This active lesson plan considers the steps, processes and loops an investigator performs when processing information as part of a digital investigation. An overview video outlines the structure of the active lesson plan.
The CyBOK presents the Cognitive Task Model from Pirolli & Card as an approach to understand how digital investigators process information from external data sources to final presentation of evidence.
This active lesson plan scaffolds and supports learners in devising their own cognitive task model before comparing and contrasting it with the model presented in the CyBOK. The rationale for this approach is for learners to actively engage with the cognitive process that investigators perform when extracting and analysing evidence, rather than just learning about it from the CyBOK.
Learners complete FOUR blocks of activities that are designed to support them in devising their own cognitive task model. Using a real-world case as a starting point, instructors support learning through the following activity blocks:
Cognitive Steps in Information Processing. The first block of activities supports learners in devising and understanding the fundamental steps to process information from external data sources to the final presentation of evidence.
Processes. The second block of activities supports learners in devising and understanding the abstraction and analytical processes that are used to progress between the major information processing steps (devised in the prior block of activities).
Loops. The third block of activities supports learners in appreciating the analytical information processing loops that are required to refine and improve evidence.
Cognitive Task Model. The fourth and final block of activities closes the lesson plan and learners consider the Cognitive Task Model from the CyBOK. Learners compare and contrast the model devised through activities in the lesson plan with those presented in the CyBOK.
The active lesson plan can be adjusted to accommodate many of the United Kingdom qualification levels. In its current form the present active lesson plan is designed to target learners at Levels 6 and 7 on the Regulated Qualifications Framework (RQF) and Credit and Qualifications Framework (CQFW) in England and Wales, Levels 10 and 11 on the Scottish Credit and Qualifications Framework (SCQF) and Levels 6 and 7 on the European Qualifications Framework (EQF).
The present active lesson plan neither expects nor requires an individual to possess significant knowledge in Computing Science, Mathematics or Law.
The basis of the activities in the present active lesson plan is the Commonwealth vs Michael Fiola case.
Michael Fiola was an investigator for the Department of Industrial Accidents in the United States and was required to complete significant field work. The Department of Industrial Accidents provided Fiola with a laptop, cellular access card and data plan to support his role. Months after receiving the laptop, a red flag was received to state that Fiola was consuming excessive data, some 4x more than others in a similar role. Consequently, Fiola’s laptop was brought in for review by the company, and illicit activity and material were identified and located on the system. Fiola’s employment was terminated and criminal charges were subsequently sought.
The FIRST block of activities supports learners in devising and understanding the fundamental steps to process information from external data sources to the final presentation of evidence.
The block is structured as follows:
Overview of Information Processing. Instructor provides a brief lecture on the significant concepts of information processing and relevance in digital investigations.
Produce Summary of Case Study. Learners are required to produce a summary of the case being considered in the class.
Overview of Michael Fiola Vs Commonwealth case. Instructor provides an overview of the case to the class to ensure every learner is starting from the same point.
Devising the Cognitive Steps for Information Processing in Digital Investigations. Learners determine the information processing steps in progressing from external data sources to presentation of evidence.
Class collective development of Cognitive Steps. The class collectively discuss and debate the various possible information steps before collectively agreeing on a set of steps.
Cognitive Task Model. An overview of the cognitive task model generated by the class is produced and can be used in subsequent blocks of activities.
The session begins with a brief lecture on the significant concepts of information processing, in terms of triaging information as well as how to reduce and expand data where relevant within the context of digital investigations.
Learners will use this material as well as consideration of the case study to consider the major information processing steps in digital investigations.
The lecturer or instructor should:
Present their own information processing lecture or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
The lecturer or instructor should advise learners to produce a summary of the case that will act as the foundation for activities.
Optional: the lecturer or instructor can set this as an entry ticket activity that will require learners to complete the activity in advance of any session.
The lecturer or instructor at this point should provide a brief summary of the Michael Fiola Vs Commonwealth case to the class.
The motivation for providing the overview is to:
Address any misconceptions or gaps in understanding that students may have developed when considering the case in advance.
Support learners who have not considered the case in advance, so as to ensure they can effectively contribute to the activity.
Learners are expected to form pairs and identify the major steps in information processing within an investigation, starting with external data sources and progressing to presentation of the case.
The lecturer or instructor should:
Issue the activity sheet and advise pairs to consider the major steps in information processing of digital investigation in the context of the case.
Advise pairs to consider the incomplete cognitive model and start to think about what intervening actions an investigator would take to present a case from a selection of initial data sources.
Pairs should then consider the different possible actions and distill them down to central steps in the information processing of a case from the perspective of a digital investigator.
Advise pairs that they have to produce a presentation justifying the steps they devise. If the class is small enough then all pairs can present. However, in the situation where the class is large, suggest some pairs will be selected at random to present. This will ensure pairs are aware that they may have to present and this will provide sufficient motivation to ensure they engage with the activity.
Wander between pairs and consider the major steps that groups are identifying so that they can be called upon later during class-wide presentations.
Collect presentations and task models from students.
The aim is for learners to collectively agree the key steps in the task of information processing within the digital investigation.
The lecturer or instructor should:
Use a random number generator to randomly select pairs to present. The lecturer may prefer to select pairs based on what they have observed, rather than randomly, to demonstrate and discuss with the entire class any novel insights or gaps in understanding.
Present the starting and ending point for most digital investigations in terms of information processing, i.e. external data sources and presentation of the case.
Ask the class to offer the next step. The lecturer will then take answers and discuss them with the class, asking for further possible steps before agreeing on a specific step. The lecturer should shape discussion and call on pairs, informed by the experience of wandering between the groups during the activity and what they observed.
Use an audience response system, such as Mentimeter, to consider each step and to ensure the majority of the class collectively agrees on the steps.
Conclude the session with a complete, class generated task model from all the case studies considered.
The aim is to familiarise learners with the cognitive task model and the various key steps in information processing from the perspective of a digital investigation procedure. Learners can appreciate the weaknesses and strengths between the presented model and those generated by the class.
The lecturer or instructor should:
Present the Cognitive Task Model from Pirolli & Card presented in the CyBOK.
Ask learners to spend a few minutes to reflect on the differences between the model presented, the class wide generated model and the model generated in pairs.
Provide an opportunity for learners to address questions and/or address any misconceptions.
The SECOND block of activities supports learners in devising and understanding the abstraction and analytical processes that are used to progress between the major information processing steps (devised in the prior block of activities).
The block is structured as follows:
Overview of Abstraction and Analysis Processes. Instructor provides a brief lecture on the different abstraction and analytical processes.
Devising the Abstraction Processes for Information Processing in Digital Investigations. Learners are expected to identify and discuss various abstraction processes that support progression through the task model.
Class collective development of abstraction processes. The class collectively discuss and debate the various possible abstraction processes before collectively agreeing on a set of them.
Cognitive Task Model with Abstraction Processes. An overview of the cognitive task model generated by the class is produced, complemented with abstraction processes.
Devising the Analytical Processes for Information Processing in Digital Investigations. Learners are expected to identify and discuss various analytical processes that support progression through the task model.
Class collective development of Analytical Processes. The class collectively discuss and debate the various possible analytical processes before collectively agreeing on a set of them.
Cognitive Task Model with Analytical Processes. An overview of the cognitive task model generated by the class is produced, complemented with analytical processes.
The block begins with a brief lecture on the processes that support individuals in progressing from one step to the last step in the cognitive task model.
Learners will use this material as well as consideration of the case study to consider the processing activities involved in progressing through the steps of digital investigations.
The lecturer or instructor should:
Present their own processes lecture or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
Learners revisit the Cognitive Task Model devised from the previous block of activities. Pairs now consider the processes that support investigators in abstracting from external data sources to final presentation through consideration of the case.
Learners are expected to identify and discuss various abstraction processes that support progression through the task model. Learners should initially consider the steps from the bottom-up, i.e. from data sources.
The lecturer or instructor should:
Issue the activity sheet and advise pairs they are going to consider a log file from the Michael Fiola Vs Commonwealth case.
Advise pairs to work from external data sources, i.e. the log file, and progress through the steps of the model (devised from the earlier activity) to present a narrative of what happened based on the evidence they can extract.
Pairs should then consider the different possible processes and distill them down to the most important processes that support them in abstracting from data sources to presentation of the final narrative.
Advise pairs that they have to produce a presentation justifying the processes they devise. If the class is small enough then all pairs can present. However, in the situation where the class is large, suggest some pairs will be selected at random to present. This will ensure pairs are sufficiently motivated to complete the activity as they may have to present their efforts.
Wander between pairs and consider the major steps that groups are identifying so that they can be called upon later during class-wide presentations.
Collect presentations and updated task models with abstraction processes from learners.
