10-12-2024
LO1 Demonstrate ability of following professional processes during the phases of an investigation
Coursework Assignment Specification
6CS010 Digital Forensics
Module Name: Digital Forensics
Module Code: 6CS010
Weighting to the Overall Module: 70%
Assessment Type: Portfolio (all the portfolio tasks are described within this assignment sheet)
Assessment Title: Digital Forensic Investigation
Academic Year: 2024/25
Date Released to the students: Week 1
Submission Deadline:
Date of Expected feedback and provisional grades: 20 working days after the submission deadline
Instruction to Students
Work presented in an assessment must be your own. Plagiarism is where a student copies work from another source, published or unpublished (including the work of another student), and fails to acknowledge the influence of another’s work or to attribute quotes to the author. Plagiarism is an academic offence, and the penalty can be serious. The University’s policies relating to Plagiarism can be found in the regulations at https://www.wlv.ac.uk/about-us/internal-departments/the-college-of-learning-and-teaching-colt/academic-development/how-to-guides/how-to-avoid-plagiarism/.
To detect possible plagiarism, we will submit your work to Turnitin, a worldwide plagiarism detection facility. This tool searches the Internet and an extensive database of reference material including other students’ work to identify. Once your work has been submitted to the detection service it will be stored electronically in a database and compared against work submitted from this and other universities. It will, therefore, be necessary to take electronic copies of your materials for transmission, storage and comparison purposes and the operational backup process. This material will be stored in this manner indefinitely.
By submitting your assignment, you agree to the above terms and conditions of your submission.
Learning outcomes
LO1 Demonstrate ability of following professional processes during the phases of an investigation
LO2 Understand and follow the core functions of a forensic examination through using software and associated technology in a secure and professional manner.
LO3 Implement appropriate terminology into a digital forensic examination.
1. Scenario
You are part of a team working for Z-Security, an elite digital forensics company in the UK that was invited to investigate a recent security incident involving suspected criminal activities taking place in a medium-sized company called UBB.
You have been hired to physically investigate some of the affected assets, while other Z-Security team members were assigned similar tasks in order to reduce the overall investigation time. As part of your role, you will be asked to prepare an appropriate digital forensics toolkit together with a Digital Forensics Investigation (DFI) model to facilitate your investigation tasks. Any legal interface between law enforcement and this organisation is also a component to be evaluated as part of your assignment.
The incident(s): Network administrators at UBB identified unusual P2P and encrypted traffic that is rarely needed to support their business processes. An early investigation of some of their system logs confirmed suspicious connections some of which bypassed their firewall rules. Alice, a senior ICT manager with reasonable incident response training was keen to keep all the machines attached to the suspected subnet running while he sent an urgent request for Z-Security to start an investigation (based on an Incident Response contract between the two parties).
Bob’s decision was significantly encouraged by recent reports showing further incidents in the company, in particular, an increased number of staff accounts being accessed from unusual locations inside and outside the company. This has raised concerns of the possibility of an insider attack or inappropriate behaviour and misuse of the company’s infrastructure.
2. Ethical and Legal Implications
Due to the nature of this module, you MUST ensure that ALL the tools utilised for this module and its coursework are carefully contained within a controlled laboratory environment.
Performing digital investigation on the dedicated coursework VMs and within University cyber labs is permitted, but it is very important to note that unauthorised access to the rest of the university network is NOT allowed. A full monitoring process will be in place and offenders could be prosecuted. Ask your lecturer to clarify any doubts should you have further inquiries. Overall, make sure you comply with UK legislation and all associated professional and ethical behaviour.
The purpose of this assignment is NOT to teach you how to break computer systems but rather to understand how authorised digital investigations are performed following the detection of an incident.
3. Assignment Tasks
In response to the incident(s), Z-Security assigned you several tasks as part of their main digital investigation. You were given the following tasks:
To develop an Expert Report template using MS Word. Z-Security wants a new template to standardise and use for this investigation to maintain cross-team consistency in their documentation. The template should include suitable branding, titles, subtitles and notes. [should not exceed 3 pages]
To conduct a literature review and critically discuss published Digital Investigation Process Models. The narrative should compare and conclude (with justification) the most suitable model for Z-Security to adopt. Examples of criteria to support your conclusion include, but are not limited to, the model’s ability to cover new technologies (e.g. IoT), flexibility, and to support the team’s collaborative activities. This discussion must be referenced throughout. [Word count (excluding references): 500 words ± 10%]
To perform full analysis on a byte-to-byte copy of the given asset; machine’s hard drive and memory (volatile data). The asset can be found on Canvas as a VM (VM-SnapshotSep2016.7z). As a Digital Investigator, you are expected to work within the guidance of a forensic model to report your findings. You must discover, document and forensically report any four actions performed on the seized device in violation of UBB’s Acceptable Use Policy (AUP) which can be found in Appendix 1. Your work during the investigation should consider the rigour, reproducibility and integrity of data. Any findings that could help attributing these actions to an individual or more will be relevant as well. [no wordcount or maximum number of pages, but do not document more than two unacceptable actions]
To develop a Digital Investigation Toolkit prioritising open-source tools. These tools will be utilised by you for this incident to perform the required analysis (i.e. for the specific type of technology you will investigate, everything else is out of scope), or to be used by any Z-Security team in the future for the same type of investigation. The Toolkit should be presented within a table and supported by any brief notes deemed necessary. [2-3 pages]
Further details and guidelines
Support your work with screenshots and photos when required.
To successfully meet the requirements, you must investigate and answer the given assignment tasks and consider the criteria given in the attached marking scheme.
During the incident investigation, instructors (management board) will observe your work during the lab and take notes on the appropriateness of your progress.
While considering legal aspects, remember that both UBB and Z-Security operate in the UK.
The structural arrangements of the report are part of the assignment, and you are expected to make informed decisions to plan it accordingly.
4. Submission Guidelines
Please adhere to the following requirements:
Submission will be via Canvas/Turnitin; please see the front cover for the submission date. You must ensure your work is submitted to this link before the deadline to avoid unforeseen technical issues. Submissions by emails are NOT allowed.
The report should be written in a formal reporting style and without use of personal pronouns (for example, no use of ‘I, me, my, our, we, they, he, she’). If you find it difficult, you may want to research the use of the passive voice.
Layout should make reasonable use of margins, clear headings, single line spacing and font size should be 11pt (i.e. your report should be professionally presented).
All content (main report, references and appendices) should be contained and submitted in a single document.
Referencing should be in the Harvard style (see Cite Them Right, available at http://www.citethemrightonline.com). Note: you will need your University user ID and password to access this resource.
Only Microsoft Word or PDF file formats
Include page numbers, the module code and your student ID.
5. Marking Scheme
Feedback and Marks (Assignment 1 is 70% for the module).
Assessment Criteria Section
Possible marks
Actual Marks (Agreed)
Expert Report Template and Content Structure
Template structure and clarity;
5
5
Appropriateness of titles and notes;
5
Review of DFI Models
Academic writing and overall narrative;
Clear evidence of analysis, excellent critical thinking and problem-solving approach;
Quality, relevance and number of references.
10
10
10
Digital Forensics Analysis
The utilisation and implementation of a relevant Investigation Model, Procedures, techniques, and Chain-of-Custody;
Quality and completeness of the analysis performed, and the number and value of artefacts covered; steps undertaken, and decisions made for undertaking certain forensic investigation steps with attention towards the rigour, reproducibility and integrity of data.
Relevance of findings reported.
10
10
10
The Toolkit
The utilisation and implementation of the right tools to perform the investigation; Digital Investigation Toolkit scoped appropriately to this assignment.
20
Consideration of Professional, Legal and Ethical Aspects
5
Total
100%
Appendix 1
Acceptable internet use policy for UBB
Use of the internet by employees of UBB is permitted and encouraged where such use supports the goals and objectives of the business.
