Saturday, September 4, 2010

Take Vienna

Napoleon once said that if you start to take Vienna – take Vienna.  This is the same advice that I give people who are interested in obtaining an academic degree in digital forensics. If you start to study digital forensics – then study digital forensics.  If you are passionate about digital forensics and you want to break into the field by obtaining a digital forensics degree then do it properly.

With the increasing popularity of digital forensics, we are seeing an explosion of academic programs that claim to prepare students for a career in the field. Some of these programs are well suited for this task and others appear to be a great waste of time and money. 

For example, I have observed quite a few programs that label themselves as computer forensics programs, but offer very little in the way of a proper computer forensic education.  Many of these programs are nothing more than classic computer science programs that offer a handful of computer forensic classes by instructors whose CVs don’t indicate a mastery of the field.

It’s not that students won’t benefit from academic programs that teach foundational  information technology skills such as networking, programming and databases as they prepare for a career in digital forensics.  Some of our greatest digital forensic gurus studied disciplines like electrical engineering (Harlan Carvey), computer science (Jesse Kornblum) and mechanical engineering (Eoghan Casey).  However, we live in a time where those who are passionate about the field have many opportunities at the academic level to build a strong foundation in digital forensics early in their careers. 

If you are going to get a degree in digital forensics then get  a proper degree in digital forensics.  The digital forensics program at Champlain is a good example of what appears to be solid program. I have heard very good things about this program from at least one of my trusted peers who has hired their graduates.  Champlain offers a bachelor’s level degree in Computer and Digital Forensics.  Instead of a handful of token computer forensic classes layered on top of a traditional computer science curriculum, this degree program appears to be specifically designed to prepare students for a career in digital forensics. It is also offered online and at the Champlain campus.

If you look over the curriculum, you will see that they offer nine specifically branded forensics courses including an internship.  These courses include content specifically geared towards digital forensics such a pair of foundational computer forensics courses, but also courses in areas such as anti-forensics and network forensics.  A nice bonus is that students can get some training in areas such as white collar crime, forensic accounting, criminal law and criminal procedure.  This program also provides students with the opportunity to obtain grounding in general information technology skills such as networking.

A critical consideration when making the decision on what degree program enroll in is not only the strength of the material, but who is teaching you that material.  I like to review the CVs of professors who teach computer forensic courses to get a feel whether these are people who actually have experience in the field or if it’s just a side thing for them.  A lot of the people I see teaching digital forensic classes are people who appear to have very strong backgrounds in computer science, but look very weak when it comes to digital forensics. It’s a bad idea to get a computer guy, even a highly skilled one, to act as an expert witness in a legal case instead of an actual digital forensics expert. It strikes me as an equally bad idea to have that same computer guy teach people digital forensics.

With a program like Champlain, you get an instructor like Jonathan Rajewski teaching some of your classes.  Jonathan might not have a PhD, but he has real live experience in the field and has worked as a full time digital forensics practitioner before he became a professor at Champlain.  In fact, according to his biography, he continues to work in the field as part of the Vermont ICAC Task Force.

The rub with a program like this is that it comes at high price.  The online program costs $540 dollars a credit hour.  The campus based program is going to cost you over $27,000 a year.  Student loans can be a horrible burden if you borrow more money than your degree is ultimately worth.

Another interesting looking program that I don’t have much familiarity with is the Bachelors of Science Program in Technology Forensics at the University of Advancing Technology.  If you look at their online course content, it has a similarly strong focus in actual digital forensics just like the Champlain program does.

Network Security 2010

SANS Network Security 2010 in Las Vegas is mere weeks away.  Get your seats if you haven’t done so already.  The seats at these events can sell out before the event.  For example, Jonathan Ham’s FOR558 Network Forensics class already has a waiting list.

I’ll be acting as Rob Lee’s Teacher’s Assistant for FOR408 Computer Forensics Fundamentals. This class has been expanded to a sixth day because of all of the new forensic goodness that has been added.  I can’t wait to meet all of the students and help Rob turn them into lethal forensicators.



    this is where I took my classes at... you are required to obtain a nationally recognized certification before you graduate (CCE or GCFA are good ones) and a 120 hour internship is required.....

