Learning Using Assessment on a Digital Forensics Module

Dimitris Tsaptsinos
Kingston University, CISM
Joint Hons Course
• The Faculty of CISM offers a joint honours course in Cyber Security, with Computer Forensics as a core module.
• The course can be studied with Mathematics or Statistics or Business Management.
• It includes the usual modules in programming, databases, operating systems and networking in addition to modules in biometrics and web security.
Computer Forensics Module
• A Year 3 (Level 6) core module.
• Highly technical; prepares the students by introducing legal, procedural and technical issues pertinent to computer forensics.
• The module consists of lectures, specified directed reading and practical problem-solving classes.
• During lectures the students will be introduced to a new topic of investigation, the methodology and the tools that one can employ to unravel the situation.
• The practical sessions will reinforce the lecture material and students will have the opportunity to experiment and discover forensic evidence.
Assessment Methods
• In addition to the traditional lecture followed by a lab session, the students have the opportunity to either reinforce or add to their knowledge by using assessment methods that unite assessment and learning.
• Published research work has indicated that improving learning through assessment depends on five key factors:
• the provision of effective feedback to students,
• the active involvement of pupils in their own learning,
• adjusting teaching to take account of the results of assessment.
The assessment components
• A weekly diary
• Used to cover new material or remind students of material they have come across in other modules or cover in detail material presented in class.
• Such regular assignments provide students with early feedback and an opportunity to identify areas that the whole class struggles with.
• This is a recommended assessment component for small cohorts.
Week Diary Example - 1
• Recycler Bin analysis using a hex editor.
• Using the paper and the notes, provide screenshots and explanatory text of how one can calculate (a) the drive number and (b) the deletion time.
• The students were shown how to calculate the size of the file during the practical.
Week Diary Example - 2
• Many Web browsers, including Microsoft Internet Explorer, Mozilla, Firefox, and Netscape offer some sort of password manager option. When a user enters new username and password information for a Web site, the browser offers to “remember” it, so the user does not need to enter that information the next time he or she logs in to that site. Write a three-page report explaining in general terms how these password manager features work and their main advantages and disadvantages.
• New material (directed reading or in this case literature search).
Week Diary Example - 3
• Name and briefly describe the seven layers of the OSI model.
• Recall or learn what SAM is and what its purpose is (Windows registry area).
• What is a hive when you refer to the registry?
• Material that has been covered in other modules.
The assessment components
• An individual assignment
• Used early on; it usually employs a publicly available case found on the Internet on sites such as honeynet.org.
• The student has to repeat the steps of the selected case study, with the benefit of familiarising the student with a topic and associated tools, and because the case has known outcomes the student can evaluate his or her own learning.
• The student hopefully realizes the numerous tools available and appreciates the different procedures followed by comparing the various solutions available.
Individual Assignment Example-1
• Read (again) the wp_index_dat.pdf (Forensic Analysis of Internet Explorer Activity Files) by Keith Jones from Foundstone.
• Use the index file index.dat as an example and take one entry apart by hand using WinHex or Hex Workshop.
• Then use the pasco tool from Foundstone and check your entry.
• Write a lab report, with entries for all steps that you have taken. Screenshots will be most welcome.
Individual Assignment Example-2
• Web Browser Forensics is an article found on the Internet that simulates a forensic situation, provides a scenario and introduces some forensic processes and several web browser forensics tools.
• The article, which explains the whole process, is found at: http://www.symantec.com/connect/articles/web-browser-forensics-part1
• Your task is to repeat the investigation using the same tools and procedures and report your findings using your own screenshots and step-by-step instructions of how the investigation was approached, an explanation of tools etc.
• The majority of the marks will be given for presentation of your process and findings.
Individual Assignment Example-3
• Scan24 (http://old.honeynet.org/scans/scan24/)
The assessment components
• Group work
• The students, working in groups, create their own evidence and subsequently investigate the evidence of another group.
• This simulates reality, as we do not always know, if ever, what we will unearth and we might follow blind alleys as well.
• The overall benefit is that interaction and collaboration with other students produces better learning outcomes.
• This is recommended for students in their third year rather than the first year, where confidence in working in groups might not have evolved.
Groupwork Example
• GROUP REMIT
• Each group will be assigned a crime. Each group must create evidence to support that a crime has been committed.
• Create evidence to support that a murder has been committed.
Groupwork Example
• BAD GUY ROLE
• A faculty member has been killed and buried somewhere in the grounds of one of the Kingston University campuses.
• GOOD GUY GOALS
• Follow a documented forensics investigation process
• Identify, locate and recover relevant electronic evidence
• Maintain a chain of custody
• Present the findings
Groupwork Example
• GRADING
• Fifty marks are allocated on how original and imaginative your created evidence was. [When you are the bad guy]
• Fifty marks are allocated on your problem solving of the evidence of another group. [When you are the good guy]
• Extra marks will be allocated if the group that was assigned to solve your crime failed to find all or part of your evidence. Therefore, it makes sense not to talk to the other groups.