Rob, please tell us about your role as Director of Global Training at Magnet Forensics.
My role as the Director of Global Training for Magnet Forensics encompasses several unique yet interconnected responsibilities, which include training development and delivery; business development; de facto sales and marketing representation; and product development.
First and foremost, I have been responsible for developing the new 3-day IEF Essentials course. I basically spent the first two months in my new position locked in my office, surviving on energy drinks and microwave meals, while working on the new curriculum. Once I had the “beta” version ready, I delivered this to a select group of subject matter experts (SMEs) from the digital forensics community, and used their feedback to further revise the course into its current format and content. Once I felt the course was ready, I began delivering the new 3-day IEF Essentials class internationally in October. As we continue to deliver the course, I will also be responsible for maintaining and updating the content, based on student feedback; new features which become available in our product line; and, most notably, changes in the behavior of the applications whose artifacts we support. This last component is probably the most challenging aspect of training development.
Anyone who manages a course that focuses primarily on Internet trace evidence always feels as if they are running uphill on roller skates. It’s not unheard of for you to create an instructional module for a Web-based client on Friday, only to have the behavior and artifact locations for the client change the following week. The browser and chat clients are notorious for this, so you just have to be flexible, and have the mechanisms in place to respond as quickly as you can when producing the related training materials.
My second responsibility involves managing the business aspect of our training program. In this role, I need to be appreciative of the “big picture” items, as they relate to our short-term, intermediate, and long-term goals for our organization. This required developing an initial business plan, which includes quarterly and annual benchmarks for monitoring our progress toward each of our training-specific goals, and ensuring they remain aligned with our organizational goals.
This role requires ongoing communication with our CTO, CEO, and members of our Sales and Marketing and Development teams. My work with the sales team often involves supporting new or existing customer relationships and ensuring that their training needs are being met; tailoring a custom course for a specific customer; and helping to support the efforts of the Sales and Marketing team as we increase our presence into new markets. My work with the Development team is also a very key role of my position.
As I’m on the “front line” with our products on a weekly basis, and continually conducting research into new and emerging Web-based applications, I’m able to provide the developers with real-time feedback from our customers on the performance of product lines during class; beta test new client releases against our course materials before their public release; and provide the Development team with input on how a given set of artifacts are behaving between versions, such as the browser or chat clients.
You started your career as a detective and white collar crime specialist. What prompted the decision to move into training?
I began my career in digital forensics completely by accident, probably not unlike a number of my colleagues. I was serving as a typical Detective, investigating the broad spectrum of crimes you’d find in any jurisdiction. On a Friday, I helped my lieutenant set up his new email account, and when I returned on Monday, there was a note in my mailbox stating I was the new computer crime specialist for our department. The new position within the Detectives bureau was prompted by our Chief, who had recently returned from training at the National FBI Academy, during which he learned about the emerging trends in computer crime. We really had no idea how to create a computer crime unit, so it required a lot of initial research and outreach on my part to other agencies with the experience, training, and equipment to support the position.
Through these contacts, I was directed to the National White Collar Crime Center (NW3C), whose mission was to provide free training in digital forensics and computer crime to law enforcement agencies within the U.S. At the time, NW3C had federal funds available to local officers such as myself, to receive an all-expenses paid trip back to their headquarters, for two weeks of training. After the first two days of learning about bits, and bytes, and hexadecimal, I was convinced that I had made a terrible mistake. Fortunately, the instructors were amazingly patient, and knew exactly how to present the concepts in a way that became much easier as the course progressed. They told me they were former law enforcement officers, who sat where I was sitting, and had the same “deer caught in the headlights” look on their faces when they attended the course.
So I left the course with a renewed confidence, and returned to my agency and jumped head first into the new position. Once I began to work my own cases, and respond to cases initiated by the patrol teams, I quickly realized the need to provide computer crime training to my fellow officers. So, with the help of a detective from a neighboring agency, we put together a 1-day internal “first responder” class, which taught general computer crime concepts, introduced the officers to digital evidence, and trained them in the proper techniques for preserving and collecting the associated evidence.
After training each of the patrol teams, I began to see an immediate improvement in the way in which the computer crime cases were forwarded to my attention, and how the evidence was being handled. As time passed, I was being approached by other officers who had an affinity for computer crime cases, and began working with them to further their skills. Eventually, we were able to have at least one officer per patrol team who could serve as a first responder for a computer crime investigation. As I continued to work with them, their confidence grew, as mine had, and they began actively looking for and expecting digital evidence in many of their investigations.
As my time in the Detectives division continued, I sought out as much training in computer crime and digital forensics as I could find. I was able to attend a number of exceptional courses from both the public and private sectors, and quickly became aware of the increasing trend toward investigations involving digital evidence. Unfortunately, our agency had a mandatory rotation with the Detectives division. So, just at the point at which I really felt comfortable in the new role, I was going to have to return to the Patrol division. I had a choice to make at this point. I could return to Patrol, and finish out the last ten years of my career, with intermittent opportunities to return to Detectives, and perhaps retire from an administrative role. Or, I could leave active duty law enforcement, and pursue a new career path in which I’m supporting the efforts of law enforcement. My father was a teacher while I was growing up, and I had been serving as a firearms and defensive tactics instructor for most of my time in law enforcement, and really enjoyed that aspect of my job. So I knew that teaching would be a very rewarding direction for my life to take.