    CF 105 CompTIA A+ Computer Essentials Exam Preparation
    CF 106 CompTIA A+ 220-602 Exam Preparation
    CF 110 Introduction to Computer and Digital Forensics
    CF 205 Computer Security Fundamentals
    CF 210 Operating Systems
    CF 215 Computer Forensic and Security Ethics
    CF 305 Seizure and Forensic Examination of Computer Systems
    CF 310 Advanced Topics in Computer Data Analysis and Recovery
    CF 315 Fundamentals of Computer Networks
    CF 405 Network Forensics
    CF 410 Intrusion Detection
    CF 450 National Certification
    CF 497 Computer Forensic Field Experience and Seminar
    CJ 111 Introduction to Criminal Justice
    CJ 155 Criminal Law
    CJ 217 Criminal Investigation
    CJ 221 Criminal Evidence and Procedure
    CJ 471 Criminology
    BA 363 Business Law
    AC 221 Financial Accounting
    AC 222 Managerial Accounting
    MA 106 Pre-Calculus Mathematics

  2. I debated about whether I'd point out some of the weaker programs and decided to take the "if you can't say anything nice" track with it. I also debated spending more time pointing out more strong programs, but thought I'd just stick with highlighting one of them. The Defiance program looks like a strong one. It has a nice blend just like the Champlain program. Students get a grounding in the fundamentals and also get exposed to advanced topics later in the program. Like the Champlain program, I like the fact that this program includes content in accounting and business law.

  3. Great post, Eric! Something else to point out, as a secondary concern depending on your goals, is to ensure the university you choose is properly accredited. For example, the Federal government's Office of Personnel Management has a regulation that reads, "At the time the education was obtained, the entire institution, applicable school within the institution, or the applicable curriculum was appropriately accredited by an accrediting body recognized by the Secretary of the U.S. Department of Education." The Dept of Ed makes this fairly easy to verify via the following link to their search page: If the school at which you are looking is listed as a recognized institution by the US Department of Education, then any credential you receive from that institution will be accepted for federal programs, to include employment, scholarships, grants, etc. While this is a Federal government requirement, many state and local governments also use this standard, and it can help you withstand aggressive legal challenges to your qualification as an expert witness.

  4. That's an excellent point, Ryan. One of the first things I do when assessing a program is that I look to see that it's accredited.

    Given the response I’ve had to this blog post, I will be doing a follow up post where I will talk about issues like accreditation.

    I'll also talk about obtaining a degree in the broader area of information security since there are an increasing number of good programs in that area that also incorporate digital forensics into their program.

  5. By no means am I a forensics specialist, but from various experiences I agree with your observations.

    I am seeing various community colleges include a forensics course or two. I've taken one myself. That class was good, taught by a LEA forensics specialist from an region forensics lab center. But it was just one semester. Not enough time to get ready get into the subject. For me, it was useful to be familiar with forensics concepts but not actually doing forensics.

    Many community colleges that include "forensics" take their computer instructors and have them do a forensics class. Cheap but insufficient. These course would be useful as introductions for further study elsewhere. If modified a bit, such courses could teach future sysadmins about forensics issues, what they can do to help the forensics process, and why they should NOT do forensics without extensive additional training and suitable aptitudes.

    One of the significant things that can get left out in the computer department adding forensics taught by regular computer instructors are the non-computer aspects of forensics. Things such as handling of evidence, documentation, chain of custody, giving testimony, and proper communications among the parties involved.

  6. Eric,
    You present many great points! J.D. Abolins mentioned a great point as well! IT professors/instructors teaching "forensics" that have never been a practitioner or have experience in the day-to-day operations of a digital forensics lab/office. For example, there are institutions reaching out to law enforcement for guidance in developing their practical curriculum because they have no "hands on" experience. Universities/Institutions recognize that digital forensics is in a gold rush and everyone wants to be first, but I see there are lot of "digital forensic degrees" that lack substance. It is also good to see programs integrating business law and accounting into their curriculum, which is so important to the business side of digital forensics.

  7. Thanks, Brad and Jonathan. Those are both great comments.

    Brad also pointed out to me via Twitter that an internship is an important aspect of a student's learning experience. That's a great point. I'll talk about that in the next post I do on this topic.

