Si: Welcome, friends and enemies to the Forensic Focus Podcast. Today we’re talking with Chuck Cobb from Magnet and we’re going to be talking about a fair few things. But Desi and I are together again. It’s been a little while because Desi’s been gallivanting around the world and then regretting gallivanting around the world, I believe. If I’m not mistaken correctly, you seem to have come back with a bit of a travel hangover.
Desi: I regret leaving Southeast Asia, but then I think I just got COVID again, so that seemed to be going around. Spent four days recovering from that.
Si: You see, if you never talk to anyone, there’s no risk of getting ill. That’s my policy; if I stay indoors, there are no challenges whatsoever.
Desi: I definitely think that’s untrue on a massive metal cylinder in the sky.
Si: Yeah, let’s just recycle the germs amongst ourselves. It’s all good fun. But you’re back to health now and all up and running, yeah?
Desi: Yep, back to health. Thank you. It’s good to be back.
Si: So, Chuck is joining us from Magnet, as I said already. Chuck, please feel free to, to introduce yourself. We’re a known entity and people still come and listen, which is a surprise, but there you go.
Chuck: Nonetheless, right?
Si: Yeah, exactly.
Chuck: Yeah. And Des, I hope you get better quickly. I just got back from Toronto a couple of weeks ago and thought for sure I dodged it, but the metal tube got me on the way home. So I’ll start with a warning for both of you guys and for the entire audience: I don’t look Italian, but these hands move a lot and I tend to be an expressive hand-talker. It may cause seizures, all the flapping about, and if so, I do apologize.
My name is Chuck Cobb. I get the pleasure of leading the training organization at Magnet, and I’ve done so for the past eight years which have been eight great years for Magnet in its development. The 12 years prior to that, I did the same job. Actually, I started as an instructor at Guidance Software. But I spent 12 years over at Guidance back in the earlier NCASE days and was part of the training team and eventually became the leader of that team as a VP. And prior to that, I was a copper in law enforcement here in Southern California. I was a Riverside County Sheriff’s deputy and detective, and one of the founding members of a task force out here called the Catch Task Force, which is one of the California State Task Forces on, this is how old that is, high-tech crime, we weren’t even calling it cybercrime then. We were calling it high-tech crime, and that goes all the way back to 2000. And anything before that, I’m not going to talk about because I’m that old.
Si: Yeah, Desi’s the young one amongst us. I can still talk about a few things from 2000, but yeah. Occasionally I say something and he’s like, “What’s that?” Yeah.
Desi: I don’t really understand what happened with the world before the internet. Like, we’ve just always had it, right?
Chuck: Yeah. And I can see, you know, how very, very different that was. And I don’t know how I did things before the internet. So I’m not sure if that shows you just how old I really am, but absolutely I do sometimes. And the coppers who are talking like we had a Thomas book, which isa thick map guide, and that’s how you figured out where you were going when you got a call for service. And you know, you spend the first few minutes frantically going through the book, looking for what grid coordinate this house is at and now it just pops up on your screen with a map. So yeah, I’m with you. I don’t know how we did it before.
Si: Map reading is a skill of the past. I love it. And it’s something I actually learned to do, obviously like you at the point where sat nav was but the twinkle in the eye of the person who was thinking it up, but yeah.
Chuck: You know, Simon, I still spit-shine my shoes too, although no one seems to know how that’s done either anymore.
Si: All right. Okay. So you and I are clearly of the same era because I was taught to do that, as well. So yeah. Anyway, and I have a pair of shoes I need to clean coming up, so I will be breaking out the requisite toolkits and stuff like this. But anyway, so you did come into training from a technical background, albeit an early technical background. How have you found that, well, we all know how the environment has changed, but how have you found the training in forensics has changed over that sort of period of time?
Chuck: You know, in so many ways, drastically, and then in other ways it’s still the same. Because the platforms by which we deliver, candidly, the depth of knowledge of the instructors today, I thought I was, you know, Johnny on the spot years ago, and I look at the team now and I’m just like, I think I was just a bumbling idiot at this point when I look at how well the team teaches.
So, the approaches have become more consistent with instructional design that is, you know, done in other L&D, learning and development environments. And so it’s been professionalized I think a lot. I think the delivery platforms that are online and we’ll probably talk about this some more, but in a post-COVID world, they’ve become kind of the standard, and that requires a little bit of a different approach.
Recorded training has come in, but I think a lot of it, it’s funny, I’ll sit in a classroom theoretically just to check on my team’s doing sometimes and it feels like it was only yesterday because some of the questions, you know, you always think, especially coming from law enforcement, and when I went to guidance, there were students there, introduced themselves and they’re all doctors and this, that, the other thing. And I’m like, “What am I doing standing in front of this room?” And then you realize, hey, they’re new to a very technical field and while they certainly will learn, you actually do, standing up in front of the class, know what you’re doing. And the students for all those years have asked some of the same questions that they do now.
So there are some similarities, but there’s been a lot of development that to me is really, really exciting, and where things are going as far as how people learn to do things, we’re in such an interesting time right now with online learning, with micro learning, some of the things that we’re probably going to talk about later.
Desi: I just have an interest with your kind of experience over those years, like you say, that some of the students are asking the same questions. Do you find any differences in the generational changes in students?
Chuck: Oh my gosh, yes. Oh, absolutely, absolutely. As you alluded to earlier, you grew up with it. It’s second nature to you. And in the early days when I was an instructor, the confused looks of just the simplest of tasks, it just wasn’t there, right? But you guys grew up hands on it. So generationally, I would say that back in those days, there were a lot of people who were afraid, like, I’m going to break something and I’m going to do something that’s going to screw stuff up. And today it is all about, I’m going to break something, right? Because that’s how I’m going to learn. I’m going to set up an environment, I’m going to screw it up and I’m going to watch how it broke and take it apart.
So the generational posture towards learning and the way that we learn has developed quite a bit and I see a different generation now where, like I said, they want to go out and they want to break things and you’ll see the mind racing. As soon as you give them a tidbit of information, they’re processing it, how they can test it and how they can apply it in a real-world setting. And it and it just kind of germinates from there more so than it did when I was doing the job or when I was an early instructor.
Desi: Okay. Yeah, that’s really, really cool.
Si: Tell you one thing I have noticed though is that of late, familiarity with the command line is a thing of the past. I know Desi’s going to be okay, because he’s a Linux guy, as well. But actually I was in a class recently, which was a Windows-based software class, and quite a lot of people were unfamiliar with the command line. They knew how to use the tools really well and they understood a lot of the theory behind it, but actually just because somebody was like, “Can you open the command prompt?” and somebody went, “What’s that?” So I think there are some interesting things that we’ve moved away from.
Chuck: Simon, it reminds me of a global economy in some ways where people argue the middle class is disappearing. There are folks in the younger generation than my own who are wizards at the command line and I watch them and I’m just awed by what they can do, and then there are the ‘command what?’. But that middle where probably you and I used to be where it’s like, okay, I could probably write an end script, I can do things from the command line and string together some Python stuff and, you know, things like that. To me, that group is getting smaller and smaller and it’s just the haves and the have nots is kind of what I’ve seen.
Si: Yeah. no, that’s interesting. And with regard to, I mean, let’s talk about Magnet for a minute, but also obviously for the rest of this conversation. But let’s talk about Magnet for a minute. I mean, in terms of things like scripting, Magnet has that capability?
Chuck: There are some capabilities towards it, not so much on the command line. Our focus really is on the automation pieces, streamlining things on. And a lot of the work, you know, you talk about scripting, it can be viewed in so many different ways. When we talk about things like the automate tool where we’re taking workflows and we’re taking third-party tools, command line tools, and we’re allowing those to interact so that something can be processed from stem to stern using whatever tools you want in building a workflow, there’s the scripting aspects and the workflow creation aspects of that. But if you’re making a comparison to say, ENDscript, which was a power tool for NCASE, still is a power tool for NCASE, not so much in that realm.
Si: But, Magnet is, I mean, you have unified training, which takes you through all of your tools and shows you how they all work together. That’s my understanding of it.
Chuck: Yeah, that is one of the key things that the training organization does. And it’s really an exciting time when it comes to that, because, you know, like I said, having led the team here for the past eight years, we take an approach of very, very hands-on interactive training. We don’t do the traditional, “Hey, here’s how you use our tool. We’re going to show you how to work through a case from stem to stern.” and we’ll talk more about that. But we’re all about the how and why. And so I’ve had a great time. And man, have I gotten a good group of people around me who can deliver this.
But up until about two years ago, I would have told you that we’re not doing a complete job. And the reason that I would say that is, sure, we could look at extractions from mobile devices that others had pulled, but we couldn’t extract really with any effectiveness ourselves. Felt like we were the premier analytical tool, and I still believe that we were, but it wasn’t until the the recent partnership and the marriage between ourselves and and Grayshift that brought Graykey and Axiom and all of our other tools together that now things are really, really exciting again, because now we can take an examiner or a potential examiner and teach them from stem to stern and really be realistic about what it is that they need to learn, not, “Oh hey yeah, here’s all the computer stuff. And by the way, you’ll need to learn mobile.” It’s all together now. And even with the acquisition of Grify bringing in those tools.
So now the challenge becomes the marriage of all these tools and the automation has allowed us to access more data and bring more data in. So in some ways we’ve kind of moved the bottleneck a little bit. And so now we can process that data with things like Automate and we’ll and I’ll make reference to Magnet One here and how that works in just a moment. But now we’re processing that tool. But now, how do you look at all that data?
And so one of the ways is, look, where we want to get into a review-type platform that allows, you’re always going to need the forensic examiner, and I’m going to slip up and just keep using the word ‘forensicator’ repeatedly in here because that’s the term that I’m used to. So you have forensicators, but we’re democratizing that evidence with the approaches that we’re taking.
What we want to do is have automation and examiners process stuff, maybe refine it to a certain extent. But in a review-type platform, investigators, prosecutors and other consumers of that data are where we really need to get that data to if we’re going to not just move the bottleneck, but break the bottleneck and clear it.
And if we’re going to have, in Magnet really is, and it’s one of the great things I love about working there, we do care about the mission, we do care about social impact. And so when we talk about training, we’re talking about how do we improve that social impact? And by taking these tools and moving it further down the line, now you’ve got investigators and prosecutors. But those are all new students because we’re never going to get to the point where things just, there is no solve-the-case button, and back in the day, we used to talk about find-evidence button, and I would love to say, you know, I’m an old dog. I don’t believe that thing is ever going to exist because the forensicator’s always got to be there to help process and truly understand things. And if you take that and you think about it, say, dates and times, right?
