Industry News

Meet Magnet Forensics’ Training Team: Hoyt Harness

We’re continuing our “Meet the Forensic Trainer” series this summer with an introduction to Hoyt Harness, who joined the Magnet Forensics Training Team in August. Hoyt’s extensive instructional experience began in the US military and continued through the civilian law enforcement world, a great foundation for being a Magnet Trainer. Read on below!

Want to learn more about what courses are offered? Visit our Training & Certification page for more information.

MF: Tell us about your life before becoming a Trainer.

HH: I’m from Jacksonville, AR and retired as a sergeant with the Arkansas State Police after 21 years of service. The last 16 years of my career was spent organizing and supervising the Cyber Crimes Unit and Computer Forensics Lab. I was also tasked with organizing the Arkansas Internet Crimes Against Children Task Force (ARICAC).

Before my time in Cyber, I was a covert narcotics investigator and a SWAT sniper. Before the state police, I spent 5 years in the US Marines, another 7 years in the US Army, and a couple of years as a patrolman and narcotics detective for a local Arkansas police department. I’ve spent the past year running my own cyber investigation and digital forensics firm.

MF: What made you want to be a Trainer?

HH: I’ve been both a military and police instructor for the past 29 years and I absolutely love doing it. I also love cyber investigation and digital forensics. I’ll never be as good as I want to be or know as much as I want to know, but I’ve spared no effort in learning as much as I can and sharing what I’ve learned with others.

I serve on curriculum advisory boards for two Arkansas colleges, Arkansas State University at Beebe and Ozarka College in Melbourne. Even after retirement I’ve continued to teach digital forensics courses for the University of Arkansas’ Criminal Justice Institute. At this point in my life, I know it’s what I was put here for.

MF: What type of training have you taken part in personally? What is your favorite part of the role?

HH: Speaking only about cyber and digital forensics courses, I’ve attended over 1,144 hours of formal training, not to mention the countless hours I’ve spent on my own researching, testing, and validating. As a trainer, I’ve created training materials and courses ranging from simple self-navigating slide shows about how to read email headers to full courses covering everything from on-scene triage to final reporting.

I don’t think I have a favorite part per se. I really like preliminary research and course development, but I also like the open discussion and interaction of the classroom. It would be too hard for me to pick out just one area that I truly favored above the others.

MF: What excites you the most about a new class?

HH: The chance to earn their respect. That sounds like a pat answer, I know. What I mean is that I don’t walk into a classroom with the expectation that anyone owes me respect or favor just because I’m the instructor. I work to earn their respect and give them plenty of opportunities to earn mine. I admit when I’m wrong and say so if I don’t know the answer. When I do know it, I work hard to help students know as much about the topic as I do. I can usually tell when a class has decided that I’m okay and have something worth listening to. That’s what excites me most.

MF: Do you ever learn anything from the students?

HH: I’m a firm believer that anyone can learn something from anyone else. Every person you meet knows more about something or is better at something than you. We all have strengths, weaknesses, areas in which we may be very knowledgeable, and areas we could use help.

Being with a new group of people from diverse backgrounds and levels of experience affords me opportunities to learn from them and hone my teaching skills at the same time. It also expands my network.

I remember a time when it seemed most of the digital forensic community knew each other. It’s grown by leaps and bounds since then, and I value every opportunity I get to meet others, especially practitioners new to our profession.

MF: Is there a particular moment that stands out the most to you in your career in the classroom?

HH: There’s something that has happened several times and I hope it happens again. I won’t name any names here, but I will say that hearing your words in the mouths of those you taught long after the course has completed has to be a crowning achievement for any trainer. Honestly, there’s no paycheck that can compete with that.

The old saying goes, “Give a person a fish and feed them for a day. Teach them how to fish and feed them for a lifetime.” I’ll add to that by saying, “Teach them in a way that that enables them to teach others and you feed everyone.”

MF: What do students get out of training in person that they can’t get on their own?

HH: Learning on your own is a viable path toward self-improvement, I won’t argue that. Much of what I know was learned that way.

Attending in-person training, on the other hand, opens up new dimensions that just can’t be realized on your own. Opportunities include learning from peers, testing your ideas by asking questions, relating the material to real-world experiences shared by others, professional networking, etc.

I think today’s forensic practitioner must make the most of opportunities to attend classroom training, supplementing that with self-study. Further, they should also seek out and attend online self-paced and online instructor-led training as well. Our technological world moves fast and simply won’t wait for us if we don’t take advantage of every opportunity.

MF: How prepared do you feel students are to use Magnet Forensics products after taking the training course?

HH: I’m pretty new here, having only been working for Magnet about a month as of the time of this writing. Magnet Forensics tools such as AXIOM, ACQUIRE, RAM Capture, Process Capture, and others, are very intuitive tools to begin with.

Even so, the overarching thing about our training philosophy that was obvious to me from the moment I walked in the door was that the purpose of the training team isn’t to simply teach students which buttons to push.

Instead, Magnet Forensics training courses provide the technical detail a practitioner requires so they understand both what the tool is doing and why that’s important. We cover necessary computer science and generic digital forensic topics, together with detailed information on tool usage.

We do this so that every student who completes one of our courses can feel confident that they’ll not only be able to effectively and expertly use Magnet Forensics software when the course completes, but be able to test it, validate it, and provide expert testimony about their work in a court of law.

Our software is used globally in the most serious of cases involving the greatest of consequences. The world needs Magnet Forensics-trained professionals to be the best there is. Our integrated approach to training and software makes sure they are.

MF: What is most unique about Magnet Forensics’ approach to training?

HH: The most unique aspect about Magnet Forensics training is also what I find to be the most appealing. We focus on helping students become as knowledgeable and proficient as they can, not only with our tools, but as digital forensic practitioners generally.