While struggling with the decision, I had attended an advanced class with NW3C, and had the opportunity to speak with their Training Director, who stated they had an opening for a Computer Crime Specialist and trainer. I’m not usually one to believe in “signs,” but when they hit you over the head, you should probably take note. A month later, I traveled back to NW3C for an interview, and a week later had accepted the position. A month after this, I was presenting my first class in digital forensics at NW3C. To say that the irony was not lost on me would be an understatement, as I stood in front of the classroom where I had sat as a student just a few years prior.
While serving as an instructor with NW3C, I also became more actively involved with the International Association of Computer Investigative Specialists (IACIS). As a Detective, I became a member of the organization, and immediately found myself in a group whose support for law enforcement, and depth of knowledge, were truly humbling. The assistance I received from IACIS in the early stages of my digital forensics career was definitely a catalyst for future growth, both personally and professionally.
I continued my membership while at NW3C, and had the opportunity to complete my Certified Forensic Computer Examiner (CFCE). After receiving my certification, I returned several times as a volunteer trainer for the IACIS conferences in both the U.S. and Europe, and to serve as a coach for the CFCE process. My service as a trainer with IACIS afforded me the opportunity to give back to the organization, and to continue to serve the members of the law enforcement community.
After several years with NW3C, I had an opportunity to join the Training division at AccessData, and work with both the public and private sector digital forensics communities. In my role at Magnet Forensics, I’m able to continue this service in support of their missions. As I find myself teaching not only within the U.S., but also internationally, and I work with forensics professionals in places such as Brussels, Jakarta, Amman, Kuala Lumpur and others, it reinforces the idea of how globally-connected we are, and how easily our investigations can cross local, state, national, and international jurisdictions. It also reinforces my confidence that I made the correct decision over ten years ago, when I chose to begin a new career as a trainer.
I’m frequently asked if I miss active duty law enforcement, and my answer is always the same. Yes, is my immediate response, quickly followed by the comment that, as a Detective, I had an impact on reducing victimization on a local level. However, as a trainer, I can have an even greater impact, by empowering my students with the knowledge, skill sets, and confidence to accomplish their missions, within the public and private sectors.
What digital forensics courses does Magnet Forensics currently offer? What can students expect to learn?
We currently offer the basic 3-day IEF Essentials course, and I’ll begin development soon on a 3-day advanced course, which will be available in 2015. Once the advanced class has been developed, I’ll finish work on an IEF certification, for which the basic and advanced classes will be a prerequisite. I’d also like to develop a 5-day certification course, which blends the content of the two 3-day courses, into an accelerated 5-day format, for students who are seeking the IEF certification but are unable to attend two separate 3-day sessions. In addition to our core course offerings, customers always have the opportunity to work with us to customize a training session that’s tailored to meet the individual needs of their organization.
In your opinion, what makes a good digital forensics training course and what qualities are most important in an instructor?
The challenges for anyone presenting technical course materials to an audience of adult students, with varied experience levels, are numerous. If you make the materials too “geeky,” then you’ll lose the students who are relatively new to the field of digital forensics. Make the course too basic, and you run the risk of alienating the more advanced students in the course. So the goal is reaching a balance between the two, which keeps all of the students actively engaged in the course.
Another issue is the atmosphere in which the course is being presented. Adult students are often in attendance to gain job-specific skills and competencies, either by their own choice, or at the direction of their administration. As a result, the students want to leave the training event with an understanding of the nature of their work, and how the instruction you’re providing will help them do their jobs better. To help meet these needs, the course should be based on practical, real-world situations, and give the students opportunities to practice applying the techniques presented in class. In the field of digital forensics, this equates to scenario-based, hands-on exercises during which the students can immediately apply the learning concepts from the course, and practice techniques which they can employ when they return to work.
In developing the course, I wanted to ensure we meet all of these challenges, while creating an intellectually demanding, yet fun and relaxed atmosphere geared toward an adult learning audience. My ultimate goal for the course is for the students to leave with a better understanding of the key artifacts they will encounter, and the confidence in their abilities to immediately apply the learning concepts from the course once they return to work.
How important is it that someone teaching a digital forensics course has 'real world' investigative experience?
I think it’s very important for someone teaching digital forensics to have “real world” investigative experience, whether they come from the public sector, private sector, or have a background in both. During the initial introductions, as students and instructors are getting to know one another and describing their experience, I think there’s a level of immediate “buy in” from the students when they realize that their instructor has “been there done that,” and has an understanding of how the learning concepts from the course can be applied in the performance of their duties. An instructor with a background similar to that of the students can draw upon that experience when developing and delivering the course, relying on “real world” examples and scenarios which reinforce the learning concepts.
Forensic Focus members (especially those at the start of their careers) often find themselves needing to choose between academic courses, vendor training, non-vendor training, or pursuing various certificates. What advice would you give to someone in this situation?
