Computer Science · Grade 12

Active learning ideas

Network Forensics and Incident Response

Active learning works for network forensics because students need to experience the detective work of tracing anomalies, not just hear about it. By simulating breaches and parsing logs, they develop the habit of looking for subtle signals in noisy data, which is essential for real-world incident response.

Ontario Curriculum Expectations: CS.N.13, CS.S.5
30–50 min · Pairs → Whole Class · 4 activities

Activity 01

Simulation Game · 50 min · Small Groups

Role-Play: Breach Response Simulation

Present a scenario of a detected intrusion via email logs. Groups assign roles for each response phase, document their actions in sequence, then debrief as a class on the gaps. Use free resources such as sample PCAP files for evidence review.

Explain the steps involved in a typical network incident response plan.

Facilitation Tip: For the Role-Play: Breach Response Simulation, assign clear roles (e.g., incident commander, log analyst) and rotate them so students see the situation from multiple perspectives.

What to look for: Present students with a short, anonymized log snippet from a web server. Ask them to identify one suspicious entry and explain why it might indicate an attack, referencing specific log fields.

Apply · Analyze · Evaluate · Create · Social Awareness · Decision-Making

Activity 02

Simulation Game · 35 min · Pairs

Log Parsing Challenge: Anomaly Hunt

Provide anonymized network logs with planted indicators of compromise. Students use text editors or basic scripts to filter entries, identify suspicious IPs, and timeline the attack. Pairs share findings in a gallery walk.
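A starter script for the Log Parsing Challenge, added here as an example and not part of the original brief: it parses constructed Apache-style web-server lines (documentation IPs, not real traffic), flags a client that fails /login repeatedly inside a short window and then succeeds, and builds a per-IP timeline. The field names, paths and thresholds are assumptions chosen for the exercise.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed web-server log lines in Apache combined format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:01:41 +0000] "POST /login HTTP/1.1" 401 312 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:09:01:42 +0000] "POST /login HTTP/1.1" 401 312 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:09:01:43 +0000] "POST /login HTTP/1.1" 401 312 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:09:01:45 +0000] "POST /login HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:09:02:30 +0000] "GET /admin/export?all=1 HTTP/1.1" 200 984211 "-" "python-requests/2.31"
"""

# Captures: client IP, timestamp, request method, path, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(log_text):
    """Split each line into the named fields students should cite; malformed lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            entries.append({"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                            "method": method, "path": path, "status": int(status)})
    return entries

def brute_force_candidates(entries, max_failures=3, window_seconds=60):
    """IPs with max_failures 401s on POST /login within window_seconds; failure-then-success is the signal."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["status"] == 401]
        for i in range(len(fails) - max_failures + 1):
            last_fail = fails[i + max_failures - 1]["time"]
            if (last_fail - fails[i]["time"]).total_seconds() <= window_seconds:
                ok = [e for e in evs if e["status"] == 200 and e["time"] > last_fail]
                flagged[ip] = {"failures": len(fails), "success": bool(ok)}
                break
    return flagged

def timeline(entries, ip):
    """Chronological (time, status, method, path) tuples for one IP, to reconstruct the event."""
    return [(e["time"].strftime("%H:%M:%S"), e["status"], e["method"], e["path"])
            for e in sorted(entries, key=lambda e: e["time"]) if e["ip"] == ip]
```

Students can raise `max_failures` or shrink `window_seconds` to see how a threshold that is too loose or too tight changes what gets flagged, then compare the timeline against the flagged client's later `/admin/export` request.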

Analyze how network logs and traffic analysis can aid in forensic investigations.

Facilitation Tip: During the Log Parsing Challenge: Anomaly Hunt, provide a mix of clean and compromised logs so students practice filtering techniques under realistic conditions.

What to look for: Facilitate a class discussion using the prompt: 'Imagine a ransomware attack has encrypted critical files. Which phase of the incident response plan (preparation, identification, containment, eradication, recovery, lessons learned) is the most challenging to execute effectively, and why?'

Apply · Analyze · Evaluate · Create · Social Awareness · Decision-Making

Activity 03

Simulation Game · 45 min · Small Groups

Wireshark Workshop: Traffic Dissection

Capture benign and simulated malicious traffic using Wireshark. In small groups, filter packets by protocol, spot odd patterns like port scans, and reconstruct the event narrative. Conclude with a report on response recommendations.

Design a basic incident response strategy for a simulated cyberattack.

Facilitation Tip: In the Wireshark Workshop: Traffic Dissection, give students a target anomaly to find first, then open-ended challenges to encourage independent exploration.

What to look for: Provide students with a scenario: 'A user reports their computer is behaving erratically after clicking a suspicious link.' Ask them to list three immediate actions they would take to begin the incident response process, focusing on the identification and containment phases.

Apply · Analyze · Evaluate · Create · Social Awareness · Decision-Making

Activity 04

Simulation Game · 30 min · Individual

Plan Design: Custom Strategy Builder

Give a cyberattack scenario tied to unit content. Individuals outline a tailored response plan, incorporating log analysis steps, then peer review for completeness against the six phases.

Explain the steps involved in a typical network incident response plan.

Facilitation Tip: When guiding the Plan Design: Custom Strategy Builder, require teams to present their plan to peers for feedback before finalizing, reinforcing collaborative problem-solving.

What to look for: Present students with a short, anonymized log snippet from a web server. Ask them to identify one suspicious entry and explain why it might indicate an attack, referencing specific log fields.

Apply · Analyze · Evaluate · Create · Social Awareness · Decision-Making

A few notes on teaching this unit

Teach this topic through layered practice: start with guided analysis of logs and traffic, then transition to role-playing where students apply their findings in real time. Avoid overwhelming students with too much technical detail upfront. Instead, scaffold complexity by beginning with simple anomalies before introducing layered attacks. Research shows that hands-on simulations build both technical skills and confidence, which are critical for incident response under pressure.

Students will demonstrate the ability to follow a systematic incident response plan, from early detection to post-incident review. They will justify their actions using evidence from logs and packet captures, showing clear reasoning about security risks and mitigation steps.


Watch Out for These Misconceptions

  • During Role-Play: Breach Response Simulation, some students may assume that incident response begins only after confirming damage.

    Use the simulation to push students to start with preparation and identification. Provide a scenario where logs show early signs of an attack but no damage is confirmed yet. Ask teams to justify their first actions based on these signs, reinforcing proactive monitoring.

  • During Log Parsing Challenge: Anomaly Hunt, students may believe network logs instantly reveal attackers without analysis.

    In this activity, provide logs with obvious anomalies mixed with red herrings. Have students document their filtering steps and explain why certain entries stood out, shifting focus from instant answers to methodical analysis.

  • During Plan Design: Custom Strategy Builder, students might think forensics ends with identifying the breach source.

    Use the scenario cards to require teams to address all six phases in their plan. Provide a checklist of deliverables for each phase and ask them to present how their strategy ensures complete eradication and recovery, not just detection.

