This active lesson plan considers the data acquisition challenges for evidence in terms of encryption. The active lesson plan specifically considers the different legal and technical approaches to overcome encryption. An overview video outlines the structure of the active lesson plan.
The legal approach as defined:
The legal approach relies on compelling the person with knowledge of the relevant encryption keys to surrender them. This is relatively new legal territory and its treatment varies across jurisdictions. In the UK, the Regulation of Investigatory Powers Act 2000 specifies the circumstances under which individuals are legally required to disclose the keys. Disclosure may run counter to the legal right against self-incrimination and in some jurisdictions, such as in the United States, it is not yet definitively resolved. CyBOK Forensics Knowledge Area P(17)
The technical approach as defined:
The technical approach relies on finding algorithmic, implementation, or administrative errors, which allow the data protection to be subverted. Although it is nearly impossible to create a complex IT system that has no bugs, the discovery and exploitation of such deficiencies is becoming increasingly more difficult and resource intensive. CyBOK Forensics Knowledge Area P(17)
Learners complete FOUR blocks of activities that are designed to support them in appreciating the significant challenges in overcoming encryption. Using real-world cases as starting points, instructors support learners through the following activity blocks:
Overcoming Encryption. The first block of activities is designed to motivate learners to consider the different routes to overcome encryption for the purposes of digital investigation.
Legal Approaches to overcome Encryption. The second block of activities is designed to motivate learners to consider the different legal approaches to overcoming encryption used across the world.
Technical Approaches to overcome Encryption. The third block of activities is designed to motivate learners to consider the different technical approaches to overcoming encryption.
Acquisition. The fourth block is used to conclude the active lesson plan and is focused on aligning the outcomes of the activities with material presented in the CyBOK.
The active lesson plan can be adjusted to accommodate many of the United Kingdom qualification levels. In its current form the active lesson plan is targeting learners at Levels 6 and 7 on the Regulated Qualifications Framework (RQF) and Credit and Qualifications Framework (CQFW) in England and Wales, Levels 10 and 11 on the Scottish Credit and Qualifications Framework (SCQF) and Levels 6 and 7 on European Qualifications Framework (EQF).
The active lesson plan neither expects nor requires an individual to possess significant knowledge in Computing Science, Mathematics or Law.
The basis of the activities in the lesson plan is the In re Boucher case.
Sebastien Boucher crossed the border between Canada and the United States. Boucher was in possession of a laptop that was powered on when he crossed the border. Inspection of the laptop suggested that Boucher was transporting child exploitation images. The laptop was powered down and Boucher was arrested. The laptop was subsequently powered on, but the contents were encrypted and the material could not be decrypted. Because the drive could not be inspected, there was no way to locate and identify the child exploitation images on the laptop. Boucher was asked to provide the password that would grant access to the key to decrypt the drive.
The FIRST block of activities is designed to motivate learners to consider the different routes to overcome encryption for the purposes of digital investigation.
The block is structured as follows:
Encryption. Instructor provides a brief lecture on the significant concepts of encryption.
Produce Summary of Case. Learners to produce a summary of the case that will be used in subsequent activities.
Overview of Case. Lecturer or instructor to provide an overview of the case so as to ensure all learners are starting with the same knowledge.
Discussion on the routes to overcome Encryption. Class to have discussion on the potential different routes to overcome encryption.
The session begins with a brief lecture on the significant concepts of encryption, in terms of the challenges it represents to digital investigations.
Learners will use this material to appreciate the challenges around expert evidence and handling evidence.
The lecturer or instructor should:
Present their own encryption lecture or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
The lecturer or instructor should advise learners to produce a summary of the case that will act as the foundation for activities.
Optional: the lecturer or instructor can set this as an entry ticket activity, in that learners are required to complete it in advance of the session.
The lecturer or instructor should provide a brief summary of the Boucher case to the class.
The motivation for providing the overview is to:
address any misconceptions or gaps in understanding that students may have developed when considering the case in advance.
support those students that have not adequately considered the case in advance, so as to ensure they can effectively contribute to the activity.
Learners are going to consider the various possible routes that could be used to overcome encryption for the purposes of digital investigations.
The lecturer or instructor should:
Instruct learners to gather into groups of FOUR members and to assign each other a number between the range.
Learners are then set the task of considering the different approaches that can be used to overcome encryption for data at rest.
State a number and explain that the learner assigned that number will be given a few minutes to consider the problem, write down their answer and pass it to their neighbour.
The process should continue until all group members have completed the task and no longer than 20 minutes total, representing a FIVE minute block for each student.
Chair a discussion and ask learners to provide different possible routes to overcoming encryption for the purposes of digital investigations.
Consolidate and advise learners that there are two broad routes, legal and technical, and these will now be considered in more depth over various activities.