So as a young forensicator, “Oh, cool. Look. I’m looking at a date. That’s so exciting. I know the smoking gun details.” But then you realize. “Wait, there’s like five dates associated with this file. Why? What do they mean? This is really confusing.” And then you realize, “Wait, none of that’s actual because it’s all tied to a time zone in a system date.”
Okay, so if you take that and you take all that understanding and knowledge that forensicators have to get, and now you just have a review platform that shows you a date and time that this file or this text was sent and you’ve got an investigator whose like. “Yes! That’s what I’m looking for.” But whoa, whoa, whoa, maybe it’s not, and we need to make sure that we give them the right scope of understanding of what they’re looking at without trying to turn them into forensic examiners.
So, it’s exciting in that we have this great opportunity and we have more data and we’re producing better results, but tying all of the different solutions and applications in this, and Magnet One comes into this because it basically takes a hub approach of how you access data, how you store data, how you’re going to process it, how you’re going to present it, and it brings it all into one environment.
And so you’re going to have consumers at all ends involved in Magnet One. So that’s a really interesting training challenge, especially because as things move to the cloud, training for cloud-type applications is very, very different. Cloud-type applications change, which we probably can talk about as we talk about mobile devices and the importance of that. So it is an exciting and challenging time on the training side. But man, what an opportunity to have an impact tying all of these different solutions together. Sorry if I’m long-winded, guys; feel free to take out the shepherd’s hook and pull me off stage anytime.
Si: No, it’s all good.
Desi: That’s a really big challenge. So, the listeners that have listened, I used to work for a training organization now, and kind of create training as well within organizations as well, and it’s always a massive challenge pulling it together. So what is the approach that you use within Magnet to go about that? Because we’re talking about a range from traditional dead-disk forensics to mobile forensics to everything. You’ve got a huge variation in who’s going to be using the tool in terms of, you’ve got the review at the end that you have a very wide base, but then you might have people who are using very specific portions of that workflow across all your products and platforms.
So yeah, like I’d love to hear how you firstly, contextualize the problem and then go about creating the curriculum to be most impactful for each student that’s coming through.
Chuck: And I know you’ve been involved in training just because of the context of that question because you’ve looked at ‘how do you take apart this beast?’ And so we take a couple of different approaches and sometimes we have to really push them across the organization. The way that we look at these things is from a newbie, forgive the term, examiner to an elite-level certified person, there’s a body of knowledge and that body of knowledge might apply in some use cases to certain people, but then not to others. Like enterprise investigations are a little bit different than law enforcement investigations. So, how do we deliver this? So we tend to take this apart when we look at the instructional design and we’re trying to figure out, what are the foundational things?
One of the ways that we do that is we don’t do what a lot of vendors do. Now, in our field, there are a lot of vendors who don’t do this on the technical training side. So that’s good, but the way that we do it is we do not necessarily assume that the incoming student is going to have all of their foundational knowledge coming from an academic setting. The bits, the bytes, the binary pieces, the concepts of file systems. We can’t assume that every one of these examiners went to a university to learn this stuff. So we’re going to at least offer the opportunity to start there with that foundational stuff.
Like our AX100 course, of course we teach it using Axiom, but I’ve got to be honest with you, we designed it so that it could be a tool diagnostic. The content of the AX100 course could be taught using any tool. And we did that on purpose because those are the foundational pieces. Now, once you move from 100 to 200, the way that we want to approach this is now, so we’ve covered the academic piece or some part of it, now what we do need to do is make sure that you do know how to navigate and do things in the tool. But more importantly, we’ve got to make sure, what is the ideal outcome that you’re shooting for? What is it that you’re trying to find? What is the case that you’re trying to close?
So we’re going to take not only click here, open there, we’re going to put that into scenario-based training and that for us is the great differentiator because we’re going to take theoretically maybe a criminal case and we’re going to open it and we’re going to walk through that case. And we’re going to take it to conclusion, to the point that you’re preparing a report. And by doing so, when we do that, we’re going to show you, “Hey, you’re going to go to this menu option. Hey, here’s how you do this thing.” So we take it from that scenario-based approach, driving towards an outcome that should align with the majority of the student’s use cases.
Now, different folks are going to use the tool in different ways and there’s no way that we can build a specific curriculum for every use case. So what we try to do is find that middle point, if you will, where the skills are consistent across all of these different use cases. Now, maybe the interpretation of the data is different. The reporting is different, but the skills to access and examine the data are fairly consistent. And then we build the courses around that outcome.
Desi: Yeah, that’s really cool.
Si: You’ve got a variety of delivery methodologies that I’ve seen. And you’ve got self paced training online and, sort of, micro-learning stuff. Is this an area where you’re putting some of that foundational knowledge so that if somebody perhaps is coming to it a little blind, new, that they can then go and pick up on, “Okay, I need to brush up on my hex, or I need to understand file formats a bit better. There’s a micro-learning thing I can pick up.”
Chuck: Yeah. You know, this could be a two-hour conversation in and of itself. And candidly, myself being guilty of this too, many of us forensicators believe that we are the all-knowing and yes, we were the masters of all things and we understand how to do everything. And one of the things I’ve always enjoyed and I don’t stand in front of a class, thank God, anymore because it would be really scary for that class, but one of the things I always enjoyed is having a seasoned examiner in the course and then go over some specific thing, how to do something and watching the look on their face like, “I didn’t know that.” Like, “Oh my gosh, there is knowledge.” And then watching the look that follows, which is usually, “Oh crap. I haven’t been doing that. I need to go back and open some cases.” So, as an instructor I used to kind of shoot for that.
