Let’s start with a little bit about you. How did you come to your current role? What about training resonated for you, relative to other roles?
My digital forensics career has afforded me the privilege of attending over a thousand hours of digital forensics training courses, as well as of experiencing the teaching styles of dozens of instructors and the delivery methods of countless curriculums.
Of all those courses, there are just a few that stand above the rest. Those courses remain memorable because of the instructor and how the training was delivered. What made those courses so enjoyable was the manner in which the subject was taught – not with death by PowerPoint or drawn out lectures, but with hands on activities, small group exercises, and active engagement. This was the source of inspiration that sparked my endeavor to become an instructor.
While still working as a law enforcement officer, I decided to pursue my teaching ambition by becoming a POST certified instructor. I helped develop modules for the Robert Presley Institute of Criminal Investigation (ICI) Financial Crimes and Identity Theft Investigation courses, based on my real-life experiences as a detective.
I also assisted as a subject matter expert in the creation of the ICI Technology in Investigations course. I took highlights from the multitude of courses I attended to try and deliver the most enjoyable and memorable training experiences to my students.
What I enjoy most is conveying difficult subject matter in a way that is understandable to all. This leads to the most satisfying moment in the training environment – when students get that “Aha!” moment. You can see it in their eyes. Their demeanor changes. Then you know they have finally grasped the concepts. There is so much satisfaction to be gained from knowing that your students walk away with a complete understanding of the subject matter.
I joined MSAB in 2011 and started delivering their logical and physical certification courses late that year. Although I enjoyed teaching the foundation of digital forensics with the focus on MSAB tools, I wanted to create something new and more advanced. I started delivering ideas at conferences in Android forensics, advanced hex analysis, and advanced app analysis. Those concepts eventually made their way into the Advanced Acquisition and Advanced App Analysis courses that MSAB offers today.
In July of 2017, I was fortunate to be selected as the Global Training Manager for MSAB. Now I lead a cadre of trainers around the globe, who all, with their unique backgrounds, instill their knowledge and experience into their students. And even though I am the manager for the training team, I still have the opportunity to deliver training courses, presentations, and workshops, as training will always be near and dear to my heart.
What one thing about digital / mobile forensics training do you wish everyone knew, and how does MSAB training embody it?
Everyone entering the field of digital or mobile forensics needs to have the foundation of what digital forensics is. Relying on your forensic tools to do the job, without an understanding of what you are doing, will lead to failure down the road, especially when it’s time to testify in court.
Some people refer to this as “push button” forensics. Examiners need to have the rudimentary understanding of what digital forensics is, how data is stored, and what processes are used to retrieve the data.
We have to remember that the tools are just the vessels to extract and display the data, so that we do not need to toil tirelessly to obtain and interpret the data ourselves. The tools present the data to us in an easy-to-understand fashion. But we need to know what the tools are doing – how to recreate the steps ourselves, if need be – if not for validation’s sake, then for when our tools do not get us the data we expect.
MSAB provides our users with these basic fundamentals, as well as advanced users with instruction on how to deal with those situations where tools fail – whether it is failing in extracting data from unsupported, locked, or encrypted devices or failing to decode unsupported apps.
A perfect example of this is our Source Mode feature built into Spotlight. Sure, you can see the different chat messages that were sent back and forth between suspects in the chat view within the tool, but you can also see where XRY parsed that data so that you can verify its integrity.
Every bit of data that can be found within the report can be traced back to its origin for validity.
As mobile forensics evolves, how have you observed tools and processes adapting, and what associated challenges affect the way examiners work?
As with computer forensics, we have seen devices grow from small computers with small amounts of RAM and storage to devices with very large amounts of storage. It is akin to comparing the time necessary to acquire 5 ¼ inch or 3 ½ inch floppy disks decades ago to acquiring gigabytes of data.
Mobile forensics has seen that expansion and a lot more – from when it took minutes to acquire a device to it now taking hours; from when it was manageable to view all of the data from a device in a spreadsheet style view to the almost overwhelming amount of data today.
Tools have evolved over time to adapt to these new challenges. Our extraction tool, XRY, for example, continues to be enhanced to offer greater speed during extraction, and it also allows users to make choices when it comes to the data they are after:
- Acquire now and decode later
- Process options to decide what data types to acquire
- Time filters
- Whether you want to have video thumbnails, content recognition or advanced file extraction looking for files embedded within other files
Our analytical tool has evolved to speed up the analytics of the massive volumes of data that users are confronted with after extraction. It is no longer viable to simply scroll through all the data within one single view. XAMN utilizes powerful filtering options to get to the data much more quickly.
How does training adapt to both challenges and tool evolutions, such that it puts examiners in the best possible position for both investigations and court testimony?
Tools evolve, and laws, best practices and standards change over time.
Like the many other skills and tools officers use, mobile device forensics is a perishable skill requiring continued training to maintain proficiency.
Although many may be able to navigate their way around their mobile forensic software, there will always be methods, practices, intricacies and even functions that users are not aware of.
These can only come to light through vendor training. Training ensures that users know the ins and outs of their tools and how to use them to the best of their ability. Additionally, training helps users to be as efficient as possible in finding the data they need.
Training also prepares examiners for when their work is questioned. The ultimate questioning will be in the courtroom, starting with the voir dire and continuing throughout the trial during direct and cross-examinations.
Vital digital evidence may be thrown out of court due to the improper handling of the data during the course of the investigation.
The courtroom can be an incredibly stressful place, where the officer’s skills, understanding, and competence in using mobile forensic tools are called into question.
Having formal training with certification demonstrates competence in the field. Having a full grasp of the subject allows you to better relay information to the judge and jury, so that you are completely understood. It leaves no room for doubt as to your expertise, and it helps to establish credibility.
It also helps to ensure that the courts have trust not only in the extraction process, but also in the investigative process.
Additionally, how does training help support standardization efforts, like those we see in the United Kingdom?
Training in any form can be a great way to help support many disciplines in the digital forensics theatre. It can be used to introduce basic standards, such as ‘best practice’, or more specifically, as the question asks, to support certain standardization efforts.
In the UK, the Streamlined Forensic Report (SFR) was introduced into forensic science reporting long before digital forensics existed, and it was designed for forensic scientists to report their findings to the court.
MSAB has, for a long time, tried to help customers across the board with standardizing processes and procedures. As part of the standardization process, MSAB has now added the SFR template to the workflow. This allows users to follow their workflow and, at the point of the case data entry, complete all the other information that is required.
Where training really helps and supports this standardization is that MSAB instructors can see organizations’ workflows before training courses and can incorporate things like SFR into the already-written uniform training.
Prior to the course, the instructors will rigorously test and familiarize themselves with the custom workflow and SFR, in order to seamlessly dovetail all procedures into the upcoming course.
When users attend the training, they not only learn how powerful and intuitive the MSAB hardware platforms and software are, but they also learn and become accustomed to their own organization’s workflow and the populated SFR document. This tailored approach is hugely beneficial to our clients.
What have you found has been the biggest training challenge for students during the COVID-19 pandemic, and how has MSAB addressed it?
In late February and early March, we saw how the pandemic was impacting training. Our certification courses have traditionally been in a classroom, to offer students that hands-on, tactile feel of plugging a device into a computer and learning by doing.
The classroom setting is the ideal setting. We can construct exercises where things do not run smoothly all of the time. Otherwise, it would give students false expectations. They need to see what happens when an extraction fails, and understand how to troubleshoot difficult situations.
In digital forensics in general, one of the most common answers to many questions is, “It depends,” because there are so many variables when it comes to this field.
We started our online course development not too long ago, and one of the decisions made early on was to create all of our learning curriculum using a standardized methodology and tools. Our two-day certification classroom course just went through a massive rewrite using this new methodology, and it was rolled out in January this year. We have used these same principles to create our online on-demand course content.
When our classroom training courses started getting postponed or cancelled, we realized we needed to find another solution to get our users trained properly on our tools, so that they can continue to do their jobs to the best of their abilities.
In early March, we rolled out the MSAB on-demand online XRY certification course, and now we have over 300 students enrolled.
We also ran a successful pilot of remote live online certifications and intermediate courses.
What one benefit do you want every MSAB training attendee to walk away with?
I want our students to leave our courses having confidence in our tools and our company, knowing that we are there to help them whenever they need it.
From evidence handling to testimony preparation, MSAB training courses aim to give examiners the knowledge and skills they need to perform detailed forensic analyses and testify with confidence to their results.
What new or updated training offerings can we expect from MSAB in the second half of this year?
In addition to our traditional classroom versions of XRY Certification and Intermediate, we are now offering our advanced app analysis course as an online live option, ideal for those who cannot travel and are impacted by COVID-19. Our curriculum development team is also working hard on creating a brand new on-demand course for our XAMN Horizon product for analysts.
James Eichbaum is MSAB’s Global Training Manager and an instructor as well. He is a former peace officer, having served a combined total of 16 years with the Modesto Police Department and Stanislaus County Sheriff’s Office in California. As a detective with both agencies, James was a digital forensics examiner assigned to the Sacramento Valley High Tech Crimes Task Force. James possesses a Bachelor’s Degree in Information Systems Security and an Associate’s Degree in Computer Science.