Reducing Time to Competency: A Trainer’s Look at Different Learning Approaches
By Danny Norris, Forensics Trainer
Time to evidence is a concept most of us are familiar with. It expresses the idea that, when conducting an examination or analyzing intelligence, the quicker we can find answers to our questions, the better.
Digital forensics training can be thought of in the same way for new examiners. What is the best and fastest way to become a competent examiner? What is the best way to train individuals with various learning styles? How do we reduce that time to competency?
The Myth of Theory-Based Training vs. Tool-Based Training
Like many other examiners, I was a criminal investigator with no understanding of computer science or data storage concepts when I started my digital forensics journey. Thankfully, I’ve seen a trend of law enforcement agencies hiring individuals with a background in computers. For me, I started by speaking with examiners from other agencies, started to get good at Google-fu, and began consuming YouTube videos, podcasts, and books while seeking out formal training.
I learned there were two different perceived concepts of training in the digital forensics community: “theory-based training” and “tool-based training”.
I was repeatedly told theory-based training, provided by a neutral organization, was better for new examiners, while tool-based training was better for more experienced examiners. I thought this made sense at the time and bought into this concept completely. Over the next several years, I attended training that I perceived as theory-based. Eventually, when I found myself in the position of having to lead and mentor other examiners, I also recycled this theory-based training ideology.
Since becoming a full-time trainer at Magnet Forensics, I have learned just how very wrong I was.
Theory-based vs tool-based training is a myth which needs to be completely and entirely dispelled. Simply put, you can’t teach theory without using software and you can’t teach software without providing the theories behind how it works. Quality training must provide both.
Finding New Ways to Teach Complex Concepts
As a forensic trainer, I am always looking for new and better ways to teach complex concepts as simply as possible. Sometimes I find inspiration in unexpected places.
My sons participated in marching band, and each year I was in awe of how quickly and efficiently they learned their show. Band leaders take one hundred or more teenagers and within just a couple of months teach them a precision-required routine while memorizing complex music.
How is this accomplished?
The answer is, from day one of the marching band season, they are on the field actively engaged in the process and coaching each other through the routine. There are no long-winded lectures that allow their minds to drift or forgettable PowerPoint presentations. They are actively engaged with their instruments as more experienced teammates guide them throughout the learning process.
This should be no different for students learning digital forensics. Students should have constant interaction with data, using the forensic tools they use daily, with the guidance of experienced examiners.
Focusing on What Matters
I have attended training that utilized an unnecessary number of tools which overcomplicated issues.
Too much time was spent teaching the user interfaces and the instructor's preferred settings versus highlighting the value of the data to an investigation. This was especially frustrating when I attended a class listed as advanced. I wanted a deeper dive into the data but instead I was learning how to use another tool.
Different tools were often introduced just to illustrate a point without having a practical use in the real world. I would then return to my lab and struggle to remember what tool was used when and what settings the instructor recommended to best leverage its capabilities. This led to frustration and a lack of confidence.
I have also tried to mentor someone using software they received at a training that wasn’t used in our lab. I didn’t recognize then that a more efficient method would have been to learn the concepts and real-world methods needed while using the software I worked with daily.
Additional Tools or Additional Concepts?
What about additional tools to validate your primary tool? An examiner’s time is best spent analyzing the data in search of answers as they relate to a topic of concern. Validation is extremely important, and I submit that it is best done by reviewing the source of the data, not by simply comparing the results of two different tools.
Your primary tool should have the ability for you to easily navigate to the source location so it can be validated. Magnet AXIOM does this well, and within seconds you can validate any artifact as you conduct your analysis. Time spent repeatedly teaching a new examiner how to interact with various tools can better be spent reviewing the registry, databases, plists, JSON and XML files, and file systems. Knowing these concepts is where new examiners gain their confidence with their tools of choice.
Once I understood that I didn’t need to process evidence twice, I was able to more efficiently clear cases and better provide investigative teams with actionable intelligence.
Magnet Forensics Training
I never realized there was a better way until I joined the Magnet Forensics Training team. Our team is very focused on providing training that closely resembles what examiners do in the real world. Through a variety of courses, examiners will not only learn how to best leverage Magnet AXIOM and our other products, but they will also learn the fundamentals of digital forensics and principles of data storage. We teach methodologies to approach and review evidence, which helps students become more effective in an environment of ever-increasing volume. In our advanced courses it is presumed the students understand our tool, which allows us to focus on that deep dive into the data.
