Just to make it clear, any image I've created is like a random (real life) image for the students. They have no idea what is on the image and only have a list of questions to answer. They don't get the documentation I made for the images. That is for my benefit, not theirs.
The list of questions given to the students are identical to those I have received on past cases. "What USB devices have been connected? When was the last shutdown? Were data wiping tools used? Does file X with hash value XX exist? and so on."
They are flying a flight simulator and have no idea what is in store for them once they open the image. Just like a real case, or at least as close to real as possible.
I am with Brett on this one.
I grasp how fantastically fun it would be to generate random data in "real flight simulators", some forensically valuable, some just misleading obfuscation, and some of no value; thereafter releasing students to find the meat…
I am sure that you are more than qualified (and certainly much more qualified/experienced than myself) on the matter, but you are actually seemingly also partially on my side. 😯
The raised point is only that IMHO there is a "gap" between the experience a student/practitioner can learn on images of type #2 and the one he/she can learn from a "real case" image or from a type #3 image.
As well, I am confident that the images that you or Brett "handcraft" are as good as they can be, but this in no way implies that they are as complex as a "real case" or that they completely fill the hole/gap I described earlier.
They are flying a flight simulator and have no idea what is in store for them once they open the image. Just like a real case, or at least as close to real as possible.
Sure ) , but they are using an already very advanced flight simulator, like
http//173.248.147.74/~ikeahack/wp-content/uploads/blogger/_XGRz6uWGK3I/SwqxgRaSvuI/AAAAAAAAHGM/VatDUO79fhw/s1600/Deskoptions5-701450.jpg
but not something *like* this
http//
Now, being in the business, you may well - much better than me - consider this gap/hole as either non-existing or too small/trifling to be considered worth of note, but if it actually exists and can even partially be filled by some automated or partially automated tool, at least thinking about the possibility of doing something about it doesn't seem to me a bad thing.
Maybe noone will ever be able or have the time/knowledge to make such a tool, or of a tool capable of creating a "type #3" image, but maybe it could be useful to easen your manual creation of type #2 images, or help in making those images faster (i.e. allowing you to make "more" images or to make the same number of "more complex" images, still of type #2 but more similar to type #3).
And - more generally - a man can dream wink
jaclaz
Theoretically, the best would be #4 (or was it #5?).
Use real case material, and present it to the students.
Problem with real life material is limited educational scope. Someone might use say BleachBit, but not timestomp, and encryption. Over an intense course, I can bring up about two dozen areas of study. I would be "lucky" if three would be used in a single real life case.
How could this be resolved?
Theoretically, the best would be #4 (or was it #5?).
Use real case material, and present it to the students.
Problem with real life material is limited educational scope. Someone might use say BleachBit, but not timestomp, and encryption. Over an intense course, I can bring up about two dozen areas of study. I would be "lucky" if three would be used in a single real life case.
How could this be resolved?
Ah, well that is a generic kind of issue with education, as I see it, and IMHO a slightly different issue.
Digital forensics is a strictly "technical" field, the student that comes out of a 4 (or more) years long course should be IMHO be able to tackle a forensic investigation on a hard disk and produce a report that can be used in a court, this should mean that he/she is given both a "wide", mostly "theoretical" set of notions, a suitable "open mindedness" on the procedures, some hands-on on tools commonly used in an investigation of this kind but also some real (or "nearly real") case experience.
The point I was raising was that a good, smart, willing kid, after having seriously studied for 4 or more years is seemingly not capable of doing an investigation by himself.
My observation comes mainly from
- the kind of questions raised in the forum by people that recently got their BSc (or that are near to getting it)
- the (apparent) difficulty in getting an internship or "first job"
- the kind of ads that are published in the "job vacancies section"
[/listo]
As said elsewhere #1 may be due partly in the poor quality (or lack of proper "focus") in the education (besides personal qualities/attitude of the student).
#2 may be due to a general "crisis" of available jobs in the field (but then there would be no ads in the "job vacancies section")
#3 may be due by firms all wanting to have the same (BTW non existent or "rare") "ideal" candidate max 28 years old, BSc or Master, at least 3 or 4 years experience in the same exact field, carrying at least a couple additional certifications, willing to work anyway for a relatively low wage, and additionally being good at human relations with customers, capable of managing a team, and current with two or three high end Commercial tools.
I don't think that much can be done for #2 (if the reason is a job crisis in the field), nor for #3 and some of the IMHO exaggerated "profiles" in those ads.
But possibly something can be done for #1, giving the students - at least the more willing - the possibility of having a more complete (and more "practical") experience when exiting the UNI.
Mind you these are "general" problems, not confined into the digital forensic field, common to many "technical" careers/studies, a sort of detachment between what is taught in courses and what happens on the workplace.
jaclaz