Digital Forensic Investigation

Objectives
1. Analyze a case to identify an appropriate course of action to investigate.
2. Use appropriate tools and techniques to investigate a digital forensic case.
3. Apply digital forensics methodologies to a forensic investigation.
4. Appraise the legal issues involved in a forensic investigation.
5. Prepare an outline of a professional digital forensic plan and an investigation report.
Overview
In this assessment, you will work in a digital forensic team to investigate a case. Each member of
your group will have specific digital evidence to investigate individually. The group needs to work
together to discuss issues relevant to the entire case. Finally, the group needs to combine individual
investigations and group discussions into a report.
Submit the group report on Moodle for marking. Only one member from the group needs to
upload the report onto Moodle.
Perform the following tasks to complete the assignment:
1. Create a group – no more than 3 members per group;
2. Select one (1) case study to investigate as a group (the case study is provided in the Appendix of
this document);
3. Individually, select and complete investigation activities within the case study;
4. As a group, discuss investigation issues and outcome within the case study;
5. Prepare and submit the group report containing both individual and group parts.
These tasks are further described below.
1. Creating a Group – This is a group assignment; hence, it is expected that each student will be
part of a group. A group can have a minimum of two (2) and a maximum of three (3) members. Table 1
shows activity requirements based on the size of different groups.
You will organise your own group of three (3) members maximum. Organise your group during the
online tutorial/lab sessions in the weeks before Week 5. You must provide your Tutor (for Distance
Education students, the Unit Coordinator is your tutor) with the details of the members of your group
by the end of Week 5. Moodle groups will be created using this information, which is essential for
submitting the assignment via the Moodle submission link.
If, due to special circumstances, you must work on your own, you must get written permission via
e-mail from your Unit Coordinator before Week 5. There is no guarantee that your request will be
COIT12201 Electronic Crime and Digital Forensics – T2, 2020 Assessment 2 Page: 2 / 8
approved as it will depend on the particular circumstance (e.g., “I don’t want to work with others” will
not be considered as a valid reason). Bear in mind that the investigations for the case will require
substantial work and carrying out the work on your own can be quite heavy. Due to the nature of the
required level of investigation, it will not be possible to adjust the workload for students working on
their own (subject to approval from the Unit Coordinator) as it may not be sufficient to answer the
questions raised in the case.
Table 1: Required activities based on the size of the group
               Student 1    Student 2    Student 3
Group Size 3   Activity1    Activity2    Activity3
               Discussion   Discussion   Discussion
Group Size 2   Activity1    Activity2    N/A
               Discussion   Discussion
Group Size 1   Activity1    N/A          N/A
               Activity2
               Discussion
As suggested in Table 1, if the group has 2 students (Group Size 2), student 1 must select and
complete an activity, student 2 must select and complete a different activity (e.g., student 1 does
activity 2 and student 2 does activity 3, etc.), and both students must work together to discuss the
investigation issues and prepare the report.
Issues with Group and group members: Groups have to be created on or before week 5. It
is the group’s responsibility to manage the work in a coordinated manner to achieve the goal.
2. Selecting a Case Study – Each group needs to choose one (1) case study and perform
activities on that case study. The list of case studies is below, with details on Page 5.
• Case One: Exfiltration of corporate Intellectual Property
• Case Two: Electronic Eavesdropping
• Case Three: Illegal digital materials
3. Performing Investigation Activities – Perform your investigation to answer questions given in the
case document. Your investigation should aim to answer questions asked in your chosen case.
Your answers should be supported by evidence found in your investigation and with detailed
justifications. Your individual activity may not answer all questions, but your group activities
together should answer all the questions. Therefore, collaborate effectively with your group
members.
If your individual activity did not answer any questions for your chosen case, you must
present evidence relevant to your case and/or other possible crime(s) not listed in your
case. Use the forensic software you have learnt in the lab for this investigation. If necessary, you
can use other freely available (or trial version of) forensic tools.
3.1 Individual section: choose your activities based on your group size and activity rules shown
in Table 1.
3.1.1 Activity One – Investigate the following digital data acquired from the crime scene
mentioned in your case study and prepare a report.
• charlie-2009-12-11.E01
• charlie-work-usb-2009-12-11.E01
• charlie-2009-12-11.mddramimage.zip
3.1.2 Activity Two – Investigate the following digital data acquired from the crime scene
mentioned in your case study and prepare a report.
• pat-2009-12-11.E01
• pat-2009-12-11.mddramimage.zip
• jo-work-usb-2009-12-11.E01
3.1.3 Activity Three – Investigate the following digital data acquired from the crime scene
mentioned in your case study and prepare a report.
• terry-2009-12-11-002.E01
• jo-2009-12-11-002.E01
• jo-2009-12-11.mddramimage.zip
3.2 Group discussion: Every group needs to address all points given in this sub-section based
on their individual investigation process to include in the report.
• Details of digital forensic methodologies and process flow used to investigate this case.
• Write appropriate justifications to support your chosen methodologies and process.
• Provide appropriate screenshots to show detailed process of the investigation.
• Identify ethical and legal issues applicable for the case you are working on.
• Justification of choosing ethical and legal issues that are relevant to the case.
4. Submit your report – Prepare and submit your investigation report as a group. A group together
must submit only one report.
Only one member from the group needs to upload the report onto Moodle.
4.1 Expected report structure
I. Introduction
II. Activity 1 (include member’s name who carried out this activity)
III. Activity 2 (include member’s name who carried out this activity)
IV. Activity 3 (only for groups of 3) (include member’s name who carried out this activity)
V. Group Discussion
VI. Conclusion
VII. References
Feel free to add sub-headings for sections II to V. You could choose subheadings but make sure
you check the marking guide to assist you for this. For example, for individual activities, subheadings could be: tools used, process followed for the investigation, evidence found,
questions answered by identified evidence and justification.
4.2 What to submit: You must upload a single Word document per group using the assignment two
submission link on Moodle. Any screenshots or images must be incorporated into the report, not
submitted as separate files. No other files are to be submitted.
5. Other Resources
Required evidence can be downloaded from:
Download link for hard drive images: http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/drives-redacted/
Download link for RAM dumps: http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/ram/
Download link for USB drives: http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/usb/
Useful Tools: OSForensics, FTK, SleuthKit, Autopsy, ProDiscover Basic and Volatility can be really
helpful to investigate this case.
If you are using a Mac computer or Linux, you are advised to install Oracle VirtualBox. You will
need to install a Windows virtual machine on VirtualBox and then install these tools on that
Windows virtual machine.