This document is a draft to define the terms critical thinking and creativity for the effort of developing a ‘universal’ rubric. To demonstrate the application of the definitions, the MCSI Digital Forensics exercise Analyze memory dumps using Volatility (mth-sample-crit/474163d9-7b5f-4ddd-a0d7-e8705f1f6a48) was used to measure critical thinking and creativity. The analysis supports the design of a universal rubric and the addition of critical thinking and creativity grading specifications for the MCSI platform.
Adding critical thinking and creativity to the MCSI platform must align with video and report submissions. The absence of audio limits assessment of verbal explanations of a student’s process; however, written and visual submissions can still demonstrate both skills. Accordingly, assessment of critical thinking and creativity in this context relies on visual cues, reports, annotations, commentary (provided in video submissions), source code, artifact selection, and submitted outputs, rather than on verbal explanation.
Facione (1990) operationalizes critical thinking for assessment and instruction with six core components, which are summarized in the following table.
| Component | Meaning |
|---|---|
| Interpretation | Understanding and expressing the meaning or significance of experiences, data, or events. |
| Analysis | Identifying relationships among statements, questions, concepts, or data. |
| Evaluation | Assessing credibility of statements and logical strength of arguments. |
| Inference | Drawing conclusions based on evidence. |
| Explanation | Justifying reasoning, methods, and interpretations. |
| Self-regulation | Reflecting on one's own reasoning and being open to revision. |
The rubric aligns with each of these components in the following ways. Interpretation is required: the rubric states that interpretation is demonstrated when the student explains what the output means and why it matters. Submissions must include annotations, commentary, and explanations, not just raw data. The methodology scope requires describing or showing the sequence of analysis (e.g., image info, process list, network, persistence), which corresponds to analysis as structured, logical reasoning. Evaluation is addressed in that students must justify plugin choices (“why those were chosen”) and, if using alternative tools, justify them by capability and outcome. The methodology section demands justification of steps and plugin use; the rubric explicitly states that a minimal list of commands without justification does not demonstrate critical thinking, which aligns with explanation. Inference is evidenced when students connect artifacts (e.g., suspicious processes) to conclusions (e.g., evidence of compromise). In the MCSI context, self-regulation can be evidenced when students resubmit after incorporating assessor feedback.
The rubric effectively measures critical thinking by requiring justification of methods, interpretation of forensic data, and explanation of relevance. It goes beyond a standard checklist to require reasoning. The alternative method/tool selection option further strengthens this by focusing on outcome-based assessment.
In summary, the existing criterion from the exercises specification can be used to assess critical thinking when combined in context to the respective exercise. For example, the rubric for analyzing a memory dump combines:
critical_thinking”: {
“criteria_from_spec”: [
“document_alternative_tool_if_used”,
“must_document_methodology”,
“methodology_documented”,
“output_interpretation_demonstrated”,
“objective_achieved”,
“artifacts_submitted”
]
Creativity is defined as generating or recognizing ideas, alternatives, or possibilities that are original, flexible, insightful, or unusually thorough (e.g., Treffinger et al., 2013). In the context of memory dump analysis, creativity can appear as novel approaches to analyzing a memory sample, custom program to parse or dump memory, unconventional, though effective sequencing of actions to extract data from memory, or synthesis of multiple programs to achieve the exercises objective(s).
The rubric defines creativity in the sample_definitions as “originality or depth beyond minimum: approach to timeline/IOCs, choice of plugins or analysis steps, or thoroughness of interpretation.” The same types of evidence as for critical thinking methodology, artifacts, and interpretation are used to judge quality and depth. However, creativity is addressed via optional review (expert or peer) and is not required for pass/fail of an exercise. Accordingly, the rubric acknowledges and allows assessment of creativity, though does not require it. Finally, every assignment does not have to demonstrate ‘original’ work or has to be graded on creativity.
The three creativity criteria below are strong, measurable, and aligned with the rubric’s definition of creativity. They are distinct from core critical thinking (correctness and reasoning) and are observable and defensible in a forensic task.
| Criterion | Purpose | Measurability / use |
|---|---|---|
| demonstrates_original_approach | Novel analysis path, insight, or hypothesis-driven investigation; unusual, though valid sequence or plugin. | Primary creativity indicator. Evidence: methodology and annotations. Example: correlating svcscan with malfind and netscan to infer C2 behavior. |
| extends_analysis_with_custom_or_advanced_tooling | Creation or use of scripts/plugins (or "develops_or_uses_custom_tooling": scripts, grep pipelines, external parsers). | Best as optional or high-tier so non-coders are not penalized if coding is not in scope. |
| provides_enhanced_interpretation_through_technical_depth | Thoroughness with justification: advanced flags, filters, correlations, visualization; must explain why, not just "more options." | Good when tied to purpose and insight (e.g., "applies_advanced_analysis_options_with_justification") to avoid rewarding verbosity over insight. |
The following table is the definition of what the rubric measures.
