CF SSC93002 Computer Forensic Assignment Answers

in the unit. As a reminder, these are imaginary scenarios developed by Australian and New Zealand forensics academics. Any likeness to any real-life person or persons is purely coincidental.

Case 1:

Lego is defined as a line of plastic construction toys consisting of interlocking plastic building blocks. In all states and territories of Australia, it is illegal to access, own or distribute digital content relating to “Lego”. An allegation has been made to law enforcement via a witness, who claims to have seen an individual access “Lego” related content within a place of work. The entity is a start-up with small offices in each state of Australia.

Following the approval of formal warrants, the computer in question was seized. The computer’s disk drive was then forensically acquired using the Belkasoft Acquisition Tool (BAT). Unfortunately, the junior investigator who obtained the forensic image of the computer’s disk drive only performed a logical acquisition. To worsen the situation, the junior investigator misplaced the original disk drive within the forensic laboratory.

Given the time-critical nature of the case, an investigation will need to be undertaken on the available acquired data. The prosecution team and law enforcement agencies have contacted the renowned forensics unit, SCU Forensics, for this purpose. The following list of facts has been produced for this investigation:

  • The suspect, Jane, denies accessing “Lego” content on the computer.
  • Jane did confirm that the computer does belong to her.
  • Jane stated that she does not take the computer home.
  • Jane stated that she does not lock the computer when she is away from her desk.
  • Prior accumulated intelligence reports suggest that Jane may be formulating conspiracies and be in possession of content that suggests that the moon landing was fake.

As one of our trusted computer forensics professionals at SCU Forensics, who specializes in digital forensic investigations such as this, you are asked to prepare to conduct this investigation. You will be assigned the task of examining a forensic image of the computer that was seized. It is currently not known what Jane was doing with the Lego content. The image will be provided to you in week 6. In Jane’s opinion, the computer was infected with malware which could have resulted in potential content appearing on the computer. Given the significance of this case, Jane may have been engaged in additional illegal activities that attract serious penalties, including imprisonment.

Case 2:

Due to intelligence provided by the Australian government, two passengers were intercepted by Customs upon arriving in Wellington, New Zealand from Brisbane. The intelligence stated that Jane Esteban and John Fredricksen may be involved in illegal activity.

The suspects were each searched by a customs officer. John Fredricksen’s baggage consisted of clothing, toiletries, and a Windows laptop. Jane Esteban’s baggage also consisted of clothing, toiletries, and a small Windows laptop.

Upon further search of the lining of the suitcase, one kilogram of Methamphetamine was located. Both suspects were taken into separate interview rooms where they were interrogated. John Fredricksen refused to answer any questions.

Jane Esteban stated all she knew was that she had to deliver the suitcase to the “Eastbourne library” but if all else failed then they were to deliver it to 666 Rewera Avenue, Petone as told by John.

Customs and police subsequently raided that address. There was nobody present at the address. Customs did, however, find drugs, guns, and a desktop computer in the living room of the suspect’s house.

You are a forensics investigator brought in to consult on this case. Customs officers have delivered images and memory dumps of the 2 laptops and 1 desktop computer to you. Your task is to carry out a forensic examination of John Fredricksen, Jane Esteban, and the unknown suspect’s laptops and desktop computers to further understand their motives, goals, and objectives. It should be noted that all three devices contain different Windows 10 builds and resulting artifacts may not be located in the same location or even be present.

Case 2 intelligence already obtained:

Steve Kowhai: Kowhai is a big player drug distributor/dealer in the lower north island of New Zealand and is wanting to find some quality product to expand his growing empire even more. Kowhai has contacted a source (John) in the US to smuggle in a taster of the product he plans to buy in larger quantities later. Kowhai has provided John with information about New Zealand and points on how best to smuggle the product into Wellington without raising any alarms at customs. Kowhai knows a thing or two about digital forensics and decided to use steganography to hide the document within a picture.

John Fredricksen: Fredricksen has been communicating with Kowhai (NZ dealer) via what he believes is a secure and private chat room (Discord) to discuss his new consignment. Their chat contains information on where they are going and what he wants John Fredricksen to deliver. Furthermore, Kowhai shares some documents via (email, cloud, etc) that will assist with his job. John Fredricksen now has enough information to concoct his plan of smuggling the 1kg of methamphetamine into New Zealand but he needs to find some cover that can take the heat off of himself if any surprises were to happen. John identifies Jane Esteban, a regular user of his business product (meth), and thinks she will make a great mule for smuggling the drugs.

Jane Esteban: Jane is an undercover Australian Federal Police (AFP) officer tasked with gathering evidence about a drug ring involving John Fredricksen and his associate Kowhai in New Zealand. Jane will be using the following persona while working undercover: she has a terrible addiction and has been visiting Fredricksen to feed her addiction, which has led to a transactional friendship with him as a result. Fredricksen approaches Jane soon after his discussion with Kowhai to try and convince her to assist with his job.

Another forensics investigator has been working on this case for two weeks and will brief you with some initial findings and tips in a ‘handover’ process.

Tasks

Your task is two-fold. For case 1 you are to formulate a forensics plan as outlined below in part 1. Secondly, for case 2 you are to investigate the supplied forensic images using appropriate tools and processes and to develop and submit a written preliminary forensic report on your findings. For case 2, the prosecution team and law enforcement agencies will require you to provide a chain of custody and to use Autopsy and any other tool(s) you choose. You may use any other tools to undertake the investigation, but you must justify and clearly record all your activities. 

Cover page, table of contents and executive summary 2.5 Marks

Your report will require:

  • A cover page including unit code and title, assignment title, student name, number, campus, and lecturer/tutor name.
  • A table of contents that is an accurate reflection of the content within the report for both cases, generated automatically in Microsoft Word.
  • An executive summary that briefly captures what has been done to date in both cases.

Case 1: Forensics investigation plan 15 Marks (1200 words maximum)

Your knowledge and research on how to prepare for a forensics investigation, details of the digital forensics process, types of forensics acquisitions (including the types of acquisition tools available), will all be crucial in order to complete this task successfully. Project management tools (e.g. Gantt) that indicate what steps you are planning for this case can be a helpful way to summarise a timeline of a forensics investigation. A suggested structure of a forensics investigation plan might be:

Introduction

  • Summary of the offense being investigated (for example: potential access and/or ownership and/or distribution of illegal digital content).
  • Details of parties involved.
  • Details of computers or devices pertaining to the investigation.
  • What are we looking at, and why?

Background

  • Summary of the digital forensics process.
  • Factual details pertaining to the investigation.
  • Where did the offence take place?
  • Who was involved?
  • Who else may have been involved?
  • Statements made by the offender or third parties.
  • Known problems relating to the suspects/victims or evidence which may inhibit or delay the investigation and analysis.

Objectives

  • A list of S.M.A.R.T (Specific, Measurable, Achievable, Relevant, and Timely) objectives relating to the investigation.
  • Focus on the what. What needs to be done?
  • Does the content or did the content exist on Jane’s computer (yes?no?prove!). If so, can it be linked to Jane (yes?no?prove!). If so, can Jane be linked to the content? Was it intentional? (yes?no?prove!).

Strategies

  • Focus on the how. For example:
    • How will you undertake the analysis?
    • What process and method will you use?
    • What hardware and software tools will be used?
    • Progress/performance indicators
  • What are the milestones in the investigation?
    • The milestones permit the analyst to reflect back upon the analysis thus far (are things going good or bad?)
    • The milestones also ensure that the investigation is progressing adequately and in a timely manner
    • Think project management!!!

You should use the case study instructions and information as your foundation for commencing the plan. Note: your manager wants to understand the crime/allegations that have been made before allocating resources and allowing employees to proceed with the investigation.

Case 2: Preliminary forensics report 20 Marks  

You are to present an initial report of your work on Case 2 after the handover, that details your data acquisition and analysis processes using tools and processes of best practice in digital forensics. Any tools and processes, in addition to those already stated, are for you to choose and report on. However, to conduct best practice digital forensics some tools and processes are unavoidable and mandatory (such as chains of custody forms, hash calculators and forensics acquisition and analysis tools) and a failure to use and detail the tools and processes used will result in a poor outcome. 

As part of your initial report, you are required to provide a preliminary briefing on any findings or potential evidence. Preliminary findings may or may not constitute evidence but whatever you present must be done professionally. You are not expected to have established all evidence nor are you expected to provide a concluding expert opinion on inculpatory or exculpatory matters yet. As it is a preliminary report, the findings you have to date must be accompanied by a log or running sheet. Here are some examples of early findings you may have:

  • Deleted document files
  • Document metadata
  • Multimedia files (images, videos, etc)
  • Cache artifacts
  • Web browser activity, cookies, and history files

You should ensure you are familiar with the best practices for presenting any artifacts or evidence in a report. 

An example of a preliminary report on findings may look something like that in the appendix of this document.

Whilst this is a preliminary investigation, any accompanying running sheet must be detailed so any forensics professional, prosecution or the defense team can replicate your work and obtain the same evidence. Failure to do so results in inadmissible evidence and will result in significant loss of marks. An example of a running sheet is shown in appendix 2 of this document. You should also include your running sheet as an appendix. Note: this is an incomplete running sheet! All items in a running sheet must be repeatable. Think of it as a forensics investigation recipe: I should be able to repeat your running sheet and get the same outcome.

Conclusion 2.5 Marks

You must provide a conclusion that summarises both cases. For example, a summary that summarises the next steps you will be taking in case 1 and summarises your forensics activities in your case 2 so far (including acquisition and chain of custody as well as the analysis activities). This summary does not have to be comprehensive as investigations can change, but it does have to clearly indicate a summary of both cases as outlined previously.

References

Failure to adequately reference work will result in loss of marks and potential plagiarism procedures. 

Appendix

  1. An example of presenting preliminary findings.

This report is from a previous case that concerned the allegation made to law enforcement, via a witness, who claimed to have seen an individual access illegal Clown related content within a place of work. For the purposes of this fictitious scenario it was the case that in the state of New South Wales, it is illegal to access, own or distribute digital content relating to “Clown”. A logical image of the suspect’s seized device(s) was acquired by a junior investigator. The image details are as follows:

Image Name: clown.dd
MD5 Checksum: Enter here
Computer Name: Enter here
Device ID: Enter here
Operating System: Enter here
Total Capacity: Enter here
Timezone: Enter here

The following software applications were used to perform the investigation: 

  • Autopsy
  • OSForensics
  • Hashcalc
  • SIFT Workstation
  • Kali Linux (e.g. Truecrack, John the ripper)

Findings Summary: 

File type      Count
Images         12
Videos         2
Audio          2
Documents      14
Executables    5
Cookies        22

The investigation found the following clown-related content:

  • At least 15 clown-related items were downloaded via the Firefox web browser
  • Two screenshots
  • 24 clown-related images were retrieved from …
  • 2 clown-related videos were retrieved from
  • 3 clown-related files were found in unallocated space

Example of how to present a finding

   

Filename: index.jpg
Location: \Users\computer\Desktop
Size: 15,015 Bytes
Sectors: 2,997,704 – 2,997,733
Type: JPEG/JFIF
Created: 02/07/2018 09:12:29 AM
Accessed: 02/07/2018 09:12:30 AM
Modified: 02/07/2018 09:12:30 AM
MD5: 64b61cf19e916bc1a40831a17db83b3b
Analysis: Clown in blue suit holding a musical instrument.

  2. An example of a running sheet.

Note: this is an incomplete running sheet! All items in a running sheet must be repeatable. Think of it as a forensics investigation recipe, I should be able to repeat your running sheet and get the same outcome.

Date / Time: 27/08/2018 09:00 AM
Task Details: Acquired evidence from SSD (see the chain of custody) and ensure the integrity of each file using Quick Hash, MD5, and the 182-md5.txt file provided on the download page.
Results from Quick Hash and MD5:

Duration: 1 hour

Date / Time: 27/08/2018 10:00 AM
Task Details: Extract 182.dd image from archive files and ensure the integrity of the image file using Quick Hash and MD5.
Result from Quick Hash and MD5: 182.dd MD5 hash = 15f5d5224b4bed8a97b6fc0c2a7ecfbc
Duration: 10 mins

Date / Time: 27/08/2018 10:15 AM is preceded by the working-copy step below.

Date / Time: 27/08/2018 10:10 AM
Task Details: Make a working copy of the downloaded image, move the copy to the case working directory, and verify integrity of the copy using Quick Hash and MD5.
Result from Quick Hash and MD5: 182.dd.working MD5 hash = 15f5d5224b4bed8a97b6fc0c2a7ecfbc
Duration: 5 mins

Date / Time: 27/08/2018 10:15 AM
Task Details: Make a backup copy of the downloaded image, move the backup to the backup folder and verify the integrity of the backup using Quick Hash and MD5.
Result from Quick Hash and MD5: 182.dd.backup MD5 hash = 15f5d5224b4bed8a97b6fc0c2a7ecfbc
Duration: 5 mins
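The integrity checks recorded in the running sheet above, as an added Python example that is not part of the original assignment: it verifies files against an MD5 manifest, verifies a working copy against its source, and formats a running-sheet line. The `<md5>  <filename>` manifest layout, the function names, the file names and the sample data are assumptions constructed for the example; SHA-256 is computed alongside MD5 because MD5 alone is open to collisions.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks to handle large images."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_manifest(manifest_path, evidence_dir):
    """Check each '<md5>  <filename>' line (assumed manifest format) against disk."""
    results = []
    for line in Path(manifest_path).read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split(maxsplit=1)
        target = Path(evidence_dir) / name.strip().lstrip("*")  # '*' = md5sum binary flag
        actual = file_digests(target)[0] if target.is_file() else None
        status = "MISSING" if actual is None else "OK" if actual == expected.lower() else "MISMATCH"
        results.append((target.name, expected, actual, status))
    return results


def copy_and_verify(source, destination):
    """Copy an image, then confirm the copy hashes identically to the source."""
    before = file_digests(source)
    shutil.copyfile(source, destination)
    after = file_digests(destination)
    if before != after:
        raise ValueError(f"copy of {source} does not match the source")
    return after


def running_sheet_line(task, results):
    """Format one timestamped running-sheet entry from verification results."""
    stamp = datetime.now(timezone.utc).strftime("%d/%m/%Y %H:%M UTC")
    detail = "; ".join(f"{name}: {status}" for name, _, _, status in results)
    return f"{stamp} | {task} | {detail}"


def demo():
    """Constructed sample data: two fake archive parts, one altered after hashing."""
    work = Path(tempfile.mkdtemp())
    parts = {"sample.7z.001": b"constructed part one", "sample.7z.002": b"constructed part two"}
    for name, data in parts.items():
        (work / name).write_bytes(data)
    manifest = work / "sample-md5.txt"
    manifest.write_text("".join(f"{hashlib.md5(d).hexdigest()}  {n}\n" for n, d in parts.items()))
    (work / "sample.7z.002").write_bytes(b"altered after manifest")
    results = verify_manifest(manifest, work)
    copy = copy_and_verify(work / "sample.7z.001", work / "sample.7z.001.working")
    return results, copy, running_sheet_line("Verify archive parts", results)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A `MISMATCH` or `MISSING` status belongs in the running sheet as recorded, together with the tool and version that produced it, so the step can be repeated.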

Requirements and marking rubric out of 40 marks:

Cover page, table of contents and introduction [2.5]

A cover page including unit code and title, assignment title, student name, number, campus and lecturer/tutor name (0.5)

A table of contents that is an accurate reflection of the content within the report, generated automatically in Microsoft Word (1)

An introduction that briefly captures what has been done to date and is being reported on so far (1)

Case 1: The forensics investigation plan [15]

Introduction:

Summarises the offense being investigated, the parties, and any devices involved (3).

Background:

Comprehensively outlines the digital forensics process, forensics preparation processes, data acquisition types, formats, and tools (2). 

Adequately addresses factual details pertaining to the case (e.g. where did the offense take place, who was involved, and who else may have been involved) (1).

Clearly addresses any statements made by the offender or third parties, known problems relating to the suspects/victims or evidence which may inhibit or delay the investigation and analysis (1).

Objectives: 

Clearly lists S.M.A.R.T (Specific, Measurable, Achievable, Relevant, and Timely) objectives relating to the investigation (4). 

Strategies:

Comprehensively outlines strategies for how the investigator will approach the investigation (e.g. addressed how the analysis will be undertaken, the process and method, any hardware and software tools to be used, and any progress/performance indicators) (2).

Clearly defines milestones of the investigation using project management tools (2). 

Case 2: The forensics process and data acquisition [10]

Comprehensively outlines the digital forensics process, forensics preparation processes, data acquisition types, formats and tools for this case (5)

Includes an appropriate chain of custody form (2.5)

Clear evidence that appropriate tools have been used in the acquisition and are being used in the investigation (2.5)

Case 2: Preliminary evidence, findings and running sheet [10]

Well-presented preliminary findings and evidence (where applicable) (3)

Appropriate running sheet detailing processes and tools used (3.5)

Methods used to obtain and present findings can be repeated (3.5)

Conclusion [2.5]

Summarises your case so far (acquisition and chain of custody activities) (2.5)

Summarises the next steps to be taken in the investigation (2.5)

Referencing

Not well researched [-1]

Low-quality references [-1]

Inconsistent format [-1]

Submission Format

When you have completed the assignment, you are required to submit your assignment in the DOC format. The file will be named using the following convention:

filename = FirstInitialYourLastName_SSC93002_A1_S2_20xx.doc (i.e. DJones_SSC93002_A1_S2_2019.doc)

Original Work

It is a University requirement that a student’s work complies with the Academic Integrity Policy. It is a student’s responsibility to be familiar with the Policy.

Failure to comply with the Policy can have severe consequences in the form of University sanctions. For information on this policy please refer to Student Academic Integrity Policy at the following website: http://policies.scu.edu.au/view.current.php?id=00141 

As part of a University initiative to support the development of academic integrity, assessments may be checked for plagiarism, including through an electronic system, either internally or by a plagiarism checking service, and be held for future checking and matching purposes.

A Turnitin link has been set up to provide you with an opportunity to check the originality of your work until your due date. Please make sure you review the report generated by the system and make changes (if necessary!) to minimize the issues of improper citation or potential plagiarism. If you fail to follow this step, your report may not be graded or may incur late feedback.

Retain Duplicate Copy

Before submitting the assignment, you are advised to retain electronic copies of original work. In the event of any uncertainty regarding the submission of assessment items, you may be requested to reproduce a final copy.

School Extension Policy

In general, I will NOT give an extension unless there are exceptional circumstances. Students wanting an extension must make a request at least 24 hours before the assessment item is due and the request must be received in writing by the unit assessor or designated academic through student service (please visit https://www.scu.edu.au/current-students/student-administration/special-consideration/ for details). Extensions within 24 hours of submission or following the submission deadline will not be granted (unless supported by a doctor’s certificate or where there are exceptional circumstances – this will be at the unit assessor’s discretion and will be considered on a case by case basis). Extensions will be for a maximum of 48 hours (longer extensions supported by a doctor’s certificate or alike to be considered on a case by case basis).

A penalty of 5% of the total available grade will accrue for each 24-hour period that an assessment item is submitted late. Therefore, an assessment item worth 40 marks will have 2 marks deducted for every 24-hour period and at the end of 20 days will receive 0 marks.

Students who fail to submit following the guidelines in this Unit Information Guide will be deemed to have not submitted the assessment item and the above penalty will be applied until the specified submission guidelines are followed.