Monday, March 16, 2009

Sunday, March 01, 2009

Forensic Focus survey results

676 people completed the recent Forensic Focus survey and of those a large number included comments and suggestions in addition to answering the 9 questions. The first thing I'd like to do is to thank all respondents for their time and I'd also like to assure everyone that each answer, comment or suggestion has been read carefully - in fact, they've been read a number of times over the past few weeks. In addition, I thought that readers might be interested in the results of the survey (in broad terms, together with my own thoughts) and what those results may mean for the future direction of the site. So without further ado, let's get started:

Q1. What were your main reasons for registering an account at Forensic Focus?

The most common answer was the forums, with the newsletter and downloads section in second place rated almost equally.

Q2. How important for your own needs are the following sections at Forensic Focus?

Unsurprisingly perhaps, given the previous answer, the forums were ranked as very important by most respondents. I was interested to see that papers and articles were the next highest priority. The newsletter and daily news (i.e. homepage news items and RSS feed) ranked just a little below this with training/education links next. Still important but a little less than I had expected were interviews and job vacancies. The remaining options (e.g. events calendar, email group, LinkedIn group and videos) were all rated as somewhat important.

Q3. What computer forensics qualifications or certifications do you hold or intend to pursue?

The results here suggest that a college or university degree at Bachelor's level are the most common qualifications held (with an MSc also quite popular in terms of current uptake and future intentions). Interestingly, the CCE and GCFA qualifications were less well represented than I had expected in terms of those who currently hold these qualifications but this was somewhat balanced by the figures which suggest they're high on the to do list for a lot of people in the next 12 months. What about training from the big 3 forensic software vendors (Guidance Software, Access Data and X-Ways)? Taking Guidance and Access Data first, the overall figures for Guidance were somewhat higher but for each company about half those who responded had taken training already and about half intended to do so in the next 12 months. The total figures for X-Ways were lower, especially as far as those who had already undergone training were concerned, but there was a strong showing in people intending to take X-Ways training over the next 12 months - not as many as those planning to train with Guidance or Access Data but certainly enough to suggest that X-Ways training is attracting a lot of interest.

Q4. How would you rate your current level of knowledge/expertise in the following areas?

As might be expected, collection/imaging, analysis and presentation skills were rated highly. Standards and legislation knowledge was rated as good and forensic laboratory management expertise was rated somewhere between average and good. The only other option, mobile phone forensics knowledge (handset/SIM/cell site analysis) was rated as below average to poor.

Q5. How much would you like to improve your expertise in the following subject areas in the next 12 months?

I think that this question and the next are the most relevant as far as the future of Forensic Focus is concerned. So, what skills are people most interested in developing? The simple answer to that seems to be...all of them! Every option presented received overwhelming support. Now, in a sense, that's not too surprising given the way the question is phrased, it almost goes without saying that any skill is something which people would like to see improved upon. With that said, a detailed look at the figures does reveal some interesting information. Firstly, if I had to pick one answer where the responses were ever so slightly less enthusiastic than the others it would be forensic laboratory management, but keep in mind that the overall desire to improve in this area was still very high. I think most of us would understand and expect this to be the case, I don't think we're at the stage yet where managing a lab is the primary ambition for most people working in the field, the greatest motivation for most practitioners is still probably the investigative process itself rather than higher level management. What else do the figures reveal? There are three main things which stood out: 1) Even though confidence in existing skills is high (see Q4) there's no evidence of over-confidence. On the contrary, continual improvement seems to be the highest priority for nearly all who completed the survey. 2) Enthusiasm for expertise in the areas of standards and legislation is just as high as for more technical matters (imaging, analysis, etc.) I was a little surprised by this, perhaps unfairly I had expected there would be a difference. 3) The desire to improve knowledge of mobile phone forensics was very high, in fact it was second only to computer analysis by just a few percent. In light of the related result for mobile phone forensics in Q4 I think this suggests there's a perceived demand for this skillset. The results for Q8 in relation to mobile forensics seem to confirm this.