Magnet Forensics courses are designed with an understanding that one size does not fit all and there are a variety of ways adults learn. There are no long-winded lectures or forgettable PowerPoint presentations. Instead, students will work with data using the tools available to them in their own labs. They will simultaneously watch and listen to an experienced examiner as they work with the data themselves. Students will also be provided with material they can review at their own pace.
We offer in-person, virtual, and online self-paced courses. Our in-person courses are for students that learn better with group interaction in a team environment and are the best option for networking with other examiners. Our virtual classes offer students the opportunity to learn during live instruction while in their own environments, and our self-paced courses work well for students that learn best without the pressures of having to keep up with other students.
At Magnet Forensics, we genuinely care about the success of our students. When class ends, our relationships continue. Each instructor believes that students deserve our support as they progress in their careers not only with our products but also with their case work. We have a saying: students get us for life.
How a Training Annual Pass (TAP) Can Help
So how long does it take to become a competent examiner? With a Magnet Forensics Training Annual Pass (TAP), an examiner can start with no prior exposure to digital forensics and within one year have the skills and knowledge necessary to be successful.
A TAP allows students to pay a flat price and, for the next twelve months, they can attend any of our world-class in-person, online instructor-led, or online self-paced courses. They can attend classes more than once if needed or desired. A student may take a class online but then later want to attend the same class in-person to network or bring additional questions to an instructor or other students. This is possible with a TAP.
Students also have the opportunity to earn four different certifications, at no additional cost. Certifications showcase an examiner’s expert-level competence to peers, internal stakeholders, and external audiences, including legal teams or clients.
Highlights of Training With Magnet Forensics
- Training that is consistent with real-world examinations.
- Training that accommodates a variety of learning styles.
- Utilization of the tools available to examiners in their labs.
- A deep understanding of digital forensic concepts and methodologies.
- A cost-effective solution to receive a vast variety of training.
- Time to competency reduced to within one year.
- The opportunity to earn four different certifications at no additional cost.
Recommended Training Path for Law Enforcement
- FORENSIC FUNDAMENTALS (AX100)
- MAGNET AXIOM EXAMINATIONS (AX200)
- MAGNET AXIOM ADVANCED MOBILE FORENSICS (AX300)
- MAGNET AXIOM INTERNET & CLOUD INVESTIGATIONS (AX320)
- MAGNET AXIOM ADVANCED COMPUTER FORENSICS (AX250)
- DIGITAL VIDEO INVESTIGATIONS WITH DVR EXAMINER (DV200)
- MAGaK (Magnet AXIOM & GrayKey) ADVANCED iOS EXAMINATIONS (AX301)
- MAGNET AXIOM macOS EXAMINATIONS (AX350)
- MAGNET AXIOM TO MAGNET AXIOM CYBER TRANSITION
- MAGNET AXIOM INCIDENT RESPONSE EXAMINATIONS (AX310)
Recommended Training Path for Corporate
- FORENSIC FUNDAMENTALS (AX100)
- MAGNET AXIOM EXAMINATIONS (AX200)
- MAGNET AXIOM TO MAGNET AXIOM CYBER TRANSITION
- MAGNET AXIOM INCIDENT RESPONSE EXAMINATIONS (AX310)
- MAGNET AXIOM macOS EXAMINATIONS (AX350)
- MAGNET AXIOM ADVANCED COMPUTER FORENSICS (AX250)
- MAGNET AXIOM ADVANCED MOBILE FORENSICS (AX300)
- MAGNET AXIOM ADVANCED iOS EXAMINATIONS (AX302)
- MAGNET AXIOM INTERNET & CLOUD INVESTIGATIONS (AX320)
- DIGITAL VIDEO INVESTIGATIONS WITH DVR EXAMINER (DV200)
Magnet Forensics Certifications
- Magnet Certified Forensic Examiner (MCFE) Prerequisite: AX200
- Magnet Certified macOS Examiner (MCME) Prerequisite: AX350
- Magnet Certified Cloud Examiner (MCCE) Prerequisite: AX320
- Magnet Certified Video Examiner (MCVE) Prerequisite: DV200