I would offer a number of recommendations to the members who are either just beginning their digital forensics careers, or seeking to add to their existing knowledge in the field. These would include membership in professional organizations, and groups whose missions support public and private sector forensic practitioners; vendor and non-vendor basic, intermediate, and advanced training in the field of digital forensics; vendor and non-vendor certifications; and training developed specifically around the forensic software tools the students will be using on the job.
There are a number of professional organizations for both the public and private sector digital forensics professionals, often with free or with very affordable membership fees. Membership provides immediate access to often international resources of fellow practitioners, training, and certifications. Reaching out to the membership, someone just beginning their career can seek out recommendations for the essential forensic software tools, hardware, training, and certifications they’ll need to get started, not unlike my response to your question. Some of these groups would include the International Society of Forensic Computer Examiners (ISFCE); the International Association of Computer Investigative Specialists (IACIS); the High Technology Crime Consortium (HTCC); and, the High Technology Crime Investigation Association (HTCIA). In addition to the professional organizations, there are a number of free online groups, like Forensic Focus, and various forensic “wikis” which provide a wealth of resources to new, as well as experienced, digital forensics professionals.
As far as training is concerned, there are a number of variables for your members to consider. First, I would recommend they assess their training needs, based on the background they’re bringing with them into the new position. If they’re just starting their careers, and don’t have the advantage of a computer science background, then courses in the foundational principles of digital forensics are invaluable. These should include instruction on binary and hexadecimal notation; partitioning; formatting; file systems and operating systems; and general concepts in computer crime, digital evidence, and forensics.
Next, they should build upon the foundation courses by attending intermediate and advanced training. To this end, I would recommend that they seek out classes which include more detailed explorations of operating system artifacts; the Windows registry; Internet trace evidence, and mobile devices. With this background, they can now begin the critical steps of “connecting the dots” in their investigations, and rebuilding a picture of user behavior, based on their understanding of where the artifacts are located, and how they are generated.
The basic, intermediate, and advanced courses in digital forensics are available from vendor, non-vendor, and academic sources. Having started my career in the public sector, I can appreciate the fact that training funds are often a challenge.
Given that the concepts taught in many of the basic courses are relatively fixed, these foundation courses can be taken from non-vendor or academic providers, which are often less expensive than those offered by a vendor. Another non-vendor option is the pursuit of a degree in forensics, while working in the field. There are a number of colleges and universities which now offer undergraduate and graduate degrees in digital forensics, as the field continues to grow. The really solid academic programs are those which blend the criminal justice, litigation support, and computer science disciplines. So before someone enters a degree program, I would suggest they research how the program was created, and what experience the instructors bring. In addition to formal training, there is also a growing genre of books available through most retailers on various topics of digital forensics, to help reinforce the concepts from the courses they have taken.
My next training-related recommendation is to attend vendor-specific courses designed around the forensic software tools the practitioners are using in their investigations. Granted, I work for a software vendor, but I would make the same recommendation if I still worked in the public sector. Courses developed and delivered by a vendor for their specific product line offer the students a level of understanding of the features and functions of the tool that is difficult to find in a vendor-neutral setting. In addition, most vendors offer a certification in the use of their products. In the daily performance of their duties, the knowledge and skill sets required to pass the certification are useful. However, the vendor-specific certifications become even more valuable during civil and criminal proceedings. If an investigator is presenting evidence recovered from a commercial forensic tool, or suite of tools, having a certification from the vendor helps add to the credibility of their testimony.
Speaking of certifications, this would be my final recommendation for someone just starting their career in digital forensics. There are a number of certifications within the industry, and they can vary from vendor-specific, to vendor-neutral, each of which being well-recognized within the field of digital forensics, and often stipulated to during the vetting process during an examiner’s testimony. Examples of some of the vendor-neutral certifications can include the CCE from ISFCE, or the CFCE from IACIS. There are also a number of certifications which are more discipline-specific, such as those centered around network security, so it really depends upon the primary focus of the practitioner’s duties, which one they may wish to pursue. Also, as I mentioned in my recommendation for vendor-specific training, I would encourage your members to pursue the certifications offered by the vendors of the software they’re using in their investigations.
When you're not training, what do you do to relax and unwind?
When I’m not training, I try to get off the grid and enjoy the outdoors. Living in Utah gives me the opportunity to explore the Wasatch and Uintah ranges up north, or the surreal landscape of southern Utah. One of my favorite ways to relax is to pack a tent, sleeping bag, camera, and fly rod on the back of my motorcycle, and weather permitting, just point my bike in a direction. I’d love to say that the camera is to photograph all of the fish I catch, but I’d be lying. I usually end up with more photos of the mountains, wildlife and other scenery than fish. But, I’ve always been a “glass is half full” guy, so I keep taking the camera with me.
Rob Maddox is the Director of Global Training at Magnet Forensics. Magnet develops the Internet Evidence Finder range of products, which helps international forensics professionals to find, analyse and present digital evidence. They also provide training for digital forensics professionals worldwide.