Assessment item 2 - Tasks and Forensics Report
Value:30%
Due Date: Week 10Return Date: Week 12Group Assessment:No
Submission method options:online
TASK
Task 1: Recovering scrambled bits (10%) (10 marks)Thia task helps you to test your skills in encryption and decryption of some data that you may encounter in the field of digital forensics. For this task I will upload a text file with scrambled bits on the suject interact2 site closer to the assignment due date. You will need to use some DFT (digital forensics tool) to recover the scrambled bits. First, decide what DFT will be suitable for this task and then start your process. Please note you may need to do few iterations and some trial and test to get the goal. Your bit recovery process will be step by step which means you may not see the whole receovered bits just after one step, you may need to use several steps to recover all bits in the given file. You will be required to restore the scrambled bits to their original order and copy the plain text in your assignment.
Deliverable:
Describe the process used in restoring the scrambled bits and insert plain text in the assignment. You can include the screen shots of your working. Include at least in one of the screen shot your i2 site login and username to show it is your work.
Task 2: Digital Forensics Report (20%) (20 marks)In this major task you are asked to prepare a digital forensic report for the following scenario after carefully reading the scenario and looking at textbook figures as referred below:In addition, you are also to comment on the ethical issues / implications that may arise during your investigation. See further explanation of this in the deliverables below.You are working in a Digital Forensic Investigation company, ABC Forensics (you can come up with your own company name if you are not fan of this name) and investigating a possible intellectual property theft by a new employee of Superior Bicycles, Inc. This employee, Tom Johnson, is the cousin of Jim Shu, an employee who had been terminated. Bob Aspen is an external contractor and investor who gets a strange e-mail from Terry Sadler about Jim Shu's new project (shown in Figure 8-5 of the textbook on p. 350). Bob forwards the e-mail to Chris Robinson (the president of Superior Bicycles) to inquire about any special projects that might need capital investments. Chris forwards the e-mail to the general counsel, Ralph Benson, asking him to look into it. He also forwards it to Bob Swartz, asking him to have IT look for any e-mails with attachments. After a little investigation, Bob Swartz forwards an e-mail IT found to Chris Robinson (shown in Figure 8-6 of the textbook on p. 350).Chris also found a USB drive on the desk Tom Johnson was assigned to. Your task is to search for and determine whether the drive contains any proprietary Superior Bicycles, Inc. data in the form of any digital photograph and/or in any other form such as emails, text, spreadsheets etc as an evidence. In particular, you may look for graphic files such as JPEG on the USB drivehidden with different format. But during the investigation you also look for other type of data as mentioned above. As a digital forensic specialist, you do not pre-assume that you will (or will not) find what you are looking for. However, you need to make sure that you conduct comprehensive investigation before reaching to any conclusions.Note for the USB drive image, you need to download the "C08InChp.exe" file from the download section of Chapter 8 on the student companion site of the textbook (Nelson, Phillips, & Steuart, 6/e, 2019).In order to conduct a thorough investigation, search all possible places where you think that data might be hidden (e.g. in e-mails and USB drive) and recover and present any digital evidence in the report. You may find that some of the files that you found cannot be opened properly or may be damaged or may be made corrupt intentionally, mention such files in your report. You may look at how to repair these files (hint: look at files headers). If you repair a file, mention your report that you have done so usinga specific DFT. You do not need to write the whole repairing process if it is too long. If your current free version of the DFT cannot save large size files, you may consider searching and using other similar DFT that can save the larger size files. Assume that your company does not have the budget to purchase another DFT for this purpose, so you have to go with the free version.
