Learning Using Assessment on a Digital Forensics Module
Dimitris Tsaptsinos
Kingston University, CISM
d.tsaptsinos@kingston.ac.uk
Joint Hons Course
• The Faculty of CISM offers a joint honours course in Cyber Security, with Computer Forensics as a core module.
• The course can be studied with Mathematics or Statistics or Business Management
• It includes the usual modules in programming, databases, operating systems and networking in addition to modules in biometrics and web security.
Computer Forensics Module
• A Year 3 (Level 6) core module
• Highly technical, prepares the students by introducing legal, procedural and technical issues pertinent to computer forensics
• The module consists of lectures, specified directed reading and practical problem-solving classes.
• During lectures the students will be introduced to a new topic of investigation, the methodology and the tools that one can employ to unravel the situation.
• The practical sessions will reinforce the lecture material and students will have the opportunity to experiment and discover forensic evidence.
Assessment Methods
• In addition to the traditional lecture followed by a lab session, the students have the opportunity to either reinforce or add to their knowledge by using assessment methods that unite assessment and learning.
• Published research work has indicated that improving learning through assessment depends on five key factors.
• the provision of effective feedback to students,
• the active involvement of pupils in their own learning
• adjusting teaching to take account of the results of assessment
The assessment components
• A weekly diary
• Used to cover new material or remind students of material they have come across in other modules or cover in detail material presented in class.
• Such regular assignments provide students with early feedback and an opportunity to identify areas that the whole class struggles with.
• This is a recommended assessment component for small cohorts.
Week Diary Example - 1
• Recycler Bin analysis using a hex editor
• Using the paper and the notes, provide screenshots and explanation text of how one can calculate (a) the drive number and (b) the deletion time.
• The students were shown how to calculate the size of the file during the practical
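An added example, not part of the original slides: a small parser that extracts the drive number and deletion time the exercise asks for from a Windows XP-era Recycle Bin INFO2 file. The slides do not give the record format, so the 16-byte header and 800-byte record layout used here are assumptions based on the commonly documented format, and the sample file is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 16   # assumed INFO2 header; record size is the DWORD at offset 12
RECORD_SIZE = 800  # assumed XP-era record length (0x320)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_record(rec):
    """Assumed layout: 260-byte ANSI path, index, drive number,
    FILETIME, file size, 520-byte UTF-16LE path (little-endian fields)."""
    if len(rec) < RECORD_SIZE:
        raise ValueError("truncated record: %d bytes" % len(rec))
    index, drive, ftime, size = struct.unpack_from("<IIQI", rec, 260)
    if drive > 25:
        raise ValueError("drive number %d out of range" % drive)
    ansi = rec[:260].split(b"\x00", 1)[0].decode("ascii", "replace")
    wide = rec[280:800].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {
        "index": index,
        "drive": chr(ord("A") + drive) + ":",   # 0 = A:, 2 = C:
        "deleted_utc": filetime_to_utc(ftime),
        "size": size,
        "path": wide or ansi,                   # ANSI copy may be blank or lossy
    }

def parse_info2(data):
    """Walk every fixed-size record that follows the header."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than header")
    (rec_size,) = struct.unpack_from("<I", data, 12)
    if rec_size != RECORD_SIZE:
        raise ValueError("unsupported record size %d" % rec_size)
    return [parse_record(data[off:off + rec_size])
            for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size)]

def build_sample():
    """Constructed one-record INFO2 image (not real evidence)."""
    path = "C:\\Documents and Settings\\student\\Desktop\\notes.txt"
    delta = datetime(2006, 3, 14, 9, 30, tzinfo=timezone.utc) - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    rec = path.encode("ascii").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", 1, 2, ft, 4096)
    rec += path.encode("utf-16-le").ljust(520, b"\x00")
    # Header values other than the record size are constructed and unused
    return struct.pack("<IIII", 5, 0, 0, RECORD_SIZE) + rec
```

In a hex editor the same fields sit at record offsets 264 (drive number) and 268 (deletion time) under this assumed layout, which lets a hand calculation be checked against `parse_info2(build_sample())`.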
Week Diary Example - 2
• Many Web browsers, including Microsoft Internet Explorer, Mozilla, Firefox, and Netscape offer some sort of password manager option. When a user enters new username and password information for a Web site, the browser offers to “remember” it, so the user does not need to enter that information the next time he or she logs in to that site. Write a three page report explaining in general terms how these password manager features work and their main advantages and disadvantages.
• New material (directed reading or in this case literature search)
Week Diary Example - 3
• Name and briefly describe the seven layers of the OSI model
• Recall or learn what SAM is and what its purpose is (Windows registry area)
• What is a hive when you refer to the registry?
• Material that has been covered in other modules
The assessment components
• An individual assignment
• Used early on, it usually employs a publicly available case found on the Internet on sites such as honeynet.org.
• The student has to repeat the steps of the selected case study, with the benefit of familiarising the student with a topic and associated tools; because the case has known outcomes, the student can evaluate his or her own learning.
• The student hopefully realizes the numerous tools available and appreciates the different procedures followed by comparing the various solutions available.
Individual Assignment Example-1
• Read (again) the wp_index_dat.pdf (Forensic Analysis of Internet Explorer Activity Files) by Keith Jones from Foundstone.
• Use the index file index.dat as an example and take one entry apart by hand using WinHex or Hex Workshop.
• Then use the pasco tool from Foundstone and check your entry.
• Write a lab report, with entries for all steps that you have taken. Screenshots will be most welcome.
Individual Assignment Example-2
• Web browser forensics is an article found on the Internet which simulates a forensic situation, provides a scenario and introduces some forensic processes and several web browser forensics tools.
• The article, which is found at http://www.symantec.com/connect/articles/web-browser-forensics-part-1, explains the whole process.
• Your task is to repeat the investigation using the same tools and procedures and report your findings using your own screenshots and step-by-step instructions of how the investigation was approached, an explanation of tools etc.
• The majority of the marks will be given for presentation of your process and findings.
Individual Assignment Example-3
• Scan24 (http://old.honeynet.org/scans/scan24/)
The assessment components
• Group Work
• The students working in groups create their own evidence and subsequently investigate the evidence of another group.
• This simulates reality as we do not always know, if ever, what we will unearth and we might follow blind alleys as well.
• The overall benefit is that interaction and collaboration with other students produces better learning outcomes.
• This is recommended for students in their third year rather than the first year, where confidence in working in groups might not yet have developed.
Groupwork Example
• Group remit
• Each group will be assigned a crime. Each group must create evidence to support that a crime has been committed.
• Create evidence to support that a murder has been committed.
Groupwork Example
• Bad guy role
• A faculty member has been killed and buried somewhere at the grounds of one of the Kingston University campuses.
• Good guy goals
• Follow a documented forensics investigation process
• Identify, locate and recover relevant electronic evidence
• Maintain a chain of custody
• Present the findings
Groupwork Example
• Grading
• Fifty marks are allocated on how original and imaginative your created evidence was. [When you are the bad guy]
• Fifty marks are allocated on your problem solving of the evidence of another group. [When you are the good guy]
• Extra marks will be allocated if the group that was assigned to solve your crime failed to find all or part of your evidence. Therefore, it makes sense not to talk to the other groups.