SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Failure and Frustration — Real Learning

This week I've got a short rant about education and a link to an interesting video on the subject. One of the best ways to really learn something is to teach it. If you think you haven't got any knowledge worth sharing, well, you're probably wrong, but there's a list of research projects in the links, so get cracking and get to sharing your knowledge.

Speaking of sharing, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, please send it to

Good reads and such:

  • Doug White released the results of his Digital Forensics Certification Study.
  • Kristinn Gudjonsson had a post recently on Updating log2timeline on the SIFT workstation. This should be very useful as Gudjonsson keeps extending the tool.
  • For those who want to contribute to the community through interesting research, but who can't think of a specific research project, here's a nice list of projects intended for digital forensics students hosted over at Forensic Focus, and there are links from there to other research ideas from other sites. Get to it!
  • Ig's blog released a series of great posts on Volatility. There's a convenient link to the whole series.
  • Every year at this time SANS has a tradition of posting predictions for the next year. This year's post is titled Security Predictions 2011 & 2012 - The Emerging Security Threat.
  • Lastly, I came across this wonderful presentation from Dr. Tae called Building a New Culture of Teaching and Learning.

    As I watched the presentation, I thought of my own experience in university and how it compared to Dr. Tae's presentation and how it compares to a typical SANS training course. Dr. Tae goes through several points about why education is broken, including the fact that schools do a poor job of hiring good teachers, the instruction is impersonal and not hands-on, etc.

    Now, I'm biased because I do teach for SANS, but even before I was involved with SANS as an instructor, I was a student attending the training. SANS does a great job of hiring phenomenal instructors, but they are not full-time instructors; they are practitioners who also teach. Every time an instructor teaches, they are evaluated by the course attendees. If the attendees don't rate the instructor as exceptional, the instructor may not last long.

    SANS courses are hands-on. Students get their hands dirty, so to speak, through a variety of practical exercises. Oftentimes, these exercises involve concepts or tools that are completely foreign to the students, and that can lead to frustration and failure. But as Dr. Tae points out in his video, we learn through trial and error and trial and error and trial and error... Real learning involves failure.

    As Rob Lee, the lead for the SANS Forensic Track, says, if you're not frustrated during a course you either know the material already or you don't care. Being frustrated means you're learning.

    I also like that Dr. Tae touches on what makes someone an expert. Just because a student gets an A in a course does not make them an expert. Just because you've taken a SANS course and aced the corresponding GIAC exam does not make you an expert. The course and the certification are only the beginning. Mastery of anything takes thousands of hours of work.


  • For those who have ever received (or sent) a puzzling text message from an iPhone, there's an auto-correct hall of shame called Damn You Auto Correct. Be warned: though the content is all screenshots, some of the text may be NSFW.

Coming Events:

Digital Forensics Case Leads for 20101202 was compiled by Dave Hull. Hull is a SANS Community Instructor, incident handler and digital forensics practitioner in a Fortune 10000 corporation (and sometimes at large). If you have an article to suggest for the Digital Forensics Case Leads please email it to