However, UBB has a policy for the use of the internet whereby employees must ensure that they:
comply with current legislation
use the internet in an acceptable way
do not create unnecessary business risk to the company by their misuse of the internet
Unacceptable behaviour
In particular the following is deemed unacceptable use or behaviour by employees:
visiting internet sites that contain obscene, hateful, pornographic or otherwise illegal material
using the computer to perpetrate any form of fraud, or software, film or music piracy
using the internet to send offensive or harassing material to other users
downloading commercial software or any copyrighted materials belonging to third parties, unless this download is covered or permitted under a commercial agreement or other such licence
hacking into unauthorised areas
publishing defamatory and/or knowingly false material about UBB, your colleagues and/or our customers on social networking sites, ‘blogs’ (online journals), ‘wikis’ and any online publishing format
revealing confidential information about UBB in a personal online posting, upload or transmission - including financial information and information relating to our customers, business plans, policies, staff and/or internal discussions
undertaking deliberate activities that waste staff effort or networked resources
introducing any form of malicious software into the corporate network
Company-owned information held on third-party websites
If you produce, collect and/or process business-related information in the course of your work, the information remains the property of UBB. This includes such information stored on third-party websites such as webmail service providers and social networking sites, such as Facebook and LinkedIn.
Monitoring
UBB accepts that the use of the internet is a valuable business tool. However, misuse of this facility can have a negative impact upon employee productivity and the reputation of the business.
In addition, all of the company's internet-related resources are provided for business purposes. Therefore, the company maintains the right to monitor the volume of internet and network traffic, together with the internet sites visited. The specific content of any transactions will not be monitored unless there is a suspicion of improper use.
Sanctions
Where it is believed that an employee has failed to comply with this policy, they will face the company's disciplinary procedure. If the employee is found to have breached the policy, they will face a disciplinary penalty ranging from a verbal warning to dismissal. The actual penalty applied will depend on factors such as the seriousness of the breach and the employee's disciplinary record.
Agreement
All company employees, contractors or temporary staff who have been granted the right to use the company's internet access are required to sign this agreement confirming their understanding and acceptance of this policy.
Sample Answer - Do Not Copy
Digital Forensics Investigation for UBB Incident
Introduction
Z-Security, an elite digital forensics firm, has been tasked with investigating a security breach at UBB, a medium-sized company in the UK. The unusual network traffic, including peer-to-peer (P2P) and encrypted communications bypassing firewall rules, along with unauthorised access to staff accounts, indicates the possibility of an insider attack or external intrusion. This report outlines the digital forensics toolkit and investigation model, evaluates the legal interface between UBB and law enforcement, and ensures adherence to professional processes throughout the investigation.
Digital Forensics Toolkit
To ensure a thorough and systematic investigation, an appropriate digital forensics toolkit is essential. The following tools will be included:
Hardware Write Blockers: These devices prevent any data from being altered when retrieving information from storage media, preserving the integrity of the original data. This ensures compliance with the principle of data immutability, a key component in digital forensics.
Imaging Tools: Tools such as FTK Imager or EnCase Imager will be used to create forensic images of suspect systems. Imaging is vital as it provides a complete copy of the data, allowing for subsequent analysis while preserving the original evidence.
Network Analyser (e.g., Wireshark): Given the unusual network traffic detected, a network analysis tool will help capture and inspect network packets. This can assist in identifying the source, destination, and content of suspicious communications.
Forensic Software Suites (e.g., Autopsy, EnCase): These suites will help identify and analyse file systems, deleted files, system logs, and metadata across the compromised machines.
Password Recovery Tools (e.g., Cain & Abel): If encrypted data is encountered, password recovery tools may be necessary to access crucial evidence, especially if accounts were compromised.
Log Analysis Tools (e.g., Splunk): These will aid in reviewing system logs, identifying unusual access patterns, and tracing any unauthorised activities both inside and outside UBB.
Memory Forensics Tools (e.g., Volatility): Analysing the system’s memory can provide volatile data, such as running processes, network connections, and user activity, which are crucial in reconstructing the timeline of events during the breach.
Digital Forensics Investigation (DFI) Model
To facilitate the investigation and ensure all steps are followed methodically, the following Digital Forensics Investigation (DFI) model will be used, based on established professional standards.
Identification: The first step is identifying the scope of the investigation, starting with the unusual P2P and encrypted traffic. The compromised machines and accounts accessed from unusual locations will also be targeted for investigation.
Preservation: All affected machines and assets will be isolated to preserve evidence. Alice’s decision to keep all machines running is a good initial response; however, the systems will now be properly quarantined, ensuring no further tampering or unauthorised access occurs.