. An entry level person might expect to make $40,000-$75,000 depending upon the city, the kind of degree (computer science is very desirable), and what kind of forensic classes and certifications they have.
What education, schooling, or skills are needed to do this?
A degree in computer science is very desirable, but not essential. Almost everyone I know in eDiscovery and forensics has a 4 year degree from a recognized public or private university. I don’t know anyone working in the field that has a degree from a ‘for profit’ university. If you don’t have a degree in computer science, a related technical field can be very useful. Beyond that, certifications such as the Certified Computer Examiner (www.isfce.com) or EnCE (www.guidancesoftware.com) can be very helpful. There are also certificate programs from schools such as California State University Fullerton, Extended Education (http://www.csufextension.org) that can be very helpful. Without some kind of certificate or formal training in the field of computer forensics or eDiscovery it would be difficult or impossible to get a job interview.
What is most challenging about what you do?
There are many challenging aspects of the job, but it’s certainly a challenge to keep up with the continual changes in the computer industry. That said, I enjoy the continual education process. Building processes for new tools we acquire is also an interesting challenge. That said, probably the most challenging, yet rewarding part of the job is helping to solve my clients’ problems and arrive at the best outcomes.
What is most rewarding?
The most rewarding aspect of the job is to make it possible for my clients to achieve their goals – and the objectives can be quite varied. For example, in a recent case we located key deleted emails and other evidence buried in a very large dataset that proved my client’s ex-employee stole trade secrets. That case settled for over $2,000,000. It’s rewarding to know that our work made this outcome possible. In other matters I’ve helped the wrongly accused avoid a lifetime in jail on more than one occasion. There’s a lot of satisfaction in knowing that I essentially helped save someone’s life.
What advice would you offer someone considering this career?
The hours can be pretty long and a lot of training is required on a continuing basis. Besides getting a technical degree and formal training or a certification, the most important thing to have is a very curious mind. In order to do this job effectively, you have to have an insatiable desire to figure out what someone did and how they did it – only by finding and interpreting computer data. If you think what a detective does is cool you’d be off to a good start. You should be fascinated by how computers work and want to learn more on a daily basis. If you’re not comfortable working with computers and data intensively on a daily basis this is the wrong field for you.
How much time off do you get/take?
I probably take less time off than some other professions, but I personally take 3 -4 weeks per year on average.
What is a common misconception people have about what you do?
Many people think that our software and computers do everything and that important data can be found ‘automatically’ without much human intervention. Nothing could be farther from the truth. Although having good software tools is important, there is still a great degree of manual configuration, manipulation and time required to locate and analyze data. Interpreting the data you have found for the attorneys takes a considerable amount of time. It’s important to be comfortable with the idea that a big part of the job is educating your clients on how technology works.
The legal industry always trails several years behind cutting edge technology and if you’re looking to be in an area that is truly bleeding edge, eDiscovery is probably not going to be the most rewarding career unless you are on the software development side.
What are your goals/dreams for the future?
My goals are to continue to grow the services side of the company, but also to start a software division that will address the needs of smaller law firms that have eDiscovery needs but find current solutions too expensive.
What else would you like people to know about your job/career?
I love the interesting confluence of technology and the law. It’s a constantly evolving field and I enjoy interacting with a lot of very talented, smart people on a daily basis. Things move quickly and deadlines can be tight which means work is always interesting and challenging. There is a huge amount of growth potential in the field of eDiscovery and computer forensics and it will undoubtedly continue to grow and evolve quite rapidly. The increasing use of artificial intelligence in space to me is a truly fascinating development that I’m sure will only increase rapidly over the next decade.