M. S. Olivier. "Combining fundamentals, traditions, practice, and science in a digital forensics course". In: South African Computer Lecturers' Association Conference 2014 (SACLA 2014). Port Elizabeth, South Africa, June 2014


Digital forensics is still in a transition period from being a craft practised by technical people, to a science that can provide scientifically justifiable answers about root causes. The problem faced by the educator is that limited time is available to teach a course that is inherently multidisciplinary (including facets of technology, science, law and reporting). The specific concern addressed by this paper is the fact that some rather detailed procedures have developed over the years around the digital forensic craft; while it is not the intention of this paper to dispute the value of those procedures, a course presented in a limited time (such as a semester) may be consumed by the craft and not provide an opportunity to consider the scientific aspects (that are indeed still in their infancy, but that are essential for the future of digital forensic science).

Note that the inherited terminology of a previous era is still important. Some of the old techniques are still valid and practical, and continue to be used. However, where the validity or practicality of older techniques is beginning to be questioned (if not rejected outright), new developments often occur against the backdrop of the older techniques — and therefore the terminology and other details related to older techniques still need to be studied in order to comprehend new developments.

The thesis of the paper (as well as that of the course the paper describes) is that, while digital forensics necessarily focuses on details, it is possible to create an environment with reduced (but still realistic) complexity. By removing details it should be possible, the paper contends, to design a course that covers a greater scope of topics without sacrificing the inherent detail-oriented nature of digital forensics.

More specifically, the paper proposes a course that employs a breadth-first approach that, as briefly as possible, explores the scope of digital forensics, but in a realistic rather than abstract context. Whereas most courses have to choose between breadth and depth, this paper seeks to find a trade-off that achieves sufficient coverage of the subject area in sufficient detail during, say, the first half of a semester. In the second half new developments — in particular in digital forensic science — may be explored, with the students able to contextualise such forays while appreciating the low-level complexity inherent in such a new development.

The paper considers the requirements of using a simplified environment. It concludes that a category of textbook, a specific product (such as the Raspberry Pi) and an acute awareness of new developments in the field can be used to establish a suitable environment.

The course described in this paper was tested in 2013 — not for the sake of research, but as a practical solution to a dilemma that educators increasingly face as the scientific part of digital forensics develops. The course yielded some unexpected benefits (and challenges). The nature, rationale, unexpected benefits and challenges are presented in this paper as a case study. Formal research is required to confirm the envisaged and informally observed benefits and solutions to challenges.