Deliverables:
First of all in order to visualise and understand this case properly, draw a mind map / chart / flow diagram to show the connection of each person involved and their roles in the company. You may like to mention along the mind map who is asking what request / provding information to whom. Your task is to make the mind map / chart / flow diagram as clearer and presentable to a new person to understand the case as possible. Include this mind map / chart / flow diagram in your report's executive summary.You should also be asking this question while doing investigation, are there any evidence other than images in this case (although you have been specifically asked to look for images)?For this forensic examination, you need to provide a report of approximately 10-12 pages (this is not a hard page limit, take it as a guideline) in the format described in presentation section below. Your report must include screen shots of your work and any images that you may have found during the investigation. Make sure that each screen shot has proper label, e.g. something like Figure 1: Screen shot of opening USB file. etc. You also provide a breif (one or two sentence) description of that screen shot or the image that you inserted in your report.This may increase the number of pages of your report, which is acceptable. But make sure, if this is the case, you only include the screen shots which you think are necessary for the report.In the findings section of your report, please comment on the ethical issues / implications that you may encounter during your investigation. Your comments should be clear, concise and to the point to articulate all the ethical issues and consequences related to the investigation.You may have used various sources for collecting information such as lecture notes, web sources and forums etc. Cite all the sources of information in references that you used to prepare the report.
RATIONALE
This assessment task will assess the following learning outcome/s:
- be able to determine and explain the legal and ethical considerations for investigating
and prosecuting digital crimes.
- be able to formulate a digital forensics process.
- be able to evaluate the technology in digital forensics to detect, prevent and recover from digital crimes.
- be able to analyse data on storage media and various file systems.
- be able to collect electronic evidence without compromising the original data.
- be able to evaluate the functions and features of digital forensics equipment, the environment and the tools for a digital forensics lab.
- be able to critique and compose technical tactics in digital crimes and assess the steps involved in a digital forensics investigation.
- be able to prepare and defend reports on the results of an investigation.
MARKING CRITERIA AND STANDARDS
Task 1: Recovering Scrambled bits (10 marks)
Criteria
|
HD (100% - 85%)
|
DI (84% - 75%)
|
CR (74% - 65%)
|
PS (64% - 50%)
|
FL (49% - 0)
|
Successfully recovering the scrambled bits to their original order (10 marks)
|
Scrambled bits are restored to the original text. DF Tool used to decode the text is mentioned and justification to use the tool is also provided. The process to restore the scrambled bits is clearly described with screenshots inserted of all steps. A brief description of each screen shot is provided. |
Scrambled bits are restored to the original text. Tool used to decode the text is mentioned but the justification is not very clear. The process to restore the scrambled bits is described with some screenshots. A brief description of each screen shot is provided. |
Scrambled bits are restored to the original text. Tool used to decode the text is mentioned but the justification is not very clear. The process to restore the scrambled bits is described but no screenshots provided. A brief description of each screen shot is provided. |
Scrambled bits are restored to the original text. No justification of tool used is provided, process seems to be somewhat vague. A brief description of each screen shot is provided. |
Scrambled bits are restored but not matching with the original text. Tool is not mentioned and process is not described. |
Task 2: Forensics Report (20 marks)
Criteria
|
HD (100% - 85%)
|
DI (84% - 75%)
|
CR (74% - 65%)
|
PS (64% - 50%)
|
FL (49% - 0)
|
Executive Summary: Brief overview and mind-map of the project (3 marks)
|
An excellent summary covering all aspects of the report is included. A clear, correct, simple and understandable mind-map / chart / flow diagram is presented. |
A very well written summary covering all aspects of the report is included. A clear, correct, simple and understandable mind-map / chart / flow diagram is presented. |
A well written summary covering most aspects of the report is included. A clear and understandable mind-map / chart / flow diagram is presented. |
A good summary covering most aspects of the report is included. A clear mind-map / chart / flow diagram is presented. |
Summary is not clear and does not cover aspects of the report. Mind-map / chart / flow diagram is not presented or is not correct. |
Introduction: Scope of engagement, tools to be used and potential findings (3 marks)
|
Introduction is excellent, all elements required in introduction are present, well expressed, comprehensive and accurate. |
All elements are present and largely accurate and well expressed. |
All elements are present with few inaccuracies. |
Most elements are present possibly with some inaccuracies. |
Fails to satisfy minimum requirements of introduction. |
Analysis: relevant programs, techniques, graphics (4 marks)
|