Q6. How much would you like to see the following suggestions implemented at Forensic Focus?

This was very revealing and provided the clearest insight yet into what members would like to see at Forensic Focus in 2009. The results basically break down into two categories, those things people very much want to see either added or more of and those which they're still in favour of but to a slightly lesser degree. In the first category (i.e. things people *really* want to see) were reviews, article/papers, standards and online/distance learning. In the second category (i.e. still keen on but slightly less enthusiastically) were interviews, job vacancies/career guidance, research into psychological effects of computer forensics, conferences, competitions and a podcast.

Q7. Which option best describes your current employment situation?

No big surprises. Most respondents work in either law enforcement or as company employees, with consultants and students making up the bulk of the rest of the numbers.

Q8. How often do you examine the following evidence sources as part of your job?

This is another revelaing section. PCs/workstations, laptops/notebooks and USB flash drives/thumb drives were clearly the devices which are most often the subject of examination. Servers were then next on the list. Those devices which were least often examined were network devices (e.g. routers, switches), tape drives, portable entertainment devices (e.g. MP3 players, iPods) and game consoles. So far so unsurprising. What did strike me as interesting though were two figures: 1) PDAs (e.g. Palms, Blackberrys) were rarely or never examined by a significant proportion of respondents (I had expected them to be examined quite often) and 2) Mobile phones were examined somewhere between "sometimes" and "very often" by 45.6% of respondents. This struck me as an unusual figure given the number of people who had previously rated their knowledge of mobile phone examination as very poor but it would explain the high figure of those looking to improve their skills in this area.

Q9. Overall, how satisfied are you with Forensic Focus as a computer forensics resource?

91% of respondents were positively satisfied with Forensic Focus (the largest proportion of responses gave the site a mark of 6 out of a possible 7). 8% were neutral.

Q10. Additional comments or suggestions

A large number of people who completed the survey chose to enter comments in this section. On a personal note, I have to say I was overwhelmed by the number of positive comments left here - thank you all for your kind words, they're greatly appreciated. I was as surprised as I was delighted to hear that many people use Forensic Focus as their main or only channel for staying up to date with computer forensics issues. On a practical note, there were many useful comments and suggestions about what people like (or don't like) about the site and what they'd like to see added or improved. It's difficult to summarize things succinctly, some people wanted to see more of one thing and less of another while others wanted to see the exact opposite, but one theme seemed to be repeated with more frequency than any other and that was a desire for training/educational material built specifically to address real world scenarios.

Summary (or, where do we go from here?)

The first thing which struck me as the results of the survey started to come in was that this really is something I should have done a long time ago, it's a great way of taking the pulse of the membership and responding to their needs. I'm definitely going to make it a yearly event so expect to receive an email from me in about 11 months from now for the next one!

What have I discovered? Firstly, there's a huge appetite for learning - an appetite which doesn't seem to be diminished by any form of complacency, no matter how experienced the individual happens to be. Although the forums are the most popular area of the site this wasn't because people wanted to socialise or network, it was because that's where a lot of questions were answered. Secondly, although the forums are useful there's a desire for more structured learning with many people suggesting that it should be delivered online (as opposed to in a classroom). I think the benefits of online course delivery are clear in many cases but I suspect that because Forensic Focus has a global membership there's a significant proportion of members for whom distance learning is the only real option. Next, reviews (of software, hardware and training), articles/papers and standards are far more important to members than I had previously appreciated. Finally, there's a genuine sense of community and goodwill amongst the membership in relation to the Forensic Focus site and while I'm proud to have been involved in getting us to where we are now I also recognise two very important things - firstly, sincere thanks are due to all members for making the site what it is today and secondly there's a huge responsibility involved in taking us forward, what people learn from Forensic Focus can and most likely will be applied in situations which have the most serious consequences for those involved.

My thanks once again for everyone's participation in the survey - 2009 should be an interesting year!

Kind regards,