Wednesday, June 23, 2010

A Picture is Worth a Thousand Words.

Figure 2: Simple-minded frame-of-reference example (image via Wikipedia)

Explaining technical information in any field can be a challenge. As many of us have experienced throughout our education, sometimes the most brilliant of people make the worst teachers. An expert may be extremely proficient and capable in their field, but unable to explain technical information to non-experts in a way they can understand.

This is probably okay if you are a brain surgeon or a rocket scientist. It is not okay if you are a forensic expert, primarily because we are required to explain our methodologies and findings to non-experts on a regular basis.

As digital forensics experts, communicating effectively with those whom we rely on to build the framework of our examination is a requirement, not an option.

As an attorney explains to me the framework of a case, I must be able to see the places where my expertise can be of use. If I cannot relay back to the attorney why certain digital information is of value to the case, how it can be used, and what it means, then I am not doing my job.

Becoming adept at explaining technical information with language in a way that non-experts can understand is a skill that every digital forensic examiner must learn. This skill requires much practice, discipline, and experience. It also requires the expert to truly be an expert in the subject they are attempting to explain, because a person cannot adequately teach something they do not fully understand.

While the above paragraph paints a somewhat daunting picture, there is hope. When explaining technical information, it is best to provide your listener with as many visual aids as possible.

One of the biggest challenges in explaining technical concepts to a non-expert is finding a common ground from which to begin. It helps to use not only verbal analogies, but visual ones as well.

Enter the explanatory image or diagram.

Below are some images I have made to explain the difference between what is gathered in a logical acquisition vs. a physical acquisition. I happen to use Photoshop because I have years of training and experience in using this software, but a simple paint diagram can be just as effective. We have been using stick figures for thousands of years to relay information.

I use these images to give me a starting point where both the non-expert and I share a common frame of reference. Pretty much everyone is familiar with an old-fashioned filing cabinet. I have dozens of such illustrations that I have made and packed away for when I need them, and they can be especially useful in court and for CLE classes.

The first image below is used to explain a logical acquisition by showing that all you will be retrieving is files and documents in a file directory, just like reaching into a filing cabinet and pulling out the files and folders you are interested in.

The second illustration is used to explain how a physical acquisition can be used not only to get the same files and folders shown in the first illustration, but also to get back information that has been deleted.

I equate the recycle bin on the computer to the wastebasket in the picture. This shows how tossing a file in the recycle bin on the computer is just like tossing a piece of paper in a wastebasket. You can just reach in there and get it right back.

The paper shredder is how I explain unallocated space. The deleted information is still in the computer on the hard drive, but you have to find all the pieces and electronically tape them back together, just like you would find the pieces in a physical paper shredder and tape them back together to reassemble a document.

I have found this method very successful in communicating technical concepts to non-technical people. Even if they don't use a computer at all, they can still understand this because they have a reference point they can relate to in their experience.

Lars Daniel
Digital Forensic Examiner and Forensic Artist
