Due Date: 1 May 2016
Forensics Report (20 Marks)
In this major task you take the role of a Digital Forensics Examiner. Considering a real or a hypothetical case, you are required to produce a formal report presenting the facts from your findings to the attorney who has retained you. You are free to choose a forensics scenario, such as examination of storage media (HDD, USB drive, etc.), email or social media forensics, mobile device forensics, cloud forensics, or any other appropriate scenario you can think of.
Paste the link below into your browser and download the files listed from the corresponding folders.
http://digitalcorpora.org/corpora/scenarios/m57-patents-scenario
The above link was published in the following book:
Guide to Computer Forensics and Investigations: Processing Digital Evidence
Bill Nelson, Amelia Phillips, Christopher Steuart, Fifth Edition
1 Exercise slides - download the PPT slides to your hard drive.
2 Detective reports, warrant and affidavit - download the 4 Word documents to your hard drive.
3 USB image drives - there are 4 images; download them to your hard drive.
4 Charlie's files are included; these were indexed using the forensics tool OSForensics. Open the file for Charlie, located in the USB image drives folder, and check whether it contains information supporting the allegations about Charlie's activities.
As a Digital Forensics Examiner, I need to ascertain whether Charlie is involved in anything illicit or against company policy.
Forensics tools to be used for this report are:
1 OSForensics - download from the Internet (open source)
2 FTK Imager - download from the Internet (open source)
3 SleuthKit - download from the Internet (open source)
Deliverable: A forensics report of 1800-2000 words.
Rationale
This assessment task covers data validation, e-discovery, steganography, reporting and presenting, and has been designed to ensure that you are engaging with the subject content on a regular basis. More specifically, it seeks to assess your ability to:
• determine the legal and ethical considerations for investigating and prosecuting digital crimes;
• analyse data on storage media and various file systems;
• collect electronic evidence without compromising the original data;
• evaluate the functions and features of digital forensics equipment, the environment and the tools for a digital forensics lab;
• compose technical tactics in digital crimes and assess the steps involved in a digital forensics investigation;
• prepare and defend reports on the results of an investigation.
Marking criteria. Grade bands: HD (100% - 85%), DI (84% - 75%), CR (74% - 65%), PS (64% - 50%), FL (50% - 0).

Introduction: background, scope of engagement, tools and findings (3 marks)
HD (3.0 – 2.55): All elements are present, well expressed, comprehensive and accurate.
DI (2.54 – 2.25): All elements are present and largely accurate and well expressed.
CR (2.24 – 1.95): All elements are present with few inaccuracies.
PS (1.94 – 1.5): Most elements are present, possibly with some inaccuracies.
FL (1.4 – 0): Fails to satisfy minimum requirements of the introduction.

Analysis: relevant programs, techniques, graphics (5 marks)
HD (5.0 – 4.25): Description of analysis is clear and appropriate programs and techniques are selected. Very good graphic image analysis.
DI (4.24 – 3.75): Description of analysis is clear and mostly appropriate programs and techniques are selected. Good graphic image analysis.
CR (3.74 – 3.25): Description of analysis is clear and mostly appropriate programs and techniques are selected. Reasonable graphic image analysis.
PS (3.24 – 2.5): Description of analysis is not completely relevant. Little or no graphic image analysis provided.
FL (2.4 – 0): Fails to satisfy minimum requirements of analysis.

Findings: specific files/images, type of searches, type of evidence, indicators of ownership (5 marks)
HD (5.0 – 4.25): Findings are provided in great detail. Keyword and string searches are listed very clearly. Evidence found is very convincing. Indication of ownership is very clear.
DI (4.24 – 3.75): Findings are provided; keyword and string searches are listed. Evidence is sound. Ownership is clear.
CR (3.74 – 3.25): Findings are provided; some keywords are listed. Evidence is reasonable and relates to the ownership.
PS (3.24 – 2.5): Findings are provided but are somewhat vague. Keywords and strings are not very clear. Evidence found may be questionable.
FL (2.4 – 0): Fails to satisfy minimum requirements for providing findings.

Conclusion: summary, results (3 marks)
HD (3.0 – 2.55): A high-level summary of results is provided which is consistent with the report.
DI (2.54 – 2.25): Well summarised results, mostly consistent with the findings.
CR (2.24 – 1.95): Good summary of results. Able to relate the results to the findings. No new material is included.
PS (1.94 – 1.5): Satisfies the minimum requirements. Results are not really consistent with the findings.
FL (1.4 – 0): Fails to satisfy minimum requirements of summarising the results.

References: must cite references to all material used as sources for the content (2 marks)
HD (2.0 – 1.7): APA 6th edition referencing applied to a range of relevant resources. No referencing errors. Direct quotes used sparingly. Sources all documented.
DI (1.6 – 1.5): APA 6th edition referencing applied to a range of relevant resources. No more than 2 referencing errors. Direct quotes used sparingly. Sources all documented.
CR (1.4 – 1.3): APA 6th edition referencing applied to a range of relevant resources. No more than 3 errors. Direct quotes used in context. Sources all documented.
PS (1.2 – 1.0): APA 6th edition referencing applied to a range of relevant resources. No more than 4 errors. Direct quotes used in context. Some sources documented.
FL (0.9 – 0): Referencing not done to the APA 6th edition standard. Over-use of direct quotes. Range of sources used is not appropriate and/or not documented.

Glossary / Appendices (2 marks)
HD (2.0 – 1.7): A glossary of the technical terms used in the report is provided, with a generally acceptable source for the definitions and appropriate references included. Relevant supporting material is provided in appendices to demonstrate the evidence.
DI (1.6 – 1.5): A glossary of the technical terms used in the report is provided, with a mostly acceptable source for the definitions and appropriate references included. Some supporting material is provided in appendices to demonstrate the evidence.
CR (1.4 – 1.3): A glossary of some technical terms used in the report is provided, with a mostly acceptable source for the definitions and appropriate references included. Some supporting material is provided in appendices to demonstrate the evidence.
PS (1.2 – 1.0): A glossary of some technical terms used in the report is provided; however, the terms are not generally common and some references are missing. Some supporting material is provided in appendices.
FL (0.9 – 0): Most terminology is missing. Appendices are either not provided or are irrelevant.
The report must contain the headings listed below.
• Presentation
The following should be included as minimum requirements in the report structure:
• Executive Summary or Abstract
This section provides a brief overview of the case, your involvement as an examiner, the authorisation, the major findings and the conclusion.
• Table of Contents
• Introduction
Background, scope of engagement, forensics tools used and summary of findings
• Analysis Conducted
o Description of relevant programs on the examined items
o Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions, etc.
o Graphic image analysis
• Findings
This section should describe in greater detail the results of the examinations and may include:
o Specific files related to the request
o Other files, including deleted files that support the findings
o String searches, keyword searches, and text string searches
o Internet-related evidence, such as Web site traffic analysis, chat logs, cache files, e-mail, and news group activity
o Indicators of ownership, which could include program registration data.
• Conclusion
Summary of the report and results obtained
• References
You must cite references to all material you have used as sources for the content of your work
• Glossary
A glossary should assist the reader in understanding any technical terms used in the report. Use a generally accepted source for the definition of the terms and include appropriate references.
• Appendices
You can attach any supporting material such as printouts of particular items of evidence, digital copies of evidence, and chain of custody documentation.
• Follow the referencing guidelines for APA 6 as specified in the Referencing Guides.
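The Analysis and Findings sections above ask for evidence validation, keyword and string searches, and graphic image analysis. The script below is an added example illustrating those three steps in code; it is not part of the assignment, the M57 patents scenario, or OSForensics, FTK Imager or SleuthKit. It operates on a small constructed byte string that stands in for a USB image (a real image would be read from disk with open(path, "rb").read(), or memory-mapped if it is large), records acquisition hashes so the report can show the evidence was not altered, searches for keywords in both ASCII and UTF-16LE (the encoding Windows uses for many strings), and locates graphic file headers by their magic numbers as the first step of image carving. Keywords, offsets and the sample content are all constructed for the demonstration.

```python
import hashlib
import re

# Constructed sample "image": filler bytes with a few embedded artefacts.
# This is NOT one of the M57 USB images; it stands in for one so the script
# runs offline. Offsets: ASCII text at 512, UTF-16LE text at 819, JPEG at 971.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"Charlie, the patent application draft is attached.\x00"
    + b"\x00" * 256
    + "confidential".encode("utf-16-le")          # Windows-style UTF-16LE string
    + b"\x00" * 128
    + b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00"   # JPEG/JFIF file header
    + b"\x00" * 512
)

# Magic numbers of graphic formats an examiner commonly carves for.
GRAPHIC_SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def hash_image(data: bytes) -> dict:
    """MD5 and SHA-256 digests of the image. Recording them at acquisition
    and again after examination shows the original evidence was not altered."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_image(data: bytes, expected: dict) -> bool:
    """True only if every recorded digest still matches the current bytes."""
    current = hash_image(data)
    return all(current[name] == digest for name, digest in expected.items())


def keyword_search(data: bytes, keywords: list) -> list:
    """Case-insensitive search for each keyword in ASCII and UTF-16LE form.
    Returns (keyword, encoding, byte_offset) tuples sorted by offset, so each
    hit can be cited in the Findings section with its location in the image."""
    hits = []
    for kw in keywords:
        for enc_name, pattern in (("ascii", kw.encode("ascii")),
                                  ("utf-16le", kw.encode("utf-16-le"))):
            for m in re.finditer(re.escape(pattern), data, re.IGNORECASE):
                hits.append((kw, enc_name, m.start()))
    return sorted(hits, key=lambda h: h[2])


def find_graphic_headers(data: bytes) -> list:
    """Locate embedded graphic file headers by magic number; this is the
    starting point for carving pictures out of unallocated space."""
    found = []
    for kind, magic in GRAPHIC_SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            found.append((kind, idx))
            start = idx + 1
    return sorted(found, key=lambda f: f[1])


def examine(data: bytes, keywords: list) -> dict:
    """Run the three checks and return a record for the report: acquisition
    digests, keyword hits, graphic headers, and a post-examination integrity
    check confirming the image bytes were not modified along the way."""
    acquired = hash_image(data)
    report = {
        "acquisition_hashes": acquired,
        "keyword_hits": keyword_search(data, keywords),
        "graphic_headers": find_graphic_headers(data),
    }
    report["integrity_ok"] = verify_image(data, acquired)
    return report


if __name__ == "__main__":
    result = examine(SAMPLE_IMAGE, ["patent", "confidential", "charlie"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the report, the digests from hash_image belong in the chain-of-custody appendix and the Introduction, the offsets from keyword_search and find_graphic_headers in the Findings section, and the integrity_ok result is the data-validation statement that the examined copy still matches the acquired image.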