Paul, you're currently conducting research into continued professional development in digital forensics for your Master's degree. Could you outline your project for our readers?
My area for the dissertation is to look at continued development, specifically with digital forensics practitioners, because I think when looking at other professions such as medical, legal and teaching, there’s a lot of focus on doing continued development or lifelong learning. There’s quite a few different names for the same thing; depending on which researcher you speak to, they could have the same or different meanings.
Craiger in 2008 made a distinction between what is defined as ‘training’ and what is defined as ‘education’, so there are two trains of thought there.Education is learning skills at a tertiary institution such as uni, college or technical college, and training is more on the job, more specific, like vendor training, becoming competent on a certain tool, like FTK from AccessData or EnCase from Guidance, or the host of tools that are available.
The idea of the research is seeing how it’s done in other professions and then looking through a structured questionnaire, which is based on the General Medical Council’s questionnaire that they sent out in 2011, to find out how the practitioners currently do it and then to try and come up with a framework that could aid other practitioners that maybe are battling with it. Not necessarily practitioners who have been in the field for an extended period of time but maybe people that have just finished qualifying. You’ve finished qualifying, now what? I’ve done my Master’s, now what?
I think it’s exciting in the sense that it’s new ground; obviously digital forensics being – I wouldn’t say in its infancy, but it’s changing continuously – whereas if you look at the legal profession, continued learning was already addressed in 1916, which is a very long time ago. So digital forensics is always playing catch-up. So we’re trying to minimise the effects of the catch-up, trying to be a bit more proactive than reactive.
Have you had any preliminary results back yet?
I haven’t had many results back; the participation survey’s been a bit slow, so not really. I’ve obviously gone through the literature, looked at some of what the pioneers in digital forensics have highlighted with regard to education, training and so forth. So short answer: not really.
But the idea, what I’d like to achieve from the survey, is to take the findings or the recommendations or the framework, and actually pose it back to the people that participate through a Delphi review and ask them, is it feasible, do they agree with it, or not? So it’s basically a two-stage approach to the research – it’s not just about publishing the findings, it’s actually to get people who are in the field to try and maybe validate the findings, which would make it hopefully more useful.
You've been studying digital forensics for a while now – what is the most challenging aspect of your area of study?
I think – and that’s the reasoning behind the research – it’s trying to get hold of information or published papers in the field, because it’s a vast field and there’s certain areas where there’s a lot more focus than in others. For instance, I come from a Unix background, so I would say Unix forensics for me is quite important. When one goes out to look at what papers have been published at conferences and at higher education institutions, there’s very little on that, whereas other areas like network forensics, mobile forensics and social media get a lot of focus. I understand that there’s obviously a need for it, but I think there’s maybe a lot of focus on just certain areas rather than across the board. I understand it’s difficult, because it is a new field and I think we are playing catch-up.
To take a look at South Africa for instance, we only started in 2008 at the university of Cape Town with the post-graduate degree or diploma in computer forensics. So I think that itself is also an issue. You need to get people in at undergraduate level, who finish school and maybe are looking at a career in forensics, to actually get them in and get them up to speed so that when they go into their Master’s, they can actually contribute a lot more to the field. They’re not just trying to play catch-up, so it’s easier for them to identify an issue and try and address it.
As we heard in the talk at DFRWS today, there’s a lot of issues that need to be fixed. It’s easy to say “just do it” but we need people that are at a certain level, that they can actually take on something like disc encryption. Disc encryption’s been a long time coming, when you think about when computers first came about, so you don’t want to be waiting another thirty or forty years to break the encryption. Along with the forensics, there’s always going to be anti-forensics.
Doing investigations doesn’t always work like the series that you see on TV; CSI shows a very glamorous portion of it, it doesn’t always work like that. I think a lot of people have touched on it – getting results from an analysis of a disc can take weeks, and in an hour of TV they’ve analysed everything, they’ve caught the guy within thirty minutes. I’m really passionate about it because I think it’s challenging – my background was as an electrical engineer, so I like it when you’re faced with a problem and then you come up with a solution. And that’s exactly what an investigation is, you’re working from the results and you’re actually trying to find out, how did this happen?
And then trying to be objective about it, so that if it does go to court or anything you’re just presenting the findings. And I think that’s the thing is that one needs to be emotionally disconnected from what you’re doing, and as humans that’s difficult. Like with child pornography, it makes most people’s blood boil, but when you’re presenting the facts you need to do just that, present the facts. So you want to be a better person, you want to be a better investigator, a better software engineer, you learn as you carry on with your career, which is fun.
What do you do in your spare time?
In my spare time, I’m into music so I love going to shows. In South Africa we’ve got some fantastic blues players at the moment, Albert Frost, Dan Patlansky who was nominated for best blues album in the world for last year, which was phenomenal. He’s a fantastic guy and I think it’s nice to see that South Africa is different – the musicians have a lot of time for their fans. They’ll stand there and sign autographs for two hours if they have to, and they’ll chat to you.
So I like listening to music but I also like making music. I play guitar and I used to play drums and bass. I’ve got an audition coming up for bass playing with a bunch of guys at work, they’ve got a band, they need a bass player and a drummer, but I can’t do both! When they heard I played guitar they said “OK, we can maybe do with three guitarists”, so we’ll see what happens.
I’ve got a dog, I like going for walks. I live in Cape Town, so there’s loads of beaches to go walk on. We’ve also got beautiful scenery around Cape Town. Saturdays or Sundays I’ll either be taking the dogs for a walk on the beach or in the forest, there’s a nice Tokai forest where people go to run and walk and take their dogs for a walk, and there’s cycling and horse trails, it’s fantastic. With the climate in South Africa, it’s fantastic being outdoors. So if you’re an indoor person then I think it’d be a bit boring in South Africa, but if you’re an outdoor person then you’re going to enjoy it. But that’s why when you come to Europe in winter, it’s quite miserable!
But it’s fun, it’s all about learning and growing as a person, that’s what I do.
Paul van Ramesdonk is a Master's student at Cape Town University, South Africa. His current research looks at ongoing training and education in digital forensics, and the survey is accessible here.
Forensic Focus interviewed Paul at DFRWS, the annual Digital Forensics Research Workshop, which took place in Dublin from the 23rd-26th of March. The next workshops will be held in Philadelphia in August 2015, and Switzerland in March 2016. You can find out more and register here.