But there are so many different platforms and ways that we’re delivering now. And we’ve talked about online self-paced. We were doing what we call OSP. Now, when we say OSP, we’re usually talking about that same content. We don’t see a reason to vary from that body of knowledge or the way that we’re chopping it up in between an in-person class, a virtual-instructor-led or an online self-paced class, that should generally be the same content.
Now, an online self-paced, you can go out and you can see anything from the recorded version of someone delivering something online and it’s just the talking head with a screen recording and no activity or interactivity, and that lasts, I have no idea how long it lasts because I usually fall asleep watching it.
Or, you can take the approach that we’re taking, which candidly is highly interactive. So, we use software simulation in our online self-paced. We use virtual machines. So if the training shows you, say we’re starting a new case, we’re going to go ‘file’, ‘create new data’. If you see the instructor do it, you can bet that the pause that follows is going to sit there until you do it too, right?
And this is because if you were sitting live in a classroom, you would need to build that case that we talked about from beginning to end if you’re going to get value as the week progresses. So we’re going to force you to do that in the online self-paced format, too.
And with the pandemic, man, everything got pushed out online. A lot of it was instructor-led, but online self-paced, which you can call ‘micro-learning’, and we’ll talk a little bit about micro-learning, online self-paced became a premier way of doing it.
Now, it’s interesting in different countries. In the UK, at the beginning of the pandemic, I couldn’t ram online self-paced training down anyone’s throat at any price point with any content. In the US it was consumed a little bit more comfortably. But over time now, it has gained some credibility for us and we see strong consumption of OSP. But we talk about these things also as micro-learning. And so, for me, micro-learning means that we’re going to take each educational point and we’re going to break it down to its smallest independent component that can make sense.
Amazing, great for the future of learning, it allows people who might not have even two hours a day to dedicate to a traditional online self-paced class to still make progress as they go, and it’s completely consistent. I mean, you know, I was changing the battery on my Jeep the other day, and the newer Jeeps have this auxiliary battery that is one of the most horrific designs or concepts I’ve ever heard of. So they bury it in the wheel well, so that if you have to change it, you can’t actually get to it. So of course I Google it. And what you notice is when they bring you the YouTube video, they don’t just bring you the video, they bring you the time splice where it’s talking about that. Well, that’s micro-learning; we’re going to focus on just this skill.
Now, for us as educators, we want you to be contiguous and sequential in that learning, but we introduce an interesting challenge when we go to micro-learning and we make it widely available because people will use it almost as a hybrid help system and they will use it to say, “How do I do X? So, so go back to our time and date scenario, right?” Someone says, “Okay, yes, I have access to a class that is contiguous, but I just want to understand the dates and times. So how do I get to dates and times and Axiom?” Boom. Here’s your little micro-learning block. “Well, gee, there’s more than one date and time that it’s exploring, what does that mean?” Boom, here’s your little micro-learning block.
But if you go to this contiguously and sequentially, you know what’s missing up here is that one that was way back here that gave you the foundation that the damn time and dates are set by a system or a piece of hardware or something like that. So, micro-learning is super, super powerful, but as we design that, we have to really be thinking about the instructional design. We need to make sure that folks are aware, “Hey, by the way, there’s a component of this you’re now missing. It’s back there in that module.”
And man, you can imagine the complexity. Keeping these things up, especially for a company like Magnet where things are evolving so quickly, new solutions are coming out, old ones are evolving, and of course, from the product and the design team, “Hey, we need to change how this the GUI looks how the interface looks because it would be better this way.” Yeah, you’re right So it took you a day. You just set this team back two months because now everything is outdated.
So there are certainly some challenges to it. That being said, what it can deliver I think is absolutely amazing because with these same training components, we have a reusability of content potential here. Now, how you do something, it’s great in a formal training class, it’s also a really powerful little resource for someone who had to call tech support because they didn’t know how to do something and tech support helped them and oh, by the way, here’s a link to some content. It’s super helpful for the docs team as they’re writing, “Hey, this is how the system works and this is what it does.” Not traditional formal training, but hey, here’s a little video that actually helps you with that. Believe it or not, it’s good on the marketing side as new features come out. How do you use the new feature? Because I just took AX300, I’m not going to take it again next week, because things have changed. So how do we keep people up to speed on product changes? So micro-learning is really, really an interesting thing, especially because sociologically we’re accepting it, we’re leaning towards it.
And when I go and I visit classes, one of the interesting things is sometimes I get beat up by the students. I’m like, “Okay, guys, what can we do better? What can we do better for you?” And so often a student will bring up like, “Yeah, stop doing the dang online learning. Okay, help me. Why? Well, because I like to travel and my supervisor won’t pay for me to travel anymore because the online learning is so good.”
I’m like, “Man, I want to help you, but I can’t.” And so it’s good; it’s where things are going; it’s exciting; and I think it gives us depth and breath and gives us more examiners; and it’s a key to that thing that I spoke about earlier, where we have this democratized evidence and we have these end users. They’re not coming to a class, man. They need to know how to do something with that review system and maybe they take a quick 10-minute review with a quick test before they get access to the system. And that’s how they learn. Again, it’s all micro-learning and online learning stuff.
