This active lesson plan considers artifact analysis from the perspective of applying hash functions to authenticate evidence and identify contraband as well as how hash functions can be used to filter and triage data as part of an investigation. A overview video outlines the structure of the active lesson plan.
Cryptographic hashing is the first tool of choice when investigating any case; it provides a basic means of validating data integrity and identifying known artifacts. Recall that a hash function takes an arbitrary string of binary data and produces a number, often referred to as a digest, within a predefined range. Ideally, given a set of different inputs, the hash function will map them onto different outputs. CyBOK Forensics Knowledge Area P(28)
Learners complete FIVE blocks of activities that are designed to support them in developing understanding and awareness of applying hash functions in forensics. Using a real-world case as a staring point, instructors support learning through the following activity blocks:
Overview of Hash Functions. The first block of activities supports learners in understanding some of the applications and qualities of hash functions from consideration of actual cases.
Authentication of Evidence. The second block of activities supports learners in appreciating the use of hash function in terms of authentication of evidence.
Identification of Contraband. The third block of activities are designed around supporting learners in appreciating how hash functions can be used in forensics to identify contraband.
Same vs Similar. The fourth block of activities are designed to support learners in appreciating the opportunities and challenges in applying hash functions to support digital investigations.
Hash Functions in Forensics. The fifth and final block is designed to conclude the active lesson plan and align material with that presented in the CyBOK.
The active lesson plan can be adjusted to accommodate many of the United Kingdom qualification levels. In its current form the active lesson plan is targeting learners at Levels 6 and 7 on the Regulated Qualifications Framework (RQF) and Credit and Qualifications Framework (CQFW) in England and Wales, Levels 10 and 11 on the Scottish Credit and Qualifications Framework (SCQF) and Levels 6 and 7 on European Qualifications Framework (EQF).
The active lesson plan does not expect nor require an individual to posses significant knowledge in Computing Science, Mathematics or Law.
The FIRST block of activities supports learners in understanding some of the applications and qualities of hash functions from consideration of actual cases.
The block is structured as follows:
Hash Function [Presentation]. Instructor provides a brief lecture on the significant concepts of hash functions and how they relate to forensics.
Produce Summary of Case and Use of Hash Functions [Assignment]. Learners are required to produce a summary of a selected case and its use of hash function(s).
Presentation to Class [Activity]. Teams are to present a summary of their selected case and its use of hash function(s).
Identify Application and Qualities of Hash Functions discussed in Cases [Activity]. Teams are required to identify common applications and qualities of hash function(s) across the cases presented.
Class Collective on Application and Qualities of Hash Functions [Activity]. The class collectively discuss and debate the various applications and qualities of hash functions prior to agreeing on a set of applications and qualities.
Summary on Applications and Qualities of Hash functions [Presentation]. The lecturer or instructor provides an overview of the applications and qualities of hash functions as they relate to forensics.
The session begins with a brief lecture on the significant concepts of hash functions in forensics, in terms of the ability to take an arbitrary- element in the world and compress it to a fixed-length string.
Learners will use this knowledge in the consideration of court cases to begin to consider what the potential applications are for such a function in the world of digital forensics.
The lecturer or instructor should:
Present their own hash function lecture or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
The lecturer or instructor should set learners the assignment to produce a summary of the case that will act as the foundation for activities. The assignment will act as an entry ticket assignment and those learners that do not complete the assignment are not able to participate in the session or miss the opportunity to gain course credit.
Optional: the instructor can set the assignment as an activity at the start of the session.
The class will learn about the various different cases from the perspective of how hash functions are used as part of court cases.
The class should take notes during the session to support a subsequent activity in identifying emerging themes.
The lecturer or instructor should:
Prepare the presentations collected from teams, produce a running order and advise teams in advance.
Advise teams they have FIVE minutes to give their presentation. The team will be given a ONE minute warning and will be clapped off at the end of their allocated time. Teams should be advised they will not be expected to take questions but may be called upon in subsequent discussions.
