You are correct, but it boils down to being an investigator or not being one.
It's great to know a nibble or a word or a TB or GB, but if you can't investigate then you can't formulate proper search strings, you don't know how to do anything if it doesn't come up in the first Google hit. And there is another problem.
I've met so many people who Google something, and take the first hit as the end all be all. Doesn't matter what that hit is, it's the answer and they go forth with it. Would you not validate your findings with an image to see if the images match, if the md5's are the same? Why not try to validate your findings with google, yahoo, ask.com, etc. It's because it's NOT taught to anyone.
IMHO and the opinion of lots of others you have the gift of investigation or you don't. You can teach basic investigative principles to help someone get better, and they can over time, but I think it's much easier to be an investigator or detective and then get into computers, than to be in computers and try to learn to investigate. I'm talking about a good investigator, not just a run of the mill one. There are lots of really good investigators on here, but alas they post less and less.
I'm working on a book not from a technical side, but from an investigative side, how to investigate computer forensics, too much we learn technical things which we may or may not ever use, how about getting some training in how to find what we need anytime and use it practically.
Reading, researching and analyzing are essential skills both for successful students and for anyone hoping to work in an analytical field such as forensics.
That about sums it up. But maybe we might want to also ask
a) What is the level of 'teaching' the students actually receive?
b) Why is the suggestion being made that some (not all students) do not understand the path to researching?
c) Isn't there another aspect as well to consider and that is what is the level of reading materials actually available from the University?
This is an interesting set of questions. Over the past 10 years or so I have gotten the impression that educational institutions have been "jumping on the band wagon" and setting up courses in CF to harvest students.
I really question the quality of the instruction and courses overall and can say that based on some of the newb questions we have seen here lately I am not encouraged. One of the things that a university is primarily supposed to instill in the students is how to think through and research a problem. I haven't seen too much of that in some of the questions we have seen lately.
Further as to the quality or level of the instruction. Some questions have been posted here of late that had the assignment problem set out. I noticed that the assignments were almost verbatim one of the old honeynet challenges (HINT TO STUDENTS the Honeynet challenges and Scans are classics, if you don't have that site bookmarked you should do so). Are some instructors just regurgitating old course material? Anyone else notice that as well?
You are correct, but it boils down to being an investigator or not being one.
It's great to know a nibble or a word or a TB or GB, but if you can't investigate then you can't formulate proper search strings, you don't know how to do anything if it doesn't come up in the first Google hit. And there is another problem.
I've met so many people who Google something, and take the first hit as the end all be all. Doesn't matter what that hit is, it's the answer and they go forth with it. Would you not validate your findings with an image to see if the images match, if the md5's are the same? Why not try to validate your findings with google, yahoo, ask.com, etc. It's because it's NOT taught to anyone.
IMHO and the opinion of lots of others you have the gift of investigation or you don't. You can teach basic investigative principles to help someone get better, and they can over time, but I think it's much easier to be an investigator or detective and then get into computers, than to be in computers and try to learn to investigate. I'm talking about a good investigator, not just a run of the mill one. There are lots of really good investigators on here, but alas they post less and less.
I'm working on a book not from a technical side, but from an investigative side, how to investigate computer forensics, too much we learn technical things which we may or may not ever use, how about getting some training in how to find what we need anytime and use
I couldn't agree with you more. There is a saying that "you can put a geek into the cop but you can't put a cop into the geek". There is a definite way of thinking that comes from being an investigator first rather than a "techy" person that provides a fundamental skill set that is necessary for CF. This was a huge policy fight in the US and Canada back in the early days. Factions wanted to use IT staff to do the work and it took years to convince the powers that be otherwise. The criteria to do CF in my pre-retirement agency was a minimum of 2 years as a frontline criminal investigator before you could be considered for introductory CF and computer technology training that you had to pass with a minimum score, and only then would you be eligible to receive in-depth training. I am not saying that you have to be LE or ex-LE, all I am saying is that you need to remember that CF is an investigative function first, you need to know the rules of evidence in your jurisdiction, how to evaluate the weight of the evidence, how to disclose the evidence gathered, how to maintain a chain of evidence, follow leads, and so forth. All these things apply to digital evidence no differently than physical evidence handling which is investigative procedure 101. I recall a newbie here that proposed using a web based tool to pull some meta data from a set of files he was looking at. He did not consider that such a procedure could hoop his evidentiary chain of custody (material not under custody and control once it was being accessed by a system he didn't control). This is a fundamental flaw of being too concerned with the technical rather than the legal aspect of a procedure.
