My Journey into Academia

Monday, September 2, 2013 Posted by Corey Harrell
The frequency of my blog posts was slowly decreasing until I finally reached the point when I decided to take a hiatus from jIIr. My decision to stop blogging wasn’t because my heart is no longer in it, I ran out of ideas, or I lost interest in sharing with others. My decision was the result of a time management issue. I’ve been focused on another endeavor that has left me with very little time for blogging. This endeavor has been my journey into academia. As I recently reached a milestone on this journey (developed my first course) I wanted to take the time to talk about why I went from DFIR practitioner to DFIR educator.

Why Even Bother with Academia


To be honest academia wasn’t even on my radar. An opportunity presented itself and after careful consideration I decided to pursue it. However, before saying what my final deciding factor was for starting this journey it’s necessary to reflect on our DFIR field and how academia supports it.

There has been an issue within our field that seems to be growing with each passing year. The issue is obvious for those who are active on DFIR forums, mailing lists, and conducting interviews to fill positions. Eric Huber (A Fistful of Dongles) addressed this issue in his post Ever Get The Feeling You’ve Been Cheated? Eric made a lot of great points in the post so it’s well worth the read. I wanted to pull out two quotes to highlight the issue I referenced.

“During the early years, it was rare to see applicants who had degrees in digital forensics, but I’m finding it increasingly common in recent years. One of the things that I have been struck by is how poorly most of these programs are doing in preparing students to enter the digital forensics fields.”

“One of the core issues that I see with the programs that aren’t turning out prepared students are the people who are teaching them.”

The issue is some academic programs are not preparing their students for a career in the digital forensic and incident response fields. I’m not talking about skills such as students not being able to run tool XYZ since this can be easily addressed through training. The deeper issue is students not being able to analyze and evaluate DFIR problems to come up with solutions. Like Eric, I don’t fault the students to a certain degree. The blame goes to the academic programs that are hastily putting together information security and digital forensics programs to jump on the bandwagon.

As practitioners in this field we have a choice to make. We can either continue on with not hiring students coming out of these programs, ignoring their requests for homework answers in forums, or be irritated about those doing a disservice to our field by being unqualified and doing casework. Or we can do something different; we can try to change it by being involved with academia and sharing our insight/expertise to improve the curriculum. When I was presented with the opportunity this is what my decision came down to. My choice was simple; to use my ability to put together a course that helps students in their careers in the digital forensic and incident response fields. In the words of Jon Rajewski about why this should matter to all of us; “they are the future generation of digital forensic / incident responders”.

Why Academia and Not Training


My decision to start my journey into academia wasn’t solely to help those entering the DFIR field. I also wanted to help provide curriculum to benefit those already in the field. At the time I had an idea about why training wasn’t an option but I couldn’t quite put my finger on it. That was until I started looking into the differences between education and training. The difference is illustrated in Peter Fabri’s story when he went back to graduate school. He contrasted the two by saying “training is concerned with acquiring a skill” while “the aim of education is broader than training”. He went on to say education “strives to prepare learners to be analytical thinkers and problem solvers by facilitating the learning of principles, concepts, rules, facts, and associated skills and values/attitudes”.

It might be more helpful to put the difference between education and training in the context of DFIR. The paper Computer Forensics: Training and Education compared the difference as saying training "has the goal of training students for an occupation within the computer forensics field". The paper further states “training is also limited in that it focuses students’ attention on current techniques and methods rather than processes”. On the other hand, the paper explained education “destines to educate students on the needed capabilities but goes a step further in attempting to teach the students a greater level of detail on the goings on behind the scene”.

Continuing on exploring this difference is the article Education versus Training: Selecting the Right Lifelong Learning Experience (I highly recommend reading this article). As it relates to training the article explains:

“The bottom line is to seek training to acquire skills and knowledge for short-term advantage. Training brings the learner up to the level of others in the industry and will tend to make them the same as the experts they seek to emulate”

As it relates to education the article says:

“Education is different. It should be used to acquire a mindset not currently owned or to deepen a mindset already possessed”

“Education broadens the learner, makes him different from everyone else and helps him think in his own way to solve problems that have not been solved before. Of course educational programs include training in the skills and knowledge of the discipline, but they go further to develop thinking abilities, attitudes and behavior patterns that might be classified as a mindset. In this sense, training programs do not include education but education programs often include training.”