Advise teams that they all have to speak and to consider how they will pass between members efficiently.
Advise teams that presentation slide decks will be made available after the session, but learners should still take notes to support subsequent activities.
Use a stopwatch and commence the presentations with teams.
Teams will use their collective notes and other team presentations to identify the different applications in terms of how hash functions are used as part of court cases.
The lecturer or instructor should:
Advise teams to identify at least TWO common applications of how hash function are used in cases that the team has devised from watching the presentations.
As teams discuss, the lecturer or instructor should wander between them to observe discussion and actions.
Issue a ONE minute warning that teams should finalise their identified applications. Pause the discussion and convene the class after the time has elapsed.
Advise teams now they have to identify at least THREE desirable qualities that such hash function should exhibit that would underpin the applications they have identified.
As teams discuss, the lecturer or instructor should wander between them to observe discussion and actions.
Advise teams, they should now spend FIVE minutes produce a single presentation slide that briefly captures the applications and qualities.
Issue a ONE minute warning that teams should finalise their identified presentation slide.
As teams discuss, the lecturer or instructor should wander between them to observe discussion and actions.
Collect the presentation slides from teams in preparation of the next activity.
Teams will present the themes they have identified from the previous activity as well as engage in a discussion with the rest of the class.
The lecturer or instructor should:
Use a random number generator to randomly select pairs to present. The lecturer may favour to select pairs on what they have observed as to shape the discussion in a particular direction.
Advise teams have TWO minutes to present the applications they have identified from the prior presentation as well as desirable qualities.
Select ONE of the applications OR qualities to discuss with the wider class and ask for their comments and thoughts.
Continue to ask for teams to present either based on the discussion or what they have observed when teams were producing their slides or using a random number generator. The instructor should osciliate between considering of hash applications and qualities.
The lecturer or instructor should provide a brief overview of the themes identified in the prior activities and relate them to the already established material that is presented and discussed in the CyBOK.
The lecturer or instructor should:
Advise learners of some of the application and qualities of hash functions that have emerged from consideration of all the various cases.
Relate the applications and qualities of hash functions to those presented and discussed in CyBOK.
Provide space for learners to raise any questions or address any gaps in understanding.
The SECOND block of activities supports learners in appreciating the use of hash function in terms of authentication of evidence.
The block is structured as follows:
Overview of Using Hash Functions for Authentication [Presentation]. Instructor provides a brief lecture on the use of hash function for the authentication of evidence.
Mapping to a Fixed-space [Activity]. Learners participate in an activity that afford understanding of how many elements in the world are mapped to a fixed-space for various reason.
Limits of Fixed-space [Activity]. Learners participate in an activity design to appreciate the limits of a fixed-space and the probability of collisions.
Overview of Richard Miller Vs State of Missouri [Presentation]. Learners consider a legal case that highlights the limits of DNA testing.
Reflecting on the Limits of Fixed-space [Activity]. Learners are expected to reflect on previous activities to appreciate the concept of collisions and significance for forensics.
Collisions [Presentation]. The lecturer or instructor provides an overview of the concept of collisions and relates it back to the CyBOK.
The session begins with a brief lecture on the significant concepts of using hash functions for authentication of evidence.
Learners will use this material as well as consideration of other traditional evidence in physical crimes to appreciate the use of hash functions for authentication of evidence.
The lecturer or instructor should:
Present their own using hash functions for authentication of evidence lecture or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
The class will learn about the long established concept of discerning one element of evidence from another and how authentication is a central aspect of any court case.
The present block will support learners in making connections between common elements and relating to the present topic.
The lecturer or instructor should:
Examples include: - Book (International Standard Book Number) - Toy Gun (Firearm serial number) - National Insurance Card (NI Number) - Currency note (Currency cypher or serial number) - Toy Car (Vehicle Identification Number)
The lecturer should then advise that they have a bag of goodies that relates to the topic.
Assign a number to each learner in the class (e.g. attendance list with number assigned to each student). Use a random number generator to select a learner.
Advise the randomly selected learner that they can identify two peers to join them.
The randomly selected student is then advised to draw an item from the bag.
The trio are then permitted ONE minute to huddle and determine how the object relates to the topic.
After time has elapsed, advise the trio of learners to tell the class how the item relates to the topic today and to sit down.
The instructor should continue until the bag is empty or cease when it has became obvious what the common theme is between the items.
The instructor should advise how each item they placed in the bag relates to the topic.
The following activity is designed to focus the attention of learners on the limits of mapping to a fixed-space and concern of collisions.
Learners will use the experience of the activity as a foundation for subsequent activities that are designed to cement the concept of collision-resistance and significance in forensics.
The lecturer or instructor should:
Advise learners to form groups of no less than FIVE members and no more than SIX members.
Advise the self-organised teams to identify a leader.
Advise team leaders that they have to assign roles of writer, runner and point manager.
Issue each team with a distinct number.
Ask the class a trivia question from the collection. Advise teams they have ONE minute to determine their answer, write it on the sticky note, write their group number on the back and get it to the front of the room.
Use a stopwatch, issue a 10 second warning prior to the time ending. Any team not able to get their stick note on the board before time has elapsed receives ZERO points for that question.
Advise the class of the answer and then review the answers as well as allocating points.
Continue until all questions are complete or the primary lesson (regarding probability of collisions of collisions has been made).
Upon completion of activity relate the questions and answer back to the concept of probability of collisions.
Tally points, identify winners and allow them, in descending order, to select their prizes.
The lecturer or instructor at this point should provide a brief summary of the Richard Miller Vs State of Missouri case to the class.
The motivation for providing the overview is:
relate the activities considered previously to the limits of mapping to a fixed-space as well as significance to forensics.
address any misconceptions or gaps in understanding that students may have developed so far in the lesson.
The aim is for learners to consolidate the outcomes of the prior blocks and relate them back to using hash functions to authenticate evidence and primary conceptual concerns in the application of hash functions.
The lecturer or instructor should:
Issue the reflection questions to learners.
Advise students that they are expected to answer TWO questions and have FIVE minute window to do so, and that a ONE minute warning will be advised at the end of each window.
Ask the learners to anonymously write their answers on a piece of A4 paper.
Advise that you want learners that both answers must not exceed a single-side of the A4 page.
Advise learners are expected to reflect on the prior activities and consider how they relate to the concept of using hash functions to authenticate evidence.
After time has elapsed, advise the learners to discuss their answers with their peers in groups.
As the groups discuss, wander between groups and discuss the answers produced by individuals in the group.
Convene the class and briefly discuss the questions and the answers you have observed while wandering between groups.
Collect the answers generated by learners.
The aim is to familiarise learners with the collision resistant and the significance to hash functions and forensics.
The lecturer or instructor should:
Present material around the concept of collisions and hash functions.
Provide an opportunity for learners to address questions and/or address any misconceptions.
The THIRD block of activities are designed around supporting learners in appreciating how hash functions can be used in forensics to identify contraband.
The block is structured as follows:
Overview of Using Hash Functions to Search for Contraband [Presentation]. Instructor provides a brief lecture on the significant concepts on the application of hash function to identify contrabands in corpora.
Case Study: Apple Inc Child Sex Abuse Material (CSAM) solution [Activity]. Instructor progresses the session with a video to engage in the difficult topic of contraband, searching and identification.
Produce Summary of Research Paper [Assignment]. Learners are required to produce a summary of the research paper being considered in the class.
Overview of Research Paper [Presentation]. Instructor provides an overview of the research paper to the class to ensure every learner is starting from the same point.
Class Debate: Digital Dog Sniff [Activity]. Structured classroom debate around the concerns of conducting live analysis of main memory or not.
Personal Reflection on Digital Dog Sniff Class Debate [Assignment]. Opportunity for individual learners to reflect on the structured classroom debate.
Collective Reflection on the Digital Dog Sniff debate [Activity]. Class-wide consideration and reflection of the structured classroom debate.
Summary on Using Hash Functions to Search for Contraband [Presentation]. Conclude the session and motivate learners to consider the evidence collected by the class as whole as well as relate it back to the CyBOK.
The session begins with a brief lecture on the significant concepts of using hash functions to search or identify contraband within corpora.
Learners will use this knowledge to appreciate the upcoming challenges in terms of legal and privacy concerns as part of digital investigations.
The lecturer or instructor should:
Present their own lecture on the use of hash functions to identify contraband or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
The aim is for learners to engage with the topic of identifying contraband in corpora and consider aspects such as appropriate consent and authorisation, searching and identification as well as legal protections from possessing contraband.
The lecturer or instructor should:
Advise learners they are going to watch an interview between a journalist and Apple Inc representative on the deployment of a solution that, in-part, identifies contraband with corpora using hash functions.
Advise learners to consider or focus on the approach of the Apple Inc representative to maintain audience focus on the concept of contraband, privacy protection and the difference between searching and identification.
Advise learners they have FIVE minutes to reflect on the interview and to make some notes in terms of immediate observations both the perspectives of individual users and from wider society in terms of detecting contraband on devices.
Collect notes from learners via an appropriate platform, such as a virtual learning environment, or physical notes. Advise students to ensure they have identified themselves on the notes, so that they can be returned.
The aim is for the present activity to act as practice for a structured classroom debate.
The lecturer or instructor should:
Advise learners that the class is going to debate the merits of the solution proposed by Apple Inc to detect contraband.
Issue the practice debate activity sheet.
Issue notes previously collected from learners that they generated from reflecting on the prior interview with the Apple representative.
Randomly label learners, either A or B, and advise them to self-organise into pairs of A and B.
Advise all learners labelled 'A' that they have to advocate the position that such a system should be deployed. Consequently, all learners labelled 'B' are to adopt the position that such a system should not be deployed.
Advise the class that pairs they have 30 minutes to prepare their arguments for their position and they will be provided with a FIVE warning before time elapses. After time has elapsed pairs will be numbered and selected at random to make their position clear to the class. Each learner will have FOUR minutes to make their argument to the class. Their partner will review and provide feedback to their partner before the wider class to do the same.
Use a random number generator to randomly select pairs to present. The lecturer may favour to select pairs on what they have observed, rather than randomly, to demonstrate and discuss with the entire class any novel insights or gaps in understanding.
Ask the partner of the leaner to provide feedback inline with guidance on the activity sheet.
Open the question to the wider class, do not use an audience response system for the activity. Ask the class to raise their hand to offer any feedback to the learner in line with the guidance on the activity sheet.
Advise the partner of the learner, it is now their time to provide their position.
Repeat process of asking the respective partner to provide feedback and then the class.
Identify another pair to perform the debate, continue in this fashion until a sufficient number of perspectives and positions have been considered.
Reflect on the debate as a whole with the class. Provide general feedback in terms of the debate that has been so far witnessed.
Conclude activity by advising learners the present activity was a practice debate to get feedback and will be helpful for subsequent activities.
The lecturer or instructor should set learners the assignment to produce a summary of the case that will act as the foundation for activities. The assignment will act as an entry ticket assignment and those learners that do not complete the assignment are not able to participate in the session or miss the opportunity to gain course credit.
Optional: the instructor can set the assignment as an activity at the start of the session.
The lecturer or instructor at this point should provide a brief summary of the Fourth Amendment Search and the Power of the Hash research paper to the class.
The motivation for providing the overview is:
address any misconceptions or gaps in understanding that students may have developed when considering the case in advance.
support those students that have no adequately considered the case in advance as to ensure they can effectively contribute to the activity.
Learners will form teams and participate in a class debate. The aim is to provide an opportunity for learners to develop skills and gain insight into the nuances and legal concerns when applying hash functions in the context of forensics.
The lecturer or instructor should:
Allocate learners to teams or advise them to self-organise into teams of no more than FOUR members and no less than THREE members. Assign each team a number and issue the class debate activity task sheet.
Advise teams of the position and inform teams that odd numbered teams should tackle the affirmative position while even numbered teams have to adopt the negative position.
After teams have been given sufficient time and space to prepare for the debate use a random number generator to randomly select an odd and even team to present.
Advise teams that the broad structure of the debate. Teams will initially present primary arguments, followed by secondary arguments and then rebuttals.
Inform the class that they are expected to listen respectfully to the arguments presented by both teams and they should make notes to support subsequent activities.
Advise the odd numbered team to take the floor, collect their evidence for their primary arguments and advise them to provide a copy for the opposing team. Inform the presenting team they have THREE minutes to present primary arguments and they will receive a 30 second warning when time is about to elapse.
Invite the class to clap the team off the flour and then advise the even numbered team to take the floor collect their evidence for their arguments and advise them to provide a copy for the opposing team. Inform the presenting team they have THREE minutes to present primary arguments and they will receive a 30 second warning when time is about to elapse.
Advise the odd numbered team to retake the floor, collect their evidence for secondary arguments and advise them to provide a copy to the opposing team. Inform the presenting team they have THREE minutes to present secondary arguments and they will receive a 30 second warning when time is about to elapse. Advise the team they may also want to start rebuttal of some of the primary points of the opposing team, but do not tackle the points directly at this stage.
Invite the class to clap the team off the flour and then advise the even numbered team to take the floor collect their evidence for their arguments and advise them to provide a copy for the opposing team. Inform the presenting team they have THREE minutes to present primary arguments and they will receive a 30 second warning when time is about to elapse. Advise the team they may also want to start rebuttal of some of the primary points of the opposing team, but do not tackle the points directly at this stage.
Advise the even numbered team to take the floor for the last time. Advise the team they have THREE minutes to respond directly to the points made by the opposing team and present their closing arguments.
Invite the class to clap the team off the flour and then advise the odd numbered team to take the floor for the last time. Advise the team they also have THREE minutes to respond directly to the points made by the opposing team and present their closing arguments.
Thank both teams and repeat the process with different teams for a few more cycles until the central learning outcomes have been achieved.
Invite the class to clap and thank the presenters one more time. Advise the class they have TEN minutes to consolidate any ideas and notes from the session as such notes will support subsequent activities.
Collect all the evidence and summaries from the remaining teams that did not present in the session. The material will be made available to the class as a whole for subsequent activities.
Learners are given the opportunity to reflect on the class debate as to reflect on the skills develop but also to mitigate against the free-rider problem.
The lecturer or instructor should:
Advise learners they are going to reflect on the activities they have completed so far in the lesson plan and are expected to submit an individual essay of no more than 1500 words.
The individual essay should reflect their own position on the topic tackled in prior sessions. Individuals are expected to drawn on the experience of the debates as well as the evidence they collected as part of a team, the evidence collected by their team as a whole as well as the evidence collected by other teams.
Advise learners that all the evidence collected from teams will be available via the virtual learning environment or appropriate service. Advise learners they should exhibit independent and critical thought by contrasting the evidence provided by others with the evidence they sourced.
Advise learners submission instructions and process are detailed in the debate reflection specification.
Learners are exposed to different perspectives and opinions in terms of the material presented, evidence sourced as well as remarks made by peers. The expectation is the opportunities the activity presents will further develop learner skills as well as widen understanding of the problem.
The lecturer or instructor should:
Summarises the central arguments presented during the debate as well as present some of the evidence submitted by the cohort.
Critique the evidence supplied by teams in terms of relevance, source, and overall quality.
Expose and emphasise the different remarks made by teams during the debate session.
Provide space as well as opportunity for learners to present their own questions or opinions and remarks.