I get chastised by mod and a few others for my view on this.
@forensicakb - for the sake of anyone reading the above comment I feel I should clarify that I have no problem whatsoever with your views on this subject, my frustration has always been with the way you've expressed those views. Constructive criticism should always be welcome but it needs to be delivered with tact and sensitivity if it's to be taken on board (and not become counter-productive).
@all - This is a good discussion and despite what some might think, I often despair as much as anyone at some of the posts in these forums. It's tempting, even seemingly intuitive, to think that we can put in place some kind of quick fix but I'm far from convinced that's the case. The real problems, many of which have been brought up in this thread, run deeper and are more widespread than anything we could ever fully address here with technical measures only. That doesn't mean I'm not listening, though, and will continue to listen to all suggestions for improving the way we do things at Forensic Focus.
One last comment - without trying to downplay these issues we also (IMHO of course) need to keep them in perspective and act accordingly. Yes, there are students out there who almost certainly will never possess the full range of skills and human qualities which a good investigator needs. Yes, some of them may post from time to time and raise concerns. However, let's not forget the other students who post and are clearly well equipped and highly committed to carrying on the work of the first generation of computer forensics investigators - they need to be supported and encouraged to ask questions without fear of ridicule or contempt if the industry is to move forward.
I just came across this article today, which, whilst not directly relevant certainly backs up Jamie's comment regarding that problems "run deeper and are more widespread" http//
Just to make things crystal clear.
I have no problem with anyone, including students, asking questions. What I do have a problem with is what this whole post was about in the first place, which is not necessarily asking questions to help yourself to learn but essentially posting your entire question as posed by a university lecturer.
I assume that it will be a case of a quick copy-and-paste job, a bit of editing, and then handing it in as their own work. This is where the true problem lies. By all means ask questions RELATED to an assignment or paper, but don't be lazy and just post the entire question and expect everyone else to do the work for you.
I don't have a problem with students at all, I was one not that long ago and I know that there are good and bad examples of such, just as there are in the field itself. The good ones will ask sensible questions, the lazy will just expect everyone else to do it for them.
Great article. I was particularly interested to read about the study into Morris dancing (although it won't come as a surprise to anyone who's seen me on the dancefloor - there's definitely something going badly wrong there which needs investigating!)
I just came across this article today, which, whilst not directly relevant certainly backs up Jamie's comment regarding that problems "run deeper and are more widespread" http://www.theregister.co.uk/2010/11/01/comp_sci_graduates_need_more_skills/
Good find azrael. I did note the complaint about a lack of resources crept into the equation
Talking to academics, they of course complain about the funding, and point to a double whammy that the Dotcom boom lured good people into industry, and reallocation of funding to the study of Morris dancing has made it worse even before the new cuts. (The Morris dancing example is a real one.)
My couple of cents.
A certain part of this discussion sounds like the business-IT alignment discussion all over.
Only in this case investigator-IT alignment.
you can put a geek into the cop but you can't put a cop into the geek
No offence but stating that either one of the skills is pre-dominant over the other is too simplistic in my opinion. In the field of business-IT alignment those most successful proved to be those sufficient with, at least to some extent, both skills.
This isn't about your background or skill set, but opening up toward the other expertise as well. For one with a background in IT this means getting up to date with forensics, law, investigative techniques, etc; for one with a background as a police investigator this means getting up to date with computer architecture, nibbles, GiB, GB, etc.
