This active lesson plan considers the challenges and opportunities that cloud computing represents to forensic investigations and investigators. Learners need are afforded the opportunity to appreciate the transition in forensics from considering single systems to distributed systems that comprises of many elements and connections.
The activity plan is designed to support learners in appreciating the fundamental characteristics of cloud computing, how these differ from the traditional model and how this presents opportunities and obstacle for forensics. An overview video outlines the structure of the active lesson plan.
Cloud computing is fast emerging as the primary model for delivering information technology (IT) services to Internet-connected devices. It brings both disruptive challenges for current forensic tools, methods and processes, as well as qualitatively new forensic opportunities. CyBOK Forensics Knowledge Area P(24)
Learners complete FOUR blocks of activities that are designed to support them in appreciating the opportunities and obstacles for forensics in distributed systems. Using cloud computing as the basis, instructors support learning through the following activity blocks:
Cloud Computing and Forensics. The first block of activities is designed to support learners in cementing foundation in understanding the fundamentals of cloud computing and how these relate to forensics.
Forensic Challenges in the Cloud. The second block of activities is focused on supporting learners in developing an awareness of the opportunities and challenges that cloud computing represents to forensics.
Software-as-a-Service (SaaS) Forensics. The third block of activities affords learners the opportunity to gain insight into apply outcomes from prior activities to artifacts in the cloud.
Cloud Application Forensics. The fourth and final block is designed to conclude the active lesson plan and align material with that presented in the CyBOK.
The active lesson plan can be adjusted to accommodate many of the United Kingdom qualification levels. In its current form the active lesson plan is targeting learners at Levels 6 and 7 on the Regulated Qualifications Framework (RQF) and Credit and Qualifications Framework (CQFW) in England and Wales, Levels 10 and 11 on the Scottish Credit and Qualifications Framework (SCQF) and Levels 6 and 7 on European Qualifications Framework (EQF).
The active lesson plan does not expect nor require an individual to posses significant knowledge in Computing Science, Mathematics or Law.
The FIRST block of activities is designed to support learners in cementing foundation in understanding the fundamentals of cloud computing and how these relate to forensics.
The block is structured as follows:
Forensics in the Cloud [Presentation]. The lecturer or instructor provides a brief lecture on the central concepts and principles of cloud computing and how these represent challenges as well as opportunities for forensic investigators.
Five Facts about Cloud Computing [Activity]. Learners are given the opportunity to reflect on their prior knowledge and experience of cloud computing. The rationale is to engage and excite at the start of lesson plan.
Coverage of Cloud Basics [Presentation]. The lecturer or instructor ensures a foundation for all learners with coverage of cloud basic shaped by the prior knowledge of the class.
The session begins with a brief lecture on the significant concepts of Forensics in the Cloud, in terms of the central concepts and principles of cloud computing and how these represent challenges as well as opportunities for forensic investigators.
Learners will use this material in subsequent activities to begin to appreciate the significance challenges that cloud computing presents to digital investigations.
The lecturer or instructor should:
Present their own information processing lecture or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
Learners will initially consider five facts they know about cloud computing. The rationale behind the activity is for students to engage and consider the prior knowledge they have on the topic.
The lecturer or instructor should:
Organise the class so that leaners are organised into groups with EIGHT members.
Issue learners with five index cards and advise them to number the index cards one to five.
Advise leaners they have 10 minutes to write five concepts or facts they know about cloud computing, one for every card. Advise learners they may phone or text a friend not in the class to help them complete the activity. Issue a ONE minute warning when time is about to elapse.
After time elapses ask learners to form pairs and determine if they have any matches. Advise learners to set aside cards that do not match.
After sufficient time has elapsed ask the pairs to join with another pair at tables to form a group of FOUR members. Ask pairs to determine, if any of their matched cards match any of the matched cards of the other pair.
After sufficient time has elapsed again ask the TWO groups of FOUR members to collapse into a group of EIGHT members. Advise the table to compare their matched cards of both comprising groups and tally their score.
Wander between groups collect their scores and check the index cards.
Advise the class of the leaderboard in terms of matched concept and reward the top three tables with a small reward to recognise achievement.
The lecturer or instructor should give a brief lecture on cloud computing material that relates the prior knowledge demonstrated by learns with relevant material in the CyBOK.
The lecturer or instructor should:
Collate the concepts and knowledge from the cards collected in the prior activity and use it to shape the lecture.
Present their own cloud computing lecture or provide it in advance for students to consider that is aligned with relevant material in the CyBOK on cloud computing, specifically the essential characteristics, service models, cloud service providers and their responsibilities.
Refer and steer lecture in line with the knowledge and concepts gain from the index cards.
Permit time for questions to address any misconceptions or issues with the material presented.
The SECOND block of activities is focused on supporting learners in developing an awareness of the opportunities and challenges that cloud computing represents to forensics.
The block is structured as follows:
Responsibilities in the Cloud [Activity]. Pairs initially consider the responsibilities of clients and providers in the service context.
Single System versus Distributed Systems [Activity]. Learners consider the differences and similarities between forensic investigations on traditional single systems versus distributed systems.
