SSC93002 Computer Forensics Assignment 1

Unit: Computer Forensics
Unit Code: SSC93002
Assignment 1   	Initial report (Evidence Data Acquisition) 
Southern Cross University

Case 1:

Lego is defined as a line of plastic construction toys consisting of interlocking plastic building blocks. In all states and territories of Australia, it is illegal to access, own or distribute digital content relating to “Lego”. An allegation has been made to law enforcement via a witness, who claims to have seen an individual access “Lego” related content within a place of work. The entity is a start-up with small offices in each state of Australia.

Following the approval of formal warrants, the computer in question was seized. The computer’s disk drive was then forensically acquired using the Belkasoft Acquisition Tool (BAT). Unfortunately, the junior investigator who obtained the forensic image of the computer’s disk drive only performed a logical acquisition. To worsen the situation, the junior investigator misplaced the original disk drive within the forensic laboratory.

Given the time-critical nature of the case, an investigation will need to be undertaken on the available acquired data. The prosecution team and law enforcement agencies have contacted the renowned forensics unit, SCU Forensics, for this purpose. The following list of facts have been produced for this investigation:

  • The suspect, Jane, denies accessing “Lego” content on the computer.
  • Jane did confirm that the computer does belong to her.
  • Jane stated that she does not take the computer home.
  • Jane stated that she does not lock the computer when she is away from her desk.
  • Prior accumulated intelligence reports suggest that Jane may be formulating conspiracies and be in possession of content that suggests that the moon landing was fake.

As one of our trusted computer forensics professionals at SCU Forensics, who specialises in digital forensic investigations such as this, you are asked to prepare to conduct this investigation. You will be assigned the task of examining a forensic image of the computer that was seized. It is currently not known what Jane was doing with the Lego content. The image will be provided to you in week 6. In Jane’s opinion, the computer was infected with malware which could have resulted in potential content appearing on the computer. Given the significance of this case, Jane may have been engaged in additional illegal activity that attract serious penalties, including imprisonment.

Case 2:

Due to intelligence provided by the Australian government, two passengers were intercepted by Customs upon arriving in Wellington, New Zealand from Brisbane. The Intel stated that Jane Esteban and John Fredricksen may be involved in illegal activity.

The suspects were each searched by a customs officer. John Fredricksen’s baggage consisted of clothing, toiletries and a Windows laptop. Jane Esteban’s baggage also consisted of clothing, toiletries and a small windows laptop.

Upon further search of the lining of the suitcase, one kilogram of Methamphetamine was located. Both suspects were taken into separate interview rooms where they were interrogated. John Fredricksen refused to answer any questions.

Jane Esteban stated all she knew was that she had to deliver the suitcase to the “Eastbourne library” but if all else failed then they were to deliver it to 666 Rewera Avenue, Petone as told by John.

Customs and police subsequently raided that address. There was nobody present at the address. Customs did, however, find drugs, guns and a desktop computer in the living room of the suspect’s house.

You are a forensics investigator brought in to consult on this case. Customs officers have delivered images and memory dumps of the 2 laptops and 1 desktop computer to you. Your task is to carry out a forensic examination of John Fredricksen, Jane Esteban and the unknown suspect’s laptops and desktop computers to further understand their motives, goals and objectives. It should be noted that all three devices contain different Windows 10 builds and resulting artefacts may not be located in the same location or even be present.

Case 2 intelligence already obtained:

Steve Kowhai: Kowhai is a big player drug distributor/dealer in the lower north island of New Zealand and is wanting to find some quality product to expand his growing empire even more. Kowhai has contacted a source (John) in the US to smuggle in a taster of the product he plans to buy in larger quantities later. Kowhai has provided John with information about New Zealand and points on how best to smuggle the product into Wellington without raising any alarms at customs. Kowhai knows a thing or two about digital forensics and decided to use steganography to hide the document within a picture.

John Fredricksen: Fredricksen has been communicating with Kowhai (NZ dealer) via with what he believes is a secure and private chat room (Discord) to discuss his new consignment. Their chat contains information on where they are going and what he wants John Fredricksen to deliver. Furthermore, Kowhai shares some documents via (email, cloud, etc) that will assist with his job. John Fredricksen now has enough information to concoct his plan of smuggling the 1kg of methamphetamine into New Zealand but he needs to find some cover that can take the heat off of himself if any surprises were to happen. John identifies Jane Esteban a regular user of his businesses product (meth) and thinks she will make a great mule for smuggling the drugs.

