SSC93002 Computer Forensics Assignment 1

Unit: Computer Forensics
Unit Code: SSC93002
Assignment 1   	Initial report (Evidence Data Acquisition) 
Southern Cross University

Case 1:

Lego is defined as a line of plastic construction toys consisting of interlocking plastic building blocks. In all states and territories of Australia, it is illegal to access, own or distribute digital content relating to “Lego”. An allegation has been made to law enforcement via a witness, who claims to have seen an individual access “Lego” related content within a place of work. The entity is a start-up with small offices in each state of Australia.

Following the approval of formal warrants, the computer in question was seized. The computer’s disk drive was then forensically acquired using the Belkasoft Acquisition Tool (BAT). Unfortunately, the junior investigator who obtained the forensic image of the computer’s disk drive only performed a logical acquisition. To worsen the situation, the junior investigator misplaced the original disk drive within the forensic laboratory.

Given the time-critical nature of the case, an investigation will need to be undertaken on the available acquired data. The prosecution team and law enforcement agencies have contacted the renowned forensics unit, SCU Forensics, for this purpose. The following list of facts have been produced for this investigation:

• The suspect, Jane, denies accessing “Lego” content on the computer.
• Jane did confirm that the computer does belong to her.
• Jane stated that she does not take the computer home.
• Jane stated that she does not lock the computer when she is away from her desk.
• Prior accumulated intelligence reports suggest that Jane may be formulating conspiracies and be in possession of content that suggests that the moon landing was fake.

As one of our trusted computer forensics professionals at SCU Forensics, who specialises in digital forensic investigations such as this, you are asked to prepare to conduct this investigation. You will be assigned the task of examining a forensic image of the computer that was seized. It is currently not known what Jane was doing with the Lego content. The image will be provided to you in week 6. In Jane’s opinion, the computer was infected with malware which could have resulted in potential content appearing on the computer. Given the significance of this case, Jane may have been engaged in additional illegal activity that attract serious penalties, including imprisonment.

Case 2:

Due to intelligence provided by the Australian government, two passengers were intercepted by Customs upon arriving in Wellington, New Zealand from Brisbane. The Intel stated that Jane Esteban and John Fredricksen may be involved in illegal activity.

The suspects were each searched by a customs officer. John Fredricksen’s baggage consisted of clothing, toiletries and a Windows laptop. Jane Esteban’s baggage also consisted of clothing, toiletries and a small windows laptop.

Upon further search of the lining of the suitcase, one kilogram of Methamphetamine was located. Both suspects were taken into separate interview rooms where they were interrogated. John Fredricksen refused to answer any questions.

Jane Esteban stated all she knew was that she had to deliver the suitcase to the “Eastbourne library” but if all else failed then they were to deliver it to 666 Rewera Avenue, Petone as told by John.

Customs and police subsequently raided that address. There was nobody present at the address. Customs did, however, find drugs, guns and a desktop computer in the living room of the suspect’s house.

You are a forensics investigator brought in to consult on this case. Customs officers have delivered images and memory dumps of the 2 laptops and 1 desktop computer to you. Your task is to carry out a forensic examination of John Fredricksen, Jane Esteban and the unknown suspect’s laptops and desktop computers to further understand their motives, goals and objectives. It should be noted that all three devices contain different Windows 10 builds and resulting artefacts may not be located in the same location or even be present.

Case 2 intelligence already obtained:

Steve Kowhai: Kowhai is a big player drug distributor/dealer in the lower north island of New Zealand and is wanting to find some quality product to expand his growing empire even more. Kowhai has contacted a source (John) in the US to smuggle in a taster of the product he plans to buy in larger quantities later. Kowhai has provided John with information about New Zealand and points on how best to smuggle the product into Wellington without raising any alarms at customs. Kowhai knows a thing or two about digital forensics and decided to use steganography to hide the document within a picture.

John Fredricksen: Fredricksen has been communicating with Kowhai (NZ dealer) via with what he believes is a secure and private chat room (Discord) to discuss his new consignment. Their chat contains information on where they are going and what he wants John Fredricksen to deliver. Furthermore, Kowhai shares some documents via (email, cloud, etc) that will assist with his job. John Fredricksen now has enough information to concoct his plan of smuggling the 1kg of methamphetamine into New Zealand but he needs to find some cover that can take the heat off of himself if any surprises were to happen. John identifies Jane Esteban a regular user of his businesses product (meth) and thinks she will make a great mule for smuggling the drugs.

Jane Esteban: Jane is an undercover Australian Federal Police (AFP) officer tasked with gathering evidence about a drug ring involving John Fredricksen and his associate Kowhai in New Zealand. Jane will be using the following persona while working undercover: she has a terrible addiction and has been visiting Fredricksen to feed her addiction, which has lead to a transactional friendship with him as a result. Fredricksen approaches Jane soon after his discussion with Kowhai to try and convince her to assist with his job.

Another forensics investigator has been working on this case for two weeks and will brief you with some initial findings and tips in a ‘handover’ process.

Tasks

Your task is two-fold. For case 1 you are to formulate a forensics plan as outlined below in part 1. Secondly, for case 2 you are to investigate the supplied forensic images using appropriate tools and processes and to develop and submit a written preliminary forensic report on your findings. For case 2, the prosecution team and law enforcement agencies will require you to provide a chain of custody and to use Autopsy and any other tool(s) you choose. You may use any other tools to undertake the investigation, but you must justify and clearly record all your activities.

