Research Article

Critical Thinking and The Digital Forensics Examiner

Douglas A Orr1* and Buddy Tidwell2

1University of North Georgia, Dahlonega, Georgia, USA

2Champlain College, Burlington, Vermont, USA

*Corresponding author: Orr AD, University of North Georgia, Dahlonega, Georgia, USA. E-Mail:

Citation: Orr AD, Tidwell B (2019) Critical Thinking and the Digital Forensic Examiner. J Forensic Sci Digit Investig 2019:

Received Date: 02 August, 2019; Accepted Date: 31 August, 2019; Published Date:  5 September, 2019


Police investigators evolve in the modern law enforcement world according to a path of instruction that stems from more traditional investigative fields. These mature investigators, albeit potential digital forensic examiners, are very knowledgeable and the skill sets they obtain from academic study, academy training, and life experience in the field further their understanding of the discipline as a whole. In some instances, however, the novice digital forensic examiner lacks a more critical forensic mindset. Often, such an examiner is unable to translate their knowledge, experience, and critical thinking skills into the digital forensic environment. The authors will conceptualize and model the components of critical thinking as it relates to how digital examiners might begin to develop and apply critical thinking skills when faced with a crime involving the digital dimension. In doing so, the authors will expose key issues and provide a relevant technical forensic example demonstrating the successful application and flow of critical thinking during a mock digital forensic examination. Accordingly, we explain how an examiner might gain confidence to interpret, analyze, synthesize and evaluate digital evidence based upon mastering core forensic and file system knowledge.

Keywords:  Critical Thinking; Digital Forensic Examiner; Paul’s Model for Critical Thinking; Master File Table (MFT); New Technology File System (NTFS)


Police investigators evolve in the modern law enforcement world according to a path of instruction that stems from more traditional investigative fields. These mature investigators, albeit potential digital forensic examiners, are very knowledgeable and the skill sets they obtain from academic study, academy training, and life experience in the field further their understanding of the discipline as a whole. Typically, a police officer is not immediately an investigator. A newly hired police recruit can expect to attend, in some instances, a twenty-two-week police academy where the recruit will learn rudimentary legal concepts, tactical contingencies when it comes to call response, and practical self-defense strategies. Most academy curriculums do include very basic investigative courses that leverage various critical thinking skill sets against legal concepts such as standards of proof and the material elements of a crime. Also included is crime scene response and the chain of evidence. Recruits are given progressive instruction that highlights the dimensional aspect of their chosen field [1].

Once the recruit graduates from the academy, they will most likely be assigned to a uniformed training officer within their respective agency for a period of up to four months much of which involves calls for service in a marked police vehicle. If the recruit emerges from this training period successfully, they are assigned primary calls for service to which they arrive in their own patrol vehicle. Being the primary officer on the call, they bear the responsibility of handling it legally, ethically, and efficiently. If the call for service cannot be resolved at the time or requires specialized attention, the uniformed officer generates a report and sends it to an investigator for follow up.

Investigators, or police detectives as they are called by many, are usually those persons who have been selected or promoted to the rank and who are known by their peers to possess certain skill sets conducive to case resolution. This is because, while they were in uniform answering calls for service, they developed critical thinking skill sets that allowed them to more closely observe people, places, the things they do and the times they do them. Being solely responsible for case resolution as an investigator further caused them to refine these skills as they methodically brought each case to some sort of closure. It should not surprise us then that such an individual would be selected or chosen to become the department’s digital forensic examiner. In some instances, however, the novice digital forensic examiner lacks an even more refined critical mindset. Often, such an examiner is unable to formally translate their knowledge, experience, and critical thinking skills into the digital forensic environment.

Critical thinking is a process that leads us to judgment. Consequently, the ability to think critically should rest in a set of skills that include interpretation, analysis, synthesis, and evaluation. Here we will explore critical thinking as an ability and how digital forensic examiners might further develop, refine and employ such skills when faced with a body of digital evidence. Later in this chapter, the key elements of critical thinking skills in digital forensic investigations will be outlined and discussed. By discussing key issues through practical and technical contexts, we explore a specific relevant case study demonstrating the successful application of critical thinking skills in a mock digital forensic examination and call for the necessity of examiners to possess the skills of interpretation, analysis, synthesis, and evaluation. Utilizing these four essential skills, an examiner might gain the confidence necessary to test inference and make deductions based upon core file system and artifact knowledge, specific forensic tool application, discover relationships of key material facts, and reasonably weigh each piece of evidence in the context of the crime.

Critical Thinking Defined

Exploring the different conceptions of critical thinking throughout the literature is beyond the scope of this chapter. However, we outline some of those conceptions here in this passage to lay a contextual foundation for how the examiner might model their approach to critical thinking. We call it critical thinking. Yet, some have labeled it higher ordered thinking, creative thinking, or problem solving [2]. We, however, agree with Harris [3] and contend it to be, at least in the context of this chapter, a cyclical process of analyzing a problem, generating a solution(s), implement the best solution, and then appraise the efficacy of such a selection. It is critical to creative. Then, creative to critical. Suffice it to say it is a problem-solving cycle we will refer to in this chapter as critical thinking.

Modern conceptions of this process have produced agreement on three approaches: philosophical, psychological and education. Philosophical agreements about critical thinking amount to reflections of consistent skepticism combined with methodical and repeated investigation to “overcome the inertia that inclines people to accept the suggested form of knowledge at its face value” [4]. Psychological agreements constitute critical thinking as an approach of processes and skills within a practical context. Within their respective contextual and personal constraints, they make the concept more practical and relevant. Sternberg [5] framed it as a problem-solving practice rather than an ideal. In other words, the context, and the limits imposed by such contexts, may determine the application of certain critical thinking skills [4]. Educational agreements concern methodologies or pedagogies that develop these critical skills among prospective thinkers. Here in this chapter, we will subscribe to the psychological concepts outlined in contemporary literature.  We pause to mention a brief word concerning the distinction between ability and skill. Although many use these terms interchangeably, they are indeed fundamentally different concepts. Skill is usually defined as the capacity to do something well [6]. Ability, on the other hand, deals squarely with the thinker’s ideal competence [7]. Consequently, if learners “acquire a mastery of critical thinking skills, they consequently acquire an enduring critical thinking ability” [4]. The critical thinker can wield their ability to utilize theoretical models operationalizing these skills to produce an outcome that will lead to judgment [8]. The aforementioned skills in particular are interpretation, analysis, synthesis, and evaluation. The goal of such a model should be to produce objective thought. Once such model is from Richard Paul. Paul’s model [7] is prized here because it can be contextualized across disciplines. It consists of three parts: elements of reasoning, standards of thought and intellectual traits. For the discriminating individual, a refined understanding of the elements of reasoning places the individual in a class where they can conspicuously identify flawed arguments and intellectual defects. This accomplishes two purposes: to challenge our own bias and empathize with a contending perspective. Ultimately, such a model encourages an objective perspective (Figure 1).


Figure 1: Richard Paul’s Model [7].


Conspicuously absent from the literature relating to criminal investigation is a connection of traditional investigative methodologies to the way in which digital forensics examiners to their job or plan their investigations. Emerging literature in the field of digital forensics does indeed deal with newly crafted concepts and mythologies. However, these methodologies deal directly with more procedural and less cognitive strategies. Once more, digital investigative departments or agencies simply do not routinely record, analyze, or report their investigative behaviors perhaps because it is of no use to them. One of our purposes here in this paper is to encourage these agencies to collect such information.

Critical Thinking Skills in Context

The most basic element of success for a digital forensic investigator is first to possess the skill of interpretation. One might be utterly ineffective in the role of computer forensic examiner if they lack the interpretive skills inherent to an effective investigator. Consider what this means for a moment. As mentioned in the beginning of the chapter, most evolve from a defined path through a police academy, patrol, promotion to detective and then onto specialization into digital forensics. At the police academy level, basic survival and other core skills are taught. Skills taught can also include difficult physical and mechanical skills like shooting, driving, defensive tactics, along with some instruction related to interviewing witnesses and suspects, correctly noting observations, and writing reports based on those notes and observations. It is on the street that the potential investigator hones their skill of interpretation by establishing the context of criminal behavior and identifying explicit arguments from victims, suspects, and witnesses distinguishing them from ordinary descriptions, technical explanations, and summaries. Perhaps the ultimate refinement to such a skill includes the capacity to consider and constantly weigh inductive measures of reason against more deductive methods of thought. In other words, do we form a hypothesis and consider the evidence accordingly or do we reflect on the evidence as a whole and form an opinion?

As uniformed responders receive a practical and repeated test of their critical thinking skills, the stakes are high as they detect deception, use persuasive language, make logical inferences, and deductively reason each proposed hypothesis made to them by fellow investigators. This is the skill of analysis. Uniformed officers who are agile at these things are many times driven to become detectives or investigators. As investigators, they navigate dynamic and rapidly evolving incidents to make judgments based on their own analysis of the evidence. And this judgment only comes about following the careful testing of a hypothesis. As Turvey [9] suggested, “Each time we succeed at failing to disprove something, we come closer to understanding the meaning beneath the specific patterns that we find”. This is the inductive method in its purest form.

The deficit of this particular skill is sometimes readily apparent in the private sector. Assuming such a person has never been a commissioned police officer, private or corporate investigators rise to their position absent such experience. A fine of example of this exists in the polygraph profession. Experienced police officers and investigators who graduate from polygraph academies enter the profession with neatly schemed interviewing postures. Following the examination, they are able to extract information from suspects where persons without law enforcement training experience difficulty managing the interview with a disagreeable suspect. Indeed, non-commissioned or otherwise privately trained individuals may not bring with them some of the implied biases that develop over a very storied law enforcement career. This trait is desirable in the investigator. Suffice it to say that there exist respectable investigators from both paths. But, without question, those persons with law enforcement experience are more sought after than those without. It is a select few, however, that will move seamlessly from investigator to examiner. Crucial at this juncture is the skill of synthesis. Today, it is inevitable that almost every crime contains a digital dimension and that the investigation of that crime will require some level of expertise to identify, collect and preserve the evidence associated with it. In the not too distant future, it is likely that core digital evidence handling and recovery skills will become part of basic curriculums taught at police academies across the world. Until then, however, it remains to the highly skilled investigator turned examiner to know where on the device the evidence might be, why it might be there, its absence, and, if it does exist, in what way specifically is it associated with other artifacts tangential to the crime at hand. Fortunately, we are not calling for reinvention when it comes to digital examination. The same methodologies, the same logic, and the same reasoning apply in the digital landscape as it does in the physical world of investigations. The key to cogent evaluation calls for examiners to possess the same level of familiarity with the digital dimension that they did over time within their physical environment (people, places, the things they do, and the times they do them). They must invest in learning to assess convergent relationships behaving inside the digital dimension of our world just as they likely did when they were on uniformed patrol or assigned to a detective division. The ubiquity of social media has crippled or stalled the unprepared investigator, examiner or agency. Research involving Social Network Analysis and its many applications has given many agencies pause to reconsider their approach as they evaluate social media and its participants. Adding to this the prospect of evaluating data in motion and its relationship to data at rest on a device that might contain anywhere from one to five terabytes of data causes the examiner to frame such data within cultural and even global structures of thought.

All of this brings us to consider why critical thinking skills are so important. In most westernized societies, legal bodies have in place certain protections for the accused. In the US, for instance, accused persons are presumed innocent. Giraud [10] states “The reason we should pursue critical thinking is that we want to get the right ‘bad guy’-not just pin it on ‘a bad guy,’ but solve the case and convict the right ‘bad guy’. Flaws in our critical thinking process may result in the conviction of the wrong person, which means the right person (the actual perpetrator) goes free.” Refined critical thinking skills will not only advance the examiner’s ability to solve the case at hand but also enhance their character as it relates to the morality of freedom and liberty. In order to provide the reader with a comprehensive understanding of how the examiner might use critical thinking skills practically as well as theoretically, we illustrate these skills within the constructs of a mock investigation involving the forensic examination of digital devices. Each critical thinking skill is operationalized to underscore how it is an examiner might better interpret, analyze, synthesize, and evaluate digital artifacts as they relate to a frequently investigated crime.

The Physical Crime Scene

To illustrate the concept of critical thinking skills and its relationship to applicability, we consider this through the lens of an investigator. In this mock scenario, we assume police received a call from a neighborhood resident who heard a gunshot being fired somewhere close by. Patrol officers respond, clear the scene for any threats, and they discover a female victim who appears to be deceased just outside the residence in question with a gunshot wound to the chest. Officers notice the presence of a firearm near the decedent’s right hand. Without any more information being provided at this point, we consider the immediate possibilities that trained investigators might conjure as they consider this scenario [11]. To interpret the incident, the investigator assigned to the case might consider the main actors. Exactly who did this? Is this person a victim of a crime? Or, was this self-inflicted? The investigator might also consider scene location. Did the shooting occur where the deceased remains (primary scene) or was the body moved by a third party (secondary scene)? The investigator might then also consider third party interpretations. Are there any witnesses to corroborate what occurred? To analyze these facts and circumstances, the investigator will form a hypothesis or hypotheses to discover flaws through synthesis and further test the veracity of discovered evidence through evaluation to ultimately form an opinion or judgment.

For the investigator at a physical crime scene, the issue here seems rudimentary. There is a deceased person with a firearm near their hand who suffered from gunshot wound to the chest. The immediate overarching question for an investigator is to determine the nature of the incident. The shooting may be self-inflicted or it may be a homicide. If it is a homicide, the investigator will need to determine if the shooting occurred at the location of the discovery or at another location. If there are witnesses, the investigator will have to weigh the veracity of their statements. By way of their ability, investigators will use their skills to methodically arrive at a judgment. While the evidence of a contact wound, stippling (powder tattooing), or even the absence of such evidence may lead the investigator to form a variety of initial hypotheses, the investigator will need the expertise of the digital forensic examiner to further advance this quest for judgment.

The Digital Crime Scene

Now, consider the investigation in the digital context. A novice computer forensic examiner receives a laptop computer from the scene of a death investigation involving a possible suicide of a female victim. A witness who knew the victim told investigators that the circumstances concerning her demise do not make sense. The witness maintains that they had frequent contact with the victim and knew her attitude to be positive and outgoing, inconsistent with a depressed person contemplating suicide. The request from the lead investigator calls for a full investigative forensic analysis of the laptop computer to detect and recover relevant evidence related to circumstances surrounding the death of the victim. The examiner is tasked to provide any information that supports or refutes the possibility that this death was a suicide. Using the most basic computer forensic skills, the novice examiner acquires a forensic image of the laptop and then adds the image into proprietary forensic software to begin the digital investigation.

To distinguish a suicide from a homicide calls for the examiner to interpret the elemental dynamics of each one. In this instance, the most obvious might be the presence of a suicide note. Almost immediately, the novice examiner discovers a document named My Diary.rtf on the desktop of the victim’s laptop. The last few diary entries contain phrases such as “life is pointless” and “Maybe I should go through with it.” The implication that this item might provide corroboration for suicide is readily apparent. Absent any more information, consider the immediate attraction that a novice examiner might face in this scenario. In this instance, there is perhaps a temptation to take the initial discovery at face value as it tends to corroborate the most apparent and convenient theory that a suicide did indeed occur. However, examiners must analyze such discoveries and ultimately make their ultimate judgments defensible. Thinking critically about this item demands that the examiner test certain hypotheses before moving on and accepting this item at face value. Figure 2 below shows the examiner's view of the file, the file’s location and a preview of the relevant content of the document.


Figure 2: Examiner’s view of the questioned document in proprietary software.


Analogous to the physical world, the novice examiner is now present at the digital crime scene, has discovered a very relevant piece of evidence in the case and now must either accept it or challenge it using critical thinking skills. Controlling for all the facts gathered to this point, a witness has come forward with the belief that suicide does not make sense in this case as the victim outwardly exhibited a positive mindset and was generally very happy with life. The novice examiner must now challenge the assumptions and inferences presented by this document. What is the nature (legitimacy) of this document? Who was the author of this document? When was this document created relative to the time of death for the decedent? When was this document modified? What, if anything, does the metadata in this document suggest? If, for example, the document was created following the suspected time of death, the novice examiner has taken the initial step to disprove the suicide hypothesis. Accordingly, accepting the validity of such a document then at face value was not an acceptable option in this line of inquiry.

To further refine these skills into a workable investigative model, the examiner must break this question of legitimacy into a series of smaller solvable questions. Methodically exploring the evidence, according to these questions, is the essence of a digital forensic examination. To do so will require the novice examiner to know file system characteristics in the Windows Operating system. In this case, they should possess some artifact knowledge about document metadata and also know how their proprietary software tool (or a variety of other open-source tools) works in order to answer these vital questions. The alternative is to accept the document at face value, forgo such questions and accept the disproved suicide hypothesis. The digital beat for the novice examiner is no different than that of the patrol officer. They must know people, places, the things they do, and the times they do them. At a higher level, the knowledge base must be comprised of the file system and artifact knowledge, tool-specific knowledge, and critical thinking skills. The first question the novice examiner might ponder is when, or on what date, the document was created. The question seems simple enough, given that the novice examiner knows that the operating system is Windows 8 in this case, and that operating system is built on the New Technology File System (NTFS). The novice examiner also knows that files created in the NTFS file system have various and respective dates and timestamps associated with them. A novice examiner must also know that those dates and times are tracked in a Master File Table (MFT) record relating to that particular file recording those times in UTC. This allows the operating system to display the time to the user natively with a local time bias applied. Finally, a critical piece of knowledge to the novice examiner is that they know how their own proprietary forensic software tool applies the local time bias. This is critical in order to determine if they are viewing the raw UTC time displayed or the local time that was displayed based on the setting in the registry of the local machine. As one might imagine then, the creation date of a particular file in a digital forensic examination requires a deeper understanding of the operating system, its relative artifacts and the proprietary software tool in use. Indeed, an experienced examiner trained in the use of such tools might be able to move more quickly through this critical thinking process than the novice examiner. Is the answer to this question apparent? Figure 3 shows the examiners view in a proprietary forensic tool of the file’s metadata dates and times.


Figure 3: A proprietary forensic tool displays the created times of the document.


Assuming that times are a critical factor in this case, the novice examiner is faced with the decision to either accept the time zone interpretation this tool displays or independently verify the timestamp through other means. Is this time being displayed in UTC? Is it displayed with the host examination machine’s time bias applied or is it displaying the time bias of the questioned laptop? Proprietary and open-source tools display these times differently. During digital forensic investigations, the question about authoritative timestamps should be considered at every turn. A closer examination of this tool’s interface indicates that these times are being displayed in the time zone UTC +00:00. The interface to a forensic tool may appear busy in its appearance when evidence is loaded, making it difficult for novice examiners to know where to look for such settings and displays. The novice examiner should be familiar with the interface to determine exactly where to search for settings, adjustments, and display items such as this as shown in figure 4 below.


Figure 4: The implied time zone setting for files in this case--UTC +0:00.


In order to see the file’s timestamps (the created, modified and accessed times as they were at the time the file was created), it will be necessary to determine what the time zone settings were, including the active time bias in the victim’s computer, at the time the day the file was created. A check of the time zone setting in the registry to the victim’s computer is the best way to determine this. Of course, a novice examiner would need to possess such knowledge along with how to access the computer registry to verify this critical piece of information and apply the correct bias to the times currently displayed in UTC +0:00. The critical thinking process will be thwarted if the examiner is not familiar with file system and registry knowledge. By examining the registry setting using the same tool, the novice examiner employs pseudo-verification - verifying the tool in use with that same tool. Viewing the registry time zone settings in a tool designed for that purpose indicates that the machine was indeed set to Pacific Standard Time but was, however, set to adjust (spring forward in this case) for Daylight Savings Time. This is evidenced by the fact that Pacific Standard Time is GMT-0800 (or GMT-480 minutes) and the time zone setting is indicated at GMT-7 (GMT-420 minutes) (Figure 5).


Figure 5: Time zone settings as interpreted by a proprietary forensic tool.


An examination of the System registry file with a second registry tool verifies the same interpretation of the data and avoids pseudo-verification. However, in order to accomplish this critical thinking approach of independent verification, the novice examiner must again respect their digital beat-people, places, the things they do and the times they do them. Consider the acts involved in verifying this setting. An examiner must know that the time zone settings they seek are in the System registry hive. They must know how to export that registry hive from the forensic image for independent examination with a second registry tool. They must also know that, to examine the correct time, they should check the select key to determine which control set was in play at the time of machine shutdown. The novice examiner must also be able to navigate to, and interpret the values of, the registry hive to confirm the interpretation of the initial proprietary software tool. This may seem to be a daunting task to the novice examiner for a simple verification task such as this. Yet, verification of a circumstance to the trained investigator in the physical world would likely be second nature due of their familiarity with the real-world elements they are accustomed to such as eye-witnesses, informants, scientific test results, field test results, physical evidence, etc. Consider the verification example using Access Data registry Viewer in figure 6. Since the file creation time is August 2nd (a time that falls between March (when daylight saving time started) and November (the time when Standard Time will resume)), the actual time bias that should be applied is Pacific Standard Time (GMT-8:00) minus one hour for daylight savings time or Pacific Daylight Time (GMT-7:00). This is equal to a four hundred twenty-minute negative bias from GMT-420.)


Figure 6: Verification of Pacific Daylight time with Daylight Saving Time.


Where a timestamp is critical, the final question that a novice examiner must determine in this example is whether or not the toolset calculates this time value correctly based on the time value recorded in the MFT. If the tool does not correctly parse the value based on the wrongly hardcoded epoch or there exist other interpretation problems, all of the questions the novice examiner just answered are null. To synthesize this question among the others, the examiner must know where and how the time values are stored in the NTFS file system and then be able to examine the hex values and correctly interpret them to put the issue to rest. This needs to be accomplished using other independent but reliable tools to avoid trusting one single toolset. The inference would be that if two reliable tools both reported the same values, then the results are likely reliable. To do this, the novice examiner should use rudimentary tools and utilities to interpret the data as it exists in the file table. The amount of knowledge a new examiner would need to complete this verification is formidable. First, the new examiner would have to understand that, in NTFS, all files that are created are logged within the MFT in a sequentially numbered record that is 1024 bytes in size. They would need to know that every record is numbered and contains attributes about the file it defines and that the files times are created in the sequentially numbered record in two different attributes: the filename attribute and the standard information attribute. It would be exceedingly useful to be trained and familiar with a tool capable of exploring the MFT easily for this purpose. It would also prove helpful for the novice examiner to be familiar with utilities that can independently interpret the time values once retrieved from the MFT record. It is likely that if the examiner has not secured comprehensive training on the NTFS file system, or they are not familiar or trained in some mainstream tools, and that they have not performed a verification on the job such as this one, then their critical thinking skills may be significantly stunted. If the novice examiner is not familiar with the digital environment, they will not be able to think critically or perform the functions so that they might answer these critical questions.

To determine this final step of verification, a novice examiner might use a tool such as Access Data FTK Imager, a free but robust utility that displays the contents of the MFT. In Figure 7, the forensic image of the laptop is added to FTK Imager. Navigating to the file My.Diary.rtf, the properties tab indicates that the attributes about this file are stored in MFT Record number 29,804. Using a formula ($MFT record #) X (size of $MFT record in bytes) = (starting offset for the target $MFT record) allows the novice examiner to calculate the location of the MFT record for the purpose of examining the value in hexadecimal along with the embedded time stamps. In this case, 29,804 X 1024 = 30,519,296. This value, 30,519,296, is the starting offset of the $MFT record for My Diary.rtf from the beginning of the $MFT. See figure 7 for the record number, calculated offset and file system location for My Diary.rtf. In figure 7, the Master File Table (identified in the tool as $MFT) is selected and an examiner’s view of the Hexadecimal content is shown. The tool is navigated to offset 30519296 and is displaying the content of the MFT record for My Diary.rtf. The Created Time, Modified Time, the MFT record Change time, and the accessed time are all represented in eight bytes of hexadecimal and are standard Windows 64-bit date and time stamps [12].


Figure 7: MFT record for My Diary.rtf showing timestamps.


To verify these timestamps, it is possible to select the eight bytes of hexadecimal 30 62 A3 C8 5D CD D0 01 01 and interpret them as Windows 64-byte date and time stamps in FTK imager on the hex interpreter tab. The result is that the created time interprets this value to 8/2/2015 at 7:59:47 as do the modified, MFT record change, and accessed times. All times interpret the same when compared to the time values rendered in the previously used forensic tool. Accordingly, the novice examiner has verified that the time stamps in question have been interpreted in the same manner by two reliable mainstream tools. But does this conclude the inquiry?

To evaluate the process then, the novice examiner must globally appraise the hypothesis of a suicide death by the following criteria. The file My Diary.rtf appears to be a file with incremental chronological entries and modifications made, day after day. If the novice examiner knows that opening a document and making changes to the body of the document will change the modified and accessed times of that document, why then are all the times (created, modified, accessed, and MFT record change times) in the file My Diary.rtf reflecting the same date and time? The novice examiner then arrives at a judgment that the timestamps support a narrative that this file was created on another volume and then deposited on this volume or the document was created in one session, not a series of days resulting in incremental modifications to the file.


Much time and resource go to developing and training new computer forensic examiners. To develop them absent a working critical thinking regimen is a disservice to the organization and the individual. The production of robotic button pushers capable of simply reviewing voluminous reams of digital content is no different than an investigator who knows only how to answer a phone and drive a car. To the contrary, we should seek to develop strong and capable digital examiners who possess objective and fair-minded critical thinking skills that interpret, analyze, synthesize, and evaluate the digital evidence of today with truth as their end goal. Will they have the courage to ask the difficult questions? Will they have the empathy to consider alternative explanations sometimes contrary to their own? Will they persevere to accomplish the difficult tasks not performed by others? Will they demonstrate the humility to admit their shortcomings? Will they possess the autonomy to move forward when others lag? Will their integrity be the light that others follow? Will their fair-mindedness and confidence light the fir  e that causes others to trust their judgment?


  1. Baker TE, Baker JP (1996) Teaching criminal investigation: A critical thinking approach. J Police Criminal Psychol 11: 19-26.
  2. Lewis A, Smith D (1993) Defining higher order thinking. Theory into Practice 32: 131-137.
  3. Harris R (1998) Introduction to creative thinking.
  4. Wang S (2017) An Exploration into Research on Critical Thinking and Its Cultivation: An Overview. Theory Pract Lang Stud 7: 1266-1280.
  5. Sternberg RJ (1986) Critical thinking: Its nature, measurement, and improvement. National Institute of Education. Washington, DC.
  6. Bailin S, Case R, Coombs JR, Daniels LB (1999b). Conceptualizing critical thinking. J Curric Stud 31: 285-302.
  7. Paul R (1993) Critical thinking: What every person needs to survive in a rapidly changing world (3rd ed). Foundation for Critical Thinking Santa Rosa, CA.
  8. Lipman M (1988) Critical thinking-what can it be? Edu Leadership 46: 38-43.
  9. Turvey B (2011) Criminal Profiling (4thed). Cambridge, MA: Academic Press.
  10. Girod RJ (2014) Logical investigative methods, Critical thinking and reasoning for successful investigations (1sted.) CRC Press, Boca Raton, FL.
  11. Mock Crime Scene (2019).
  12. FTK Imager User Guide - The Master File Table (2011) In FTK Imager User Guide - The Master File Table.