UFCEJ6 30 2 Coursework 2014 15 Post Moderation
MODULAR PROGRAMME
COURSEWORK ASSESSMENT SPECIFICATION
Module Details
Module Code: UFCFJ6-30-2
Run: 14SEP/FR/JUN15/1
Module Title: SECURITY AND FORENSIC TOOLS
Module Leader: Lindsey Gillies
Module Coordinator:
Module Tutors: Dr Toby Ohara, Margaret McCarthy
Component and Element Number: B: CW1
Weighting (% of the Module's assessment): 50%
Element Description: INDIVIDUAL WRITTEN REPORT ON A FORENSIC CASE STUDY (Individual written report on a forensic case study)
Total Assignment Time: 20 hours
Dates
Date Issued to Students: 23 Feb 2015
Date to be Returned to Students: 14-May-2015
Submission Place: Blackboard
Submission Date: 16/04/2015
Submission Time: 2.00 pm
Deliverables: A detailed report, using the submission form found in Appendix A, which identifies each evidential artefact, provides your contemporaneous analysis notes, and which provides a written overview of the case scenario:
Module Leader Signature
Individual Case Study
This part of the assessment for the module consists of an individual forensic case study. You will be provided with a forensic image of a suspect's computer, which will be made available to you from the following shared location from 19-Feb-2014:
S:\FET\CSCT\SecurityAndForensicTools-UFCFJ6-30-2\Coursework Image\
This EnCase image file contains evidence items supporting a particular case scenario. It is your job to examine this image file for evidential artefacts, and to build a picture of the case scenario.
You may use whatever tools you consider appropriate.
Case Scenario
The scenario for the assignment is as follows:
Suspect's Name: Odlaw
Main Victim: Wally
Other people in the case/potential victims: Wizard, Wenda and Woof.
Circumstances: It is suspected that Odlaw has kidnapped Wally and is holding him hostage for ransom.
Remit: Your task is to identify the location where Wally is being held.
Deliverable: A detailed report, using the submission form found in Appendix A, which identifies each evidential artefact, provides your contemporaneous analysis notes, and which provides a written overview of the case scenario:
1. The report should identify each artefact you have found and its provenance. (50%)
2. The report should detail, for each artefact, how you found it, in sufficient detail for someone else to follow your process. (10%)
3. The contemporaneous notes should be sufficiently detailed to allow an independent examiner to repeat your examination with the same results. Factors you need to consider are:
   - A complete examination.
   - A logical, coherent examination.
   - Dual verification.
   - Repeatability.
   - Appropriate choice and use of tools.
   (20%)
4. The written overview of no more than 500 words should be constructed upon the evidence you have found describing the case scenario (i.e. what you think has taken place, referring back to individual evidence items). You should also identify the important players in this scenario, together with any contact details for them. (20%)
Submission
You should submit a document file, readable in Microsoft Word or Adobe PDF, via Blackboard.
Appendix A: Template to be used in reporting upon your analysis of the Forensic Image
Student Number: XXXXX
Section A: Findings
The following evidence items were found:
Full Provenance to include the following fields only (marks will be deducted if you include fewer or additional fields): Name; Is Deleted; File Created; Last Written; Last Accessed; Logical Size; Physical Sector; Full path; Hash.

| Evidence item number | Full Provenance | Method of discovery | Description of item | Significance to case |
|---|---|---|---|---|
| 1 | | | | |
| 2 | | | | |
| 3 | | | | |
| 4 | | | | |
| Etc | | | | |
Section B: Screen captures
You should include a screen capture of the CONTENTS of each evidence item.
Section C: Possible Scenario (max 500 words)
Based upon the evidence, a possible scenario is...
Examiner
Exam commenced
Other relevant information
Software used, versions and licensing
Section D: Contemporaneous Notes (Note: if you decide to omit a process, then you should provide your reasons for doing so). The structure of these notes reflects the workflow for EnCase 6; you will need to modify it for EnCase 7.
| Action | Done? | Date | Time | Notes |
|---|---|---|---|---|
| Load case & verify in EnCase | | | | |
| Load Case into FTK or Autopsy or another forensic tool for dual verification of 2 key artefacts | | | | |
| Recover lost folders (FAT16 & 32) | | | | |
| Mount archives; zip, thumbs.db, etc | | | | |
| File signature analysis, compute hash values | | | | |
| Run filefinder (data carving) | | | | |
| Initialise Case script (operating system information, accounts information, timezone information etc) | | | | |
| Timeline analysis, date of last activity on the computer | | | | |
| Log-on passwords; use SAMInside/Ophcrack | | | | |
| Registry analysis and Registry protected area | | | | |
| Internet History, favourites. Other browsers? | | | | |
| Run relevant keyword searches | | | | |
| Emails, local & web-based | | | | |
| IM clients | | | | |
| Examine different file types | | | | |
| Export doc / office & exe files; look at Meta data if required | | | | |
| Clean-up utilities. Check log files | | | | |
| Encryption, Steg | | | | |
| Link files | | | | |
| Print artefacts | | | | |
| CD/DVD burning apps; check log files | | | | |
Additional Notes: