Friday, May 17, 2013

Ever Get The Feeling You’ve Been Cheated?

The famous John Lydon quote strikes me as an appropriate title for a blog post on the state of digital forensics academic programs in the United States. I have been a hiring manager for high tech investigations teams since about 2007 and was involved in assessing candidates for the teams that I was on before I became a leader. During the early years, it was rare to see applicants who had degrees in digital forensics, but I’m finding it increasingly common in recent years. One of the things that I have been struck by is how poorly most of these programs are doing in preparing students to enter the digital forensics field.

It’s not just undergraduate programs that are failing to produce good candidates. I have encountered legions of people with master’s degrees in digital forensics who are “unfit for purpose” for entry-level positions, much less for positions that require a senior skill level. The problem almost always isn’t with the students. They tend to be bright and eager people who just aren’t being served all that well. One of the core issues that I see with the programs that aren’t turning out prepared students is the people who are teaching them. It’s almost universal that programs whose professors do not have a digital forensics background are turning out students who don’t understand digital forensics. This seems like an obvious and intuitive statement, but given how many digital forensics programs there are that are being led and taught by unqualified people, it apparently isn’t obvious enough.

If you want to learn to be a good digital forensics examiner, you have to be taught by people who are good digital forensics examiners. If you are interested in learning digital forensics from an academic program, it is your responsibility to look beyond the promotional material and be an informed and educated consumer of your education. The last thing you want is a massive student loan and a degree that looks good on a resume, but then falls apart during a technical interview for that great entry-level job that you had your heart set on. One of the best ways to make sure you don’t get burned is to carefully study the backgrounds of the professors who will actually be teaching your classes. We’re a bit too early in the development of the digital forensics field to see a host of full tenured professors with PhDs in Digital Forensics, but that doesn’t mean you can’t screen out professors who have no earthly clue what they are teaching. Pay very close attention to the curriculum vitae of the people who are going to be teaching your classes. Does the CV show any actual interest in the field of digital forensics? I have seen many CVs for people teaching digital forensics who don’t show any research or training in the digital forensics field. What it looks like is that we have quite a few institutions that have decided that the digital forensics field is hot right now and, to capitalize on it, they press unqualified professors into teaching digital forensics classes just so they can lure paying students (and their tuition money) into their programs. Avoid these programs. Your future depends on it.

We are in a time where there are many fine academic programs available to aspiring digital forensics people who wish to learn digital forensics and launch successful careers. Unfortunately, there are more bad programs than good ones. It’s vital if you are going to spend the time and money getting an education that you don’t get cheated. It’s your life and your responsibility to look beyond the glossy promotional material and make sure you are trusting the right people to get you where you want to go.

9 comments:

  1. Eric,
    Nice write up. And it hits a bit at home for me since I'm teaching part time now (Intro to Computer Forensics). I'm curious as to what you are seeing versus what you feel students should know coming out of these schools. Is it specific knowledge that they should have, experience in doing x, y, and z?

    Part of the reason I'm asking is because I'm revamping the course I'm teaching and trying to determine what I need to include in the time I have, balancing lecture versus lab/hands on time, and still have them come out with some knowledge or skills.

    Now mind you one of the things I was stressing in my class is that my course alone will not prepare you to go right out and start acquiring hard drives, but to experiment on their own, read what else is out there, and get additional training (SANS, EnCase, FTK, etc).

    I think the other part is how many experienced people are out there that want to teach (or can teach for that matter)? Having knowledge of the topic doesn't mean one can necessarily teach it well, or have the ability to stand in front of 20-30+ people every week and lecture. I certainly have a lot of room for improvement, but I enjoy doing it.

    So while I agree with some of your points, I don't think the blame lies completely on the schools...but then I guess my opinion might look a bit biased (it's not meant to be).

  2. Nice write-up. It reminds me of advice I got at one point in time about how to look into college programs. To focus on the professors, their backgrounds, and what they are doing now in the field. The professors are what makes or breaks any program.

    > If you want to learn to be a good digital forensics examiner, you have to be taught by people who are good digital forensics examiners.

    Tom beat me to the punch on this but what can be done to make good digital forensics examiners want to teach the next generation? What I see from afar is that good examiners are more than willing to put together a training but not a college course. I think the lack of examiners wanting to do this contributes to the problem. The universities just make things worse by hastily putting together curriculums to jump on the latest bandwagon.

  3. I used to work at a prominent university which had a program in "High Technology Crime Investigations." Since I didn't have to actually pay for the (overpriced) tuition, I was in the program for a year as a non-degree student to check it out and decide if I actually wanted to finish it. It was too easy, I learned almost nothing, since I was already working in the field, and finally decided to ditch the whole thing when one of the "experts" confused SMTP and SNMP multiple times in a class.

