Dual-Role Group Dynamics as a Practical and Inclusive Framework for Teaching Digital Forensic Analysis - Think Like a Hacker and Think Like an Investigator
Cybersecurity is one of the most dynamic and challenging fields today, with constantly evolving digital threats. Digital forensic analysis, a subfield of forensic science, focuses on the examination of digital media and components to report, explain, and justify events that occur in a digital context. As a subfamily of forensic sciences, digital forensic analysis applies specific methods, techniques, and procedures to ensure that the collected evidence is valid and unquestionable. To prepare future information security professionals, hands-on education that goes beyond theory and emphasizes realism and engagement is essential. Traditional teaching approaches in this area are often limited to theoretical instruction, lacking the immersive and investigative dimensions required to address real-world challenges. This paper presents an innovative dual-role, group-based methodology - Think like a hacker, think like an investigator - that integrates collaborative learning, gamification, and standard-based forensic practice. Students alternate between designing attack scenarios and performing forensic investigations, following internationally recognized frameworks, such as NIST SP 800-86 and ISO/IEC 27037:2012. This bidirectional learning process develops both adversarial and investigative thinking, enhancing critical analysis, teamwork, and methodological rigor in the research process. The methodology was applied in the Digital Forensic Analysis course at ISTEC - Instituto Superior de Tecnologias Avançadas (Lisbon, Portugal), where it demonstrated promising outcomes. Students reported greater motivation, a deeper conceptual understanding, and improved readiness for professional cybersecurity environments. By combining open-source and no-cost tools with a dual-role group dynamic, this approach contributes to a more inclusive, engaging, and practice-oriented cybersecurity education.
Introduction
Digital forensics is a vital area of forensic science and cybersecurity that focuses on the legally sound acquisition, preservation, analysis, and presentation of digital evidence. Traditional theory-based teaching methods are often insufficient to prepare students for the dynamic and complex challenges of real-world investigations, creating a need for innovative, practice-oriented pedagogical approaches.
This work proposes and evaluates a dual-role teaching methodology—“Think like a hacker, think like an investigator”—designed to bridge theory and practice. Digital evidence must meet strict legal principles: it must be admissible, authentic, complete, reliable, and believable. To support this, the methodology aligns with two key standards: NIST SP 800-86, which emphasizes incident response and investigation stages, and ISO/IEC 27037:2012, which focuses on proper identification, collection, and preservation of digital evidence. Their complementary strengths highlight the importance of an integrated approach.
The proposed teaching model consists of two macro activities and five micro-steps. Students first design realistic cyberattack scenarios (“think like a hacker”), using techniques such as malware, encryption, steganography, and evidence manipulation. They then switch roles (“think like an investigator”) by creating forensic images, exchanging them with other groups, analyzing the evidence using recognized tools (e.g., FTK Imager, Autopsy), and presenting reconstructed incident narratives.
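When groups exchange forensic images, the receiving group needs a way to show that what it analyses is exactly what the other group acquired; ISO/IEC 27037 frames this as preservation, and in practice it means recording digests at acquisition and re-checking them after every transfer. The following is an added example, not code from the paper or from the course, that hashes a constructed image in a single pass with two algorithms, writes a small chain-of-custody manifest beside it, and re-verifies after a simulated one-byte change in transit. File names, the manifest layout and the `acquired_by` field are assumptions for illustration.

```python
import hashlib
import io
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read images in 1 MiB chunks so large files never sit in RAM


def hash_stream(fileobj, algorithms=("md5", "sha256")):
    """Compute several digests in one pass over a file-like object."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = fileobj.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used for self-checks)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def write_manifest(image_path, manifest_path, acquired_by):
    """Record size and digests next to the image; this is the acquisition baseline."""
    manifest = {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "acquired_by": acquired_by,  # assumed field, illustrative only
        "digests": hash_file(image_path),
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(image_path, manifest_path):
    """Return (ok, mismatches): ok is True only if size and every digest match."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    current = hash_file(image_path)
    mismatches = [a for a, d in manifest["digests"].items() if current.get(a) != d]
    if os.path.getsize(image_path) != manifest["size"]:
        mismatches.append("size")
    return (not mismatches, mismatches)


def demo():
    """Constructed walk-through: acquire, record, verify, tamper one byte, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "group_a.dd")
        man = img + ".manifest.json"
        # Constructed 3 MiB 'disk image' with deterministic content.
        with open(img, "wb") as f:
            f.write(bytes(range(256)) * (3 * 1024 * 4))
        write_manifest(img, man, acquired_by="group A (constructed)")
        before, _ = verify_image(img, man)
        # Simulate a single changed byte after the image changed hands.
        with open(img, "r+b") as f:
            f.seek(100)
            f.write(b"\x00")
        after, bad = verify_image(img, man)
        return before, after, sorted(bad)


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha256'])
```

Recording two digests is deliberate: a single corrupted chunk changes both, which rules out a disagreement caused by a tool bug in one hash implementation, and the size check catches truncated transfers before any hashing is done.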
The methodology was evaluated using metrics related to incident typology, information-hiding techniques, and technologies used. Scenarios incorporated advanced techniques such as encryption, anonymization, rootkits, log alteration, memory forensics, and anonymous networks, while leveraging a wide range of open-source and free forensic tools. This ensured realism, technical depth, and accessibility.
Results show several benefits: enhanced hands-on learning, collaboration, critical skill development, gamification-driven motivation, exposure to diverse scenarios, and gradual progression from simple to complex cases. The dual-role approach strengthens analytical thinking by allowing students to experience the full lifecycle of a cyber incident.
Overall, the methodology represents an innovative contribution to cybersecurity education by integrating offensive and investigative perspectives within a single framework, grounded in international standards and accessible tools. Future work includes validating the approach across different complexities, extending it to other cybersecurity domains (e.g., ethical hacking, incident management), and integrating frameworks such as MITRE ATT&CK, ENISA taxonomies, and AI-driven scenarios to further enhance learning outcomes.
Conclusion
In 2016, researchers from University College Dublin [12] identified five major challenges faced by digital forensic analysis professionals when handling digital evidence in a rapidly evolving technological environment.
The five challenges identified are as follows [12]:
1) Data Complexity: Managing large volumes of heterogeneous data requires advanced data reduction and filtering techniques before analysis.
2) Diversity of Sources: The lack of standardization in the analysis of diverse data sources, such as operating systems, file formats, and devices, makes analysis difficult.
3) Consistency and Correlation: Current forensic tools often identify fragmented evidence but fail to support effective correlation and contextualization of the evidence.
4) Data Volume: The exponential growth of storage capacity and connected devices demands increased automation to process information efficiently.
5) Temporal Synchronization: Unifying time references from multiple sources, timestamps, and other temporal aspects is challenging in digital forensic analysis.
Although constant technological evolution sometimes favours the investigator and sometimes favours the hacker, these challenges remain highly relevant and applicable today.
The dual-role teaching methodology presented in this study directly addresses several of these challenges in a controlled academic context. By engaging students as both attackers and investigators, this approach fosters a deeper comprehension of digital evidence, adversarial behaviour, and procedural rigor. This bidirectional dynamic enables learners to experience the entire investigative lifecycle, from data generation and concealment to evidence extraction, correlation, and timeline reconstruction, effectively mirroring the complexity, diversity, and synchronization problems faced by real-world professionals.
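The temporal synchronization and correlation challenges above appear as soon as a group tries to merge artefacts from more than one source: a Windows event log written in local time without a zone marker, a web server log with an explicit offset, and a filesystem timestamp stored as a Unix epoch. The following is an added example, not code from the paper, that normalizes three constructed records to UTC, applies a per-source clock skew measured during acquisition, and shows that the resulting order of events differs from the uncorrected one. The sample records, the `SOURCE_INFO` table and the five-minute skew are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed records from three hypothetical evidence sources.
# Each keeps time differently: a naive local wall clock, an RFC-style
# stamp with an explicit offset, and a raw Unix epoch.
SAMPLE_RECORDS = [
    ("win_evtx", "2025-03-10 10:15:02", "Logon succeeded for user alice"),
    ("apache",   "10/Mar/2025:09:14:59 +0000", "GET /upload.php 200"),
    ("fs_mtime", "1741597950", "secret.docx modified"),
]

# Assumed acquisition metadata: the zone in which a source writes naive
# timestamps, and its measured skew against a trusted reference clock
# (positive means the source clock runs fast).
SOURCE_INFO = {
    "win_evtx": {"tz": timezone(timedelta(hours=1)), "skew": timedelta(minutes=5)},
    "apache":   {"tz": timezone.utc, "skew": timedelta(0)},
    "fs_mtime": {"tz": timezone.utc, "skew": timedelta(0)},
}


def parse_timestamp(source, raw, correct_skew=True):
    """Return a timezone-aware UTC datetime for one raw timestamp."""
    info = SOURCE_INFO[source]
    if source == "win_evtx":
        naive = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
        ts = naive.replace(tzinfo=info["tz"])          # attach the source's zone
    elif source == "apache":
        ts = datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")  # offset is in the record
    elif source == "fs_mtime":
        ts = datetime.fromtimestamp(int(raw), tz=timezone.utc)
    else:
        raise ValueError(f"unknown source {source}")
    if correct_skew:
        ts -= info["skew"]  # a fast clock stamped events later than they happened
    return ts.astimezone(timezone.utc)


def build_timeline(records, correct_skew=True):
    """Merge records from all sources into one list sorted by UTC time."""
    return sorted((parse_timestamp(s, r, correct_skew), s, m) for s, r, m in records)


def source_order(records, correct_skew=True):
    """Just the sequence of sources, convenient for comparing orderings."""
    return [s for _, s, _ in build_timeline(records, correct_skew)]


if __name__ == "__main__":
    for ts, src, msg in build_timeline(SAMPLE_RECORDS):
        print(ts.isoformat(), src, msg)
    print("uncorrected order:", source_order(SAMPLE_RECORDS, correct_skew=False))
```

With the skew applied, the logon precedes the file modification and the upload; without it the logon appears last, which would support a different (and wrong) incident narrative. This is why the skew of every acquired host is recorded with the image rather than guessed at during analysis.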
Furthermore, the framework integrates hands-on, standard-based learning through the use of NIST SP 800-86 [4] and ISO/IEC 27037:2012 [5], ensuring consistency with industry and legal best practices. The exclusive use of open and no-cost forensic tools promotes inclusiveness and accessibility, preparing students from diverse academic and socio-economic backgrounds for realistic cybersecurity challenges.
Beyond its pedagogical innovation, the model helps overcome traditional limitations in digital forensics education, such as insufficient engagement, lack of realism, and fragmented understanding between theory and practice. Preliminary implementations indicate that the methodology not only motivates students but also develops analytical reasoning, collaboration, and methodological discipline.
The Think like a hacker, Think like an investigator methodology represents an innovative, practical, and inclusive framework for digital forensic education. By integrating recognised standards (NIST SP 800-86 and ISO/IEC 27037:2012) and open-source tools, it equips students with both technical competence and an investigative mindset, preparing them to address the evolving challenges and threats in the modern cybersecurity landscape.
References
[1] M. Antunes and B. Rodrigues, Introdução à Cibersegurança - A Internet, os Aspetos Legais e a Análise Digital Forense, Lisbon: FCA, 2018.
[2] J. G. Heiser and W. G. Kruse, Computer Forensics: Incident Response Essentials, 1st ed., Addison-Wesley, 2001, p. 392.
[3] A. Yeboah-Ofori, "Digital Forensics Investigation Jurisprudence: Issues of Admissibility of Digital Evidence," Journal of Forensic, Legal & Investigative Sciences, vol. 6, pp. 1-8, May 2020.
[4] K. Kent, S. Chevalier, T. Grance and H. Dang, Guide to Integrating Forensic Techniques into Incident Response, NIST Special Publication 800-86, 2006.
[5] ISO/IEC 27037:2012, Information technology - Security techniques - Guidelines for identification, collection, acquisition, and preservation of digital evidence, International Organization for Standardization (ISO), 2012.
[6] R. Ramadhan, P. Setiawan and D. Hariyadi, "Digital Forensic Investigation for Non-Volatile Memory Architecture by Hybrid Evaluation Based on ISO/IEC 27037:2012 and NIST SP800-86 Framework," IT Journal Research and Development, doi: 10.25299/itjrd.2022.8968, pp. 162-168, 2022.
[7] Exterro, "FTK Imager - Exterro," [Online]. Available: https://www.exterro.com/ftk-imager.
[8] "Autopsy - Digital Forensics," Autopsy, [Online]. Available: https://www.autopsy.com/.
[9] The Volatility Foundation, "The Volatility Framework: Advanced Memory Forensics," [Online]. Available: https://www.volatilityfoundation.org.
[10] G. Palmer, "A Road Map for Digital Forensic Research," Digital Forensic Research Workshop (DFRWS), Baltimore, MD, 2001.
[11] M. Pollitt, "A History of Digital Forensics," in Advances in Digital Forensics VI, IFIP International Conference, Springer, New York, 2010.
[12] D. Lillis, B. Becker, T. O'Sullivan and M. Scanlon, "Current Challenges and Future Research Areas for Digital Forensic Investigation," in The 11th ADFSL Conference on Digital Forensics, Security and Law (CDFSL 2016), Daytona Beach, FL, USA, 2016.
[13] ENISA, "Reference Incident Classification Taxonomy," European Union Agency for Cybersecurity, 2018. [Online]. Available: https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy.
[14] ISO/IEC 27035-1:2016, Information technology - Security techniques - Information security incident management - Part 1: Principles of incident management, International Organization for Standardization (ISO), 2023.
[15] NIST, NIST Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide, National Institute of Standards and Technology, 2012.
[16] MITRE Corporation, "MITRE ATT&CK Framework," [Online]. Available: https://attack.mitre.org. [Accessed 3 September 2025].