This story was printed from ZDNet Australia.
Digital detectives track hacks


April 26, 2001
URL: http://www.zdnet.com.au/news/security/soa/Digital-detectives-track-hacks/0,130061744,120217893,00.htm


Armed with forensic skills, nerves of steel and lots of patience, digital sleuths are commanding top dollar to sift bits of evidence after hack attacks.

If e-business had a modern-day Sherlock Holmes, his name would be David Dittrich.

Dittrich, a security manager at the University of Washington, in Seattle, is one of a rare breed of security pros--the computer forensics expert--whose skills are getting ever more precious as the number of computer crimes spirals. These are the data detectives who search for digital clues remaining on computers after malicious [or black-hat] hackers have done their dirty deeds. Sleuths like Dittrich analyse email, Web site records and hard drive data, looking for clues to the identity of criminals and crackers, much like gumshoes examine crime scenes for fingerprints and stray hairs.

It's not just the number of crimes that's fueling the need for these skills; it's also the increasing sophistication of criminals. "The black-hat community is moving forward at a pace that outstrips the ability of the average system administrator or law enforcement agency," Dittrich said.

That means that both e-businesses and law enforcement agencies are paying plenty to find experts such as Dittrich to sift through evidence left behind at digital crime scenes, experts say. "The need for computer forensics is growing exponentially," said John Gunn, lab director of the San Diego Regional Computer Forensics Laboratory, the first multiagency, regional computer forensics lab in the United States.

The protection racket
Security consultants and auditors are well-compensated for their knowledge. In a survey of more than 7,000 IT managers, the SANS Institute found that security consultants, on average, make US$20,000 more per year than network administrators. Overall, salaries for all positions grew 11.5 percent to an average of US$65,424 in 2000.
Position                  Average salary    Increase from 1999
Security consultants      US$79,395         +13 percent
Security auditors         US$71,404         +11.3 percent
Security administrators   US$63,598         +11.6 percent
System administrators     US$61,440         +11.1 percent
Network administrators    US$58,399         +11.7 percent

Source: SANS Institute

The need is particularly acute at local, state, federal and military law enforcement agencies that host computer forensics divisions, which are looking for individuals adept at solving hacking and intellectual property cases.

Gunn said the job is intense and tedious and requires nerves of steel. Most specialists at the San Diego RCFL have years of programming or computer-related experience, strong analytical skills, and the patience to invest days taking apart a computer in search of evidence. And if things keep going the way they are, it probably won't hurt if these experts don't mind overtime. Last year, the San Diego RCFL closed 400 computer-related cases. This year, Gunn expects the number of cases to double.

Other professional attributes needed to catch a thief, experts say, are strong computer science fundamentals, a broad understanding of security vulnerabilities and strong system administration skills. Dittrich, who has been analysing compromised systems and reconstructing the events since the early 1990s, uses these skills to seek information to reconstruct how a system was hacked. "The number and complexity of intrusions has increased at an alarming rate. I've been forced to find ways... to try to keep up with intruder tools as they have progressed in sophistication," Dittrich said.

Experts gather this data and create an audit trail for criminal prosecutions. They search for information that may be encrypted or hidden, and they examine unallocated disk space. Most cunningly of all, they set traps using vulnerable computers to lure malicious hackers into giving themselves and their techniques away.

Dittrich stressed that computer forensics specialists must have strong analytic skills and excellent verbal and written communication skills. That's because they're required to document their findings in detail, and they often testify at criminal trials.

The demand is being answered by several educational facilities, including the University of Central Florida, in Orlando, which offers a graduate certificate in computer forensics. The International Association of Computer Investigative Specialists offers certification for computer forensics examiners. Demand for such courses is so high that the association's classes for the third quarter are already full.

Such courses are helpful for those IT managers or individuals who lack computer programming experience but who want to make the leap into computer forensics. Gunn, who conducted general investigations for the FBI before joining the RCFL, got up to speed with training courses offered by the FBI.

Computer forensics specialists like Gunn caution that IT managers interested in pursuing computer forensics as a career shouldn't expect that just by taking a few courses in the subject, they'll be able to track some of the world's slyest hackers.

That's because, as experts like Dittrich say, there's no way to stay ahead of the crooks. White-hat hackers at this point can only try to narrow the gap between themselves and the bad guys--and hope that the black-hat hackers don't get too fastidious when it comes to leaving behind digital footprints.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.