| Rubric Key | Component | Requirement | Evidence | Alignment |
|---|---|---|---|---|
| critical_thinking | methodology | Steps and order of analysis (e.g., image info, process list, network, persistence); which plugins were used and why; how output was triaged or filtered and what was considered relevant. | Methodology section. Minimal list of commands without justification does not demonstrate critical thinking. | Analysis, Explanation |
| critical_thinking | interpretation | Explain what the output means and why it matters. Annotations or commentary on key lines/artifacts; expected vs suspicious; connection between artifacts and objective. | Annotations, highlights, commentary (written responses in video), or a report. Unannotated screenshots or raw output alone do not demonstrate interpretation. | Interpretation, Evaluation |
| critical_thinking | evaluation_focus | (1) Methodology explains reasoning behind plugin choice and analysis sequence. (2) Submission shows interpretation of output. (3) If alternative tool used, justified by capability and outcome. | Methodology + annotated output + tool justification. | Evaluation, Self-regulation |
| critical_thinking | alternative_method | Optional: require tool selection capable of extracting/analyzing RAM artifacts; define success by outcome; require justification that tool meets objective. | Tool selection, justification, and submitted results meeting criterion. | Inference, Explanation |
| creativity | original_approach | Novel analysis path or hypothesis (timeline vs process list, specific IOC); order and choice of steps; insight beyond cookie-cutter plugin sequence. | Methodology and artifact choice. | demonstrates_original_approach |
| creativity | custom_or_advanced_tooling | Scripts, custom Volatility plugins, or automation; plugins beyond minimum; depth beyond basic imageinfo and pslist. | Methodology, submitted artifacts, code/scripts if present. | extends_analysis_with_custom_or_advanced_tooling |
| creativity | enhanced_interpretation | Filters, correlations between artifacts, or visualization; technical depth in explaining why findings matter. | Annotations, commentary, methodology. | provides_enhanced_interpretation_through_technical_depth |
Examining critical thinking and creativity will require the use of formal definitions of these skills to assess students. Use of formal definitions (as in this report and the cited literature) when designing assignments and rubrics will support consistency. Additionally, it must be determined where these two skills will be assessed in the curriculum. Exercises can require students to explore multiple tools that perform tasks relevant to the course. Once students have practiced with a variety of tools, an assignment at the “Competent” or “Advanced Beginner” level could be used to assess critical thinking or creativity. Accordingly, critical thinking and creativity does not have to be assessed in every assignment.
For example, students could be provided a memory dump from a non-standard computer such as a smart refrigerator. The video/report submission would be used to examine the critical thinking and creative process that went into examining the memory from a device they haven’t analyzed before and that the tools they used within the MCSI course weren’t necessarily designed to analyze.
Critical thinking is the intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing, and evaluating information from observation, experience, reflection, reasoning, or communication, as a guide to belief and action. Operationally it is characterized by interpretation, analysis, evaluation, inference, explanation, and self-regulation (Facione, 1990). Creativity is the generation or recognition of ideas, alternatives, or possibilities that are original, flexible, insightful, or unusually thorough (Treffinger et al., 2013). In this context it can appear as novel approaches to solving problems, unconventional but effective sequencing of actions, depth beyond standard expectations, and synthesis of multiple perspectives.
The Volatility memory dump rubric applies critical thinking by requiring a justified methodology (steps, order, plugin choice, triage), interpretation of output (what it means and why it matters, with annotations and connection to objectives), and, when applicable, reasoned justification of alternative tools by capability and outcome. Accordingly, the rubric operationalizes interpretation, analysis, evaluation, inference, and explanation through concrete, observable evidence in submissions. The rubric applies creativity by defining it as originality or depth beyond the minimum: original approach (e.g., timeline vs process list), custom or advanced tooling (scripts, extra plugins, automation), and enhanced interpretation (filters, correlations, visualization, technical depth). These creativity dimensions use the same kinds of evidence (methodology, artifacts, annotations), though are framed as optional, higher-order quality criteria rather than pass/fail requirements. The rubric definition table and the creativity criteria explain how these definitions map onto this exercise; the JSON rubric_definition_table and creativity_criteria mirror that structure.
Facione, P. A. (1990). Critical Thinking: A Statement of Expert Consensus for Purposes of Educational Assessment and Instruction. https://www.qcc.cuny.edu/SocialSciences/ppecorino/CT-Expert-Report.pdf
Sternberg, R. J., & Lubart, T. I. (1995). Defying the crowd: Cultivating creativity in a culture of conformity. New York: Free Press.
Treffinger, D. J., Schoonover, P. F., & Selby, E. C. (2021). Educating for creativity and innovation: A comprehensive guide for research-based practice. Routledge.
| Criterion | Alignment | Definition |
|---|---|---|
| Methodology & Reasoning | Analysis, Explanation | Whether the approach to the task is planned, sequenced, and justified — not ad hoc. Logical sequencing with explicit step rationale; description of triage and filtering decisions. |
| Interpretation of Output | Interpretation, Evaluation | Whether the output, findings, or deliverable content is explained in context — not presented raw. Annotations on key output lines; explicit expected vs. suspicious distinctions; connection to the objective. |
| Evaluation & Tool Justification | Evaluation, Inference, Self-regulation | Whether reasoning about method and tool choices is explicitly evaluated and justified. Reflective evaluation of choices and output interpretation; justification of tool selection. |
| Criterion | Definition |
|---|---|
| Originality | Novelty of the product or approach — unexpected or inventive use of ideas, structure, or method appropriate to the task. |
| Generation & Selection of Ideas | Evidence of generating or selecting ideas, methods, or tools beyond the bare minimum — e.g., additional features, extra tools or scripts, richer structure, justified tool choice, or automation. |
| Value / Usefulness | Usefulness for the client/task — thorough, justified interpretation of output or implications; explanation of why findings or choices matter; meeting task needs with technical depth. |
Each criterion is scored on a 0–4 scale:
| Score | Label | Definition |
|---|---|---|
| 4 | Fully accomplishes | Product/work fully accomplishes the criterion; highly unique or strong extension/value; clear, justified, complete; rationales correct; no extraneous information. |
| 3 | Accomplishes with minor gaps | Accomplishes the criterion; unique but predictable/conventional; viable with minor errors or rationale gaps. |
| 2 | Somewhat accomplishes | Partially meets requirements; gaps, errors, or lacks clarity. |
| 1 | Does not meet minimum | Critical evidence (results, rationale, required output) missing. |
| 0 | No evidence / No product | No progress or nothing that resembles a minimal response; no substantive procedure or submission. |