Cover page, table of contents and executive summary 2.5 Marks

Your report will require:

• A cover page including unit code and title, assignment title, student name, number, campus and lecturer/tutor name.
• A table of contents that is an accurate reflection of the content within the report for bothcases, generated automatically in Microsoft Word.
• An executive summary that briefly captures what has been done to date on both cases.

Case 1: Forensics investigation plan 15 Marks (1200 words maximum)

Your knowledge and research of how to prepare for a forensics investigation, details of the digital forensics process, types of forensics acquisitions (including the types of acquisition tools available), will all be crucial in order to complete this task successfully. Project management tools (e.g. Gantt) that indicate what steps you are planning for this case can be a helpful way to summarise a timeline of a forensics investigation. A suggested structure of a forensics investigation plan might be:

Introduction

• Summary of the offence being investigated (example: potential access and/or ownership and/or distribution of illegal digital content).
• Details of parties involved.
• Details of computers or devices pertaining to the investigation.
• What are we looking at, and why?

Background

• Summary of the digital forensics process Factual details pertaining to the investigation.
• Where did offence take place?
• Who was involved?
• Who else may have been involved?
• Statements made by offender or third parties.
• Known problems relating to the suspects/victims or evidence which may inhibit or delay the investigation and analysis.

Objectives

• A list of S.M.A.R.T (Specific, Measurable, Achievable, Relevant and Timely) objectives relating to the investigation.
• Focus on the what. What needs to be done?
• Does the content or did the content exist on Jane’s computer (yes?no?prove!). If so, can it be linked to Jane (yes?no?prove!). If so, can Jane be linked to the content? Was it intentional? (yes?no?prove!).

Strategies

• Focus on the how. For example:
  • How will you undertake the analysis?
  • What process and method will you use?
  • What hardware and software tools will be used?
  • Progress/performance indicators
• What are the milestones in the investigation?
  • The milestones permit the analyst to reflect back upon the analysis thus far (are things going good or bad?)
  • The milestones also ensure that the investigation is progressing adequately and in a timely manner
  • Think project management!!!

You should use the case study instructions and information as your foundation for commencing the plan. Note: your manager wants to understand the crime/allegations that have been made before allocating resources and allowing employees to proceed with the investigation.

Case 2: Preliminary forensics report 20 Marks

You are to present an initial report of your work on Case 2 after the handover, that details your data acquisition and analysis processes using tools and processes of best practice in digital forensics. Any tools and processes, in addition to those already stated, are for you to choose and report on. However, to conduct best practice digital forensics some tools and processes are unavoidable and mandatory (such as chains of custody forms, hash calculators and forensics acquisition and analysis tools) and a failure to use and detail the tools and processes used will result in a poor outcome.

As part of your initial report you are required to provide a preliminary briefing on any findings or potential evidence. Preliminary findings may or may not constitute evidence but whatever you present must be done professionally. You are not expected to have established all evidence nor are you expected to provide a concluding expert opinion on inculpatory or exculpatory matters yet. As it is a preliminary report, the findings you have to date must be accompanied by a log or running sheet. Here are some examples of early findings you may have:

• Deleted document files
• Document metadata
• Multimedia files (images, videos etc)
• Cache artefacts
• Web browser activity, cookies and history files

You should ensure you are familiar with best practices for presenting any artefacts or evidence in a report.

An example of a preliminary report on findings may look something like that in the appendix of this document.

Whilst this is a preliminary investigation any accompanying running sheet must be detailed so any forensics professional, prosecution or the defence team can replicate your work and obtain the same evidence. Failure to do so results in inadmissible evidence and will result in significant loss of marks. Examples of a running sheet is shown in appendix 2 of this document. You should also include your running sheet as an appendix. Note: this is an incomplete running sheet! All items in a running sheet must be repeatable. Think of it as a forensics investigation recipe, I should be able to repeat your running sheet and get the same outcome.

Conclusion 2.5 Marks

You must provide a conclusion that both summarises both cases. For example, a summary that summarises the next steps you will be taking in case 1 and summarises your forensics activities in your case 2 so far (including acquisition and chain of custody as well as the analysis activities). This summary does not have to be comprehensive as investigations can change, but it does have to clearly indicate a summary of both cases as outlined previously.

References

Failure to adequately reference work will result in loss of marks and potential plagiarism procedures.

Appendix

1. An example of presenting preliminary findings.

This report is from a previous case that concerned the allegation made to law enforcement, via a witness, who claimed to have seen an individual access illegal Clown related content within a place of work. For the purposes of this fictitious scenario it was the case that in the state of New South Wales, it is illegal to access, own or distribute digital content relating to “Clown”. A logical image of the suspect’s seized device(s) was acquired by a junior investigator. The image details are as follows:

The following software applications were used to perform the investigation:

• Autopsy
• OSForensics
• Hashcalc
• SIFT Workstation
• Kali Linux (e.g. Truecrack, John the ripper)

Findings summary:

The investigation found the following clown related content

• At least 15 clown related items were downloaded via the Firefox web browser
• Two screenshots
• 24 clown related images were retrieved from …
• 2 clown related videos were retrieved from
• 3 clown related files were found in unallocated space

Example of how to present a finding

2. An example of a running sheet.

Note: this is an incomplete running sheet! All items in a running sheet must be repeatable. Think of it as a forensics investigation recipe, I should be able to repeat your running sheet and get the same outcome.