Desi: I really love the micro-learning thing because it goes to, we were talking earlier about the start of the internet, I guess, and how people solve problems is ‘just Google it’ kind of thing. And then you’ve mentioned as well you tried to solve your battery problem and you just went to YouTube and it’s funny how like and people who put videos on YouTube, it’s completely like non-technical people or non-cyber-technical people I guess, but they’re just like, “I solved this thing at home and I’m just going to create a YouTube video so other people will like watch it and you can solve the same thing.” And it’s funny that humans organically have done that, and then it’s quite a useful method in formalized training.
Chuck: It really is. Sometimes it scares me a little bit because the part of that story that I didn’t tell you was, there was a way to bypass that battery so that you didn’t have to worry about it. I looked that up and did that first. I’m glad I had an extra box of fuses because that did not work the way that the gentleman said that it would work. And so, and you’re going to want to slay me as a Linux guy, when I was in the lab, I would adhere to that saying of, yeah, “Linux is free if you don’t value your time.” Because you’ve got to figure this stuff out on your own, man. And I don’t have time to do that; I would rather go to a reference or a formalized training.
And now it’s different and all of that is there, but back, it was then just kind of experimentation. And, you know, we make jokes about the ‘YTCE’, the YouTube-certified examiner, because they’ve gone out and they’ve picked up a tidbit of this, “Oh, I know how to do that. I looked it up. Oh, I know how to do that on YouTube.” So there’s incredible power in it, and maybe I’m being the old dog, but there’s also some inherent risk for those same reasons.
There is a body of knowledge in that body of knowledge, maybe you don’t have to know every bit of it, but darn it there’s a thread that runs through it. If you’re going to, on the law enforcement side, we are talking about people’s freedom.
Desi: Yeah, true.
Chuck: We are really dealing with key issues here. And even on the corporate side, you’re talking about employment. On the national security side, we need to protect the integrity of that educational journey, both as a vendor ourselves, and as a community, we’ve got to be thinking about that and making sure that newcomers benefit from that socialized approach. But in some way, if you’re going to be in a position that influences people’s future, there has to be some certification or qualification that goes with that.
Si: I mean, it’s interesting, because I too have been on YouTube recently to look up something to sort out my wife’s car. In this case, it happened to be the key fobs that we needed to sort that out. But you highlighted one of the things that it’s an advantage to you for, which is that you get new products and you can start to showcase a new feature as micro-learning straight away. And when you control the whole platform like you do, that’s great, because you can expire old content and you can bring in new content. I went through four different key fobs that were predating my wife’s before I found the right one that actually matched what I needed. And that’s a constant thing for us in forensics because everything’s constantly moving. It’s like that.
But my question is that, Obviously, this presents a slightly different challenge from a financial perspective, which is, I recently did just pay a reasonably large amount of money to go and sit a course for a week and you go and you do a course and you come out at the end of it. How are you accommodating your profit margins on training, or is it part of my license that I have access to it, or how is it panning out for you in that?
Chuck: You know, sorry, that’s an ever-changing dynamic, candidly. So, our curriculum is built by, we’ve got somewhere on the order of 20 full-time folks who areformer forensicators. Even at the end of a career or if they’re mid-career, these folks don’t come cheaply and they are not dull knives; they are sharp knives who are researching and developing things. So the quality of that content we kind of have to protect by compensating those people. And as a business, we have a responsibility to at least break even for the organization as we continue to do this.
Now in different fields, you’ll see training be a cost center and a giveaway. People, and I will probably receive a bunch of hate mail behind what I’m about to say, and you guys may be the recipients on my behalf. I have found over the 20 years that I have been involved in digital forensics training, that which is free has no value. People tend to walk right past those things that are free and not take the value and see them seriously. Now, that sounds like a blanket statement. There are certainly exceptions to that. But if you look at the mission that Magnet has of making sure people get the desired outcomes from our tools, free isn’t a great approach because it is very, very difficult to build that in as a cost center because it’s going to take away from somewhere else in the business, usually where we’re developing new code, new software and those things. So what we shoot for is to have a reasonably-priced course that is reflective of at least the value that you’re going to walk out with.
Now, going forward, it’s a really interesting dynamic because we start to talk about things like in-app help. So, the mode today is, “Hey, you know what? I probably don’t even have to go to YouTube.” If we as a software vendor take the time and build things properly, can we integrate some of that video learning into the product itself? How big does it make the files, et cetera. But then again, if you end up in an online environment, does it matter? It’s just an issue of bandwidth. So you start to see a shift of this content and where it will be delivered to drive those outcomes.
So if our mission is to drive customer outcomes first then we have to, as an organization, look at, where do we place this stuff going forward? Currently, we are still going to monetize that, but we also do things like our tap pass, and I think we’re up to 15 different courses right now, and we have somewhere around a little over USD$6,000 price tag. And we have people who attend all 15 courses for that investment, and we love to see him because if we can get you to sit in three Magnet classes in a year, number one: it shows your commitment to learning; and two: it shows that we we’re winning you over with our approach, which we believe to be effective in making a difference, having a sociological impact. So we’re getting tighter and tighter with whatever workflow you’re doing back in the lab.
