CCL analyst Jason Dickson shares his thoughts on one of CCL’s most exciting initiatives in recent years – a partnership with Cranfield University to deliver a new MSc course in digital forensics.
Jason Dickson writes:
When it was announced that CCL Forensics would be creating and presenting an M.Sc. Course in Digital Forensics at Cranfield University, the news provoked a mixture of reactions. While many of us were apprehensive at the scale and nature of the challenge – and the responsibility – of helping to prepare a new generation of forensic analysts for the task of navigating the fast-evolving world of computer forensics, we were also excited by the opportunities such work would create for CCL Forensics and ourselves.
In late 2021, we threw ourselves into the business of writing the lectures for the MSc course. As I did, I became keenly aware of the amount of material we had to cover, how much knowledge each of us has acquired over years of service to the company and, speaking for myself, just how much rummaging I had to do in the dank cobweb-draped recesses of my memory to recover details I needed to commit to PowerPoint pixels. For it is true that many of the forensic artifacts I needed to explain in the course of my lectures are nowadays routinely recovered, parsed and presented by the big forensic platforms, each one of which vies with its competitors to become the One Button Forensic Solution.
But as we have been at pains to explain to the students throughout the course, the tools are not infallible and if their data is challenged, we need to be able to explain the underlying structures even though they can be interpreted by big number crunching forensic programs. And so we have had to pick up old nuggets of knowledge, wipe away the accumulated grime of disuse, and present them as polished shining pearls of wisdom to our audience.
Much of the coursework is drawn from our own day to day usage, but reference to colleagues and older, prior educational material has helped fill in the gaps, if not in our own knowledge, at least in the place in the forensic ecosystem occupied by the information. It may not happen very often that we need to rebuild a partition from FAT tables or $MFT records – EnCase, X-Ways and other programs have been merrily doing that for us for years – but if a defence counsel were to say, “Yes, but how can you actually say that this folder structure in this handout is accurate?” we need to be able to explain how headers and bitmaps and FAT chains and $DATA entries result in the diagram that counsel is objecting to.
If writing, re-writing and QAing of our lectures and practicals is challenging enough, presentation offers a much more personal set of problems. Not everyone is a natural public speaker. But everyone can at least give it a go. Whether one presents a lecture while referring to one’s own personal prompts on a notepad, or just cuts loose with a ‘stream of consciousness’ adlib delivery, generously larded with real-world anecdotes, the key objective is to get the knowledge into the mental toolboxes of the audience. An important part of that objective is the ability to ‘read the room’ and tailor delivery to suit the needs of the students; this is possibly the most difficult part of the task.
The project has presented us with some steep learning curves. To transition from practitioners to lecturers and course creators represents a level of involvement we have not experienced before. We have, of course, devised and presented internal training for CCL’s own use, and in our TALC and Mobile Bootcamp courses we have created structured and holistic training regimens; applying this experience to a course as important and wide-ranging as a Masters degree course has proven a challenge, but one which we have enthusiastically engaged with, we hope, excellent results.