Lesson plan

Level 3 Technical Level IT: User Support

Unit name: Computer forensic investigation

Performance outcome: PO1 – P3, P4, M2

Unit type: Internally assessed

Tutor name:

Group or cohort
Week no. / 5
Date
Guidance notes
Computer forensics is the use of analytical and investigative techniques, which would enable someone to identify, gather and examine digitally stored or encoded information. It is therefore important that learners are able to put into practice the skills and knowledge required when investigating a wide range of computer systems and operating systems. They will need to analyse their findings in order to detect or prevent crime or any other dispute where evidence is digitally stored.
Resources
• Standalone PC system
• Networked system
• Laptop
The above systems must contain different operating systems, i.e. Windows, Unix and Linux.
Activity brief explaining the purpose of the activities and the evidence that the teams will be required to produce.
Software tools such as those available from:
• digital-forensic.org
• resources.infosecinstitute.com/computer-forensics-tools
• digital-forensics.sans.org/community/downloads
File systems and storage of files in Unix – youtube.com/watch?v=hZpom8ouYD8
Drive formats and their differences – youtube.com/watch?v=S5uxpHszU1E
Windows file systems – youtube.com/watch?v=TLKZEU1DZ9c
Length – 1 hour
Links to other assessment or performance outcomes:
• Unit 1 – Fundamental principles of computing.
• Unit 4 – Supporting end users.
• Unit 5 – Installing and maintaining software.
• Unit 6 – Organisational systems security.
• Unit 8 – Industrial project.
Lesson objective
By the end of this lesson learners will be able to:
• understand file systems and data storage to include:
  • FAT
  • NTFS
  • file system metadata
  • live, deleted, unallocated data and File Stack.
• identify and use preinstalled operating system tools to include:
  • Event viewer
  • Firewall.
Activities
Teacher led
Re-cap on previous lesson - risks associated with software and explain that the purpose of this lesson is for:
• learners to work in small teams and investigate and analyse a range of computer systems with respect to:
  • the file systems involved and the way that data is stored
  • what preinstalled auditing tools are available within the OS
• groups to prepare a presentation on their findings for next lesson.
(10 minutes)
Small groups (three to five learners) investigating the different computer systems (each group to be given 15 minutes for each system conducted in a ‘round robin’). (Group session 3 x 15 minutes – total 45 minutes)
Teacher led
• Re-cap of lesson ensuring learners have obtained the information they require to prepare their presentations for next lesson.
• If learners need more time, provide opportunity for learners to access the systems during the week.
(5 minutes)
Synoptic assessment
Learners draw upon knowledge that they have obtained from previous study or work experience in relation to the following units:
• Unit 1 – Fundamental principles of computing.
• Unit 4 – Supporting end users.
• Unit 5 – Installing and maintaining software.
• Unit 6 – Organisational systems security.
• Unit 8 – Industrial project.
Stretch and challenge activities?
The learners could undertake additional investigation and analysis of further computer systems and operating systems in order to establish:
• the file systems involved and how data is stored
• the preinstalled auditing tools available in different operating systems
• working as a team to gather the information to create a joint presentation on the results of their work.

Transferable skills and/or soft skills
The following soft skills are embedded in the delivery of this content:
• negotiation
• analysis
• time management
• commitment
• working under pressure.
English and maths
This lesson provides the learners with the opportunity to develop the following English skills:
• oral communication within small groups
• note taking
• written communication skills for presentation.
Assessment
Assessment, with respect to the learning that has taken place, can be confirmed through the following:
• observation of learner engagement with the activity demonstrating their knowledge and technical ability
• observation of learner participation in discussions during the investigation and analysis of the computer systems
• assessment of completed presentation by teams in relation to requirements of the activity
• assessment of responses to Q&A during/after presentation delivery.
Meaningful employer engagement
The learners would benefit from a presentation/webinar from a local employer, who is involved in computer forensic investigation. The employer could emphasise to the group that ‘you never know what may come up’ and therefore have to be prepared to investigate and analyse a very wide range of computer systems and operating systems, some of which may be legacy operating systems.
It is unlikely that learners will be able to undertake actual work experience within this area due to the sensitivity of the industry, but an employer could discuss the types of cases involved, giving real but anonymous examples.