Digital Forensic Investigation

Objectives

  1. Analyze a case to identify appropriate course of action to investigate.
  2. Use appropriate tools and techniques to investigate a digital forensic case.
  3. Apply digital forensics methodologies to a forensic investigation.
  4. Appraise the legal issues involved in a forensic investigation.
  5. Prepare an outline of a professional digital forensic plan and an investigation report.


Overview


In this assessment, you will work in a digital forensic team to investigate a case. Each member of your group will have specific digital evidence to investigate individually. The group needs to work together to discuss issues relevant to the entire case. Finally, the group needs to combine individual investigations and group discussions into a report.


Submit the group report on Moodle for marking. Only one member from the group needs to upload the report onto Moodle. 


Perform the following tasks to complete the assignment:

  1. Create a group – no more than 3 members per group;
  2. Select one (1) case study to investigate as a group (the case studies are provided in the Appendix of this document);
  3. Individually, select and complete investigation activities within the case study;
  4. As a group, discuss the investigation issues and outcomes within the case study, then prepare and submit the group report containing both individual and group parts.

These tasks are further described below.

  1. Creating a Group – This is a group assignment; hence, it is expected that each student will be part of a group. A group can have a minimum of two (2) or a maximum of three (3) members. Table 1 shows the activity requirements for groups of different sizes.

You will organise your own group of three (3) members maximum. Organise your group during the online tutorial/lab session in the weeks before Week 5. You must provide your Tutor (for Distance Education students, the Unit Coordinator is your tutor) with the details of the members of your group by the end of Week 5. Moodle groups will be created using this information, which is essential for submitting the assignment via the Moodle submission link.

If, for some special circumstances, you must work on your own, you must get written permission via e-mail from your Unit Coordinator before Week 5. There is no guarantee that your request will be approved, as it will depend on the particular circumstance (e.g., “I don’t want to work with others” will not be considered a valid reason). Bear in mind that the investigations for the case require substantial work, and carrying out the work on your own can be quite heavy. Due to the level of investigation required, the workload will not be reduced for students working on their own (subject to approval from the Unit Coordinator), as a reduced workload may not be sufficient to answer the questions raised in the case.

Table 1: Required activities based on the size of the group

                  Student 1                  Student 2                  Student 3
Group Size 3      Activity 1 + Discussion    Activity 2 + Discussion    Activity 3 + Discussion
Group Size 2      Activity 1 + Discussion    Activity 2 + Discussion    N/A
Group Size 1      Activity 1 + Activity 2    N/A                        N/A
                  + Discussion

As suggested in Table 1, if the group has 2 students (Group Size 2), student 1 must select and complete an activity, student 2 must select and complete a different activity (e.g., student 1 does Activity 2 and student 2 does Activity 3), and both students must work together to discuss the investigation issues and prepare the report.

Issues with the group and group members: Groups have to be created on or before Week 5. It is the group’s responsibility to manage the work in a coordinated manner to achieve the goal.

  2. Selecting a Case Study – Each group needs to choose one (1) case study and perform activities on that case study. The list of case studies is below, with details in the Appendix.

  • Case One – Exfiltration of corporate Intellectual Property
  • Case Two – Electronic Eavesdropping
  • Case Three – Illegal digital materials

  3. Performing Investigation Activities – Perform your investigation to answer the questions given in the case document for your chosen case. Your answers should be supported by evidence found in your investigation, with detailed justifications. Your individual activity may not answer all questions, but your group’s activities together should answer all of them. Therefore, collaborate effectively with your group members.

If your individual activity did not answer any of the questions for your chosen case, you must present evidence relevant to your case and/or to other possible crime(s) not listed in your case. Use the forensic software you have learnt in the lab for this investigation. If necessary, you can use other freely available (or trial versions of) forensic tools.

  • Individual section: choose your activities based on your group size and the activity rules shown in Table 1.
    • Activity One – Investigate the following digital data acquired from the crime scene mentioned in your case study and prepare a report.
      • charlie-2009-12-11.E01
      • charlie-work-usb-2009-12-11.E01
      • charlie-2009-12-11.mddramimage.zip
    • Activity Two – Investigate the following digital data acquired from the crime scene mentioned in your case study and prepare a report.
      • pat-2009-12-11.E01
      • pat-2009-12-11.mddramimage.zip
      • jo-work-usb-2009-12-11.E01
    • Activity Three – Investigate the following digital data acquired from the crime scene mentioned in your case study and prepare a report.
      • terry-2009-12-11-002.E01
      • jo-2009-12-11-002.E01
      • jo-2009-12-11.mddramimage.zip

  • Group discussion: Every group needs to address all points given in this sub-section, based on their individual investigation processes, and include them in the report.

  • Details of digital forensic methodologies and process flow used to investigate this case.
  • Write appropriate justifications to support your chosen methodologies and process.
  • Provide appropriate screenshots to show detailed process of the investigation.
  • Identify ethical and legal issues applicable for the case you are working on.
  • Justification of choosing ethical and legal issues that are relevant to the case.

  4. Submit your report – Prepare and submit your investigation report as a group. Each group must submit only one report, and only one member from the group needs to upload it onto Moodle.

  • Expected report structure
    I. Introduction
    II. Activity 1 (include the name of the member who carried out this activity)
    III. Activity 2 (include the name of the member who carried out this activity)
    IV. Activity 3 (only for groups of 3) (include the name of the member who carried out this activity)
    V. Group Discussion
    VI. Conclusion
    VII. References

Feel free to add sub-headings for sections II to V. Choose subheadings with the marking guide in mind. For example, for individual activities, subheadings could be: tools used, process followed for the investigation, evidence found, questions answered by the identified evidence, and justification.

  • What to submit: You must upload a single Word document per group using the Assignment 2 submission link on Moodle. Any screenshots or images must be incorporated into the report, not submitted as separate files. No other files are to be submitted.

5. Other Resources

The required evidence can be downloaded from:

Download link for hard drive images: http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/drives-redacted/

Download link for RAM dumps: http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/ram/

Download link for USB drives: http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/usb/



Useful Tools: OSForensics, FTK, SleuthKit, Autopsy, ProDiscover Basic and Volatility can be very helpful for investigating this case.

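Whatever tools you choose, the report's process flow should show that the acquired images were not altered by your analysis. The following Python script is an added example (not part of the assignment or the digitalcorpora scenario): it records MD5/SHA-256 hashes of the Activity One evidence set into a manifest at acquisition time and re-verifies them later. The file names come from the activity list above; the file contents and the examiner name are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Evidence file names as listed for Activity One in the assignment; the file
# contents written by demo() are constructed placeholders, not the real m57 images.
ACTIVITY_ONE = [
    "charlie-2009-12-11.E01",
    "charlie-work-usb-2009-12-11.E01",
    "charlie-2009-12-11.mddramimage.zip",
]

def hash_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so multi-GB E01 images never need to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "size": os.path.getsize(path)}

def build_manifest(evidence_dir, names, examiner):
    """Record hashes once, before any analysis tool opens the evidence."""
    return {
        "examiner": examiner,
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "items": {n: hash_file(os.path.join(evidence_dir, n)) for n in names},
    }

def verify_manifest(evidence_dir, manifest):
    """Re-hash every item and return the names whose records no longer match."""
    return sorted(n for n, rec in manifest["items"].items()
                  if hash_file(os.path.join(evidence_dir, n)) != rec)

def demo():
    """Constructed run: record three placeholder files, then alter one of them."""
    d = tempfile.mkdtemp()
    for i, n in enumerate(ACTIVITY_ONE):
        with open(os.path.join(d, n), "wb") as fh:
            fh.write(b"constructed evidence placeholder %d\n" % i)
    manifest = build_manifest(d, ACTIVITY_ONE, examiner="<student name placeholder>")
    with open(os.path.join(d, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)   # keep alongside the chain-of-custody notes
    clean = verify_manifest(d, manifest)    # nothing changed yet -> []
    with open(os.path.join(d, ACTIVITY_ONE[2]), "ab") as fh:
        fh.write(b"x")                      # simulate an image altered after acquisition
    return clean, verify_manifest(d, manifest)
```

Keep the manifest with your contemporaneous notes and include the recorded hashes in the report; a later mismatch tells you which image can no longer be relied upon.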

If you are using a Mac or Linux computer, you are advised to install Oracle VirtualBox. You will need to install a Windows virtual machine in VirtualBox and then install these tools on that Windows virtual machine.


Acknowledgement

The case scenario used in this document has been adapted from http://digitalcorpora.org/corpora/scenarios/m57-patents-scenario for educational purposes.

COIT12201 – Assignment 2 Marking Guide

You will be marked individually for your individual activity. Your group discussion will be marked the same for the entire group. Your total mark will be: your individual contribution mark + group mark.

Student ID & Name: ____________________________________________________  

Marker / Date: _________________________________________________________


Part A: 3.1 Individual section (15 marks)

1. Depth of the investigation:
   • Did students apply all possible avenues to find evidence? (2 marks)
   • Did they reveal all evidence present in the digital data? (2 marks)
   Marks: /4      Comments:

2. Appropriateness of tools and techniques:
   • How appropriate was the choice of tools and techniques used for the investigation? (3 marks)
   • How well does the report detail the investigation process? (3 marks)
   Marks: /6      Comments:

3. Presentation of the evidence:
   • Was the evidence found presented appropriately to support the answers to the questions from the case study? (2.5 marks)
   • How well is the detailed justification presented? (2.5 marks)
   Marks: /5      Comments:

Part B: 3.2 Group work (15 marks) – same marks for the entire group

Group discussion (1.5 marks for each):
   • Details of digital forensic methodologies and process flow used to investigate this case.
   • Write appropriate justifications to support your chosen methodologies and process.
   • Provide appropriate screenshots to show the detailed process of the investigation.
   • Identify ethical and legal issues applicable to the case you are working on.
   • Justification for choosing the ethical and legal issues that are relevant to the case.
   Marks: /7.5    Comments:

Report preparation and submission:
   • The group prepared a single report which is presented cohesively and covers the whole investigation. (2.5 marks)
   • The entire group has submitted only one copy of the report in Moodle. (2.5 marks)
   Marks: /5      Comments:

Report quality:
   • Is the report easy to follow? (0.5 mark)
   • How well is the flow of the investigation sequentially presented in the report? (1 mark)
   • Is it prepared in a formal report-writing style, with a table of contents, page numbers, appropriate referencing (if any), cover page and so on? (1 mark)
   Marks: /2.5    Comments:

Late submission deduction: 5% (1.5 marks) for each day

Total Marks: /30

The case details appear on the next page.                                                              


Appendix: Case Details

Common to all case studies:

Company Details

M57.biz is a new company that researches patent information for clients. The company currently has one (1) CEO/President, and three (3) additional employees. The company is planning to recruit more employees, so they have a lot of inventory on hand (computers, printers, etc.).

Table 2: M57 personnel details.

Personnel                           Electronic Identity
Pat McGoo (President/CEO)           pat@m57.biz (email password: mcgoo01)
Terry Johnson (IT Administrator)    terry@m57.biz (email password: johnson01)
Jo Smith (Patent Researcher)        jo@m57.biz (email password: smith01)
Charlie Brown (Patent Researcher)   charlie@m57.biz (email password: brown01)

Employees work onsite and conduct most business exchanges over email. All of the employees work in Windows environments, although each employee prefers different software (e.g. Outlook vs. Thunderbird). Figure 1 shows the network configuration of the company.

[Figure 1: Network configuration of M57.biz (image not reproduced in this text)]

Note: In the above figure “DOMEX” is the local server managing external network access and email.

You can find further information about this case (such as copies of the detective reports, along with the search warrant and affidavit) at the link below.

http://digitalcorpora.org/corpora/scenarios/m57-patents-scenario

Case One – Exfiltration of corporate Intellectual Property

One of the employees in M57 is stealing proprietary research on patent information from the company and passing it on to an outside entity. This employee has taken some measures to cover their tracks, but probably did not count on the company machines being imaged in the ongoing investigation of other criminal activity.

You are tasked with determining the following:

  • Who is exfiltrating the patent search data?
  • How are they doing it? Can you identify the specific items they have stolen? What is required to access the data?
  • Who is the outside contact?
  • Is there anything in your analysis to suggest that this person might be charged with more than one criminal offense?

At the end of your investigation you should prepare a report based on the details provided in Assignment 2.

Case Two – Electronic Eavesdropping

One of the M57 employees is spying on the boss (Pat McGoo) electronically. This employee is concerned that Pat may find out about certain activities they have engaged in – activities that may be related (directly or indirectly) to another ongoing investigation.

You are tasked with determining the following:

  • Who is spying on Pat?
  • How are they doing it? Can you identify specific methods or software they have used to facilitate this?
  • Why is the employee spying on Pat?
  • Is anyone else involved? Would you characterize them as accomplices?

At the end of your investigation you should prepare a report based on the details provided in Assignment 2.

Case Three – Illegal digital materials

It was found that a functioning workstation originally belonging to M57.biz had been purchased on the secondary market. Aaron Greene, the buyer, realises that the previous owner of the computer had not erased the drive and finds illegal digital images and videos on it. Aaron reports this to the police, who take possession of the computer. Police forensic investigators determine the following:

  • The computer originally belonged to m57.biz
  • The computer was used by Jo Smith, an M57 employee, as a work computer.


Police contact Pat McGoo, the CEO of m57.biz. Pat authorises imaging of all other computer equipment onsite at M57 to support additional investigation. Police further pursue a warrant to seize a personal thumb drive (USB) belonging to Jo. You are given disk images from all of the computers and USB devices found onsite at M57, along with a USB thumb drive belonging to Jo. You are also provided with four detective reports and a search warrant and affidavit associated with seizure of the USB drive.

  • For the purposes of the scenario, illegal images have been simulated with pictures and videos of cats produced exclusively for this corpus.


Questions to answer:

  • Is Jo the owner of these files? What evidence is there to confirm or reject this?
  • How did the computer come to be sold on the secondary market?
  • Who (if anyone) was involved in the sale (theft?) of the computer?
  • Were any attempts made to hide these activities (the possession of illegal digital material)?

At the end of your investigation you should prepare a report based on the details provided in Assignment 2.

End of Assessment item 2 specification document.