The aim is for the class to broadly devise the abstraction processes that are pertinent to the previously defined class-wide Cognitive Task Model for information processing in digital investigations.
The lecturer or instructor should:
Use a random number generator to randomly select pairs to present. The lecturer may prefer to select pairs based on what they have observed, rather than randomly, to demonstrate and discuss with the entire class any novel insights or gaps in understanding.
Present the starting and ending point for most digital investigations in terms of information processing, i.e. external data sources and presentation of the case, complemented with the initial and final abstraction processes.
Advise the class that they are going to collectively devise the abstraction processes between each cognitive step though .
Remind the class, and discuss with them, that the wider aim of abstraction processes in information processing is to abstract from external data sources to higher-level understanding.
Begin with consideration of the initial step in the Cognitive Task Model, notionally the consideration of external data sources.
Reposition the Cognitive Task Model as a staircase and then ask the class for appropriate processes that would fit to progress up the staircase.
Shape the discussion, as many different suggestions are likely to be received. Having said that, the lecturer will want to note the others in front of the class so as to use them later, for example by recording them on a whiteboard.
Continue with this approach until the most significant abstraction processes are detailed. It is not a concern if all are not documented or some are incomplete as a debriefing session follows the activity.
Use an audience response system, such as Mentimeter, to consider each step and to ensure the majority of the class collectively agrees on the steps.
The lecturer should then conclude the session with a complete, class generated Cognitive Task Model with abstraction processes.
The class observe the second layer of the Cognitive Task Model, that is with key steps and abstraction processes. Pairs should be advised to compare and contrast the similarities and differences between the presented model and the model produced in class.
The lecturer or instructor should:
Present the Cognitive Task Model with abstraction processes, specifically the Pirolli & Card model from the CyBOK.
Ask learners to spend a few minutes to reflect on the differences between the model presented, the class wide generated model and their own pair model.
Provide an opportunity for learners to address questions and/or address any misconceptions.
Learners revisit the Cognitive Task Model devised from the previous activities. Pairs now consider the processes that support investigators in progression downwards through the task model.
Learners need to identify and discuss various analytical processes that support progression back through the task model. Learners should initially consider steps from the top-down, i.e. from presentation.
The lecturer or instructor should:
Issue the activity sheet and advise pairs they are now going to consider a second log file from the Michael Fiola Vs Commonwealth case.
Issue the interview transcript with Michael Fiola. Advise pairs that the interview demonstrates that Fiola disputes the original allegation.
Advise pairs they are going to present an alternative position or theory of what happened in the Michael Fiola Vs Commonwealth case.
Pairs need to consider this alternative theory and are expected to work backward through the Cognitive Task Model, progressing from the initial presentation back to external data sources (the log file) to find supporting evidence for the alternative theory.
Pairs should then consider the different possible processes and distill them down to the most important processes that support them in abstracting from data sources to presentation of the final narrative.
Advise pairs that they have to produce a presentation justifying the processes they devise. If the class is small enough then all pairs can present. However, in the situation where the class is large, suggest some pairs will be selected at random to present. Making pairs aware that they may have to present will ensure they are sufficiently motivated to complete the activity.
Wander between pairs and consider the major steps that groups are identifying so that they can be called upon later during class-wide presentations.
Collect presentations and updated task models with abstraction processes from learners.
The aim is for the class to broadly devise the analytical processes that are pertinent to the previously defined class-wide Cognitive Task Model for information processing in digital investigations.
The lecturer or instructor should:
Use a random number generator to randomly select pairs to present. The lecturer may prefer to select pairs based on what they have observed, rather than randomly, to demonstrate and discuss with the entire class any novel insights or gaps in understanding.
Present the starting and ending point for most digital investigations in terms of information processing, i.e. external data sources and presentation of the case, complemented with the initial and final abstraction processes.
Advise the class that they are going to collectively devise the abstraction processes between each cognitive step though .
Remind the class, and discuss with them, that the wider aim of abstraction processes in information processing is to abstract from external data sources to higher-level understanding.
Begin with consideration of the initial step in the Cognitive Task Model, notionally the consideration of external data sources.
Reposition the Cognitive Task Model as a staircase and then ask the class for appropriate processes that would fit to progress up the staircase.
Shape the discussion, as many different suggestions are likely to be received. Having said that, the lecturer will want to note the others in front of the class so as to use them later, for example by recording them on a whiteboard.
Continue with this approach until the most significant abstraction processes are detailed. It is not a concern if all are not documented or some are incomplete as a debriefing session follows the activity.