So we really do try to strike a price point that drives customer success and customer adoption while still not running the company into the red or impacting other parts of the mission that could be negatively impacted just on a financial front. So hopefully that kind of answers it.
Si: Yeah, no, definitely does.
Desi: And I 100% agree with that sentiment of people don’t value free. I watched a YouTube video of a guy that was trying to explain why you don’t reveal how much time something takes if you’re a very niche field of something because you charge your premium and then the person’s like “Oh, but if it only takes you five minutes I don’t want to pay as much”, but he’s like, “But I have 40 years experience doing this, so you’re paying you’re paying for my experience to make something. What does it matter how long it takes me?” and it’s this psychological thing because I guess we’re paid generally by the hour and that’s how most humans comprehend the value of something.
Chuck: Yeah, it’s transactional instead of value-driven sometimes. And we may occasionally have folks like, “You know, well, your classes are kind of expensive.” Invariably, that’s before they attend. Once they attend, and I take great joy every Monday sitting with my cup of coffee and looking at all the student evaluations from the week before and looking at the overall numerics over the years that we’ve been here, people walk away from the majority of our classes; can’t wait to get back in the lab and do new things, and they do, as I said earlier, feel confident, comfortable and more empowered to do their job. So at the back end, the question of the value rarely comes up. In eight years, I can count on one hand where I’ve ever had a customer say, “I don’t think that was worth what I paid for it.”
Si: Let me say another thing that certainly makes you feel you’re getting value is when you get a certification at the end of it. And I know that Magnet also does a certification. So what’s the certification about and how does that pan out?
Chuck: So, the way that we go about certification follows very much what we talked about earlier in the course content. What we didn’t want to do was create a certification that is simply, where do you point and click to do these things? Because that is just certifying how to use the tool. Now, you’re going to see some things coming out from us in the near future that we’re calling ‘qualifications’. If you think about the Graykey device, for example, there is how to manipulate it, connect it, get data off of a mobile device using it. Doing that mechanical act through this box is more of a qualification. A certification is now taking what you’ve extracted and being able to examine it and understand what is happening and reconstruct what has happened. So you’ll see qualifications from us, but our certifications are based on, “Hey, yes, I have the base core academic knowledge of the bits, bytes and what’s going on here; and I can actually go through and manipulate the data, look at it, understand what it means and report upon it.”
Again, those outcomes. So the certifications are tied to the ability to achieve the outcome. Of course, the larger one for us is the MCFE, which is based on our AX200 class. The way that we do our certifications is tied to some, but not all of our classes so that you are certified that you can do this kind of an examination or use the tool in this way.
Incident response investigations are a very unique beast in the digital forensics world when you compare it to a child exploitation type investigation or an HR investigation. And so we have certifications built around that skill set. So that requires the academic knowledge, it requires the knowledge of how to manipulate the tool, and it requires that you understand what it is that you’re looking at and can make decisions and build reports based on that.
Now, we could have taken, and I’m not saying that this is an irrelevant approach, it is a very relevant approach. Some organizations, both public and private, take a much grander, “Here’s your evidence file, you’re on your own and I need a fully blown out report and it better cover all of these things.” And so it becomes more of almost a thesis that takes weeks if not months to complete. There’s real value in that and I am not going to bad-mouth that. But, in a working world where a lot of examiners need to be able to say, I am competent at a medial level where a court will accept with this tool, we don’t need to go to that depth. We don’t need to take a busy examiner and say, “Hey, you’re going to need to take six weeks offline in order to complete this certification.” It’s almost like getting a degree.
I think people should do it and there’s value in it, but it doesn’t achieve the mission that we’re trying to achieve, which is social impact. We felt that we were better off having a very difficult certification process that wasn’t so based in an in-depth practical exercise. But still, when someone goes to court, they can be recognized as certified, not just using the tool, but in being able to achieve the outcomes.
So that’s the premise that we build these around. gBut as I said with the Graykey device, we wanted to make sure too, because what happens is there are folks who are using Graykey, but not using Axiom at this point, which is shocking to me, but yet it exists. And they can’t necessarily go to court and say that they use the Graykey device unless they have a Graykey certification.
So, if we build our certification completely on Axiom and being able to analyze, well, like, I’m not using Axiom, so therefore I can’t use Graykey. Well, we don’t want you to not use the most powerful extraction device that’s out there. So we’re looking at qualifications as a means to validate that competence, and then they can be certified in whatever tool they do look at that data with.
Si: So it’s more or less the equivalent of a technician to an examiner. A technician will do a technical role to follow a procedure and deliver something, whereas an examiner will actually be an investigative process.
Chuck: You know, maybe we should have named it ‘technician’ instead of ‘qualified’.
Si: It’s right. I only charge a small consultancy fee.
Chuck: I knew that was coming.
Si: It’s interesting that law enforcement is a major part of all the forensic marketplace, because that’s where this started off. It’s where we started off. It’s, it’s that kind of dealing with crime. But we’ve seen over the years that these forensic tools and Magnet being amongst them, it’s being brought into corporate environments, not only to deal with incident response or indeed, you know, fraud or some specific crimes, but also sort of generic HR investigations. You said this yourself. How are you finding that balance between extremely unpleasant material on one side and somebody who spent longer in the toilet than they should have and didn’t take their lunch breaks at the appropriate time on the other, and working all of that into a training course?
