Forensic Process Active Lesson Plan

The active lesson plan considers the significance of the forensics process and its importance in delivering evidence that is admissible in a court of law. An overview video outlines the structure of the active lesson plan.

The defining characteristic of forensic investigations is that their results must be admissible in court. This entails following established procedures for acquiring, storing, and processing of the evidence, employing scientifically established analytical tools and methods, and strict adherence to a professional code of practice and conduct. CyBOK Forensic Knowledge Area. Pg 12.

Overview

This active lesson plan scaffolds and supports learners in understanding the importance of following a process to reliably produce a valid case. Learners consider flawed digital investigations before appreciating the strengths and significance of a strong digital investigation procedure. The rationale for the approach is to motivate learners to appreciate strong digital investigation procedures.

Structure

Learners complete FOUR blocks of activities that are designed to support them in understanding the importance of the digital investigation process. Learners are introduced to the significance of the forensic process through the following blocks of activities:

  1. Scientific Process. The first block of activities supports learners in understanding the scientific process and how it underpins a strong forensic process. Learners will also consider what makes a strong forensic process.

  2. Flawed Digital Investigations. Learners are expected to research and teach each other important aspects of the forensic process.

  3. Digital Investigation Stages. Learners will consider and apply the common stages of most digital investigation processes.

  4. Forensics Process. An overview of the forensic process is presented to learners.

Qualification Level

The active lesson plan can be adjusted to accommodate many of the United Kingdom qualification levels. In its current form the active lesson plan targets learners at Levels 6 and 7 on the Regulated Qualifications Framework (RQF) and Credit and Qualifications Framework (CQFW) in England and Wales, Levels 10 and 11 on the Scottish Credit and Qualifications Framework (SCQF) and Levels 6 and 7 on the European Qualifications Framework (EQF).

The active lesson plan neither expects nor requires an individual to possess significant knowledge of Computing Science, Mathematics or Law.

Case

The basis of the activities in the lesson plan is the Cuckoo's Egg.

Clifford Stoll, a research scientist, was working as a system administrator for the Lawrence Berkeley National Laboratory and was tasked by management to resolve an accounting error of 75 cents associated with unpaid computing usage. Stoll used a scientific process and thorough investigation to determine that the error was the result of an intrusion by a hacker in the employ of the Soviet Union.


Scientific Process of Digital Investigations

The FIRST block of activities supports learners in understanding the scientific process and how it underpins a strong forensic process. Learners will also consider what makes a strong forensic process.


Scientific Process

The session begins with a brief lecture on the forensics process and the importance of reproducibility, as well as the validity of the tools, procedures and actions taken.

Learners will use this material, together with the case study, to consider the major steps in the forensic process closely.

Instructions

The lecturer or instructor should:

  1. Present their own forensic process lecturette or provide it in advance for students to consider.

  2. Permit time for questions to address any misconceptions or issues with the material presented.


Produce Summary of Case Study

The lecturer or instructor should advise learners to produce a summary of the case that will act as the foundation for activities.

Optional: the lecturer or instructor can set this as an entry ticket activity, i.e. learners are required to complete it in advance of the session.

Materials


Overview of Cuckoo's Egg

The lecturer or instructor at this point should provide a brief summary of the Cuckoo's Egg to the class.

The motivation for providing the overview is:

Materials


What makes a good forensics process?

Learners consider the characteristics exhibited by strong and poor forensic processes.

Instructions

The lecturer or instructor should:

  1. Instruct learners to gather into groups of FOUR members and to assign each other a number within the range.

  2. Ask learners to consider the characteristics exhibited by strong and poor forensic processes.

  3. State a number and explain that the learner assigned that number will be given a few minutes to consider the problem, write down their answer and pass it to their neighbour.

  4. The process should continue until all group members have completed the task, taking no longer than 20 minutes in total, which represents a five-minute block for each student.

  5. Chair a discussion and ask learners to provide different characteristics of strong and weak forensic processes.

  6. Advise learners that in the subsequent activities the class are going to consider flawed digital investigations and how the forensic process did or did not contribute to the failure of the investigation.


Flawed Digital Investigations

The SECOND block is designed to support learners in considering the processes used in flawed digital investigations and how such processes contribute to the failure of the investigation.

Learners are to form start-up firms and to participate in a Jigsaw Active Learning design to research and teach each other the different characteristics of the forensic process through consideration of flawed digital investigations.

Instructions

The lecturer or instructor should:

  1. Advise learners that they should self-organise into start-up firms of FIVE or FOUR members and, if they are unable to, make themselves known to the lecturer.

  2. Issue the activity sheet and explain that teams are required to investigate and consider the cases provided and the characteristics of the forensic process.

  3. Teams should consider the cases provided (or other cases the team have sourced) and the forensics process from specific perspectives - each member of the team acts as the EXPERT for that perspective.

  4. EXPERTS should spend time considering the aspect in more detail before meeting with the same experts from other teams, i.e. those considering the same perspective but potentially for a different case.

  5. EXPERTS should discuss their perspective, share research and consolidate understanding before returning to their own teams and teaching them about the specific perspective they have considered.

Materials


Digital Investigation Stages

The THIRD block of activities is designed to support learners in considering the common stages in most digital investigation procedures as well as appraising the case.


Beat the clock: Assembling Concept Maps of Forensic Process

Learners review the constituent elements of different stages of the forensics process. Learners will initially assemble a concept map, then attempt to beat their previous time.

Instructions

The lecturer or instructor should:

  1. Issue the activity sheet to support and guide learners through the activity.

  2. Advise learners to self-organise into pairs and that they are going to construct concept maps of the specific stages and steps in a standard digital investigation procedure.

  3. Advise pairs that they have up to FIVE minutes to assemble each concept map for a given stage. The lecturer will advise when ONE minute remains and, when time elapses, the class will move on to the next stage, until all stages are complete.

  4. The class will then reset and the process will begin again, but this time pairs have to complete each stage as quickly as possible. Upon completion of all stages, the pair should signal so that the lecturer can confirm their entry and record their time.

  5. Advise the class of the overall winners of the competition by considering the pairs that performed best across all the stages.

Materials


Appraising the Cuckoo's Egg Investigation

Learners consider and appraise the case of the Cuckoo's Egg using the qualities of a digital investigation and application of concept maps (generated from the prior activity).

Instructions

The lecturer or instructor should:

  1. Issue the activity sheet to support and guide learners through the activity.

  2. Advise learners they have 30 minutes to consider the Cuckoo's Egg case again and apply the previously generated concept maps to the investigation.

  3. Advise learners they are to produce an appraisal that does not exceed TWO pages or 500 words from the perspectives of Data Provenance and Integrity, Scientific Methodology, Tool Validation, Forensic Procedure and Triage.

  4. Learners should submit the appraisals to the virtual learning environment.

Materials


Forensics Process

The important characteristics of the forensics process as discussed in the CyBOK are presented to the class and related back to the activities that have been conducted throughout the lesson.

Instructions

The lecturer or instructor should:

  1. Present their own overview of the important characteristics of the forensics process for the purposes of digital investigations.

  2. Ask the class if they have any questions or do not understand any aspect of what was covered in the session.

  3. Ask learners to complete the Quad Fold Activity.

Materials