Provide an opportunity for learners to ask any remaining questions or concerns regarding the debate itself.
The aim is to conclude the session and motivate learners to consider the evidence collected by the class as whole as well as relate it back to the CyBOK.
The lecturer or instructor should:
Briefly present again their own lecture on the use of hash functions to identify contraband or provide it in advance for students to consider.
Relate the presented material to the arguments, remarks and evidence provided by learners during the class debate.
Provide an opportunity for learners to address questions and/or address any misconceptions.
The FOURTH block of activities are designed to support learners in appreciating the opportunities and challenges in applying hash functions to support digital investigations.
The block is structured as follows:
Avalanche Effect [Presentation]. Instructor provides a brief lecture on the concept of the avalanche effect and its relevance to the use of hash functions in digital forensics.
Block v File Analysis [Activity]. Learners consider the application of hash functions to identify fragments of files as well as complete files.
Produce Summary of Case [Assignment]. Learners produce a summary of two cases that will act as the basis for subsequent activities.
Overview of Case [Presentation]. Lecturer or instructor to provide an overview of the cases as to ensure all learners are starting with the same knowledge.
Approximate Matching [Activity]. Learners then consider the concept of using hash functions to identify potentially similar files.
Resemblance and Containment [Activity]. Learners consider the significant concepts of resemblance and containment as it relates to approximate matching.
Tailoring to the Task [Presentation]. Teams then tailor matching solutions to the given task.
Instructor provides a brief lecture on the concept of the avalanche effect and its relevance to the use of hash functions in digital forensics.
Learners will use this material to appreciate the limitations of hash function regards considering a single file or exact match.
The lecturer or instructor should:
Present their own admissibility lecture or provide in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
The lecturer or instructor should set learners the assignment to produce a summary of the case that will act as the foundation for activities. The assignment will act as an entry ticket assignment and those learners that do not complete the assignment are not able to participate in the session or miss the opportunity to gain course credit.
Optional: the instructor can set the assignment as an activity at the start of the session.
Pairs are going to manually execute a process to confirm if a file exists within a corpus. Pairs will then manually execute a process to determine if any very similar files exist in the corpus.
The lecturer or instructor should:
Advise learners they are to self-organise into pairs.
Issue the File Analysis Activity Sheet that will support and guide learners.
Advise pairs they have TEN minutes to manually step through the first algorithm and determine if the given file exists. Issue a ONE minute warning when time has nearly elapsed.
As pairs execute the process and execute them, wander between them and identifying interesting points being raised in activity.
Open an audience response system activity, such as Mentimeter, ask pairs to vote whether the file exists in the corpus or not.
The class poll is expected to confirm the file is not in corpus as strictly speaking the final is not present. The expectation is that some pairs will state the file is present as a very similar file is present in the corpus.
Ask the class if any of the pairs did identify the file or believe it is in the corpus. If not pair engages then initiate a discussion to tease out comments from the audience regarding the fact that a very similar file exists but the exact file.
Issue the Block Analysis Activity Sheet that will support and guide learners.
Advise pairs they have 30 minutes to manually step through the first algorithm and determine if the given file exists. Issue a FIVE minute warning when time has nearly elapsed.
As pairs devise algorithms and execute them, wander between them and identifying interesting points being raised in activity.
Open an audience response system activity, such as Mentimeter, ask pairs to vote whether the file exists in the corpus or not.
Advise learners they have FIVE minutes to reflect on the activity, relate back to prior activity and make notes. Suggest to learners they reflect on the significance of the avalanche effect and the impact it has in terms of file and block analysis.
Permit time for questions to address any misconceptions or issues with the material presented.
The lecturer or instructor should provide a brief summary of the Temple Island Collections Limited and (1) New English Teas Limited (2) Nicholas John Houghton case to the class.
The motivation for providing the overview is to:
address any misconceptions or gaps in understanding that students may have developed when considering the case in advance.
support those students that have no adequately considered the case in advance as to ensure they can effectively contribute to the activity.