Chuck: It’s always been a challenge. I dare say it is more of a challenge now than ever, as corporate uses these tools more and more. So for me, as a leader and for our curriculum team and our whole training organization, we’re always looking at this. When does that body of knowledge, because there’s such overlap in some of the skills and techniques and approaches, but when did they differentiate enough that it warrants a completely separate training course for it?
And I’ve got to be honest with you. To date, the majority of the times we have found that let’s look at the technique of pulling some kind of a log file. Well, that is a completely different log and a completely different thing that I’m looking for in an HR investigation versus what I would be in an a criminal investigation or an intrusion investigation, right? Because now that log is super important to me because that’s going to tell me when the bad things started to happen. So the technique, the methodology of getting to a log and understanding what a log is and how to process that log is fairly standard, but the interpretation and which log it is varies.
So, usually we have been successful by teaching the technique and then within the curriculum identifying the use case for the students, who are both in the same class. And people pause because like, “Well, you know, it’s a law enforcement class and I don’t need to know how to do that.” You do occasionally hear that. But then you also hear from corporate investigators, “Oh, you know what? I can use that.” And I always think of, and I will date myself yet again, the original Jurassic Park, “Life finds a way”, right? And when you put a piece or a piece of knowledge or a skill set in front of someone, you are deciding as an instructor or curriculum developer, how you think they’re going to use it. And I’ll be damned if you show someone who you don’t think gives a hoot about this, well actually now go back to the lab and find a way to use it that is really unique to them and their scenario and get powerful results with it. So that has been a benefit.
Now, if a class reaches a point where it actually differentiates so much, then we will in fact break them off into what you might call an enterprise or corporate class versus an LE class, and we have done that in the past. What’s interesting is what I find is that people cross-attend those classes, right? I end up with a bunch of coppers in what I wanted to be a private sector class, and the private sector folks in the law enforcement class.
And rarely do they go, okay, well, with the tap pass occasionally, because they can attend anything they want in those 12-month periods. So sometimes a tap holder will come out and say, “Well, that was kind of 50% the same class.” We’re like, “Yes, that’s that’s why we labeled them differently. But we warned you that these were.” But more often we get people like, “No, no, I did that on purpose because I want to see what the cops are doing or I want to see how I would do this if I ever leave law enforcement and I’m in the corporate world” or, “Hey man, I work intrusion investigations as a copper and most of the training that I get on the law enforcement side is towards CSAM or these kinds of things. I want to understand how to investigate a network intrusion. So I took that class on purpose.”
So we divide them when we really have to, but we have actually split classes in the past only to fold them back together again, based on the attendance data.
Desi: I think it’s really interesting, as well. So, my current role, I work in insider threat and we’re seeing, I think more of a convergence between law enforcement and enterprise investigations, not necessarily the forensics themselves, but from our perspective sometimes we come across CSAM material or material that needs to be referred. And so understanding the need for protecting the data and handing that off in the best possible way to law enforcement. So having the joint training and understanding the challenges and the goals of each is super beneficial and in classes. And actually I was just thinking about the classes being online. You’ve got the online self-paced, but then you still also run online classes with groups. How do you foster, because for me, personally, I really like online self-paced. That’s how I learn really well. But the best thing that I think you get from in-person classes is the interactivity between your classmates. So how do you go about fostering that in the Magnet ones?
Chuck: Man, it is, that is such an interesting thing and we learned it early on, but it really became a focus during the pandemic and just the human dynamic of how people feed off of each other. So if you get a class that starts out kind of quiet and you don’t find a way to get them talking, it doesn’t matter if there really is a couple of people who really would like to communicate, the class stays quiet and they’re less communicative to each other. They’re slower to answer questions and so you have to find a way as an instructor to get them rolling.
And once you get them rolling online, it actually works very, very well because well, in 2019 before pandemic, the tools were okay at communication within the students themselves cross-collaboratively, but then they all developed and now there’s a perfect opportunity for students to talk to each other without the instructor being aware of subgroup communication.
And one of the best tools we found, well, one of them is dad jokes, because I don’t know how we ever went down the road, but my team started telling dad jokes, and it just became like a brand or trademark for us. So we have this category of dad jokes and I see in the evaluation where people are talking about these dad jokes.
So, but that’s an example of a way to break the ice and get people to be interactive. But another one that we’ve found is some gamification. You know, we use Kahoot! and it is amazing to see people who might not have otherwise said a word, “Oh, we want to see who the smartest is. Okay. I’m in.” And so you get that gamification going, it increases the attention because they know the questions we’re going to ask are based on the block that we just taught. And so it becomes barstool trivia. Like I want to win, man, and this becomes the focus and that fosters a ton of communication and camaraderie. And one of the things that I ask of the team, we use this term that we call ‘instinctive alliance’. And what I mean by instinctive alliance is when you come to one of our classes, and this is really true across Magnet, but I really drive it home in the instructors, when you teach a class, you’ve really succeeded as an instructor if at the end of that class, the person walks away, in six months from now when they run into a scenario that they don’t understand or a time crunch or some crisis, as human beings, we automatically think about, “Who are my friends, who are my allies that I can count on?”
I want Magnet as a whole to be one of those allies that you instinctively think, “I need to call Magnet because I need help with this.” or, “I need to call, you know, whatever instructor, Larry McClain, whomever I need to call that individual because, man, I remember when we were learning in class, that guy was sharp. He knows this stuff. And he said, ‘if you need something, give me a call.’” So that instinctive alliance philosophy is something that we really asked the instructor to strive for.
Now, you’re going to get some folks who are there to learn. It’s like an Uber ride, right? Like, I’m here just to get from point A to point B. I don’t want to talk to you. I don’t care about any of it. And that’s fine, as long as you come away with knowledge. But the goal is to break down that outer shell and get them to involve themselves in the class and walk away wanting to attend more training and to consider us a peer as an organization and as individuals.
Desi: I really love using the dad jokes and you’ve got a list of them. I did attend an online SANS course once, and it was cross-continent, so different time zones, people were tired, that kind of thing. And it was sharing memes that kind of got the class together. Because I think we were using at the time, it was early COVID times, it was like using Slack. And so that was separate from the instructor and we were just sharing memes and that kind of fostered that talk initially amongst the students. And then it was just like so much better when you’re getting into content we need to talk about it. So humor is such a good tool for that. That’s awesome.
Chuck: It really is.
Si: I think the Magnet fundamentally has the attitude, the mission statement of societal benefit. It really suddenly reassures you as a student that a call will be met with not a, “Could you please sign this check before we give you an answer?” but an honest response to further society. I think that’s a fantastic way to take it.
And I’m going to say, there are plenty of things that make me incredibly happy in life, but it makes me very happy when a former student gets in touch and says, you know, can you tell me about this? Or is there something you can help me with? It is a wonderful, warm, fuzzy feeling that you’ve done something right somewhere. So yeah, definitely. I totally get that.
Chuck: I think it’s only secondary when we get the calls that they resolved a case using something that we specifically taught them in a class, and a child is rescued or further harm was prevented. Like, I’m a grumpy old man, but there are things that will bring moisture to my eyes and it’s knowing, as a former copper, I could come home and tell my family war stories of the difference that I made that day, but it was usually in an individual’s life, or maybe we were too late to make a difference. When we get an email from a student who was able to prevent something bad from happening specifically because of what we were able to teach them; the tool itself, yes, but because of what we were able to teach them, that’s when the everyday stories aren’t quite as glamorous sitting in this chair as they were in a black and white car. But dammit, they’re pretty impactful still, and I still will come to the dinner table and talk about, “Hey, did you see this case on the news? Yeah, that was someone who was using a Magnet tool and they sat in our class”, and see, my chin goes up right when we’re talking about it because it’s a point of pride and excitement. And that’s just part of the Magnet way. Like, we want to make that difference.
Si: No, that’s a fantastic attitude to have. Absolutely wonderful. And yeah, no, absolute pleasure .
Desi: So I think we’re getting towards the end, but I guess what’s something that’s potentially on the roadmap or in the future for Magnet training?
Chuck: Ah, roadmap. Yeah, every time I write one of them the product team comes up with a better idea and we shift. Because remember, hey, training is here to make sure that the products are successful and that our customers achieve the outcomes. So, I’m not going to play quantum leap and try to figure out exactly what the courses might look like in three years, hell, maybe not even in three months.
What I can tell you is training has always had some North Stars that we navigate to. And the first of that is making sure that we optimize the outcomes that our customers can achieve using our solutions, and that will remain a North Star. Aligning with what the product team needs from us because we have some really brilliant product people and engineers who then code out those ideas. So it’s important that we stay aligned behind them and stay flexible.
It’s important that we stay on top of delivery modalities and don’t get stuck in our ways. And this is hence the conversation we just had about the pros and the cons of micro-learning, right? Like, we do understand it, we do want to embrace it. What’s our experience on it? We cannot sit here and say, “Hey, classroom learning. That’s what we do. Take it or leave it.” If we care about our mission, at the end of the day we have an obligation to get out there and meet the people where they are and give the content to them the way that they need to consume it.
So I think we’ll continue to bring on really seasoned folks to deliver on that. The North Star for us is always driving the outcomes for the customers. So be it three years or five years from now or as long as I’m sitting in the chair or probably anyone in my chain of command sitting in this chair, that’s going to be the same. That’s what the future looks like is caring about the customers and making sure that they get the most out of these great ideas and great code work that the rest of the team is doing so they can have social impact. And hey guys, at the end of the day, you know, we do well by doing good.
And so it benefits the company, it benefits investors. It allows us to drive revenue and do more good things. So those things are kind of our North Star, and those things are going to remain true.
Desi: All right, awesome, awesome. Well, thanks so much for joining us today. It’s been a pleasure talking to you. It’s great learning about, like, I really enjoy talking about learning and trainings and how people learn and how you are all presenting it all together. So it’s been so much fun.
Chuck: Thanks for having me. I figured I might be really short and this would take about 20 minutes. But, you know, my jaw is sore, my throat is dry and I’ve overrun my gums as usual. But hey, thanks for the opportunity to do that. Great to chat with both of you. And even if it’s not on a podcast, man, anytime either one of you guys want to talk, feel free to give me a call.
Desi: Awesome.
Si: Thank you. Thank you so much.
Desi: Well, thanks to all of our listeners. As always, we’re glad that you could come and join us. For the source of truth for all of this, you can go to Forensicfocus.com where you can watch the video or listen to the podcast there. We also host on YouTube and wherever you get your podcasts from, and we hope to see you all next time. Thanks, everyone. Bye.
Si: Cheers.
