The lesson plan considers the significance of applications as valuable sources of user interactions that can act as powerful evidence within the legal process. The active lesson plan scaffolds learners in developing understanding and awareness of the value of applications in terms of user interactions, and how this is relevant to forensics. An overview video outlines the structure of the active lesson plan.
Application forensics is the process of establishing a data-centric theory of operation for a specific application. The goal of the analysis is to objectively establish causal dependencies between data input and output, as a function of the user interactions with the application. Depending on whether an application is an open or closed source and on the level of the accompanying documentation, the analytical effort required can vary from reading detailed specifications to reverse engineering code, data structures and communication protocols, to performing time-consuming black box differential analysis experiments. Alternatively, forensic tool vendors may license code from the application vendor to gain access to the proprietary data structures. The big advantage of analysing applications is that we have a better chance of observing and documenting direct evidence of user actions, which is of primary importance to the legal process. CyBOK Forensic Knowledge Area. Pg 23.
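The black box differential analysis mentioned above, as an added example that is not part of the lesson plan or of the CyBOK: snapshot an application's data store before and after each user action and record what changed, which is how the link between a user interaction and the data it leaves behind is established. The toy SQLite store, its table names and the four user actions are constructed for illustration; in a real experiment the snapshots would be taken from working copies of the application's files.

```python
import sqlite3

def make_store():
    """Constructed stand-in for an application's private data store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, url TEXT UNIQUE,
                            visit_count INTEGER, last_visit INTEGER);
        CREATE TABLE searches (id INTEGER PRIMARY KEY, term TEXT, ts INTEGER);
    """)
    return conn

# Constructed "user actions": the black box whose side effects are observed.
def visit(conn, url, ts):
    cur = conn.execute("UPDATE pages SET visit_count = visit_count + 1, "
                       "last_visit = ? WHERE url = ?", (ts, url))
    if cur.rowcount == 0:
        conn.execute("INSERT INTO pages (url, visit_count, last_visit) "
                     "VALUES (?, 1, ?)", (url, ts))

def search(conn, term, ts):
    conn.execute("INSERT INTO searches (term, ts) VALUES (?, ?)", (term, ts))

def clear_history(conn):
    conn.execute("DELETE FROM pages")

def snapshot(conn):
    """Return {table: {rowid: {column: value}}} for every user table.
    Assumes ordinary rowid tables (not WITHOUT ROWID)."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    snap = {}
    for t in names:
        cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{t}")')]
        rows = conn.execute(f'SELECT rowid, * FROM "{t}"').fetchall()
        snap[t] = {r[0]: dict(zip(cols, r[1:])) for r in rows}
    return snap

def diff(before, after):
    """List the inserts, deletes and field-level updates between snapshots."""
    changes = []
    for table in sorted(after):
        old, new = before.get(table, {}), after[table]
        for rid in sorted(new.keys() - old.keys()):
            changes.append(("insert", table, rid, new[rid]))
        for rid in sorted(old.keys() - new.keys()):
            changes.append(("delete", table, rid, old[rid]))
        for rid in sorted(new.keys() & old.keys()):
            changed = {k: (old[rid][k], v) for k, v in new[rid].items()
                       if old[rid][k] != v}
            if changed:
                changes.append(("update", table, rid, changed))
    return changes

ACTIONS = [
    ("first visit", lambda c: visit(c, "https://example.test/a", 100)),
    ("repeat visit", lambda c: visit(c, "https://example.test/a", 200)),
    ("search", lambda c: search(c, "sample query", 300)),
    ("clear history", lambda c: clear_history(c)),
]

def run_experiment():
    """Perform one action at a time and attribute each change to it."""
    conn = make_store()
    results = {}
    for name, action in ACTIONS:
        before = snapshot(conn)
        action(conn)
        results[name] = diff(before, snapshot(conn))
    return results

if __name__ == "__main__":
    for name, changes in run_experiment().items():
        print(name, "->", changes)
```

In this constructed store, clearing the history removes the visited page but leaves the search term in place, the kind of finding such an experiment is designed to surface.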
Learners complete FOUR blocks of activities that are designed to support them in appreciating the significance of applications in terms of repositories of user interactions. Using real-world applications and a relevant case, instructors support learners through the following activity blocks:
Application Forensics. The first block of activities supports learners in appreciating the benefits and risks of application forensics.
Case Study: Web Browser. The second block of activities supports learners in appreciating the valuable information that can be learned from an application that is popular with individuals.
Study of Web Search History. The third block of activities will afford learners the opportunity to apply knowledge from prior activities and relate it to a relevant case.
Application Usage as Evidence. The fourth and final block is used to conclude the active lesson plan and is focused on aligning the outcomes of the activities with material presented in the CyBOK.
The active lesson plan can be adjusted to accommodate many of the United Kingdom qualification levels. In its current form the active lesson plan is targeting learners at Levels 6 and 7 on the Regulated Qualifications Framework (RQF) and Credit and Qualifications Framework (CQFW) in England and Wales, Levels 10 and 11 on the Scottish Credit and Qualifications Framework (SCQF) and Levels 6 and 7 on European Qualifications Framework (EQF).
The active lesson plan does not expect nor require an individual to possess significant knowledge in Computing Science, Mathematics or Law.
The FIRST block of activities supports learners in appreciating the benefits and risks of application forensics.
The block is structured as follows:
User Interactions and Applications [Presentation]. The lecturer or instructor provides a brief lecture or overview on the significance of user interactions with applications as they relate to the legal process.
Unicorn Pitch [Activity]. Learners will form teams and pitch a successful application that will enable them to become a Unicorn start-up, that is, a rare and valuable company.
Blueprint for Good Applications from the Forensic Investigator Perspective [Activity]. Learners will form new teams to identify common criteria for permitting applications in an Enterprise from the perspective of a Forensics investigator.
Unicorns vs Investigators [Activity]. Learners will identify the opportunities and obstacles in using application data as part of a forensics investigation.
Class Discussion on Using Application Data [Activity]. The class will consider and discuss some of the common potential opportunities and obstacles identified by teams.
Opportunities and Obstacles in using Application Data [Presentation]. The activity block will conclude by relating activity outputs with material in the CyBOK.
The session begins with a brief lecture or overview on the significance of user interactions with applications as they relate to the legal process.
Learners will use this material to appreciate the opportunities and challenges around application forensics.
The lecturer or instructor should:
Present their own admissibility lecture or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
The aim of the activity is to focus learners on considering their prior knowledge and thoughts, in terms of building a successful start-up application. The expectation is that learners will come to consider applications from primarily two perspectives: that of the user and that of the provider.
In terms of the user, the focus is on the qualities and features they seek and what would engage them with the application. In terms of the business, the focus is on what drives individuals to engage with the application and the business model the business will employ. These aspects relate back to the CyBOK in terms of ensuring learners appreciate that while valuable user data may be generated, it may not be easily accessible due to business model choices.
The lecturer or instructor should:
Advise learners they have to self-organise into teams of no more than FOUR members and no less than THREE members.
Advise teams they have 30 minutes to produce a TWO minute pitch with an accompanying single presentation slide for an application for a given market that will enable them as a start-up to be classed as a Unicorn, that is, a company that is effectively rare given its perceived value. Advise learners they have few restrictions, other than that the application must be focused on the consumer market and must be realistic in its claims and benefits; for example, the application cannot predict future lottery results.
Wander between teams as they form and create their ideas and companies. Motivate learners to consider the perspective of users and of business owners.
Collect the presentation slides from teams and collate them.
Use a random number generator to randomly select teams to present. The lecturer may prefer to select teams based on what they have observed, so as to shape the discussion in a particular direction.
Remind teams they have TWO minutes to present and lead the class in applause by clapping the teams off when time has elapsed.
Continue to call teams until a sufficient number of pitches have been presented.
Advise teams to spend 10 minutes reflecting on the pitches they have observed as well as their pitch. Advise them to identify FIVE qualities that make for a successful application, either from the perspective of user engagement or business rationale.
Issue a ONE minute warning before time elapses.
Collect the FIVE qualities from teams and advise them the material will be used in subsequent activities.
Permit time for questions to address any misconceptions or issues that emerged during the session.
The aim of the activity is to motivate learners to consider what would make a good application from the perspective of a forensic investigator. The expectation is that learners will come to consider that while extensive user engagement and logging may provide valuable data, gaining access to that data, how it is generated and its volume also present challenges.
The lecturer or instructor should:
Advise learners they have to self-organise into teams of no more than FOUR members and no less than THREE members. The members of the team should be different from the prior activity. The rationale is that this will afford learners an opportunity to interact with other members of the class but also present a break from the thought process in the previous activity.
Advise teams they have 30 minutes to produce a TWO minute pitch with accompanying single presentation slide for criteria for permissible applications for a large multinational company. Emphasise to teams they are producing criteria from the perspective of a forensics investigator, not from the perspective of a manager or security engineer.
Wander between teams as they form and create their ideas and companies. Support learners in reflecting on and balancing the challenge of extensive user engagement data and gaining access to it.
Collect the presentation slides from teams and collate them.
Use a random number generator to randomly select teams to present. The lecturer may prefer to select teams based on what they have observed, so as to shape the discussion in a particular direction.
Remind teams they have TWO minutes to present and lead the class in applause by clapping the teams off when time has elapsed.
Continue to call teams until a sufficient number of pitches have been presented.
Advise teams to spend 10 minutes reflecting on the pitches they have observed as well as their pitch. Advise them to identify FIVE common criteria that would satisfy most of the pitches they observed.
Issue a ONE minute warning before time elapses.
Collect the FIVE common criteria from teams and advise them the material will be used in subsequent activities.
Permit time for questions to address any misconceptions or issues that emerged during the session.
Teams will use their collective notes, their own research and other team pitches to identify the opportunities and challenges around using application data as part of a forensics investigation.
The lecturer or instructor should:
Advise teams that they are to produce a ONE slide presentation that covers THREE opportunities for application data in forensics and THREE obstacles or challenges in using that application.
Issue the start-up pitches and common criteria produced by all teams from the prior activities to the class. Advise teams they have 30 minutes to produce their slides and can use their own research, collective notes and outputs from prior activities to produce the slide.
As teams produce their slides, the lecturer should wander between groups to observe discussion and actions.
Collect the presentation slides from teams in preparation for the next activity.
Teams will present the opportunities and obstacles they have identified from the previous activity as well as engage in a discussion with the rest of the class.
The lecturer or instructor should:
Use a random number generator to randomly select teams to present. The lecturer may prefer to select teams based on what they have observed, so as to shape the discussion in a particular direction.
Advise teams they have TWO minutes to present and they are only expected to present a SINGLE opportunity or obstacle, but not one that has already been raised.
Teams that do not have a unique opportunity or obstacle should be clapped-off without presenting to inject some engagement and humour into the session.
After a sufficient number of presentations, for example THREE presentations, pause and engage the wider class and discuss some of what has been presented.
Continue to ask for teams to present either based on the discussion or what they have observed when teams were producing their slides or using a random number generator.
The lecturer should provide a brief overview of the themes identified in the prior activities and relate them to material presented in the CyBOK.
The lecturer or instructor should:
Advise learners of some of the themes that have emerged from consideration of the opportunities and obstacles in using application data for forensic purposes.
Relate the material to that discussed in the CyBOK.
Provide space for learners to raise any questions or address any gaps in understanding.
The SECOND block of activities is designed to support learners in appreciating the valuable information that can be learned from an application that is popular with individuals.
The block is structured as follows:
History of the Web Browser [Presentation]. Instructor provides a brief lecture on the significant concepts of admissibility of evidence.
Produce Summary of Case [Assignment]. Learners produce a summary of two cases that will act as the basis for subsequent activities.
Overview of Case [Presentation]. Lecturer or instructor to provide an overview of the cases so as to ensure all learners are starting with the same knowledge.
Search History of Brian Walshe [Activity]. The lecturer or instructor will show a video of search history being read to the defendant Brian Walshe. Learners will watch the video and note down some of the search history.
Friend Flummox [Activity]. Learners are required to devise an exam question that will challenge a peer in the class on the topic of what are the sources of forensically interesting material from a web browser.
Themes from Friend Flummox Activity [Activity]. Instructor leads class discussion and activity on the themes that emerged from the exam questions.
Web Browser Forensic Sources [Presentation]. Instructor provides brief lecture on six main sources of forensic relevant data for web browsers.
The session begins with a brief lecture on the evolution of and changes in web browsers. The expectation is that learners will come to appreciate that the aspects that are valuable to forensic investigators, such as capturing user engagement, have been fairly consistent over a number of years and have only increased.
Learners will use this material to appreciate the opportunities and challenges in using such application data.
The lecturer or instructor should:
Present their own admissibility lecture or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
The lecturer or instructor should set learners the assignment to produce a summary of the case that will act as the foundation for activities. The assignment will act as an entry ticket assignment and those learners that do not complete the assignment are not able to participate in the session or miss the opportunity to gain course credit.
Optional: the instructor can set the assignment as an activity at the start of the session.
The lecturer or instructor should provide a brief summary of the Commonwealth of Massachusetts v Brian Walshe case to the class.
The motivation for providing the overview is to:
address any misconceptions or gaps in understanding that students may have developed when considering the case in advance.
support those students that have not adequately considered the case in advance, so as to ensure they can effectively contribute to the activity.
The lecturer or instructor will show a video of search history being read to the defendant Brian Walshe. Learners will watch the video and note down some of the search history.
The rationale is to captivate and engage learners with the value of search history and what it can contribute to the legal process.
The lecturer or instructor should:
Advise learners they are going to watch a video clip of Brian Walshe being read his search history. Learners should note the search history mentioned and will form pairs and discuss the search history.
Issue the Search History Activity Sheet to learners.
Play the Brian Walshe Search History video clip. Advise learners to reflect on the search history as they watch the video.
Advise learners to form pairs and spend 10 minutes comparing search history and discussing any notes and thoughts they had on the recovered search history.
Open an audience response system activity, such as Mentimeter, and ask learners to submit some of the themes of the discussion had between pairs.
Steer the conversation towards the significance of application data being used to signal individual intention, but also how data could be interpreted and if there are other explanations.
Advise learners they have FIVE minutes to reflect on the activity and should make notes. Suggest that learners reflect on the fact that search history is just one aspect of a web browser and consider what other aspects may provide valuable data.
An engaging activity to motivate learners to engage with the different potential sources of data from web browsers that may be valuable to a forensics investigation. Learners are required to devise an exam question that will challenge a peer in the class on the topic.
The goal of the activity is to focus learners and to generate curiosity as well as to provide an opportunity for learners to develop interpersonal and communication skills.
The lecturer or instructor should:
Learners can be as creative as they want in the design of the question, for example they do not need to restrict themselves to text.
Give the learners around TEN minutes to create the question.
Maintain and ensure energy in the room by walking through the class and advising when time is running out.
Instruct learners to form pairs or trios and exchange their exam questions. The pairs or trios then have TEN minutes to tackle the question. The questions do not need to be tackled in exam conditions; learners can have fun and help each other out.
Collect all the exam questions from the learners.
The aim of the prior activity is to drive curiosity and interest in the challenge of sources of relevant data from a web browser to a forensics investigation. The lecturer should now focus the class by considering the themes that emerged in the exam questions and steer learners to areas of focus.
The lecturer or instructor should:
Ask learners to nominate any particularly good exam questions. Nominators should present the exam question to the class and state the advantages of the approach.
Open the question to the class and ask them to comment on the question and how they would approach it.
Repeat the process until a number of questions have been considered. Open an audience response system activity, such as Mentimeter, and ask learners to submit some of the themes that emerge from these questions in terms of areas of focus.
Steer the consideration of themes along the significance of the different sources, such as search history, form data, temporary files, downloaded files, HTML5 local storage and cookies.
Permit time for questions to address any misconceptions or issues with the material presented.
The block should conclude by relating the outcomes from the prior activities to material in the CyBOK.
The lecturer or instructor should:
Present their own lecture on the importance of guidelines or provide material in advance for learners to consider.
Relate the material presented back to the forensic sources interesting to forensics investigators documented in the CyBOK.
Permit time for questions to address any misconceptions or issues with the material presented.
The THIRD block of activities will afford learners the opportunity to apply knowledge from prior activities and relate it to a relevant case.
The block is structured as follows:
Using Application Usage Data as Evidence [Presentation]. The session begins with a brief lecture or overview on using application usage data as evidence as part of the legal process.
Produce Summary of Case Study [Assignment]. Learners are required to produce a summary of the case being considered in the class.
Overview of State of Indiana vs Gaylyn Morris [Presentation]. Instructor provides an overview of the case to the class to ensure every learner is starting from the same point.
Gathering and Interpreting Application Usage as Evidence [Activity]. Learners then have to extract fictional evidence from application usage for the case study, that has been generated by their peers.
Practice Sharing [Activity]. Learners nominate and share strong or interesting examples they observed from the previous activity.
Class Collective Identification of Emerging Themes of Using Application Usage Data [Activity]. Learners consider as a class the emerging themes that come from using application usage as evidence.
The session begins with a brief lecture or overview on using application usage data as evidence as part of the legal process.
Learners will use this material to appreciate the opportunities and challenges around application forensics.
The lecturer or instructor should:
Present their own lecture on using application usage data as evidence or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
The lecturer or instructor should set learners the assignment to produce a summary of the case that will act as the foundation for activities. The assignment will act as an entry ticket assignment and those learners that do not complete the assignment are not able to participate in the session or miss the opportunity to gain course credit.
Optional: the instructor can set the assignment as an activity at the start of the session.
The lecturer or instructor should provide a brief summary of the State of Indiana vs Gaylyn Morris case to the class.
The motivation for providing the overview is to:
address any misconceptions or gaps in understanding that students may have developed when considering the case in advance.
support those students that have not adequately considered the case in advance, so as to ensure they can effectively contribute to the activity.
The aim of the activity is for the learners to gain insight into how to analyse and consider the search history of an individual from the perspective of a forensics investigation.
The lecturer or instructor should:
Issue the Stump Activity Sheet to learners.
Advise learners they are going to create an application usage trail using a web browser for the accused in the case study. Advise learners that in generating the trail they should consider aspects that have been previously considered, such as misinterpretation of data points, i.e. interpreting data of usage from one perspective without considering an alternative, as well as anti-forensics techniques, i.e. purposely counterfeiting exculpatory evidence.
Advise learners that the class will vote on particularly creative, engaging and intelligent attempts at the activity.
Advise learners they have 30 minutes to generate the application usage data. Inform learners they will be issued a FIVE minute warning when time is nearly elapsed. Learners can generate the application data usage trail via:
Walk through the class as learners perform their task and discuss the topic and the approach they are adopting. Issue each learner with a piece of paper and pen as they perform the task.
After time has elapsed, advise learners to write their favourite colour on the paper in big lettering.
Advise learners they are going to pair up with another learner after time has elapsed. Inform them to wander around the class and pair up with another learner that has the same favourite colour. If there are any remaining learners, assign them to each other.
Advise learners to swap their application usage data with their new partner.
Advise learners they have 15 minutes to assemble a convincing trail of usage data from the data provided, keeping in mind the tactics the other learner may have performed to stump them. Inform learners they will be issued a ONE minute warning when time is nearly elapsed.
Advise pairs they have 10 minutes to exchange outlines of the trails uncovered and their interpretation of the data. Respective partners should communicate if this is correct or what the other has missed. Inform learners they will be issued a FIVE minute warning to swap around during the time.
Advise learners they can now choose to nominate their partner's stump, either because they observed a quality they would like to share with the class or discuss with the class. Advise learners if no-one nominates, pairs will be selected at random. Use an audience response system, such as Mentimeter, or paper to collect nominations.
Select learners to present based on nominations or select learners if no nominations are received. Ask the learners to present their partner's stump and describe how they uncovered the trail, what their interpretation of it was and whether it is correct. Advise other learners to take notes as they observe the presentations.
The aim is for the class to broadly identify emerging themes of using application data, specifically the elements of data that are valuable but also in terms of how these data points can be connected, in such a way that may be inaccurate and so must be carefully considered.
The lecturer or instructor should:
Use a random number generator to randomly select pairs to present. The lecturer may prefer to select pairs based on what they have observed, rather than randomly, to demonstrate and discuss with the entire class any novel insights or gaps in understanding.
Briefly refresh the class on cases considered across the prior activities, emphasising examples of the data collected and how this has been interpreted.
Advise pairs they have FIVE minutes to reflect on the notes they have made from the prior activities. Advise them to speak to their partner to resolve any misconceptions and gaps.
After the time has elapsed, advise pairs they have 10 minutes to generate a shared note that highlights the key elements of application usage that can be learned from application forensics, concerns around interpretation and any misconceptions that neither can satisfactorily resolve.
Identify pairs at random to stand up and discuss ONE key element of application usage and concerns around interpretation of such usage from a forensics perspective. Ask one member of the pair to present it to the class while the other acts as note taker and writes the heading or name for the element on a whiteboard.
Use an audience response system, such as Mentimeter, and ask the class if they have any additional thoughts around the strengths and concerns of using such elements of application usage data from a forensics perspective. Request the note taker to add some of the comments to the whiteboard.
Thank the pair of learners and identify another pair of learners. Advise the pair to share an element and concern, not previously discussed. Similarly, one learner should present while the other notes the heading on the whiteboard. The class should then be asked via an audience response system for any additional thoughts that the note taker can add to the board. Continue in this fashion until a sufficient number of elements have been considered.
Summarise the key elements devised by the class and emphasise the more significant elements provided by learners.
The FOURTH and final block is used to conclude the active lesson plan and is focused on aligning the outcomes of the activities with material presented in the CyBOK.
The lecturer or instructor should:
Briefly present again their own lecture on the use of hash functions to identify contraband or provide it in advance for students to consider.
Relate the presented material to the arguments, remarks and evidence provided by learners during the class debate to relevant material in the CyBOK.
Provide an opportunity for learners to address questions and/or address any misconceptions.
Ask learners to complete the Quad Fold Activity.