The SECOND block of activities is designed to motivate learners to consider the different legal approaches to overcoming encryption used across the world.
The block is structured as follows:
Research Compelled Decryption and Key Disclosure Approaches for Country or Region. Team members research and teach each other about legal approaches to overcoming encryption across the world.
Presentation to Class. Teams will present the guidelines they have generated to the class.
Identify Emerging Themes in Legal Approaches to Compelled Decryption. Teams to consider the common themes as well as any divergences between the legal approaches presented by teams.
Emerging Themes in Legal Approaches to Compelled Decryption Discussion. Class to have discussion on the common themes that emerge from the legal approaches presented by teams.
Themes in Legal Approaches to Compelled Decryption. Lecturer provides their own lecture on the similarities between legal approaches used across the world.
Learners will teach each other about the legal approaches employed to compelled decryption using the Jigsaw Active Learning approach.
Teams are to consider the legal approaches for a specific country. Each team member is to consider a specific aspect, consequently they are the expert for that particular aspect. Experts from each team are to meet and discuss their aspect, before returning to their team and teaching them about the aspect. The team as a whole will then devise a presentation.
The team presentation will be given to the rest of the class to support a subsequent activity that helps learners understand the similar themes that all such legal approaches exhibit across the world.
The lecturer or instructor should:
Advise learners to self-organise into teams of FIVE or FOUR members.
Issue the activity sheet and explain that teams are required to investigate in detail the legal approaches to compelled decryption for a specific country.
Teams are to identify a country they want to investigate and confirm it with the lecturer. If they do not have an agreed country then one should be allocated.
Teams should consider the legal approaches from specific perspectives, with each member of the team acting as an expert for one perspective and expected to consider it in more detail and educate the rest of the team on that perspective.
Experts should spend time considering the aspect in more detail before meeting with the same experts from other teams, i.e. experts are those considering the same perspective but for a different country.
Experts should discuss their perspective, share research and consolidate understanding before returning to their own teams and teaching them on the specific perspective.
Advise teams they are required to produce a presentation.
Collect presentation from teams.
The class will learn about the different legal approaches used across the world to overcome encryption from specific perspectives.
The class should take notes during the session to support a subsequent activity in identifying emerging themes.
The lecturer or instructor should:
Prepare the presentations collected from teams, produce a running order and advise teams in advance.
Advise teams they have FIVE minutes to give their presentation. The team will be given a ONE minute warning and will be clapped off at the end of their allocated time. Teams should be advised they will not be expected to take questions but may be called upon in subsequent discussions.
Advise teams that they all have to speak and to consider how they will pass between members efficiently.
Advise teams that presentation slide decks will be made available after the session, but learners should still take notes to support subsequent activities.
Use a stopwatch and commence the presentations with teams.
Teams will use their collective notes, their own research and other team presentations to identify themes and divergences in guidelines in legal approaches to compelled decryption.
The lecturer or instructor should:
Advise teams that they are to produce a ONE slide presentation that covers at least THREE emerging themes that the team has devised from watching the presentations.
Advise teams they should also identify at least ONE novel aspect or divergence between the different guidelines to support the admission of expert evidence.
As teams produce their slides, the lecturer should wander between groups to observe discussion and actions.
Collect the presentation slides from teams in preparation of the next activity.
Teams will present the themes they have identified from the previous activity as well as engage in a discussion with the rest of the class.
The lecturer or instructor should:
Use a random number generator to randomly select pairs to present. The lecturer may prefer to select pairs based on what they have observed, so as to shape the discussion in a particular direction.
Advise teams that they have TWO minutes to present the themes they have identified as well as any divergences.
Select ONE of the themes or divergences to discuss with the wider class and ask for their comments and thoughts.
Continue to ask for teams to present either based on the discussion or what they have observed when teams were producing their slides or using a random number generator.
The lecturer should provide a brief overview of the themes identified in legal approaches to compelled decryption that is informed by the prior activities.
The lecturer or instructor should:
Ensure they cover the perspectives of self-incrimination, right to silence, key disclosure versus decrypted data, deniable encryption, time-limited decryption and torture, as well as any other interesting perspectives that have previously been raised.
Provide space for learners to ask questions or to address any misunderstandings.
The THIRD block of activities is designed to motivate learners to consider the different technical approaches to overcoming encryption.
The block is structured as follows:
Identify and Confirm Case. Learners in advance identify a case and source material where a technical approach has been used to overcome encryption.
Research Case. Learners self-organise into teams and research the case selected in the prior activity.
Presentation to Class. Teams will present the guidelines they have generated to the class.
Categorising technical approaches. Teams categorise the different technical approaches into different categories.
Identify Emerging themes. Teams consider the common themes as well as any divergences between the technical approaches presented by teams.