For example, a prospective student might get the impression that our AX100 course is a basic AXIOM information course that can be skipped in favor of the higher level AX200 course. This might be a rash decision, however. Because AX100 is foundational doesn’t at all mean that it’s basic and simple. We’re fitting as much digital forensics knowledge into a week as other organizations fit into two weeks.

Magnet training philosophy absolutely wants every practitioner to be as good with our tools as they can possibly be, so we devote the classroom time necessary to achieve that. Even so, artifact-level forensics expertise is what’s most important and every course reflects this ideology in the exact same way our tools do.

An AXIOM user can make the most of automation and intuitive connections made by the software, but there are always multiple ways to get even to disk level views from any other view in the user interface.

Our software and training consistently emphasize the data and telling the story the evidence wants to tell. As a Magnet student myself, I came away with a reinforced knowledge of digital forensic truths that clearly separated me from the push button examiner crowd.

MF: Why do you think certification is important to examiners?

HH: In my mind, certification is important for two reasons: practitioner validation and credibility. Digital forensic professionals know that they must validate their tools to verify that they do what they’re supposed to do.

The last couple of decades has demonstrated that this concept applies to us as practitioners, also. Much of what we understand about computer science and digital forensics is theory-based. This means that something we theorize about may not have been proven to be absolute fact, but so far we’ve failed to find a condition that disproves it, therefore our theory works.

At the examiner level, on the other hand, we might have a flaw in our workflow process or have misunderstood something that so far seems to still work for us, even though it’s wrong. Failing to recognize that the concepts of clusters, for example, does not apply at the physical disk level probably won’t cause a forensic exam to fail or be wrong in its conclusions, but still shouldn’t be passed on to other examiners as knowledge.

Worse yet, we might be called to the stand to explain something that, until that moment, we didn’t realize we didn’t fully understand. This has happened more than once in real-world cases.

Certification crucibles like Magnet training courses combined with the Magnet Certified Forensics Examiner (MCFE) help to correct the validation issue before things turn disastrous by providing practitioners an unbiased appraisal of their practical skills and knowledge.

The MCFE also provides a tangible means for practitioners to confirm their expertise in courtrooms all over the world. Every digital forensics professional who has ever given expert testimony in a court of law was subject to intense scrutiny before being qualified to render opinions. Magnet Forensics goes a very long way toward easing the burden of proof for our examiners via our training and MCFE.

MF: How do you manage to keep up on the latest trends in digital forensics?

HH: I love this profession and believe very much that it’s my mission in life. I read books, professional publications, blogs, and more on a daily basis. I love to experiment, so I’m constantly trying and testing new things that allow me to learn from doing.

I also enjoy a pretty broad range of interests that help with general knowledge, too. I keep up by sharing what I know with others and exposing my theories and experiments to the world for critical feedback. You need thick skin to do that, but it’s worth it. I’ve been wrong and very embarrassed at times, but I’ve learned a lot and I continue to learn.

I also repeat training courses. The idea that a practitioner can take a given training course and have learned all they need to learn from that topic area for life is completely false. Technology and digital forensic science advances rapidly. Any training course that’s not constantly updated and revised to reflect current knowledge will have a very short shelf life.

Magnet Forensics training courses are as close to the metal on this as one is likely to experience. Updates happen constantly and new knowledge is added all the time.

Part of what drives this is the aggressive development posture of our dev team. Even if computer science stood still, advancements to Magnet software come on a daily basis. I’m a Magnet Forensics trainer, yes, and I teach courses as I’m assigned, but I’m a student every day, even when I’m teaching.

MF: What trends do you see coming down the pipeline in digital forensics?

HH: I’ve made predictions in the past that haven’t come to pass, so I’m a little hesitant to speak about this. I know for certain, however, that today’s digital forensic practitioners are the brightest and most driven that they’ve ever been.

Having started doing this work in the early 2000’s, I’ve seen the field shift from only a few forensics tools to a flood of them. One might expect that the practitioner’s toolbox would be loaded these days with a haphazard array of software applications, but that hasn’t been the case.

Instead, practitioners have become more focused and ecosystem-aware. They’re making very smart choices about the primary tools they use. They want them to be interoperable, capable of using output from other tools, and deliver data products that can be used by those tools. They look for tool providers who establish partnerships with other companies for this purpose. They want to leverage the latest technologies such as artificial intelligence (AI) and graphic data visualization. They’re spending the funds they have on ways to reduce interface complexity that puts the focus on the evidence without burdening examiners to learn ten different tools that don’t share a common user experience. They want support from humans who think like they do.

If I were to predict anything, it’s that the future will belong to the providers and their tools that do what the practitioners are asking for. Also, expect 5-1/4” floppies to make a distinct comeback. =)

MF: Any final words of wisdom you’d like to share?

HH: I don’t know how wise someone might consider these to be, but here are ten things I’d offer:

  1. Be a student every day.
  2. Validate, validate, validate!
  3. Change the world one person at a time, starting with you.
  4. Don’t forget to go home.
  5. Share what you know.
  6. Don’t take anyone’s word for it.
  7. The command line is not your enemy.
  8. Learn regex and keep it simple.
  9. Repeat #2.
  10. Don’t look in another’s bowl to see if they have more than you. Look to see if they have enough.

Thank you, Hoyt! Welcome to the Training team and to Magnet Forensics overall—we look forward to seeing your future contributions.

Follow Hoyt on Twitter, and connect with him on LinkedIn here.

Read our previous interviews with VP Training Chuck Cobb,  Director of Training Operations Jamey TubbsChris VancePatrick Beaver, Doug Estes, Lyn Goh, and Larry McClain.

To be notified when future posts in our series go live, please be sure to subscribe to our blog (enter your email to the right)!