Forensic Challenges in the Cloud [Presentation]. The lecturer or instructor delivers a brief lecture on the primary challenges in conducting forensics in a distributed environment.
Learners will form pairs in this activity initially to consider the typical structure of a cloud computing environment before moving onto to consider the responsibilities of customers and clients for different service models.
The rationale is that this should support learners in appreciating the significant challenges of data ownership and service responsibility and how this impacts on forensics.
The lecturer or instructor should:
Issue learners the Responsibilities in the Cloud Activity Sheet.
Recap material on cloud service providers, specifically in terms of the different terms of Software-as-a-Service (SaaS), Platform-as-a-Service(PaaS) and Infrastructure-as-a-Service (IaaS).
Advise the learners they have been issued with the typical layers of the cloud computing environment. Advise them they have FIVE minutes to organise the layers from top to bottom.
After time has elapsed advise learners to form pairs and spend another FIVE minutes sharing and refining their arrangement of the layers. Advise learners to discuss any difference and attempt to form an agreed structure.
After time has elapsed, use an audience response system, such as Mentimeter, and present three or more different arrangements of the layers. Ask the class to vote on the arrangement they think is most accurate.
Advise learners of the outcome and communicate the significance of each of the layers as well as emphasis the significance of data ownership and service responsibilities as indicated in the CyBOK.
Advise learners they not have 15 minutes on their own to determine service responsibilities and data ownership for two actors, the customer and the cloud service provider, for each of the previously discussed service models. Learners should spend FIVE minutes on each service model.
After time has elapsed advise learners to form pairs and spend another FIVE minutes sharing and refining their perception of who is responsible in each of the service models.
After time elapses, use a random number generator to select pairs to present.
Use a few pairs for each of the service models and ask the pairs to present their rationale and thinking.
For each of the service models, address any misconceptions and emphasise the correct solution.
Permit time for questions to address any misconceptions or issues with the material presented.
The lecture or instructor provides an opportunity for learners to engage and consider the differences and similarities between forensic investigations that would typically occur on a single system, for example a mobile phone or laptop, and that of a cloud computing environment, that is an environment comprising of many different elements and connections.
The lecturer or instructor should:
Advise learners that they are going to ask a question and all learners must be prepared to answer, but no learner is permitted answer unless called upon.
Advise learners that a video will be shown and questions will follow a theme of how what is observed is different or similar to extracting evidence from cloud computing.
Identify a video from the Video Resources and permit time for learners to watch the video either privately or collectively as a class. Optional: learners can watch the video in advance of the session.
The questions are designed to emphasis thinking around the challenges of forensics in the cloud as well as with the aim to relate the activity back to material in the CyBOK.
Ask the first question related to logical acquisition and give sufficient time for the class to consider the question. It is also valuable to display the question to the class.
Select a learner at random and ask them to pick a number between 1 and the number of learners in the class. Consult the class register and call upon the learner that has the associated number. If the learner is not present, continue the process until a learner answers the question.
Continue the process so that several learners attempt the same question, unless it is not felt necessary.
After a sufficient number of learners have answered the question, move on to the next question.
Continue until all the questions have been tackled.
Advise learners that they should spend FIVE minutes reflecting on the activity and note any thoughts or misconceptions.
Permit time for questions to address any misconceptions or issues with the material presented.
The lecturer or instructor should give a brief lecture on Forensic Challenges in the Cloud material that back to the relevant material in the CyBOK.
The lecturer or instructor should shape and steer the brief lecture inline with experience with students in the prior activity.
The lecturer or instructor should:
Present their own Forensic Challenges in the Cloud lecture or provide it in advance for students to consider.
Align the presentation with relevant material in the CyBOK on cloud computing, specifically logical acquisition, cloud as the authoritative data source, that logging is pervasive and distributed computations are standard.
Permit time for questions to address any misconceptions or issues with the material presented.
The THIRD block of activities affords learners the opportunity to gain insight into apply outcomes from prior activities to artifacts in the cloud.
The block is structured as follows:
Overview of Cloud Application Forensics [Presentation]. Instructor provides a brief lecture on the significant concepts related to Cloud Application Forensics.
Produce Summary of Case Study [Assignment]. Learners are required to produce a summary of the case being considered in the class.
Overview of R v Andrewes case [Presentation]. Instructor provides an overview of the case to the class to ensure every learner is starting from the same point.
Committing Curriculum Vitae Fraud [Activity]. Teams will adapt a Curriculum Vitae for a series of employment opportunities using a cloud application.
Tracing changes [Activity]. Teams will identify themes in the adaptations made in the Curriculum Vitae using the cloud application.
Identification of Emerging Challenges and Opportunities [Activity]. Class discuss the potential challenges and opportunities that emerged from the activity.
The session begins with a brief lecture on the significant concepts related to Cloud Application Forensics.
Learners will use this knowledge to appreciate the upcoming challenges in terms of legal and privacy concerns as part of digital investigations.
The lecturer or instructor should:
Present their own lecture on Cloud Application Forensics or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
The lecturer or instructor should set learners the assignment to produce a summary of the case that will act as the foundation for activities. The assignment will act as an entry ticket assignment and those learners that do not complete the assignment are not able to participate in the session or miss the opportunity to gain course credit.