  4. I am a self-employed digital forensic investigator and I train LEA and public/private sectors in cybercrime issues, but I am an associate lecturer at a university. On a part-time basis, I lecture mobile device forensics and cybercrime. I find that I have the benefit of being able to apply real life (anonymized) examples of cases to the textbook theory. This is always well received by students and they appreciate the fact that I know my work well and that I'm not just quoting theory at them.

    Another key point that I support is that students should seek external specialist training and certification (cost permitting) whilst studying. This will serve them well when they seek employment or even if they decide to work self-employed. A good understanding of open-source tools, such as Sleuth Kit, is another fundamental benefit for them, helping them get to grips with how commercial forensic tools work.

  5. I agree with this completely. This post should serve as a warning to those that are looking for bachelors or masters degrees in infosec.

    Personally, I've found that there are a lot of these online masters in "cyber security" or DFIR popping up lately from seemingly reputable schools. Many of which boast that they are NSA certified (I'm on my mobile, the actual name of the cert escapes me). I've even contacted a few in regards to possibly earning an MS in cyber sec and computer forensics (to be fair I won't name them here).

    I'm noticing that while the programs can be run by CISSPs and the like, the instructors themselves may not be qualified to teach the material in the first place. It's making the degrees worthless and terms like "cyber security" meaningless.

    I'm sure not all programs out there are like this. But potential students need to keep this in mind when looking for a program to take part in.

  6. > If you want to learn to be a good digital forensics examiner, you have to be taught by people who are good digital forensics examiners.

    While I appreciate the sentiment, I also think that it's more than that. In my graduate education, one of the things I found was that while the instructors were PhDs, none of them had ever taken a course on how to teach. When I thought about it, the same was true for my undergraduate education...yet, in order to teach high school and below, teachers need to have teaching certificates.

    There are a lot of good examiners out there, but not all of them are able to, nor interested in, teaching.

    > If you are interested in learning digital forensics from an academic program, it is your responsibility to look beyond the promotional material and be an informed and educated consumer of your education.

    This is yet another area where the DFIR community falls short, in sharing. What's interesting about this is that academic courses have nothing to do with actual, real-world cases, and yet we see very little posted or shared online about the courses themselves. This simply leads to an institutionalized fear of sharing anything, even that which will appear in public.

    I don't think that we're really seeing a great deal out there with respect to course reviews, because coursework and OJT don't focus on writing ability, and there's an institutional fear of peer review. Even within many of the teams I've been a part of, there was no sharing of reports, even after they had been delivered to the customer (within the team itself). What this leads to is new generations of analysts who become unconsciously inculcated into this mindset, because as they go through their course of instruction, they see the reticence of the community to share information.

    Finally, as someone who came up through the ranks before there were any courses available in this subject, your education is up to you. If you're having trouble grasping the material, get help...start with your instructor. Dig beyond the course material itself. Some of my most profound learning during my graduate studies occurred when the instructor gave the class the core part of a program (for linear algebra, we used MatLab) so that we could explore and try different things, rather than spend all of our time scrambling to complete the assignment. This carried over to courses in digital signal processing and neural networks, as well.

  7. Eric, you are right on the money. I have been doing forensics for 9 years in the law enforcement arena and never was able to obtain my degree (money, money, money). I have since then been searching for the elusive forensic degree but have found many are simply IT associated degrees with a peppering of forensic sounding courses that are included.

  8. Eric, you are right on the money. I have been doing forensics for 9 years in the law enforcement arena and never was able to obtain my degree (money, money, money). I have since then been searching for the elusive forensic degree but have found many are simply IT associated degrees with a peppering of forensic sounding courses that are included.

  9. I’m wondering whether Academia also suffers from the symptoms I witnessed in the IT training world. I used to teach an introductory course in Computer Forensics and Incident Response for a large international company that specializes in training IT and Management professionals. They offered no advanced forensics training, just the intro course with a target audience of IT professionals, who are usually the first line of defense and need to know the basic skills in preserving and handling digital evidence—I think that most forensicators would agree that a large percentage of IT professionals have received little or no training in this area.

    What amazed me was the attitude that any IT instructor with a background in server administration could teach the class. At the time, I was the only cleared instructor who actually worked in forensics full time. No one else had had any hands-on experience in the field of forensics, so they taught the course from their theoretical knowledge and perspective.

    I’m wondering whether this sort of attitude is also prevalent in academia and whether it also influences the development of the curriculums that result in producing unqualified graduates.