I think this shouldn't be an us-or-them discussion. Saying one side is pre-dominant over the other is largely the attitude problem, that is only a catalyst to the issue.
Being able to formulate search strings doesn't make you an investigator either. Ask Google, Bing, Yahoo, millions (possibly billions) of people formulate search strings everyday. Are they investigators? A few of them at most.
IMHO there is only one aspect that makes one a TRUE investigator: an insatiable desire to find the truth. Often this boils down to being able to consider ALL possibilities and to get adequately competent in the domain (material) he/she is investigating. What I personally think also helps is being a tenacious b*****d 😉
My second point is that there are people taking short cuts in all stages of life: students, criminals, cops, lawyers, bankers, managers, etc. Alas what society has done for a long time (and is still doing) is even rewarding such people for it.
So if we want our students to become good/adequate investigators we should teach them to be and this shouldn't be limited to the institutions. IMHO for "us investigators" setting the right example is the best way to teach them.
You are correct, but it boils down to being an investigator or not being one.
While I agree with what you are saying here I have to strongly disagree with your perception that you must be a sworn officer to have the investigator skills. Having spent 6 years and 9 months working in an LE lab with 20 odd staff, with sworn and unsworn staff working side by side I saw no evidence to support your stance. Yes each group brought a different skill set to the team, and provided both groups were provided with appropriate training and mentoring there was no difference between them. On the whole unsworn staff with a degree in computer science, or engineering were able to get up to speed faster than sworn officers with little or no computer experience, this is not to say that once they were up to speed the sworn officers were not able to contribute just as much as the unsworn ones. The big problem with sworn staff was that they had a turnover of around 2.5 to 3 years. The point at which they become really valuable is around 2 years, so you spend 2 years training them to get 1 year of really good value from them. On the other hand unsworn staff stayed for around 5 or more years. In fact the attrition rate of staff due to stress of exposure to CP was much higher among the sworn staff than the unsworn.
We had problems with sworn staff and we had problems with unsworn staff. However overall we had a high level of success with both groups. To simplify any problems to 'he is not a cop therefore he is no good' is displaying a level of ignorance that I find quite astonishing.
I think your perception is the result of either poor selection processes or poor training practices.
A couple of key points need to be recognised. Firstly you must employ people with the right level of motivation, this does appear to be getting harder with the younger generations (I hate to say that as it makes me sound much older than I am). However there appears to be a much larger expectation of rapid promotion and over expectation of high pay among recent graduates. Secondly you also must use effective selection processes, an interview and review of a cv will not cut it. I have seen people perform extremely well in an interview and look extremely good on paper who cannot figure out how to open a PC case. This is why practical assessment is the only way to go.
One last comment - without trying to downplay these issues we also (IMHO of course) need to keep them in perspective and act accordingly. Yes, there are students out there who almost certainly will never possess the full range of skills and human qualities which a good investigator needs. Yes, some of them may post from time to time and raise concerns. However, let's not forget the other students who post and are clearly well equipped and highly committed to carrying on the work of the first generation of computer forensics investigators - they need to be supported and encouraged to ask questions without fear of ridicule or contempt if the industry is to move forward.
Jamie I think you are making a really good point here. I think the main contributing factor to the perceived 'flood' of idiotic student questions is the fact that the number of students must be significantly higher now than it has ever been. This is simply due to the number of programs available. Five years ago there would have been a handful of undergrad courses in digital forensics, now there are hundreds. So it is hardly surprising that a few lazy students are popping up around the place.
At our college alone we have around 250 students studying digital forensics, I have yet to see any posts from those students. If you extend those numbers to the number of programs offered around the world there must be tens of thousands of students out there. If we are only seeing a handful of bad/lazy questions it is actually not too bad.
@DFICSI Any student copying and pasting answers from here or any other forum is running a high risk of being caught for plagiarism, a fairly serious offence in the academic world.