Thinking Like an Expert

Overview

Students take part in a series of discussions designed to get them thinking like experts in their field.

Why Use This?

This course uses the “scaffolding” method in the discussions. Scaffolding works by giving students less guidance over time to master the course content. By using scaffolding in discussions, you can see how student thinking evolves and deepens throughout the semester. This method also builds confidence and real-world professional skills, as students must master the content to solve problems independently.

How Does It Work?

In this computer forensics course, each assignment asks students to investigate a fictitious computer crime. The first assignment begins by giving students a list of questions that an investigator would ask in a real investigation. In the accompanying discussion, students are asked to explain why these questions were selected. As the semester goes on, the assignments and discussions work together to guide students’ thinking about how to conduct a real investigation. When faced with the final assignment, in which they are only given details about a crime, students use the discussion to form their own questions.

Here’s how the discussions are scaffolded in the course:

Screenshot of discussion forums in Canvas, showing the high-level structure of the scaffolded discussions.

Overview of discussions included in the course. Each discussion gives students more insight into how an actual expert would investigate a computer crime—and which questions they would ask and why.


A list of discussion topics that read:

  • Discussion – WHY were the Investigation 01 questions selected?
  • Discussion – Course Rubric
  • Discussion – Which questions SHOULD be asked for Investigation 02?
  • Discussion – Which questions WILL be asked for Investigation 03?
  • Discussion – Which questions are YOU going to ask for Investigation 04?

Screenshot of the first scaffolded discussion

Example of the first discussion prompt. In this prompt, the instructor provides the most guidance for students to complete the assignment.


Discussion – WHY were the Investigation 01 questions selected?

The scenario document for Investigation 1 contains a series of questions for you to answer to help guide you through the investigation. In the real world, examiners almost never have so much guidance. You will eventually have to work out for yourself what information is relevant to your investigation. Basically, you’ll need to start thinking and making decisions like a professional in the field. To work up to that process, I’ve constructed the investigations such that I diminish the amount of guidance I provide you. However, I’m going to guide you in the process of thinking like a professional. We will use these discussions as the place where the development of that thought process occurs.

Let’s begin by discussing the questions you were asked in Investigation 1. If you can figure out why they were important to know, you will be farther along your way to coming up with your own.

Initial Post

Prompt
For your initial discussion post, ask yourself the following question:

Why did I (the instructor) choose to list these questions to guide you through Investigation 1?

  • What was the most recent keyword that the user vibranium searched for using Windows Search on the nromanoff system?
  • How many times did the vibranium account run excel.exe on the nromanoff system?
  • When was this program last run?
  • What is the most recent Typed URL in the vibranium NTUSER.DAT?
  • List the last five files that were accessed, in order, with the time they were accessed.

I expect your initial post to demonstrate that you’ve thought deeply about the prompt. Responses such as “The questions are forensically relevant” won’t suffice. You’ll need to provide reasoning for your answer.

IMPORTANT: To be clear, for this discussion I’m not asking you to answer the five (5) questions provided. I’m asking you to discuss why you think I asked them.

Screenshot of the final scaffolded discussion prompt.

Example of the last discussion prompt. In this prompt, the instructor provides limited guidance, and students complete the assignment on their own.


Discussion – Which questions are YOU going to ask for Investigation 04?

Our discussions for Investigations 1–3 involved analyzing the sorts of information that would be critical to identify in these hypothetical scenarios. For Investigation 4 and your Forensic Challenge, we’re going to go with a situation that more closely matches what you will encounter in real life: no questions will be provided for these assignments. However, to ensure you still have some sort of guidance on what to look for, we’re going to have one last discussion on scenario questions.

Initial Post

Prompt
For your initial discussion post, I want you to do the following:

None of these questions will be answered in the assignment, but using the scenario below, if you had to work out what information would be key to identify, what would those questions be?

Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an email from a fellow co-worker that pointed to a PDF file. Upon opening, the employee did not seem to notice anything; however, recently they have had unusual activity in their bank account.

Company X was able to obtain a memory image of the employee’s virtual machine upon suspected infection. Company X wishes you to analyze the virtual memory and report on any suspected activities found.

REMEMBER: For the sake of detailed reporting, some information is always important to note, like the time zone and class/subclass/individual characteristics of the evidence. I shouldn’t be seeing those questions appearing at this point.

As always, I expect your initial post to demonstrate that you’ve thought deeply about what questions should be asked and provided your reasoning.

Keep In Mind

  • Use scaffolding carefully. Think about what information students need to know first and what information can be taken away as the semester goes on.
  • Focus on building student confidence rather than correcting errors. Tell students what they missed, but assure them that they can complete the assignment successfully.
  • Make sure you frequently interact with the whole class and with students one-on-one in the discussions (even if your responses are short).

Testimonial