Unit: Computer Forensics. Unit Code: SSC93002. Assignment 1: Initial report (Evidence Data Acquisition). Southern Cross University.
Case 1:
Lego is defined as a line of plastic construction toys consisting of interlocking plastic building blocks. In all states and territories of Australia, it is illegal to access, own or distribute digital content relating to “Lego”. An allegation has been made to law enforcement via a witness, who claims to have seen an individual access “Lego” related content within a place of work. The entity is a start-up with small offices in each state of Australia.
Following the approval of formal warrants, the computer in question was seized. The computer’s disk drive was then forensically acquired using the Belkasoft Acquisition Tool (BAT). Unfortunately, the junior investigator who obtained the forensic image of the computer’s disk drive only performed a logical acquisition. To worsen the situation, the junior investigator misplaced the original disk drive within the forensic laboratory.
Given the time-critical nature of the case, an investigation will need to be undertaken on the available acquired data. The prosecution team and law enforcement agencies have contacted the renowned forensics unit, SCU Forensics, for this purpose. The following list of facts has been produced for this investigation:
As one of our trusted computer forensics professionals at SCU Forensics, specialising in digital forensic investigations such as this, you are asked to prepare to conduct this investigation. You will be assigned the task of examining a forensic image of the computer that was seized. It is currently not known what Jane was doing with the Lego content. The image will be provided to you in week 6. In Jane’s opinion, the computer was infected with malware, which could have resulted in the content appearing on the computer. Given the significance of this case, Jane may have been engaged in additional illegal activity that attracts serious penalties, including imprisonment.
Case 2:
Due to intelligence provided by the Australian government, two passengers were intercepted by Customs upon arriving in Wellington, New Zealand from Brisbane. The intelligence stated that Jane Esteban and John Fredricksen may be involved in illegal activity.
The suspects were each searched by a customs officer. John Fredricksen’s baggage consisted of clothing, toiletries and a Windows laptop. Jane Esteban’s baggage also consisted of clothing, toiletries and a small Windows laptop.
Upon further search of the lining of the suitcase, one kilogram of Methamphetamine was located. Both suspects were taken into separate interview rooms where they were interrogated. John Fredricksen refused to answer any questions.
Jane Esteban stated all she knew was that she had to deliver the suitcase to the “Eastbourne library” but if all else failed then they were to deliver it to 666 Rewera Avenue, Petone as told by John.
Customs and police subsequently raided that address. There was nobody present at the address. Customs did, however, find drugs, guns and a desktop computer in the living room of the suspect’s house.
You are a forensics investigator brought in to consult on this case. Customs officers have delivered images and memory dumps of the 2 laptops and 1 desktop computer to you. Your task is to carry out a forensic examination of John Fredricksen, Jane Esteban and the unknown suspect’s laptops and desktop computers to further understand their motives, goals and objectives. It should be noted that all three devices contain different Windows 10 builds and resulting artefacts may not be located in the same location or even be present.
Case 2 intelligence already obtained:
Steve Kowhai: Kowhai is a big player drug distributor/dealer in the lower north island of New Zealand and is wanting to find some quality product to expand his growing empire even more. Kowhai has contacted a source (John) in the US to smuggle in a taster of the product he plans to buy in larger quantities later. Kowhai has provided John with information about New Zealand and points on how best to smuggle the product into Wellington without raising any alarms at customs. Kowhai knows a thing or two about digital forensics and decided to use steganography to hide the document within a picture.
John Fredricksen: Fredricksen has been communicating with Kowhai (NZ dealer) via what he believes is a secure and private chat room (Discord) to discuss his new consignment. Their chat contains information on where they are going and what Kowhai wants John Fredricksen to deliver. Furthermore, Kowhai shares some documents (via email, cloud storage, etc.) that will assist with the job. John Fredricksen now has enough information to concoct his plan for smuggling the 1 kg of methamphetamine into New Zealand, but he needs to find some cover that can take the heat off himself if any surprises were to happen. John identifies Jane Esteban, a regular user of his business’s product (meth), and thinks she will make a great mule for smuggling the drugs.
Jane Esteban: Jane is an undercover Australian Federal Police (AFP) officer tasked with gathering evidence about a drug ring involving John Fredricksen and his associate Kowhai in New Zealand. Jane will be using the following persona while working undercover: she has a terrible addiction and has been visiting Fredricksen to feed her addiction, which has led to a transactional friendship with him. Fredricksen approaches Jane soon after his discussion with Kowhai to try and convince her to assist with his job.
Another forensics investigator has been working on this case for two weeks and will brief you with some initial findings and tips in a ‘handover’ process.
Your task is two-fold. For case 1 you are to formulate a forensics plan as outlined below in part 1. Secondly, for case 2 you are to investigate the supplied forensic images using appropriate tools and processes and to develop and submit a written preliminary forensic report on your findings. For case 2, the prosecution team and law enforcement agencies will require you to provide a chain of custody and to use Autopsy and any other tool(s) you choose. You may use any other tools to undertake the investigation, but you must justify and clearly record all your activities.
Your report will require:
Your knowledge and research of how to prepare for a forensics investigation, the details of the digital forensics process, and the types of forensic acquisition (including the types of acquisition tools available) will be crucial to completing this task successfully. Project management tools (e.g. a Gantt chart) that indicate what steps you are planning for this case can be a helpful way to summarise the timeline of a forensics investigation. A suggested structure of a forensics investigation plan might be:
You should use the case study instructions and information as your foundation for commencing the plan. Note: your manager wants to understand the crime/allegations that have been made before allocating resources and allowing employees to proceed with the investigation.
You are to present an initial report of your work on Case 2 after the handover, that details your data acquisition and analysis processes using tools and processes of best practice in digital forensics. Any tools and processes, in addition to those already stated, are for you to choose and report on. However, to conduct best practice digital forensics some tools and processes are unavoidable and mandatory (such as chains of custody forms, hash calculators and forensics acquisition and analysis tools) and a failure to use and detail the tools and processes used will result in a poor outcome.
As part of your initial report you are required to provide a preliminary briefing on any findings or potential evidence. Preliminary findings may or may not constitute evidence but whatever you present must be done professionally. You are not expected to have established all evidence nor are you expected to provide a concluding expert opinion on inculpatory or exculpatory matters yet. As it is a preliminary report, the findings you have to date must be accompanied by a log or running sheet. Here are some examples of early findings you may have:
You should ensure you are familiar with best practices for presenting any artefacts or evidence in a report.
An example of a preliminary report on findings may look something like that in the appendix of this document.
Whilst this is a preliminary investigation, any accompanying running sheet must be detailed enough that any forensics professional, prosecution or defence team can replicate your work and obtain the same evidence. Failure to do so results in inadmissible evidence and will result in a significant loss of marks. An example of a running sheet is shown in Appendix 2 of this document. You should also include your running sheet as an appendix. Note: this is an incomplete running sheet! All items in a running sheet must be repeatable. Think of it as a forensics investigation recipe: I should be able to repeat your running sheet and get the same outcome.
You must provide a conclusion that summarises both cases: for example, the next steps you will be taking in case 1, and your forensics activities in case 2 so far (including acquisition and chain of custody as well as the analysis activities). This summary does not have to be comprehensive, as investigations can change, but it must clearly summarise both cases as outlined previously.
Failure to adequately reference work will result in loss of marks and potential plagiarism procedures.
Appendix
This report is from a previous case that concerned an allegation made to law enforcement, via a witness, who claimed to have seen an individual access illegal Clown-related content within a place of work. For the purposes of this fictitious scenario, in the state of New South Wales it is illegal to access, own or distribute digital content relating to “Clown”. A logical image of the suspect’s seized device(s) was acquired by a junior investigator. The image details are as follows:
Image Name | clown.dd
MD5 Checksum | Enter here
Computer Name | Enter here
Device ID | Enter here
Operating System | Enter here
Total Capacity | Enter here
Timezone | Enter here
The following software applications were used to perform the investigation:
Findings summary:
File type | Count
Images | 12
Videos | 2
Audio | 2
Documents | 14
Executables | 5
Cookies | 22
The investigation found the following Clown-related content.
Example of how to present a finding:
Filename | index.jpg
Location | \Users\computer\Desktop
Size | 15,015 Bytes
Sectors | 2,997,704 – 2,997,733
Type | JPEG/JFIF
Created | 02/07/2018 09:12:29 AM
Accessed | 02/07/2018 09:12:30 AM
Modified | 02/07/2018 09:12:30 AM
MD5 | 64b61cf19e916bc1a40831a17db83b3b
Analysis | Clown in blue suit holding a musical instrument.
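As an added example, not part of the original report or of the unit's materials, the Python script below collects the fields of the finding layout above for a file: size, a type decided from the file's leading bytes rather than its extension (so a renamed file is still classified, and the mismatch is flagged), MAC timestamps in the report's date format, the MD5, and the sector range. The sector calculation is checked against the values in the finding above (15,015 bytes starting at sector 2,997,704 occupies 30 sectors of 512 bytes and ends at 2,997,733). The signature table, the 512-byte sector size, the `start_sector` parameter (which would come from the forensic tool) and the two sample files are assumptions constructed for the demo.

```python
import hashlib
import math
import tempfile
from datetime import datetime
from pathlib import Path

SECTOR_SIZE = 512  # assumed; take the real sector size from the image or the tool

# Assumed short signature table: (offset, magic bytes, label).
SIGNATURES = [
    (0, b"\xff\xd8\xff", "JPEG"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG"),
    (0, b"%PDF-", "PDF"),
    (0, b"PK\x03\x04", "ZIP container"),
    (0, b"MZ", "Windows executable (MZ/PE)"),
]
# Extensions one would expect for each identified type (assumed list).
EXPECTED_EXT = {
    "JPEG/JFIF": {".jpg", ".jpeg"}, "JPEG": {".jpg", ".jpeg"}, "PNG": {".png"},
    "PDF": {".pdf"}, "ZIP container": {".zip", ".docx", ".xlsx"},
    "Windows executable (MZ/PE)": {".exe", ".dll"},
}


def identify_type(header):
    """Classify by leading bytes, not by extension, so renamed files are still found."""
    for offset, magic, label in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            if label == "JPEG" and header[6:10] == b"JFIF":
                return "JPEG/JFIF"
            return label
    return "Unknown"


def sector_range(start_sector, size_bytes, sector_size=SECTOR_SIZE):
    """Inclusive first and last sector occupied by a file starting at start_sector."""
    count = max(1, math.ceil(size_bytes / sector_size))
    return start_sector, start_sector + count - 1


def md5_file(path):
    """Stream the file through MD5 in 1 MiB chunks (large files never load whole)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _fmt(ts):
    return datetime.fromtimestamp(ts).strftime("%d/%m/%Y %I:%M:%S %p")


def build_finding(path, start_sector=None):
    """Collect the fields of the report's finding layout for one file.
    Caveat: st_ctime is creation time on Windows but inode-change time on Linux, so
    the 'Created' value in a real report must come from the filesystem metadata the
    forensic tool reads from the image, not from a mounted working copy."""
    p = Path(path)
    st = p.stat()
    with open(p, "rb") as f:
        header = f.read(16)
    ftype = identify_type(header)
    if start_sector is not None:
        first, last = sector_range(start_sector, st.st_size)
        sectors = f"{first:,} - {last:,}"
    else:
        sectors = "(not available)"
    return {
        "Filename": p.name,
        "Location": str(p.parent),
        "Size": f"{st.st_size:,} Bytes",
        "Sectors": sectors,
        "Type": ftype,
        "Extension mismatch": p.suffix.lower() not in EXPECTED_EXT.get(ftype, {p.suffix.lower()}),
        "Created": _fmt(st.st_ctime),
        "Accessed": _fmt(st.st_atime),
        "Modified": _fmt(st.st_mtime),
        "MD5": md5_file(p),
        "Analysis": "(to be completed by the examiner)",
    }


def render(finding):
    """One 'Field | value' line per field, matching the report layout."""
    return "\n".join(f"{k} | {v}" for k, v in finding.items())


# Constructed minimal JPEG/JFIF header plus padding: not a viewable image, but
# enough for signature matching in this demo.
DEMO_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + bytes(600) + b"\xff\xd9"


def run_demo():
    """Write two constructed files, a JPEG named index.jpg and the same bytes
    renamed to notes.txt, and build a finding for each."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "index.jpg"
        renamed = Path(tmp) / "notes.txt"
        good.write_bytes(DEMO_JPEG)
        renamed.write_bytes(DEMO_JPEG)
        findings = [build_finding(good, start_sector=2_997_704), build_finding(renamed)]
    return findings


if __name__ == "__main__":
    for finding in run_demo():
        print(render(finding), end="\n\n")
```

The `Extension mismatch` field is the practical addition: two files with identical MD5 but different names and extensions are the same content, and a `.txt` that carries a JPEG signature is worth a line in the running sheet.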
Note: this is an incomplete running sheet! All items in a running sheet must be repeatable. Think of it as a forensics investigation recipe, I should be able to repeat your running sheet and get the same outcome.
Date / Time | Task Details | Duration
27/08/2018 09:00 AM | Acquired evidence from SSD (see chain of custody) and ensured the integrity of each file using Quick Hash, MD5 and the 182-md5.txt file provided on the download page. Results from Quick Hash and MD5 are listed below. | 1 hour
  182.7z.001: 90bc13ee6fc8d727b8ef4d15f8ea0113
  182.7z.002: 2027ab6f49b6d18ef4c42c3ec04ab070
  182.7z.003: 00bab1e957bf58ef31c131f79e917851
  182.7z.004: 38c8c03f254131c11462fbfe33e95e39
  182.7z.005: 970961797afa65420441decc6f561440
  182.7z.006: 0be7b6cadd0bd5ce1e1830833bd8ba1c
  182.7z.007: 03fb8aed700bbd7f0f051e7b8a5f07ed
  182.7z.008: 793b3b07a8b9d32c21a820caa27439ef
  182.7z.009: 2eda3a0e19090a2ff5ecb8426db44344
  182.7z.010: 0a3a889ec5c583e58d14f226ee79d07e
  182.7z.011: dcc2d89f6f9962edc9f987eeb3f34f41
  182.7z.012: 695b32f630df008f23376ad5c31eaf21
  182.7z.013: eff60512189034622dc7b88f00a44e39
  182.7z.014: 4131f8d9c30f83912d5bb82b8b57e32d
  182.7z.015: 734a55ba4c459214375515dac0d4191b
27/08/2018 10:00 AM | Extracted the 182.dd image from the archive files and ensured the integrity of the image file using Quick Hash and MD5. Result from Quick Hash and MD5: 182.dd MD5 hash = 15f5d5224b4bed8a97b6fc0c2a7ecfbc | 10 mins
27/08/2018 10:10 AM | Made a working copy of the downloaded image, moved the copy to the case working directory and verified the integrity of the copy using Quick Hash and MD5. Result from Quick Hash and MD5: 182.dd.working MD5 hash = 15f5d5224b4bed8a97b6fc0c2a7ecfbc | 5 mins
27/08/2018 10:15 AM | Made a backup copy of the downloaded image, moved the backup to the backup folder and verified the integrity of the backup using Quick Hash and MD5. Result from Quick Hash and MD5: 182.dd.backup MD5 hash = 15f5d5224b4bed8a97b6fc0c2a7ecfbc | 5 mins
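The four running-sheet entries above are one procedure: verify every downloaded archive part against the supplied MD5 list, hash the extracted image, then confirm that the working copy and the backup copy hash identically to it. The Python script below, added here as an example and not taken from the unit's materials or from Quick Hash, performs that procedure on a constructed fixture and prints lines in a form that can be pasted into the Task Details column. The md5sum-style layout assumed for 182-md5.txt (`<digest>  <filename>` per line), the file names and the deliberately corrupted third part are all assumptions of the demo; the real hashes stay in the running sheet above.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a multi-GB image never loads whole into memory


def md5_file(path):
    """Stream a file through MD5 and return the hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse md5sum-style '<digest>  <filename>' lines (assumed layout of 182-md5.txt)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()  # md5sum marks binary mode with '*'
    return expected


def verify_manifest(evidence_dir, manifest_text):
    """Hash every file the manifest names; return {name: (expected, actual, ok)}.
    A missing file yields actual=None so it is reported rather than silently skipped."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = Path(evidence_dir) / name
        actual = md5_file(path) if path.is_file() else None
        results[name] = (expected, actual, actual == expected)
    return results


def verify_copies(original, *copies):
    """Working and backup copies must hash identically to the original image."""
    reference = md5_file(original)
    hashes = {Path(p).name: md5_file(p) for p in (original, *copies)}
    return all(h == reference for h in hashes.values()), hashes


def running_sheet_lines(results):
    """Render results as repeatable lines for the 'Task Details' column."""
    lines = []
    for name, (expected, actual, ok) in sorted(results.items()):
        lines.append(f"{name}: {actual or 'FILE MISSING'} [{'OK' if ok else 'MISMATCH'}]")
    return lines


def build_demo_case(workdir):
    """Constructed fixture (not real evidence): three archive parts and a manifest.
    Part 003 is altered after the manifest is written to simulate a corrupted download."""
    workdir = Path(workdir)
    parts = {f"182.7z.{i:03d}": os.urandom(4096) for i in range(1, 4)}
    for name, data in parts.items():
        (workdir / name).write_bytes(data)
    manifest = "\n".join(f"{hashlib.md5(d).hexdigest()}  {n}" for n, d in parts.items())
    (workdir / "182-md5.txt").write_text(manifest)
    with open(workdir / "182.7z.003", "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))  # flip one byte: guaranteed to change the hash
    return manifest


def run_demo():
    """Run the whole check on the constructed case.
    Returns (per-part results, copies identical?, copy hashes)."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = build_demo_case(tmp)
        results = verify_manifest(tmp, manifest)
        image = Path(tmp) / "182.dd"  # stands in for the extracted image
        image.write_bytes(os.urandom(8192))
        working = Path(tmp) / "182.dd.working"
        backup = Path(tmp) / "182.dd.backup"
        working.write_bytes(image.read_bytes())
        backup.write_bytes(image.read_bytes())
        copies_ok, hashes = verify_copies(image, working, backup)
    return results, copies_ok, hashes


if __name__ == "__main__":
    results, copies_ok, hashes = run_demo()
    print("\n".join(running_sheet_lines(results)))
    print("working/backup copies match original:", copies_ok)
```

A mismatching or missing part is printed rather than raised, because the running sheet has to record the failed check and the re-download that follows it; a silent exception would leave a gap that the defence could not replicate.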
Requirements and marking rubric out of 40 marks:
Cover page, table of contents and introduction [2.5]
  A cover page including unit code and title, assignment title, student name, number, campus and lecturer/tutor name (0.5)
  A table of contents that is an accurate reflection of the content within the report, generated automatically in Microsoft Word (1)
  An introduction that briefly captures what has been done to date and is being reported on so far (1)
Case 1: The forensics investigation plan [15]
  Introduction:
    Summarises the offence being investigated, the parties and any devices involved (3).
  Background:
    Comprehensively outlines the digital forensics process, forensics preparation processes, data acquisition types, formats and tools (2).
    Adequately addresses factual details pertaining to the case (e.g. where did the offence take place, who was involved and who else may have been involved) (1).
    Clearly addresses any statements made by the offender or third parties, and known problems relating to the suspects/victims or evidence which may inhibit or delay the investigation and analysis (1).
  Objectives:
    Clearly lists S.M.A.R.T (Specific, Measurable, Achievable, Relevant and Timely) objectives relating to the investigation (4).
  Strategies:
    Comprehensively outlines strategies for how the investigator will approach the investigation (e.g. addresses how the analysis will be undertaken, the process and method, any hardware and software tools to be used and any progress/performance indicators) (2).
    Clearly defines milestones of the investigation using project management tools (2).
Case 2: The forensics process and data acquisition [10]
  Comprehensively outlines the digital forensics process, forensics preparation processes, data acquisition types, formats and tools for this case (5)
  Includes an appropriate chain of custody form (2.5)
  Clear evidence that appropriate tools have been used in the acquisition and are being used in the investigation (2.5)
Case 2: Preliminary evidence, findings and running sheet [10]
  Well-presented preliminary findings and evidence (where applicable) (3)
  Appropriate running sheet detailing processes and tools used (3.5)
  Methods used to obtain and present findings can be repeated (3.5)
Conclusion [2.5]
  Summarises your case so far (acquisition and chain of custody activities) (2.5)
  Summarises the next steps to be taken in the investigation (2.5)
Referencing
  Not well researched [-1]
  Low quality references [-1]
  Inconsistent format [-1]