Learners will form firms recruited by the case prosecutor. Firms have been tasked with devising and communicating an algorithm that will confirm that a given image is approximately similar to the one in the question.
The expectation the activity will scaffold learners to gain insight into the different types of approximate matching.
The lecturer or instructor should:
Issue the activity sheet that will support and guide learners.
Advise learners to self-organise into groups of no more than FOUR members.
Advise teams they have to devise an algorithm to demonstrates that the images in question are approximately very similar.
Advise teams that they have to produce a slide detailing their solution that they will subsequently present to class.
Advise teams to exchange their solution with another group. Groups should execute the solution they receive from the other group.
As groups devise algorithms and execute them, wander between groups and identifying interesting points being raised in activity.
The class will learn about the different algorithms devised by groups to demonstrate that the images in question are approximately similar.
The class should take notes during the session to support a subsequent activity in identifying emerging themes.
The lecturer or instructor should:
Prepare the presentations collected from teams, produce a running order and advise teams in advance.
Advise teams they have FIVE minutes to give their presentation. The team will be given a ONE minute warning and will be clapped off at the end of their allocated time. Teams should be advised they will not be expected to take questions but may be called upon in subsequent discussions.
Advise teams that they all have to speak and to consider how they will pass between members efficiently.
Advise teams that presentation slide decks will be made available after the session, but learners should still take notes to support subsequent activities.
Use a stopwatch and commence the presentations with teams.
Teams will use collective notes, the team solution and the solutions presented from other teams to identify themes and distinct aspects of solutions to the problem.
The lecturer or instructor should:
Advise teams that they are to produce a ONE slide presentation that covers at least THREE emerging themes that the team has devised from watching the presentations.
Advise teams they should also identify at least ONE novel aspect or divergence between the different solutions.
As teams produce their slides, the lecturer should wander between groups to observe discussion and actions.
Collect the presentation slides from teams in preparation of the next activity.
Teams will present the themes they have identified from the previous activity as well as engage in a discussion with the rest of the class.
The lecturer or instructor should:
Use a random number generator to randomly select pairs to present. The lecturer may favour to select pairs on what they have observed as to shape the discussion in a particular direction.
Advise teams have TWO minutes to present the themes they have identified as well as any divergences.
Select ONE of the themes or divergences to discuss with the wider class and ask for their comments and thoughts.
Continue to ask for teams to present either based on the discussion or what they have observed when teams were producing their slides or using a random number generator.
Shape discussion around the concepts of resemblance and containment as well as how different similarity classification approaches can be broadly categorised as bytewise, syntactic and semantic.
Open an audience response system activity, such as Mentimeter. For each presented solution ask teams to vote whether the solution can be categorised as an of bytewise, syntactic and semantic matching or something else.
Review results of class and discuss results with the cohort. Advise learners to spend FIVE minutes reflecting on the activities and to make notes.
Permit time for questions to address any misconceptions or issues with the material presented.
The block should conclude by relating the outcomes from the prior activities to material in the CyBOK. Specifically, the lecturer or instructor should cover the significant concepts of resemblance and containment as well as how different approximate matching algorithms can be classed.
The lecturer or instructor should:
Present their own lecture on the importance of guidelines or provide material in advance for learners to consider.
Relate the material presented back to the forensic sources interesting to forensics investigators documented in the CyBOK.
Consolidate themes from the prior activities and frame in the context of resemblance and containment. Highlight classification of approaches based on bytewise, syntactic and semantic and how all these factors have to be considered and tailored to the specific investigation and/or context.
Permit time for questions to address any misconceptions or issues with the material presented.
The FIFTH block is designed to conclude the active lesson plan and align material with that presented in the CyBOK.
The lecturer or instructor should:
Present the guidelines in greater depth that are presented and discussed in the CyBOK.
Ask the class if they have any questions or do not any aspect of what was covered in the session.
Ask learners to complete the Quad Fold Activity.