Use an audience response system, such as Mentimeter, to consider each step and to ensure the majority of the class collectively agrees on the steps.
Conclude the session with a complete, class generated Cognitive Task Model with analytical processes.
Before moving on to consider processes at various steps the lecturer should seek confirmation from the class. Lecturers may want to consider an audience response system, such as Mentimeter.
The lecturer should then conclude the session with a complete, class generated task model with processes from all the case studies considered.
The class observe the third layer of the Cognitive Task Model, that is with key steps, abstraction processes and analytical processes. Pairs should be advised to compare and contrast the similarities and differences between the presented model and the model produced in class.
The lecturer or instructor should:
Present the Cognitive Task Model with abstraction processes, specifically the Pirolli & Card model from CyBOK.
Ask learners to spend a few minutes to reflect on the differences between the model presented, the class wide generated model and their own pair model.
Provide an opportunity for learners to address questions and/or address any misconceptions.
The THIRD block of activities is designed to afford learners the opportunity to identify the two primary analytical loops employed by investigators to improve understanding as well as gather more evidence.
Analytical loops. Instructor provides a brief lecture on the primary analytical loops employed by investigators.
Refining task model with analytical loops. Learners are expected to identify and discuss various analytical loops that support investigators.
Class collective development of Analytical Loops. The class collectively discuss and debate the various possible analytical loops.
The session begins with a brief lecture on the high frequency iterative analytical loops that investigators perform to strengthen their case.
Learners will use this material as well as consideration of the case study to consider the analytical loops used in digital investigations.
The lecturer or instructor should:
Present their own analytical loops lecture or provide it in advance for students to consider.
Permit time for questions to address any misconceptions or issues with the material presented.
Advise learners that they should have completed the entry ticket activity and have the output from the activity with them.
Learners revisit the Cognitive Task Model devised from the previous activities. Pairs now consider the high-frequency iterative loops employed by investigators to strengthen their case.
The lecturer or instructor should:
Issue the incomplete class-wide task model with key steps and processes that has been generated from previous activities.
Advise learners to consider the material on analytical loops that investigators would employ to strengthen their case.
Ask learners to consider the case and identify a point where the investigator may have developed an initial theory but had no supporting data.
Ask pairs when that is likely to occur within the information processing process.
Pairs should then annotate the Cognitive Task Model with the relevant analytical loop.
Pairs should then consider the case and identify a point where the investigator encountered fragments of evidence but was unsure what connected them.
Pairs should then consider when that is likely to occur within the information processing process in the digital investigation and what actions the investigator performed.
Pairs should then annotate the task model with the relevant analytical loop.
Collect the annotated Cognitive Task Model from pairs.
The aim is for the class to broadly devise the analytical processes that are pertinent to the previously defined class-wide Cognitive Task Model for information processing in digital investigations.
The lecturer or instructor should:
Use a random number generator to randomly select pairs to present. The lecturer may prefer to select pairs based on what they have observed, rather than randomly, to demonstrate and discuss with the entire class any novel insights or gaps in understanding.
Ask for an example where the investigator may have developed an initial theory but had no supporting data.
Ask if any other pair has a different suggestion or approach.
The lecturer should then ask the pair that presented the example what the investigator actually did or, if it is not clear, what the pair felt they likely did.
Discuss with class at what point such activity is likely to happen within the Cognitive Task Model and achieve consensus. Lecturer may consider using audience participation tools, such as Mentimeter.
The lecturer should move on to consider the loop where an investigator may have data but is not clear how it relates or what it means. The lecturer can again use a random number generator to randomly select pairs to present or select a pair based on what they have observed previously.
Ask the class what they think the investigator would do in such a situation.
Ask if there are any other suggestions from others, before asking the presenting pair to state their perception.
Discuss at what point such activity is likely to happen within the information processing process with the class and achieve consensus. Lecturer may consider using audience participation tools, such as Mentimeter.
The FOURTH block is used to conclude the active lesson plan and is focused on aligning the outcomes of the activities with material presented in the CyBOK.
The Cognitive Task Model from Pirolli & Card is presented to the class. The lecturer should highlight the key elements and afford the opportunity to ask questions.
The lecturer or instructor should:
Present the Cognitive Task Model and highlight the key steps, processes and loops.
Ask the class if they have any questions or do not understand any aspect of what was covered in the session.
Ask learners to complete the Quad Fold Activity.