Computer Science · Grade 10

Active learning ideas

Digital Forensics Basics

Digital forensics relies on hands-on practice to build technical confidence and procedural discipline. Active learning lets students experience the tension between speed and accuracy in evidence handling, which is hard to grasp through lecture alone. Stations, labs, and mock scenarios let them test their own assumptions while working under realistic constraints like time and resource limits.

Ontario Curriculum ExpectationsCS.HS.S.3CS.HS.S.4
30–50 minPairs → Whole Class4 activities

Activity 01

Stations Rotation45 min · Small Groups

Stations Rotation: Forensic Evidence Stations

Prepare four stations: one for hashing files with MD5 tools, one for USB drive imaging, one for log file examination, and one for chain of custody forms. Small groups rotate every 10 minutes, following checklists to document procedures and note observations at each station.

Explain the importance of preserving digital evidence in investigations.

Facilitation TipDuring the Forensic Evidence Stations, assign roles such as imaging specialist, evidence custodian, and documentation reviewer to reinforce accountability.

What to look forPresent students with a scenario: 'A company laptop was stolen, and you suspect sensitive data was accessed. List the first three steps you would take to preserve potential digital evidence, explaining the purpose of each step.'

RememberUnderstandApplyAnalyzeSelf-ManagementRelationship Skills
Generate Complete Lesson

Activity 02

Document Mystery35 min · Pairs

Pairs Lab: Deleted File Recovery

Provide pairs with virtual machines containing deleted sample files. They install free tools like TestDisk, scan drives, recover files, and verify integrity using hashes. Pairs then discuss what they learned about data remnants.

Analyze common techniques used in digital forensics to recover data.

Facilitation TipIn the Deleted File Recovery Lab, circulate with a timer visible to all pairs to create urgency and simulate real case pressure.

What to look forFacilitate a class discussion using the prompt: 'Imagine you are a digital forensics investigator. What are the biggest challenges you might face when trying to recover deleted files from a smartphone that has been factory reset?'

AnalyzeEvaluateSelf-ManagementDecision-Making
Generate Complete Lesson

Activity 03

Document Mystery50 min · Whole Class

Whole Class: Mock Digital Crime Scene

Present a scenario with planted digital clues on shared drives. The class follows a protocol to collect, image, and analyze evidence, then reports findings in a debrief.

Predict the challenges involved in conducting a digital forensic examination.

Facilitation TipSet a 5-minute warning during the Mock Digital Crime Scene to force prioritization of evidence types and spark discussion about what matters most.

What to look forAsk students to write down two key differences between a regular file copy and a forensic image. Then, have them explain why one of these differences is critical for maintaining the integrity of evidence.

AnalyzeEvaluateSelf-ManagementDecision-Making
Generate Complete Lesson

Activity 04

Document Mystery30 min · Individual

Individual Challenge: Log Analysis Puzzle

Give students anonymized network logs to analyze for suspicious activity. They identify timestamps, IP addresses, and anomalies, then submit a report on potential evidence.

Explain the importance of preserving digital evidence in investigations.

Facilitation TipAfter the Log Analysis Puzzle, ask students to swap solutions and peer-grade for 2 minutes to build critical evaluation skills.

What to look forPresent students with a scenario: 'A company laptop was stolen, and you suspect sensitive data was accessed. List the first three steps you would take to preserve potential digital evidence, explaining the purpose of each step.'

AnalyzeEvaluateSelf-ManagementDecision-Making
Generate Complete Lesson

A few notes on teaching this unit

Teach this topic by modeling frustration first. Show students a corrupted image or a file system that refuses to mount, then step back and ask them what they would do next. This approach builds resilience and normalizes problem-solving under uncertainty. Avoid lecturing on every tool; instead, let students discover limitations through controlled failures. Research shows that students retain procedural knowledge better when they troubleshoot their own errors rather than watch demonstrations.

Students will demonstrate the ability to create forensic images without altering source data, recover files using appropriate tools, and document their process clearly. They should also explain why certain steps in the forensic process are non-negotiable for legal admissibility. Look for precise language in their chain of custody logs and peer discussions that reflect an understanding of volatility and integrity.

Watch Out for These Misconceptions

  • During Deleted File Recovery Lab, watch for students who assume deleted files are gone forever.

    Have students use Recuva to scan a USB drive with intentionally deleted files, then compare results in pairs. Ask them to explain why some files are recoverable while others are not based on their scan reports.

  • During Forensic Evidence Stations, watch for students who believe a standard copy of a drive is sufficient for evidence.

    Provide students with two copies of the same image file: one copied normally and one created using FTK Imager with a write-blocker. Have them compare hashes before and after copying to see how metadata changes.

  • During Mock Digital Crime Scene, watch for students who underestimate the challenges of volatile data.

    After seizing the mock laptop, have students quickly capture RAM contents using FTK Imager before shutting it down. Then ask them to identify what data was lost or altered by the shutdown and discuss the implications for real investigations.

Methods used in this brief

More in Networks and the Internet

Introduction to Computer Networks

Understand the basic components of a computer network and different network topologies.

2 methodologies

Network Hardware and Devices

Identify and explain the function of common network hardware components like routers, switches, and modems.

2 methodologies

The Internet: A Network of Networks

Explore the structure and function of the internet as a global network, including its history and key organizations.

2 methodologies

IP Addresses and DNS

Understand how devices are identified on a network using IP addresses and how the Domain Name System (DNS) translates human-readable names.

2 methodologies

TCP/IP and Packet Switching

Analyze the rules that govern how data packets travel across complex networks without getting lost, focusing on TCP/IP.

2 methodologies