Description of analysis is clear and appropriate programs and techniques are selected. Very good graphic image analysis. |
Description of analysis is clear and mostly appropriate programs and techniques are selected. Good graphic image analysis. |
Description of analysis is clear and mostly appropriate programs and techniques are selected.Reasonable graphic image analysis. |
Description of analysis is not completely relevant. Little or no graphics image analysis provided. |
Fails to satisfy minimum requirements of analysis. |
Findings: specific files/images,
|
A greater detail of findings is provided. |
Findings are provided, keywords |
Findings are provided, some |
Findings are provided but are |
Fails to satisfy minimum |
type of searches, type of evidence, ethical issues / implications (5 marks)
|
Keywords and string searches are listed very clearly.Evidences found are very convincing. A clear, concise and articulated explanation of all the ethical issues / implicationsl is provided. |
and string searchers are listed. Evidence is sound. Ownership is clear. A clear, concise and articulated explanation of all the ethical issues / implicationsl is provided. |
keywords are listed. Evidence is reasonable which relates to the ownership. A clear and articulated explanation of most of the ethical issues / implicationsl is provided. |
somewhat vague. Keywords and strings are not very clear.Evidence found may be questionable. An articulated explanation of some of the ethical issues / implicationsl is provided. |
requirements providing findings. |
Conclusion: Summary, Results (3 marks)
|
High level summary of results is provided which is consistent with the report and the executive summary. |
Well summarised results and mostly consistent with the findings and the information in executive summary. |
Good summary of results.Able to relate the results with findings. |
Satisfies the minimum requirements. Results are not really consistent with the findings. |
Fails to satisfy minimum requirements of summarising the results. |
References: Must cite references to all material used as sources for the content (2 marks)
|
APA 6th edition referencing applied to a range of relevant resources. No referencing errors.Direct quotes used sparingly. Sources all documented. |
APA 6th edition referencing applied to a range of relevant resources. No more than 2 referencing errors.Direct quotes used sparingly. Sources all documented. |
APA 6th edition referencing applied to a range of relevant resources. No more than three errors. Direct quotes used in- context. All sources are documented. |
APA 6th edition referencing applied to a range of relevant resources.No more than 4 errors. Direct quotes used in-context.Some sources documented. |
Referencing not done to the APA 6th edition standard. Over-use of direct quotes. Range of sources used is not appropriate and/or not documented. |
Glossary / Appendices: (Optional - not marked)
|
Glossary of technical terms used in the report is provided which has generally |
Glossary of technical terms used in the report is provided which has mostly |
Glossary of some technical terms used in the report is provided which has |
Glossary of some technical terms used in the report is provided however |
Most terminologies are missing.Appendices are either not provided |
|
acceptable source of definition of the terms and appropriate references are included. Relevant supporting material is provided in appendices to demonstrate the evidence. |
acceptable source of definition of the terms and appropriate references are included. Some supporting material is provided in appendices to demonstrate the evidence. |
mostly acceptable source of definition of the terms and appropriate references are included. Some supporting material is provided in appendices to demonstrate the evidence. |
terms are not generally common and some references are missing. Some supporting material is provided in appendices. |
or are irrelevant. |
PRESENTATION
The following should be included as minimum requirements in the report structure:
Executive Summary (3 marks)
This section provides a brief overview of the case, your involvement as an examiner, authorisation, major findings and conclusion
•Table of Contents
Background, scope of engagement, forensics tools used and summary of potential findings
•Analysis Conducted (3 marks)
- Description of relevant programs on the examined items
- Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions etc
- Graphic image analysis
•Findings (5 marks)
This section should describe in greater detail the results of the examinations and may include:
- Specific files related to the request
- Other files, including any deleted files that support the findings
- String searches, keyword searches, and text string searches
- Internet-related evidence, such as Web site traffic analysis, chat logs, cache files, e-mail, and news group activity
- Indicators of ownership, which could include program registration data.
•Conclusion (3 marks)
Summary of the report and results obtained. Do not introduce new results or new ideas in conclusions. Repeat the information from Executive Summary.
•References (2 marks)
You must cite references to all material you have used as sources for the content of your work
•Glossary (Optional)
A glossary should assist the reader in understanding any technical terms used in the report. Use a generally accepted source for the definition of the terms and include appropriate references.
•Appendices (Optional)
You can attach any supporting material such as printouts of particular items of evidence, digital copies of evidence, and chain of custody documentation.