Reviewed by Scar de Courcier, Forensic Focus
On the 14th-17th of October 2014, Magnet Forensics ran its first remote training course on the essential knowledge required to properly use Internet Evidence Finder, Magnet’s flagship software solution.
The course was set up with the aim of aiding digital forensics investigators who are completely new to IEF, or investigators who are not used to working with digital forensics solutions but require their use on certain cases.
Rob Maddox, Magnet’s Director of Global Training, put the course together and described how it was developed: “We designed the 3-day IEF Essentials course for new and experienced digital forensics professionals who are incorporating Internet Evidence Finder (IEF) into their investigative workflows.
The primary focus of the course is to assist digital forensics practitioners with the three primary stages of their investigations: locating, analyzing, and presenting evidence in support of their cases. As a former police officer and detective, I can appreciate the anxiety that an examiner experiences while they’re waiting to enter the courtroom for their testimony. Whether the examiner is from the public or private sector, each has the responsibility of articulating their findings to a non-technical audience. If the examiner lacks the confidence in their abilities, or in those of their forensic tools, it makes for a very uncomfortable experience on the witness stand.
The IEF Essentials course was developed with the express goal of ensuring the students leave the training with this confidence. During the extensive hands-on instructor-led exercises, students learn about configuring IEF to maximize its effectiveness, while exploring key artifacts at the physical disk level, in order to gain an understanding of their importance.
At the conclusion of the 3-day training event, both new and experienced forensics professionals will have the confidence they need in their abilities, and those of IEF, to articulate where IEF locates evidence, how it processes the evidence, and what user and system behaviors could have generated the evidence.”
In preparation for the course, I received a textbook which covered all the materials we would be using, as well as a USB stick with a trial version of IEF. These arrived about a week in advance of the course itself, which gave me the chance to review the material ahead of time. As someone who is fairly new to forensics, I found this very useful and it helped to allay some of my fears regarding the level of practitioner at which the course would be aimed.
On the first day of training, we all logged in remotely and introduced ourselves using the ‘Chat’ function. This was set up from the very beginning as a place to ask questions and interact with other students and with the instructor. There was also a “raise your hand” option which allowed students to send an alert to the instructor if they missed something or required clarification. This was very helpful and meant that all of us could keep up with what was happening. There were a couple of technical mishaps on my side due to my computer crashing, but despite this it was easy to catch up with what was going on and to understand the course content.
The course began with an overview of Rob’s own experience, which helped us to understand his background and qualifications and get to know the trainer. Rob then ran through a brief history of Magnet and a description of the kinds of cases in which evidence from IEF is used.
There were a few example cases that were used throughout the course, which helped us to see how the different elements could be cross-referenced with each other. For example, after finding Skype artifacts that mentioned unique terms or names, we could cross-reference these with other evidence, creating a well-rounded case. These could then be plotted on a timeline, making them easier to visualise.
The structure certainly worked well and enabled the students to move through the material quickly without anyone being left behind. It was also very useful to be able to “play along” with the instructor; Rob would demonstrate an action and describe what it would be used for, and we were then encouraged to do the same on our machines. We repeated some of the exercises several times, and each time added to my understanding of IEF and its place in digital forensics investigations.
Another thing that really helped my own understanding was that we used IEF alongside some other tools. For example, we would frequently find some evidence in IEF, and then move over to FTK Imager to compare what it looked like there. This allowed us to see where the data in IEF was coming from and how it could all be linked together in an investigation. Rob also explained how, when presenting as an expert witness, it helps to be able to demonstrate evidence using several different tools, and showed us how to do this with the test cases we were using in the training.
I had not previously taken part in any live online training, although I attend a lot of webinars and have done courses where the materials were posted online. I was unsure whether the “real-time” aspect of the course would mean that it would be too fast-paced or easy to get lost; however, this was not the case. At times it was challenging, but in the right way: making the students think, rather than making us feel lost. There was more than adequate provision for questions and requests for re-explaining certain points, and Rob also volunteered to help anyone who was confused or lagging behind after class.
The computers were left on after class as well, so we had the opportunity to continue working using the materials provided, going over the concepts we had learned during the day. The materials that had been sent in the post – the textbook and USB – were also good for this as they provided ongoing exposure to the resources.
I asked Rob what specific challenges are associated with both remote and on-site training, and which approach he as a trainer prefers.
“The live online training environment is really the best of both worlds. It allows students the opportunity to actively participate in a live course, from the convenience of their office or home, and helps them reduce the operating and training costs associated with traveling to an on-site course location.
The convenience of the live online platform is not without challenges, however. First are the host facility requirements. The location from which the online training is delivered needs to have adequate bandwidth to support the activity, which can include data uploads and downloads. The bandwidth must also be sufficient to support streaming audio, or video, with little interference, which could detract from the overall training experience. Most importantly, though, are the classroom computers the students will be connecting to remotely. The computers need to be appropriately-configured to support a consistent remote connection, with the right combination of processor capabilities, RAM, and hard drive space. They also must have all of the requisite software applications to support the learning objectives, beyond the baseline operating system, and IEF. The classroom computers also require ongoing maintenance, which must be conducted as updates become available for operating systems and other related applications, or when hardware components begin to fail over time. There needs to be a mechanism in place which allows the instructor to reimage the classroom computers once the course is completed, effectively resetting the computers back to a default configuration in preparation for the next class. Finally, there needs to be a hardware and/or software solution which allows the instructor to connect to the classroom computers being remotely-accessed by the students. In a traditional in-person class, it’s common for the instructor to walk over to a student’s location and provide one-on-one instruction. The live online class must have this same capability, which typically comes in the form of a Keyboard Video and Mouse (KVM) interface. Using the KVM, the instructor can connect to the student’s computer from the instructor station, and help the student with a question, or demonstrate a technique during a hands-on exercise.
All of these are the logistical challenges that must be overcome when building and maintaining an online classroom. But perhaps the greatest challenge is in the delivery of the online training content. There are typically two primary challenges in this category. First, there are the incidental troubleshooting issues which can arise during the delivery. Often these are beyond the instructor’s control.
The other, more critical challenge during the delivery of an online course is ensuring that the experience is on par with that of an on-site class. This is particularly challenging given that the room in which the instructor is teaching is filled with computers and monitors, rather than students. In an on-site course, the instructor has the benefit of scanning the audience, and reading the body language, to get that critical biofeedback which tells the instructor that they haven’t lost anyone. You can usually tell when someone didn’t quite grasp a concept, even if they haven’t raised their hand. So you try a different approach to your explanation to help reinforce the learning concept, and watch the light bulbs above the student’s head go from 40 W to 75-100 W. In an online environment, the instructor doesn’t have this luxury. Unless the student enters a comment or question in the chat interface, electronically raises their hand, or speaks up with an audio comment or question, the instructor has no idea if the students are following along, or completely lost, since the screen and cursor movement looks the same in either case. So it’s critical for the instructor to maintain constant “status checks” with the students by reviewing concepts, asking questions, and interacting on a one-on-one level that’s usually more frequent than what would be required in an on-site venue.
Although I’m comfortable teaching the live online format, I prefer the in-person classes, as they afford me the opportunity to connect with the students on a much more personal level, which you just can’t get from a mouse, keyboard, and microphone. As I mentioned earlier, it’s important for an instructor to continually monitor the students’ progress during the course to ensure the learning concepts are clearly understood. In a live classroom environment, you can periodically scan around the room, watch the body language, and facial expressions of the students, and spot those who are actively engaged in the training, and those who are having difficulty. Without singling out the students having trouble, you can take a break to ask review questions of the entire class which help reinforce the learning concepts, and see the moment when the one or two students having difficulty finally understand. In addition, an in-person setting also gives the instructor the opportunity to provide one-on-one instruction more easily, during the hands-on exercises. I’m not a big fan of “death by PowerPoint” when I teach, and tend to use a dry erase board instead, when reinforcing the learning concepts. Unfortunately, the live online platform doesn’t always lend itself very easily to this teaching style.”
Overall, my own experience with the IEF Essentials training was overwhelmingly positive. It was pitched at just the right level, remained interesting, helped not just with IEF but also with other tools, and provided the right number of breaks to ensure that the students didn’t get too fatigued but did manage to cover a lot of ground in just a few days.
Where and when is the training available? Rob elaborates:
“We offer the 3-Day IEF Essentials course in one of two formats, to meet the individual needs of the students. The first format is the traditional on-site option, where students travel to a specified training venue, and receive in-person instruction. The other format is the “live online” platform, where students login remotely to an online classroom environment, and interact with their instructor and fellow students through an online classroom interface.
We currently offer on-site training at least once a month, and the live online option every other month. Looking toward 2015, we will continue on this track, unless the demand for the online training requires the need to run a session each month. The training calendar on the Magnet Forensics, Inc. Web site will list the dates and locations for the on-site classes, and dates for the live online sessions. Currently, the live online courses are run on an Eastern Standard Time (EST) time zone.”
I would definitely recommend the course to anyone who is interested in furthering their own understanding of IEF specifically and digital forensics in general. If you are completely new to the field, this is a great place to start as the content is accessible and the course leader is very patient. If you have some experience in digital forensics already, then no doubt certain aspects of the course will already be familiar to you, but I am confident that any level of student will find something useful to take away from the IEF Essentials training.