Jane Esteban: Jane is an undercover Australian Federal Police (AFP) officer tasked with gathering evidence about a drug ring involving John Fredricksen and his associate Kowhai in New Zealand. Jane will be using the following persona while working undercover: she has a terrible addiction and has been visiting Fredricksen to feed her addiction, which has lead to a transactional friendship with him as a result. Fredricksen approaches Jane soon after his discussion with Kowhai to try and convince her to assist with his job.

Another forensics investigator has been working on this case for two weeks and will brief you with some initial findings and tips in a ‘handover’ process.

Tasks

Your task is two-fold. For case 1 you are to formulate a forensics plan as outlined below in part 1. Secondly, for case 2 you are to investigate the supplied forensic images using appropriate tools and processes and to develop and submit a written preliminary forensic report on your findings. For case 2, the prosecution team and law enforcement agencies will require you to provide a chain of custody and to use Autopsy and any other tool(s) you choose. You may use any other tools to undertake the investigation, but you must justify and clearly record all your activities.

Cover page, table of contents and executive summary 2.5 Marks

Your report will require:

  • A cover page including unit code and title, assignment title, student name, number, campus and lecturer/tutor name.
  • A table of contents that is an accurate reflection of the content within the report for bothcases, generated automatically in Microsoft Word.
  • An executive summary that briefly captures what has been done to date on both cases.

Case 1: Forensics investigation plan 15 Marks (1200 words maximum)

Your knowledge and research of how to prepare for a forensics investigation, details of the digital forensics process, types of forensics acquisitions (including the types of acquisition tools available), will all be crucial in order to complete this task successfully. Project management tools (e.g. Gantt) that indicate what steps you are planning for this case can be a helpful way to summarise a timeline of a forensics investigation. A suggested structure of a forensics investigation plan might be:

Introduction

  • Summary of the offence being investigated (example: potential access and/or ownership and/or distribution of illegal digital content).
  • Details of parties involved.
  • Details of computers or devices pertaining to the investigation.
  • What are we looking at, and why?

Background

  • Summary of the digital forensics process Factual details pertaining to the investigation.
  • Where did offence take place?
  • Who was involved?
  • Who else may have been involved?
  • Statements made by offender or third parties.
  • Known problems relating to the suspects/victims or evidence which may inhibit or delay the investigation and analysis.

Objectives

  • A list of S.M.A.R.T (Specific, Measurable, Achievable, Relevant and Timely) objectives relating to the investigation.
  • Focus on the what. What needs to be done?
  • Does the content or did the content exist on Jane’s computer (yes?no?prove!). If so, can it be linked to Jane (yes?no?prove!). If so, can Jane be linked to the content? Was it intentional? (yes?no?prove!).

Strategies

  • Focus on the how. For example:
    • How will you undertake the analysis?
    • What process and method will you use?
    • What hardware and software tools will be used?
    • Progress/performance indicators
  • What are the milestones in the investigation?
    • The milestones permit the analyst to reflect back upon the analysis thus far (are things going good or bad?)
    • The milestones also ensure that the investigation is progressing adequately and in a timely manner
    • Think project management!!!

You should use the case study instructions and information as your foundation for commencing the plan. Note: your manager wants to understand the crime/allegations that have been made before allocating resources and allowing employees to proceed with the investigation.

Case 2: Preliminary forensics report 20 Marks

You are to present an initial report of your work on Case 2 after the handover, that details your data acquisition and analysis processes using tools and processes of best practice in digital forensics. Any tools and processes, in addition to those already stated, are for you to choose and report on. However, to conduct best practice digital forensics some tools and processes are unavoidable and mandatory (such as chains of custody forms, hash calculators and forensics acquisition and analysis tools) and a failure to use and detail the tools and processes used will result in a poor outcome.

As part of your initial report you are required to provide a preliminary briefing on any findings or potential evidence. Preliminary findings may or may not constitute evidence but whatever you present must be done professionally. You are not expected to have established all evidence nor are you expected to provide a concluding expert opinion on inculpatory or exculpatory matters yet. As it is a preliminary report, the findings you have to date must be accompanied by a log or running sheet. Here are some examples of early findings you may have:

  • Deleted document files
  • Document metadata
  • Multimedia files (images, videos etc)
  • Cache artefacts
  • Web browser activity, cookies and history files

You should ensure you are familiar with best practices for presenting any artefacts or evidence in a report.

An example of a preliminary report on findings may look something like that in the appendix of this document.

Whilst this is a preliminary investigation any accompanying running sheet must be detailed so any forensics professional, prosecution or the defence team can replicate your work and obtain the same evidence. Failure to do so results in inadmissible evidence and will result in significant loss of marks. Examples of a running sheet is shown in appendix 2 of this document. You should also include your running sheet as an appendix. Note: this is an incomplete running sheet! All items in a running sheet must be repeatable. Think of it as a forensics investigation recipe, I should be able to repeat your running sheet and get the same outcome.

Conclusion 2.5 Marks

You must provide a conclusion that both summarises both cases. For example, a summary that summarises the next steps you will be taking in case 1 and summarises your forensics activities in your case 2 so far (including acquisition and chain of custody as well as the analysis activities). This summary does not have to be comprehensive as investigations can change, but it does have to clearly indicate a summary of both cases as outlined previously.

References

Failure to adequately reference work will result in loss of marks and potential plagiarism procedures.

Appendix

  1. An example of presenting preliminary findings.

This report is from a previous case that concerned the allegation made to law enforcement, via a witness, who claimed to have seen an individual access illegal Clown related content within a place of work. For the purposes of this fictitious scenario it was the case that in the state of New South Wales, it is illegal to access, own or distribute digital content relating to “Clown”. A logical image of the suspect’s seized device(s) was acquired by a junior investigator. The image details are as follows:

Image Name

clown.dd

MD5 Checksum

Enter here

Computer Name

Enter here

Device ID

Enter here

Operating System

Enter here

Total Capacity

Enter here

Timezone

Enter here

The following software applications were used to perform the investigation:

  • Autopsy
  • OSForensics
  • Hashcalc
  • SIFT Workstation
  • Kali Linux (e.g. Truecrack, John the ripper)

Findings summary:

File type

Count

Images

12

Videos

2

Audio

2

Documents

14

Executables

5

Cookies

22

The investigation found the following clown related content

  • At least 15 clown related items were downloaded via the Firefox web browser
  • Two screenshots
  • 24 clown related images were retrieved from …
  • 2 clown related videos were retrieved from
  • 3 clown related files were found in unallocated space

Example of how to present a finding

Filename

index.jpg

Location

\Users\computer\Desktop

Size

15,015 Bytes

Sectors

2,997,704 – 2,997,733

Type

JPEG/JFIF

Created

02/07/2018 09:12:29 AM

Accessed

02/07/2018 09:12:30 AM

Modified

02/07/2018 09:12:30 AM

MD5

64b61cf19e916bc1a40831a17db83b3b

Analysis

Clown in blue suit holding a musical instrument.

  1. An example of a running sheet.

Note: this is an incomplete running sheet! All items in a running sheet must be repeatable. Think of it as a forensics investigation recipe, I should be able to repeat your running sheet and get the same outcome.

Date / Time

Task Details

Duration

27/08/2018

09:00 AM

Acquired evidence from SSD (see chain of custody) and ensure the integrity of each file using Quick Hash, MD5 and the 182-md5.txt file provided on the download page.

Results from Quick Hash and MD5:

182.7z.001: 90bc13ee6fc8d727b8ef4d15f8ea0113

182.7z.002: 2027ab6f49b6d18ef4c42c3ec04ab070

182.7z.003: 00bab1e957bf58ef31c131f79e917851

182.7z.004: 38c8c03f254131c11462fbfe33e95e39

182.7z.005: 970961797afa65420441decc6f561440

182.7z.006: 0be7b6cadd0bd5ce1e1830833bd8ba1c

182.7z.007: 03fb8aed700bbd7f0f051e7b8a5f07ed

182.7z.008: 793b3b07a8b9d32c21a820caa27439ef

182.7z.009: 2eda3a0e19090a2ff5ecb8426db44344

182.7z.010: 0a3a889ec5c583e58d14f226ee79d07e

182.7z.011: dcc2d89f6f9962edc9f987eeb3f34f41

182.7z.012: 695b32f630df008f23376ad5c31eaf21

182.7z.013: eff60512189034622dc7b88f00a44e39

182.7z.014: 4131f8d9c30f83912d5bb82b8b57e32d

182.7z.015: 734a55ba4c459214375515dac0d4191b

1 hour

27/08/2018

10:00 AM

Extract 182.dd image from archive files and ensure the integrity of the image file using Quick Hash and MD5.

Result from Quick Hash and MD5:

182.dd MD5 hash = 15f5d5224b4bed8a97b6fc0c2a7ecfbc

10 mins

27/08/2018

10:10 AM

Make working copy of downloaded image, move copy to the case working directory and verify integrity of the copy using Quick Hash and MD5.

Result from Quick Hash and MD5:

182.dd.working MD5 hash = 15f5d5224b4bed8a97b6fc0c2a7ecfbc

5 mins

27/08/2018

10:15 AM

Make backup copy of downloaded image, move backup to the backup folder and verify integrity of the backup using Quick Hash and MD5.

Result from Quick Hash and MD5:

182.dd.backup MD5 hash = 15f5d5224b4bed8a97b6fc0c2a7ecfbc

5 mins

Requirements and marking rubric out of 40 marks:

Cover page, table of contents and introduction [2.5]

A cover page including unit code and title, assignment title, student name, number, campus and lecturer/tutor name (0.5)

A table of contents that is an accurate reflection of the content within the report, generated automatically in Microsoft Word (1)

An introduction that briefly captures what has been done to date and is being reported on so far (1)

Case 1: The forensics investigation plan [15]

Introduction:

Summarises the offence being investigated, the parties and any devices involved (3).

Background:

Comprehensively outlines the digital forensics process, forensics preparation processes, data acquisition types, formats and tools (2).

Adequality addresses factual details pertaining to the case (e.g. where did the offence take place, who was involved and who else may have been involved) (1).

Clearly addresses any statements made by offender or third parties, known problems relating to the suspects/victims or evidence which may inhibit or delay the investigation and analysis (1).

Objectives:

Clearly lists S.M.A.R.T (Specific, Measurable, Achievable, Relevant and Timely) objectives relating to the investigation (4).

Strategies:

Comprehensively outlines strategies for how the investigator will approach the investigation (e.g. addressed how the analysis will be undertaken, the process and method, any hardware and software tools to be used and any progress/performance indicators (2).

Clearly defines milestones of the investigation using project management tools (2).

Case 2: The forensics process and data acquisition [10]

Comprehensively outlines the digital forensics process, forensics preparation processes, data acquisition types, formats and tools for this case (5)

Includes an appropriate chain of custody form (2.5)

Clear evidence that appropriate tools have been used in the acquisition and are being used in the investigation (2.5)

Case 2: Preliminary evidence, findings and running sheet [10]

Well-presented preliminary findings and evidence (where applicable) (3)

Appropriate running sheet detailing processes and tools used (3.5)

Methods used to obtain and present findings can be repeated (3.5)

Conclusion [2.5]

Summarises your case so far (acquisition and chain of custody activities) (2.5)

Summarises the next steps to be taken in the investigation (2.5)

Referencing

Not well researched [-1]

Low quality references [-1]

Inconsistent format [-1]

AssignmentHippo Features
  • On Time Delivery

    Our motto is deliver assignment on Time. Our Expert writers deliver quality assignments to the students.

  • Plagiarism Free Work

    Get reliable and unique assignments by using our 100% plagiarism-free services.

  • 24 X 7 Live Help

    The experienced team of AssignmentHippo has got your back 24*7. Get connected with our Live Chat support executives to receive instant solutions for your assignment problems.

  • Services For All Subjects

    We can build quality assignments in the subjects you're passionate about. Be it Programming, Engineering, Accounting, Finance and Literature or Law and Marketing we have an expert writer for all.

  • Best Price Guarantee

    Get premium service at a pocket-friendly rate. At AssignmentHippo, we understand the tight budget of students and thus offer our services at highly affordable prices.