Optional: the instructor can set the assignment as an activity at the start of the session.
The lecturer or instructor at this point should provide a brief summary of the R v Andrewes case to the class.
The motivation for providing the overview is:
address any misconceptions or gaps in understanding that students may have developed when considering the case in advance.
support those students that have no adequately considered the case in advance as to ensure they can effectively contribute to the activity.
Teams are going to work in a round robin fashion to commit Curriculum Vitae Fraud using a Software-as-a-Service (SaaS) application, such as Google Docs.
The expectation is that this will support learners in appreciating the opportunities of having access to cloud artefacts, generated by Software-as-a-Service solutions, but also appreciating the challenge in actually gaining access to such artefacts when reflecting on the activity.
The lecturer or instructor should:
Advise learners they 30 minutes have to produce their Curriculum Vitae, maximum TWO pages, for a graduate job as a Forensics investigator. Learners should a Software-as-a-Service application (SaaS) that supports extensions or track changes, such as Google Docs. Optionally: learners may be advised to complete this aspect of the task in advance.
Advise learners they should organise into groups of no more than SIX members and no less than FIVE members. Assign each learner a number, one through six.
Issue the Round Robin Activity Sheet and advise the teams they are going to alter a Curriculum Vitae to secure dream jobs as Forensic investigators.
Advise learners to sit in a circle, and to pass their laptop or tablet to the peer on the right. Learners should select the job advert labelled the same as their assigned number. Learners have FIVE minutes to reflect on the job advert and adapt the Curriculum Vitae of their peer to secure an interview. Advise learners with a ONE minute warning before time elapses.
Signal to teams that time has elapsed. Advise learners to pass the system to the next peer on right. Learners have to perform the same activity again, but selecting the job advert numbered plus one from the previous one tackled.
Should end the cycle once laptops are back with the original owner.
Advise learners they are now going to use a Chrome Extension called DraftBack to review how the Curriculum Vitae has evolved in response to the job adverts.
Advise learners they have to produce a single presentation slide to document the changes that have made in response to the jobs adverts as well as tactics that have been employed, i.e. approach adopted by the fraudster. Learners will have 30 minutes to complete the task with a FIVE minute warning when time is nearly elapsed.
Advise learners to ensure their identification information is present in the footer of the presentation slide. Collect the presentation slides from learners via the virtual learning environment or via other appropriate means.
The expectation is that learners will identify themes in the adaptations made in the Curriculum Vitae using the cloud application, consider if any anti-forensic techniques have been deployed by some individuals as well as begin to consider how they would access such as cloud artefacts in the first instance.
The lecturer or instructor should:
Assemble a slide deck of the most interesting examples submitted by learners in terms of adaptions that they observed for a given job advert as well as tactics discussed.
Advise learners that the a slide deck has been assembled randomly that contains examples for each of the job adverts issued to learners in the prior activity. Advise learners that when called they have TWO minutes to present their slide.
Advise the class to take notes of the different adaptations observed and tactics that learners share.
After time has elapsed, initiate audience applause by clapping the learner of the stage and motion for the next speaker to come up.
Continue until each job advert has been considered.
Advise learners they have 15 minutes to reflect on the activity as a whole and ask them to consider and note down how an investigator could gain such insights if an individual was using an alternative Software-as-a-Service application.
The activity block closes with a class discussion on the challenges and opportunities in conducing forensics in the cloud that have emerged from completing the prior activities.
The lecturer or instructor should:
Advise learners they have 10 minutes to reflect on their notes from the previous activity.
Advise learners in their reflection to identify questions or aspects they need to clarify.
After time has elapsed advise the learners to exchange their notes with a peer. Advise the pairs they have 10 minutes to discuss the notes as well as try to address any questions they may have outstanding from the activity and/or their notes. Optional: advise learners after FIVE minutes that if they have not done so, ensure they have considered the each others questions.
Wander between pairs as they perform the activity and issue whiteboard markers to each pair or table of pairs.
After 10 minutes close the discussion. Advise pairs they have a further few minutes to distill their discussion down to at least ONE challenge and ONE opportunity of Software-as-a-Service applications and cloud forensics.
Advise pairs to use their whiteboard marker to come to the board and graffiti with their challenge and opportunity.
After a few minutes has elapsed, select some of the graffiti and ask pairs to identify themselves and explain it to the rest of the class.
Take a picture of the whiteboard and make it available on the virtual learning environment (VLE).
The FOURTH and final block is designed to conclude the active lesson plan and align material with that presented in the CyBOK.
The lecturer or instructor should provide a brief overview of the themes identified in the prior activities and relate them to the already established material that is presented and discussed in the CyBOK.
The lecturer or instructor should:
Advise learners of some of the application and qualities of hash functions that have emerged from consideration of all the various cases.
Relate the applications and qualities of hash functions to those presented and discussed in CyBOK .
Provide space for learners to raise any questions or address any gaps in understanding.
Ask learners to complete the Quad Fold Activity.