Testing, testing, 1, 2, 3...
I have put off writing this blog for several reasons. Foremost among them, I know it will make me seem like a sore loser and may possibly earn the judgement of many people in the industry with far greater experience than myself, whom I have come to greatly admire and respect. That said, I have spent the last two years taking every single course I could find on Digital Forensics, because when I engage in learning anything, I tend to do so with my entire being and I jump headfirst into trying to become an expert on the subject. Perhaps that is a genetic disposition or possibly due to my military training. Whatever the case, I enjoy the hell out of learning. That is one of the reasons why I love the Digital Forensics field. Technology and techniques change every day, and to be an expert in this industry, you have to educate yourself daily just to keep up. I absolutely thrive in this atmosphere, as I have noticed others do as well. It’s part of the geek culture. We would rather spend our free time reading research papers than fantasy novels. (Even though that has its time and place, too. #wheeloftime) It wouldn’t be strange to see someone in this industry tanning poolside with a copy of Practical Mobile Forensics 2nd Ed. while vacationing in Florida with their family. (#Guilty)
From the day I was asked by my department to establish their first Digital Forensics lab, I began scouring the internet for every manual that I could get my hands on. I began listening to every podcast that I could find. I researched online courses and signed up for every free class that I could take. Thankfully, as I work in Law Enforcement, I have been able to attend free classes online with the National White Collar Crime Center (NW3C). I have taken free On Demand courses through Texas A&M and many other places. Luckily, I was introduced to the AboutDFIR.com website early on by Andrew Rathbun, who is also a moderator for both the site and the Digital Forensics Discord Server. There, I was able to find a lot of free training to complement the paid training I was taking through Magnet Forensics.
The Magnet courses were my first real introduction to deep diving into digital forensics. I was able to really get familiar with the tool that I would be using every day in my work. The instructors were more than just highly skilled and knowledgeable, they were fun and personable too. I am friends with each of them on social media, in fact. Digital Forensics is a very friendly industry with countless people who will reach down to help you up. It is in no way, that I have seen, a ladder where everyone above you is stepping on your neck to succeed. It is a great field with great people working together to increase knowledge and help one another learn and overcome obstacles.
One of the greatest examples of that for me has been the NW3C courses. Most individuals wanting to get into the field are forced to pay thousands of dollars to colleges, private vendors, or the SANS Institute to obtain learning and certification. For those of us in Law Enforcement, there is also the NW3C, which is funded by federal grants to provide technical training to those working for FSLTT agencies. As I have stated before, I have taken just about every course imaginable in these past two years, to include the super expensive SANS FOR585 Advanced Smartphone Forensics course (which I will discuss next), and the courses at NW3C have been my absolute favorite by far. They are incredibly in-depth and technical, with a lot of information crammed into one week of learning, but they are fun and engaging with instructors that are entertaining as well as insightful. I absolutely love their method of Teach, Show, Do, Review for reinforcement of concepts. Their use of Capture the Flag (CTF) exercises to implement practical skill is the most fun and the best way of both learning a skill and measuring ability. It is far better than taking an extremely complex open-book test with only a minute and a half per question. The anxiety-induced adrenaline dump caused by such tests actually makes them pointless for measuring knowledge or skill. It becomes more a test of your ability to locate answers quickly in a multitude of books.
And with that, I get to the part that will most likely earn me a few boos and jeers. I absolutely loved my week of learning in the SANS FOR585 class. I learned so much in those few days and had a great time doing it. Each day had its own manual, which is given in both physical and digital form. The audio of the classes is available for download so that you can listen to it over the four months you are given to prepare for the exam. I listened repeatedly on my commute home, many times over. You are given two practice tests, which, admittedly, I did not take advantage of. Partly this was because of my busy schedule at work, and also because of the extreme anxiety I had over the thought of taking a timed test that everyone says is the hardest they have ever taken. I just kept procrastinating to avoid the anxiety. This could very well be the reason why I failed the GIAC certification exam by a single question. And while some may think it is my failure that makes me say that I think the test is a poor measure of knowledge and ability, I know that I would say the same were I to have passed. I can make this statement because I have passed similar certifications with the exact same thought. While it is great to be recognized as an expert by some simply because you have a few letters after your name, it only says that you were able to successfully pass one test. The reason that I truly love the program that NW3C has embraced is because finding the answer to a question is fun and practical. It isn’t just locating a sentence in a manual. I really think that SANS should reevaluate their method of testing, even though the class was amazing. They utilize the same Teach, Show, Do, Review method of learning reinforcement, which is 100% the absolute best way to teach anything if you need to become an expert quickly.
I was also fortunate enough to have Heather Mahalik teach my class, so it was a lot of fun and felt more like a bunch of friends hanging out and talking geek than a rigid graduate level technical class. However, given the short amount of time to cover such vast amounts of information, the course does move fairly fast and there were some questions on the exam that were difficult or impossible to find in the texts. SANS will even tell you that “the Certification Objectives of the GASF may not line up exactly with the modules in FOR585.” Regardless, I learned a great deal from that class, and while I feel that I definitely got my money’s worth, I think that for an exam to cost $1200 with an $800 retake, they should really consider either giving more time to each question, or creating an entirely new method of evaluation, much like they have done over at NW3C.
But that’s just my two cents. Take it for what it’s worth. You will absolutely gain a plethora of knowledge from taking a SANS course, as you will any NW3C or private vendor course (e.g., Magnet, Cellebrite, Oxygen, etc.). If you are as fortunate as I am, you will be able to take them all and hopefully become a better Forensic Examiner in the process. More importantly, you will meet so many amazing people along the way and be welcomed with open arms into an emerging industry that is high speed and high tech. However you choose to learn, I hope that this article helps you find some clarity, but remember one thing. It is only this man’s opinion. You have to determine for yourself what method of learning works best for you. Also, you don’t always have to have the alphabet soup beside your name in order to get ahead in this field.
Happy hunting! Now, go get your nerd on!