Why Even Bother with Academia
To be honest academia wasn’t even on my radar. An opportunity presented itself and after careful consideration I decided to pursue it. However, before saying what my final deciding factor was for starting this journey it’s necessary to reflect on our DFIR field and how academia supports it.
There has been an issue within our field that seems to be growing with each passing year. The issue is obvious for those who are active on DFIR forums, mailing lists, and conducting interviews to fill positions. Eric Huber (A Fistful of Dongles) addressed this issue in his post Ever Get The Feeling You’ve Been Cheated? Eric made a lot of great points in the post so it’s well worth the read. I wanted to pull out two quotes to highlight the issue I referenced.
“During the early years, it was rare to see applicants who had degrees in digital forensics, but I’m finding it increasingly common in recent years. One of the things that I have been struck by is how poorly most of these programs are doing in preparing students to enter the digital forensics fields.”
“One of the core issues that I see with the programs that aren’t turning out prepared students are the people who are teaching them.”
The issue is some academic programs are not preparing their students for a career in the digital forensic and incident response fields. I’m not talking about skills such as students not being able to run tool XYZ since this can be easily addressed through training. The deeper issue is students not being able to analyze and evaluate DFIR problems to come up with solutions. Like Eric, I don’t fault the students to a certain degree. The blame goes to the academic programs that are hastily putting together information security and digital forensics programs to jump on the bandwagon.
As practitioners in this field we have a choice to make. We can either continue on with not hiring students coming out of these programs, ignoring their requests for homework answers in forums, or be irritated about those doing a disservice to our field by being unqualified and doing casework. Or we can do something different; we can try to change it by being involved with academia and sharing our insight/expertise to improve the curriculum. When I was presented with the opportunity this is what my decision came down to. My choice was simple; to use my ability to put together a course that helps students in their careers in the digital forensic and incident response fields. In the words of Jon Rajewski about why this should matter to all of us; “they are the future generation of digital forensic / incident responders”.
Why Academia and Not Training
My decision to start my journey into academia wasn’t solely to help those entering the DFIR field. I also wanted to help provide curriculum to benefit those already in the field. At the time I had an idea about why training wasn’t an option but I couldn’t quite put my finger on it. That was until I started looking into the differences between education and training. The difference is illustrated in Peter Fabri’s story when he went back to graduate school. He contrasted the two by saying “training is concerned with acquiring a skill” while “the aim of education is broader than training”. He went on to say education “strives to prepare learners to be analytical thinkers and problem solvers by facilitating the learning of principles, concepts, rules, facts, and associated skills and values/attitudes”.
It might be more helpful to put the difference between education and training in the context of DFIR. The paper Computer Forensics: Training and Education compared the difference as saying training "has the goal of training students for an occupation within the computer forensics field". The paper further states “training is also limited in that it focuses students’ attention on current techniques and methods rather than processes”. On the other hand, the paper explained education “destines to educate students on the needed capabilities but goes a step further in attempting to teach the students a greater level of detail on the goings on behind the scene”.
Continuing on exploring this difference is the article Education versus Training: Selecting the Right Lifelong Learning Experience (I highly recommend reading this article). As it relates to training the article explains:
“The bottom line is to seek training to acquire skills and knowledge for short-term advantage. Training brings the learner up to the level of others in the industry and will tend to make them the same as the experts they seek to emulate”
As it relates to education the article says:
“Education is different. It should be used to acquire a mindset not currently owned or to deepen a mindset already possessed”
“Education broadens the learner, makes him different from everyone else and helps him think in his own way to solve problems that have not been solved before. Of course educational programs include training in the skills and knowledge of the discipline, but they go further to develop thinking abilities, attitudes and behavior patterns that might be classified as a mindset. In this sense, training programs do not include education but education programs often include training.”
The key difference between education and training as it relates to digital forensics and incident response is one’s goal is to equip the learner with the skills, techniques, and methods to tackle a known problem while the other’s goal is to develop the learner into an analytical problem solver to tackle any problems they may face. To illustrate this point it might be helpful to share two experiences I’ve seen in my career. Numerous people in DFIR have attained most of their skills and knowledge through trainings and they weren't developed into analytical thinkers through a formal education. At times this puts them at a disadvantage.
One day I was leading a local forensic group meeting, walking them through an analysis on a test image. I wanted everyone to participate so I provided an option to use free or open source digital forensic tools. As I was going through the analysis someone in attendance said “I could do this if I had ‘insert commercial forensic tool here’”. This person wasn’t approaching the analysis as a problem solver and saying what tools can help me carry out my process. Instead they fell back on their training and without the tool they were trained on they were helpless.
Another example is one I see online. In these instances it’s people who are new to finding malware on systems but they have recently completed some training on the topic. They have a system where they must find malware. In an effort to use their newfound memory forensic skills they try to virtualize the system, dump the memory, and then try to analyze the memory to find the malware. This is a good technique but they never take a step back to look at the problem they must solve and the process to use to solve the problem. Again, they fall back on their training to try to solve what they are faced with.
This key difference is why I felt more aligned with academia with trying to educate others into the DFIR mindset as opposed to instructing others on a specific skill. As the Education versus Training: Selecting the Right Lifelong Learning Experience article states I wanted the learners to be “acting after deep thought and analysis; broad” instead of “acting out of new habits and skills; narrow”. I wanted the end result to be “makes you different from others, thoughtful and mindful, educated” and not “make you the same as others with the same training, measure up”.
These were the two primary reasons why I started my journey into academia; why I’m using my DFIR practitioner mindset and skill set to be a DFIR educator. The other perks such as research resources and extra income were just icing on the cake.