Emerging Themes in Technical Approaches to Compelled Decryption Discussion. Class to have discussion on the common themes that emerge from the technical approaches presented by teams.
Themes in Technical Approaches to Compelled Decryption. Lecturer provides their own lecture on the similarities between technical approaches used across the world.
Learners are to identify a case study in advance of the session where a technical approach has been used to overcome encryption.
Learners are required to produce a summary and provide at least FIVE artefacts that can act as source material.
Learners will then form teams and select one of the case studies to consider in more depth.
The lecturer or instructor should:
Advise learners they should self-organise into teams. Learners should share their summaries and artefacts with other team members.
Advise teams that through discussion and ranking they should identify a case that they want to consider in more depth and share with the wider class.
As teams discuss cases, the lecturer should wander between groups to observe discussion.
Teams are to research the case (selected in prior activity) and produce a presentation that will be given to the class.
The learner responsible for the selected case becomes the leader of the team and they steer the presentation.
The lecturer or instructor should:
Issue the activity sheet to guide and support the teams.
Advise teams that the learner responsible for the proposed case is the team leader and that the team should produce a FIVE minute presentation of the case.
Collect the presentations from the teams, for example using a virtual learning environment (VLE).
The class will learn about the various different cases and technical approaches to overcome encryption from the rest of the class.
The class should take notes during the session to support a subsequent activity in identifying emerging themes.
The lecturer or instructor should:
Prepare the presentations collected from teams, produce a running order and advise teams in advance.
Advise teams they have FIVE minutes to give their presentation. The team will be given a ONE minute warning and will be clapped off at the end of their allocated time. Teams should be advised they will not be expected to take questions but may be called upon in subsequent discussions.
Advise teams that they all have to speak and to consider how they will pass between members efficiently.
Advise teams that presentation slide decks will be made available after the session, but learners should still take notes to support subsequent activities.
Use a stopwatch and commence the presentations with teams.
Teams will use their collective notes, their own research and other presentations from the class to classify each of the case studies in terms of whether they are technical examples of the exploitation of algorithmic, administrative or implementation errors, or some other type of error.
The lecturer will then use an audience response system, such as Mentimeter, to collect class wide responses to the categorisation of cases.
The class should be advised that they will receive the slide deck and categorisation after the session.
The lecturer or instructor should:
Issue the activity sheet to the teams to support them in completing the activity.
Advise teams to discuss and consider the previously presented cases and categorise them in terms of exploitation of algorithmic, administrative or implementation errors, or some other type of error.
As teams discuss the cases, the lecturer should wander between groups to observe discussion and actions.
Return to the centre and advise the class that an audience response system will be used to collect categorisations.
Progress through each case and ask the leader for the presented case which category they would place the case in, and to provide a rationale.
Open the discussion up to the class and ask if any team disagrees with the classification and rationale.
Continue until all cases have been considered by the class.
Open the audience response system and ask each team to enter their categorisation of the cases.
Present the result of the categorisation and provide slides to class.
Teams will use their collective notes, their own research and other team presentations to identify themes and divergences in technical approaches to compelled decryption.
The lecturer or instructor should:
Advise teams that they are to produce a ONE slide presentation that covers at least THREE emerging themes that the team has devised from watching the presentation.
Advise teams they should also identify at least ONE novel aspect or divergence between the different technical approaches.
As teams produce their slides, the lecturer should wander between groups to observe discussion and actions.
Collect the presentation slides from teams in preparation of the next activity.
Teams will present the themes they have identified from a previous activity as well as engage in a discussion with the rest of the class.
The lecturer or instructor should:
Use a random number generator to randomly select pairs to present. The lecturer may prefer to select pairs based on what they have observed, so as to shape the discussion in a particular direction.
Advise teams that they have TWO minutes to present the themes they have identified as well as any divergences.
Select ONE of the themes or divergences to discuss with the wider class and ask for their comments and thoughts.
Continue to ask for teams to present either based on the discussion or what they have observed when teams were producing their slides or using a random number generator.
The lecturer should provide a brief overview of the themes identified in technical approaches to compelled decryption that is informed by the prior activities.
The lecturer or instructor should:
Ensure coverage of the following themes: the popularity of the favoured category of approach oscillates over time, varies by context, and is influenced by platform.
Provide space for learners to ask questions or to address any misunderstandings.
The FOURTH block is used to conclude the active lesson plan and is focused on aligning the outcomes of the activities with material presented in the CyBOK.
The lecturer or instructor should:
Present in greater depth the routes to overcome encryption that are presented and discussed in the CyBOK.
Ask the class if they have any questions or do not understand any aspect of what was covered in the session.
Ask learners to complete the Quad Fold Activity.