UFCEJ6 30 2 Coursework 2014 15 Post Moderation



MODULAR PROGRAMME

COURSEWORK ASSESSMENT SPECIFICATION

Module Details

Module Code: UFCFJ6-30-2

Run: 14SEP/FR/JUN15/1

Module Title: SECURITY AND FORENSIC TOOLS

Module Leader: Lindsey Gillies

Module Coordinator:

Module Tutors: Dr Toby O’hara, Margaret McCarthy

Component and Element Number: B: CW1

Weighting (% of the Module's assessment): 50%

Element Description: INDIVIDUAL WRITTEN REPORT ON A FORENSIC CASE STUDY (Individual written report on a forensic case study)

Total Assignment time: 20 hours

Dates

Date Issued to Students: 23 Feb 2015

Date to be Returned to Students: 14-May-2015

Submission Place: Blackboard

Submission Date: 16/04/2015

Submission Time: 2.00 pm

Deliverables: A detailed report, using the submission form found in Appendix A, which identifies each evidential artefact, provides your contemporaneous analysis notes, and which provides a written overview of the case scenario:

Module Leader Signature

Individual Case Study

This part of the assessment for the module consists of an individual forensic case study. You will be provided with a forensic image of a suspect's computer, which will be made available to you from the following shared location from 19-Feb-2014:

S:\FET\CSCT\SecurityAndForensicTools-UFCFJ6-30-2\Coursework Image\

This EnCase image file contains evidence items supporting a particular case scenario. It is your job to examine this image file for evidential artefacts, and to build a picture of the case scenario.

You may use whatever tools you consider appropriate.

Case Scenario

The scenario for the assignment is as follows:

Suspect's Name: Odlaw

Main Victim: Wally

Other people in the case/potential victims: Wizard, Wenda and Woof.

Circumstances: It is suspected that Odlaw has kidnapped Wally and is holding him hostage for ransom.

Remit: Your task is to identify the location where Wally is being held.

Deliverable: A detailed report, using the submission form found in Appendix A, which identifies each evidential artefact, provides your contemporaneous analysis notes, and which provides a written overview of the case scenario:

1. The report should identify each artefact you have found and its provenance. (50%)

2. The report should detail, for each artefact, how you found it, in sufficient detail for someone else to follow your process. (10%)

3. The contemporaneous notes should be sufficiently detailed to allow an independent examiner to repeat your examination with the same results. Factors you need to consider are:

A complete examination

A logical, coherent examination.

Dual verification.

Repeatability

Appropriate choice and use of tools. (20%)

4. The written overview of no more than 500 words should be constructed upon the evidence you have found, describing the case scenario (i.e. what you think has taken place, referring back to individual evidence items). You should also identify the important players in this scenario, together with any contact details for them. (20%)

Submission

You should submit a document file, readable in Microsoft Word or Adobe PDF, via Blackboard.

Appendix A: Template to be used in reporting upon your analysis of the Forensic Image

Student Number: XXXXX

Section A: Findings

The following evidence items were found:

Full Provenance to include the following fields only (marks will be deducted if you include fewer or additional fields):

Name:

Is Deleted:

File Created:

Last Written:

Last Accessed:

Logical Size:

Physical Sector:

Full path:

Hash:

Evidence item number | Full Provenance | Method of discovery | Description of item | Significance to case

1 | | | |

2 | | | |

3 | | | |

4 | | | |

Etc | | | |

Section B: Screen captures

You should include a screen capture of the CONTENTS of each evidence item.

Section C: Possible Scenario (max 500 words)

Based upon the evidence, a possible scenario is...

Examiner

Exam commenced

Other relevant information

Software used, versions and licensing

Section D: Contemporaneous Notes (Note: if you decide to omit a process, then you should provide your reasons for doing so). The structure of these notes reflects the workflow for EnCase 6; you will need to modify it for EnCase 7.

Action | Done? | Date | Time | Notes

Load case & verify in EnCase

Load Case into FTK or Autopsy or another forensic tool for dual verification of 2 key artefacts

Recover lost folders (FAT16 & 32).

Mount archives; zip, thumbs.db, etc

File signature analysis, compute hash values

Run filefinder (data carving)

Initialise Case script (operating system information, accounts information, timezone information etc).

Timeline analysis, date of last activity on the computer.

Log-on passwords: use SAMInside/Ophcrack

Registry analysis and Registry protected area

Internet History, favourites. Other browsers?

Run relevant keyword searches

Emails, local & web-based.

IM clients

Examine different file types.

Export doc / office & exe files; look at metadata if required

Clean-up utilities. Check log files

Encryption, Steg

Link files

Print artefacts

CD/DVD burning apps; check log files

Additional Notes: