Staying one step ahead of cyber criminals: How experiences from the frontline are crucial to digital forensics

Published: 16 Jun 2025, 9:35 p.m.

The ability to interrogate masses of complex data is one of the core skills that cyber security students are encouraged to develop. Of equal importance is the ability to relay the results of digital forensics in such a way that non-experts can understand. In the case of cyber-crime, that means clear communication and rigorous documentation – what Joakim Kävrestad describes as “soft skills” that are indispensable in today’s world. As Assistant Professor and Lecturer in data science at Jönköping University in Sweden, he draws on his experience as a former forensics expert with the Swedish police to capture his students’ attention, with dramatic insights into what happens when those skills come into play – and the consequences when they don’t. Combining technical competency with an understanding of human behaviour, Joakim is using CyBOK to give students a real-world education that can feed into a cyber resilient society.

You bring a unique lens to your work as a lecturer, having spent three years applying your own training as part of the Swedish police’s criminal investigations team. How did that experience shape your approach to delivering education in cyber security?

I spent a lot of time digging around in people’s digital devices and trying to find digital evidence to support criminal cases. Of the 400 or so cases that I was involved in, most were related to criminal activities around drug investigations, murders and sexual assault cases. Effectively, I was applying scientific methodology to analyse evidence that was used in law enforcement. The end result of almost everything we do in cyber, and certainly what I was doing with my role in the police, was writing a report.

Technical concepts need to be explained to lay people and those making the decisions in a process. In the case of criminal investigations, that’s legal scholars, who may think they know what digital forensics is but, in reality, that’s not their area of expertise. That was the biggest challenge I found that I think still exists today, and something that I focus on in my current role as a lecturer – emphasising to students that as much as they might have technical competence, that will be wasted if they cannot communicate with other disciplines. If we can’t write a clear report, the value of our findings is effectively lost.

In Sweden we don’t have mandatory participation in education – we have to work to get students to attend lectures, which means we put a lot of effort into convincing students that these subjects are worthwhile! I’ve been able to draw on my experiences, and to tell stories about those experiences, to get students to connect with the subject matter in a way that makes it more interesting. As an example, I can easily pique their interest by telling them what kinds of crimes are difficult to detect!

You worked on CyBOK’s First Cycle Course in Higher Education, which has been key in developing a comprehensive cyber security curriculum. Why did you feel it was important to create this course and how has it shaped up?

The challenge today is not so much about accessing source material – which students can easily do via YouTube and ChatGPT. Our role as educators, I believe, is acting as guides who can help students to understand which information is correct, what to prioritise and how to navigate it all.

I’m particularly interested in developing open educational resources, which is something that CyBOK also does. I was curious to see what happens when students have access to a cohesive resource like this, and how it might be used to solve the competence gap which is one of the biggest problems in cyber. If CyBOK is used in the right way, it has the capacity to spark students’ interest in other aspects of cyber security such that it’s a far more comprehensive reference material than say, a textbook might be. The idea with this course was to develop a module where students can thoroughly explore how to organise and structure information to create an ongoing security process in an organisational context. At the heart of that is the ability to monitor a system and to act when something goes wrong.

Penetration testing, which involves hacking a system to see if it can be hacked, is one way of identifying weaknesses in order to mitigate them through security controls. Then there is the ability to develop capabilities in data collection and intelligence to identify when an incident happens, known as incident management and response. Lastly, there’s forensics, which relates to analysing the data and understanding the nature of an incident so you can recover from it.

I’m definitely not an expert in all of these areas, so the benefit of working with CyBOK has been that it opens up the potential for those of us working to develop university curricula to share and use each other’s material. That has meant that I have been able to develop a module in forensics, where my strengths lie, while being able to pool knowledge from others who are experts in their respective fields.

Most students don’t like report writing or communications training, so the main challenge we have is to make it clear how important that is. I’ve been able to draw on my own experiences to highlight how much this matters, sometimes in ways that have meant talking about my failures! There was one particular case where a colleague and I had to investigate the digital files of a suspect in a sexual assault case. This led to the discovery of some questionable material on the suspect’s computer. Whilst we were fairly sure this material probably wasn’t illegal, the prosecutor insisted that we look further into it. That meant spending a lot of time going through an entire database of material.

One of the biggest problems with data is precisely this: there can be a mass of data and it’s impossible to look through all of it. We can miss things if we go too broad in scope. I use this example to illustrate how we need to move towards a more intelligent approach to forensics. We should have talked to the investigator on the case about what to look for. Again, this shows how much we need to train students in the “soft skills”, that is, being able to communicate what is important, why and what we need to focus on.

I had another case where an investigator brought me a computer from a drug investigation. When I looked at the pictures from the case, I saw the investigator had seized drugs from inside another computer. The investigator, as a lay person, didn’t realise that the item was a computer, which meant I didn’t have all the evidence to look at. He was an excellent investigator but, in this case, he didn’t know what to look for, whereas I would have, had we had that conversation beforehand. In another case, I had failed to document the details of an operating system on a computer from which an image was taken in a case that returned to court a year later. I didn’t have the answer when I was asked in court about the details – that’s the kind of mistake a defence lawyer could use. These are the challenges we need to train students to be able to handle.
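The undocumented-operating-system mistake above is the kind of gap that a fixed acquisition record catches at imaging time rather than in court a year later. The following is an added illustration, not code from the article or from Joakim Kävrestad's teaching material: it builds a record for a disk image (case and exhibit identifiers, examiner, acquisition time, image hash, operating system details, imaging tool), reports which mandatory fields are still empty, and re-verifies the image hash later. The field list, the record layout and the sample image bytes are all constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Fields an examiner should capture at acquisition time so that later
# questions (which OS and version, which tool, does the image still match)
# are answered from the record, not from memory. Constructed list for this
# example; it is not a standard taken from the article.
REQUIRED_FIELDS = (
    "case_id", "exhibit_id", "examiner", "acquired_at",
    "os_name", "os_version", "imaging_tool", "image_sha256",
)


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the image bytes; stored at acquisition, re-checked later."""
    return hashlib.sha256(data).hexdigest()


def build_record(case_id: str, exhibit_id: str, examiner: str,
                 image_bytes: bytes, **details) -> dict:
    """Create the acquisition record. Extra keyword arguments (os_name,
    os_version, imaging_tool, ...) are merged in; whatever is not supplied
    stays absent so that missing_fields() can flag it."""
    record = {
        "case_id": case_id,
        "exhibit_id": exhibit_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "image_sha256": sha256_of(image_bytes),
    }
    record.update(details)
    return record


def missing_fields(record: dict) -> list:
    """Return the mandatory fields that are absent or empty, in REQUIRED_FIELDS order."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def verify_image(record: dict, image_bytes: bytes) -> bool:
    """True if the image bytes still hash to the value recorded at acquisition."""
    return sha256_of(image_bytes) == record["image_sha256"]


if __name__ == "__main__":
    # Constructed stand-in for a disk image; a real image would be read from disk.
    image = b"constructed example image bytes\x00\x01\x02"
    # Record created in a hurry: OS details left out, as in the anecdote.
    rec = build_record("CASE-EXAMPLE-1", "EXHIBIT-3", "J. Examiner", image,
                       imaging_tool="example-imager 1.0")
    print("missing:", missing_fields(rec))  # os_name and os_version
    rec["os_name"], rec["os_version"] = "ExampleOS", "1.2"
    print("missing after completion:", missing_fields(rec))
    print("image still matches:", verify_image(rec, image))
```

The check is deliberately run before the record is filed rather than when the case returns: an empty `os_version` is cheap to fix while the exhibit is still on the bench and expensive to explain on the stand.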

How does Sweden’s approach to cyber security differ from the UK, and what do you think the two can learn from each other?

Aside from Sweden being in the EU while the UK is not, there are differences in the governance structure around how the direction of education is determined. There’s a greater degree of autonomy around educational programmes in Sweden, for example, with different governing bodies who make decisions about different aspects of the process. This can be beneficial in that it allows for a more tailored approach when considering the applicability of education to industry. However, in my opinion, shared responsibility is no responsibility, and that can be a stumbling block. The governance process in the UK is more rigorous, which is something we can learn from.

Sweden doesn’t have conflict built into our recent history – we didn’t participate in any of the world wars and we were not as affected as others. We have a very open culture as a result, especially in the public sector, which maybe leads us to not think about security as much as the UK. That is changing now, though, given the situation with NATO and the Ukraine, so we have a growing interest in security.

Joakim’s approach to teaching perfectly demonstrates how the art of storytelling matters just as much as the science, especially when it comes to enthusing the next generation of cyber security experts. In a field that is continually evolving in response to social and digital change, it’s an approach that will support CyBOK’s aim for cyber security to become a universally standardised subject.