The key difference between education and training as it relates to digital forensics and incident response is one’s goal is to equip the learner with the skills, techniques, and methods to tackle a known problem while the other’s goal is to develop the learner into an analytical problem solver to tackle any problems they may face. To illustrate this point it might be helpful to share two experiences I’ve seen in my career. Numerous people in DFIR have attained most of their skills and knowledge through trainings and they weren't developed into an analytical thinker through a formal education. At times this puts them at a disadvantage.

One day I was leading a local forensic group meeting on walking them through an analysis  on a test image. I wanted everyone to participate so I provided an option to use free or open source digital forensic tools. As I was going through the analysis someone in attendance said “I could do this if I had “insert commercial forensic tool here”. This person wasn’t approaching the analysis as a problem solver and saying what tools can help me carry out my process. Instead they fell back on their training and without the tool they were trained on they were helpless.

Another example is one I see online. In these instances it’s people who are new to finding malware on systems but they have recently completed some training on the topic. They have a system where they must find malware. In an effort to use their newfound memory forensic skills they try to virtualize the system, dump the memory, and then try to analyze the memory to find the malware. This is a good technique but they never take a step back to look at the problem they must solve and the process to use to solve the problem. Again, they fall back on their training to try to solve what they are faced with.

This key difference is why I felt more aligned with academia with trying to educate others into the DFIR mindset as opposed to instructing others on a specific skill. As the Education versus Training: Selecting the Right Lifelong Learning Experience article states I wanted the learners to be “acting after deep thought and analysis; broad” instead of “acting out of new habits and skills; narrow”. I wanted the end result to be “makes you different from others, thoughtful and mindful, educated” and not “make you the same as others with the same training, measure up”.

These were the two primary reasons why I started my journey into academia; why I’m using my DFIR practitioner mindset and skill set to be a DFIR educator. The other perks such as research resources and extra income were just icing on the cake.
Labels:
  1. Anonymous

    Fantastic post, Corey. This is the best explanation of the forensic problem-solving phenomenon that I've seen thus far. Often, many forensic examiners will "stick to their guns" in terms of how to best solve a problem. This, however, ultimately limits said examiner's ability to efficiently and effectively come up with a solution.

    Unfortunately, this way of thinking really puts a cap on what the examiner is willing to learn, further instilling the belief that everything could and should be done ONLY with the tools introduced in training sessions. This mentality essentially advocates a closed mind, making it that much more difficult to become fundamentally analytical in forensic cases.

    To put it simply, it's like trying to force a puzzle piece into the puzzle when the best-fitting piece is only a few inches away. You just have to be willing to break away from old habits/processes and find that right piece.

    You communicate the issue very well in this post. Thanks for sharing.

    -Dan (@4n6k)

  2. Anonymous

    Will your course be available as part of the Champlain's online certificate/bachelor's program?

  3. @anon

    The course is apart of Champlains Master of Science in Digital Forensic Science. The program's curriculum looks pretty solid http://www.champlain.edu/computer-forensics/masters-digital-forensics-science/curriculum

  4. Phil C

    Corey,

    I've been a long time reader and really appreciate the awesome material you've presented on your blog. I'm somewhat new to the DFIR industry (working as an examiner for two years now) and I'm actually a little confused as to what your main point is about this article. Are you saying that it bothers you that people just give up and won't think outside of their training in order to solve a problem? It bothers me too, I just wanted to see if I was missing the mark on this post. I've learned over the past few years how important it is to be flexible and never give up just because no one knows the answer to a problem because it is through these endeavors that we begin sharpen our skills and provide new discoveries to the DFIR industry. I'm currently going through the Network Security & Admin route at Champlain, would have loved to take your course on Malware Analysis.

  5. @Phil

    The reason I wrote this post was to share my thought process about why I choose to develop a course. One reason was to share my insight and experiences to improve curriculum thus helping those entering the field. The second reason is because my the information to cover concepts, principles, and processes. Thus what I wanted to educate others in aligned more with an academic course so trying to be involved with the training aspect wouldn't accomplish what I wanted. To illustrate this point I had to highlight the difference between education and training

  6. Phil C

    Corey,

    Thank you, totally makes sense. I wish you well in your new endeavor.

  7. Awesome read. I am currently enrolled in the DFS Masters program at Champlain and remember discussing the degree vs certification argument in one of the courses. Which course did you develop?

  8. @John

    DFS540 Malware Analysis course

  9. I'll see you in 5 weeks :)

Post a Comment