  8. Maybe some of these professors should take an internship prior to teaching students digital forensics. I would equate the current model of most DF programs (going by what I have read from various sources) as, a Police Officer who has spent his/her whole career behind a desk, then going to teach recruits at an Academy on how to handle themselves on the street.

    I'd rather learn from someone who has been on the front lines than from someone who has been in "The rear with the gear".

  9. I think a strong program would benefit from a blend of people that Joe describes (experienced practitioners who wish to teach others) and passionate academics who have spent their academic careers preparing to get to a place where they can contribute greatly to the education of others in digital forensics. Gregg Gunsch over at Defiance is a good example of the passionate academic that you'd want to see part of a good program. You can check out his profile here:

    His LinkedIn profile isn't opened up very much to the public, but he has the phrase "Have a good time doing it" under his current role at Defiance. You want people teaching these courts and crafting these programs who enjoy this sort of thing. If they love it, they'll pass that love onto their students.

    My spider senses go off when I see someone teaching a class with a PhD in, for exmaple, Computer Science, but whose CV doesn't even suggest a mild curiosity about the topic much less any credible training or experience.

  10. Picking up on Brad's reference to colleges' "gold rush" with forensics programs, I am seeing other types of forensics disciplines being promoted. Forensic accounting is one I am especially seeing now. I don't have the knowledge to evaluate these programs.

    One computer forensics relative that might become a college "gold rush" is e-discovery. This might work out better than many of the computer forensics programs. But, again, the non-computer aspects are just as critical as the computer aspects.

    Re: internship, one of the grat opportunities for US citizens who are college students is the FBI Homors internships with the Regional Computer Forensics Laboratories (RCFLs).

    No RCFL internships in 2010, but opportunities resume in 2011. See the RCFL Internship FAQs page at

  11. That's an excellent point, Jonathan.

    eDiscovery is a classic example of a "gold rush" mentality. It was the wild, wild west when I first started working in that aspect of digital forensics. It's matured quite a bit since then. I'm curious if we'll see a Bachelor's degree in eDiscovery some day.

    An RCFL internship would be a fantastic opportunity for someone who wants to get started in the field.

  12. Great post, Eric. I'm in a community college program for Computer Forensics, with plans to transfer to Champlain next year. I'm really excited to work with people that have experience in the field. As you noted, the experiential component can be just as valuable as the academic component of the program.

  13. Eric,

    I agree that the professors, content and associations are of greatest importance.

    I feel compelled to mention my Alma Mater, University of Central Florida (UCF). While UCF does not presently offer a Bachelor degree, it does offer both a Graduate Certificate and Masters in Digital Forensics. I completed both programs (the MS is an extension of the GC).

    I found that the projects were relevant and well-composed. We used tools from the freely available Sleuth Kit (TSK) and Windows/Linux command-line tools. Frye/Daubert/4th Amendment/legal and Expert Witness/Report Writing were entire courses and the program has an Internship requirement.

    The instructors were the likes of Mark Pollitt (former FBI CART Chief and RCFL Director) and Dr. Phillip Craiger (researcher and Asst. Director of the National Center for Forensic Science). I also thought Carrie Whitcomb, Thomas Sadaka, Dr. Lang, and Dan Purcel (guest lecturer) were all extremely knowledgeable and good teachers.

    *NOTE* Mark Pollitt and Dr. Crager have recently moved to Daytona State College, so that program might be worth checking out also.

    Completely online and well-known/well-respected by many federal law enforcement agencies.


  14. How about Bloomsburg University? I was planning on going here to study CF. Here are the courses.
    56.117 Introduction to Computer Forensics

    56.123 Visual Basic 1

    56.223 Visual Basic 2

    56.217 Computer Forensics File Systems 1

    56.218 Computer Forensics File Systems 2

    56.317 Forensic Analysis in a Windows Environment

    56.348 Data Mining

    56.357 Database Design

    56.417 Advanced Topics in Computer Forensics

    56.476 Introduction to Computer Networks

    91.120 Accounting for Small Business

    91.326 Introduction to Fraud Examination

    20.101 English Composition 1

    25.103 Public Speaking

    53.111 Finite Mathematics

    28.295 Business Ethics

    43.101 Introduction to Criminal Justice

    53.141 Introduction to Statistics

    53.185 Discrete Mathematics