Assignment title: Information
COIT20267 Computer Forensics
Assessment Specification
Written Assignment 2 — Case Study
Objectives
This assessment item relates to course learning outcomes 1 to 7. Please refer to the course profile to
see how this assessment item relates to the course learning outcomes.
These objectives will be measured by the 'closeness of fit' to meeting the requirements and the
assessment criteria below.
General Assessment Criteria
Incomprehensible submissions. Assessments provide the opportunity for students to demonstrate
their knowledge and skills to achieve the required standard. To do this, assessment responses need to
be both clear and easy to understand. If not, the University cannot determine that students have
demonstrated their knowledge and skills. Assessments will, therefore, be marked accordingly
including the potential for 0 (zero) marks where relevant.
Late penalty. Late submissions will attract a penalty of 5% of the total available mark for the
individual assessment item for each day or part thereof that the submission is late. This means that,
for an assessment worth 45 marks, the mark that you earn is reduced by 2.25 marks each day that the
assessment is late (including part-days and weekends). See s3.2.4 in the Assessment of Coursework
procedure at http://policy.cqu.edu.au/Policy/policy_file.do?policyid=1242.
Check with marking criteria. Before submitting your assignment you should check it against the
detailed assessment criteria included in this specification to ensure that you have satisfactorily
addressed all the criteria that will be used to mark your assignment.
Language. All submissions should be thoroughly proof-read for spelling, typographical or
grammatical errors before being submitted. Do not rely on the 'spell-check' function in your word
processing program. If, for example, 'affect' is substituted for 'effect', your program may not detect
the error.
Academic Integrity
All assignments will be checked for plagiarism (material copied from other students and/or material
copied from other sources) using TurnItIn (TII). If you are found to have plagiarised material or if you
have used someone else's words without appropriate referencing, you will be penalised for plagiarism
which could result in zero marks for the whole assignment. In some circumstances a more severe
penalty may be imposed. The University's Academic Misconduct Procedures are available at:
http://policy.cqu.edu.au/Policy/policy_file.do?policyid=1244.
Due date: 23:45:00 AEST Week 12 Friday (07/10/2016)
Weighting: 45%
Length: 3,000 words for FLEX students; 3,500 for on-campus students
Useful information about academic integrity (avoiding plagiarism) can be found at:
CQUniversity referencing guides
https://www.cqu.edu.au/student-life/services-and-facilities/referencing/cquniversity-referencingguides
Submission requirements
Who to submit? For on-campus students, one and only one of the group members needs to submit for
the entire group. FLEX students need to submit individually.
What to submit? A report in MS Word format (.doc or .docx) needs to be submitted. No other
document formats are accepted; in particular, PDF files, Apple Pages, Apple Keynote and online
Google Doc links are not accepted.
No Zipped files. Students must not zip multiple files and submit it as one single zip/compressed file.
Means of submission. All assignments must be submitted electronically to Moodle. The submission
links can be accessed through the Assessment block on the Moodle course website. Physical copies/
Email submissions are not accepted.
Auto-submission. Moodle implements an auto-submission process for those items uploaded and left
as drafts before the original deadline. However, any assessments uploaded after the original deadline
must be manually submitted by the students.
Please note that the auto-submission process does not work for assessments which have extensions. Auto-submission only works where the original deadline of an assessment has not changed. If you are
submitting after the deadline (original or extended), you must complete the Moodle submission
process. Further details on completing the submission process are available via the 'Moodle Help for
Students' link in the Support block of your Moodle pages.
Complete and correct submission. Assignments, once submitted, are final and therefore cannot be
modified. Students bear all the onus to ensure that their submissions are correct (correct files in
correct format) and complete before submitting to Moodle.
The Case
This assignment is based on the following fictitious case. Please read this case carefully; every piece
of information is given for a reason.
ABC University (the 'University') is one of the top eight universities in the U.S. with over 25,000
students, 10 campuses in five different States, over 500 staff members, and offering more than 200
University qualifications. The University promotes flexible study and allows both its students and
staff members to bring their own devices (laptops, tablets and smart phones) to University and
connect them to the University network. It is in the University's strategic plan that the University will
open another 4 campuses in the U.S. and 6 campuses or study centres in China and India in the next 15
years and expand its student numbers to an unprecedented 40,000.
Each and every student enrolled in the University is given a student card during the Orientation Week.
These student cards are contactless and use RFID technology. Students need to tap their card onto a
card reader to be able to access their respective campus. Staff members are given a similar staff
identification card that provides them access to their workplace.
Each student is assigned a unique student ID starting with two random lowercase English letters and
followed by 8 numerical digits, e.g. 'at12345678'. Student IDs are randomly generated, and therefore
are not necessarily alphabetically/numerically consecutive for the same cohort. Each student is also
assigned an email address, which is their student ID followed by '@abc.edu', e.g.
'at12345678@abc.edu'.
Staff members are also assigned a unique staff ID with the first letter of their first name followed by a
'.' (dot) and their full last name, e.g. 'r.pickering'. Each staff member is also assigned an email
address, which is their staff ID followed by '@abc.edu', e.g. 'r.pickering@abc.edu'. The staff directory is
open to the public while student information (including their University email and their personal
information) is private and confidential. Email routing in the University has been set up in such a way
that emails sent to any unknown mailbox account will be routed to a catch-all address, '[email protected]'.
The University has directed many resources to information technology for its daily operation as well
as enhancing student learning experiences. However, with the federal government budget cut on
education, updating the networks and application infrastructure has not been the University's priority
in recent years. The University has a number of Mac and PC labs, running age-old versions
of macOS and Windows OS. Staff members and Ph.D. students, at their orientation, have a choice of
Mac or PC desktop computer for work. The network structure for all campuses and across all
University functional areas is flat and relatively unrestricted. Firewalls and network segmentation are
poorly implemented throughout the entire network. Intrusion detection and prevention systems have
been installed on the network but they are not effectively used.
Last week was not the best week for the Information Security Office. They received complaints from
a large number of students from all campuses claiming that they have received a spam email inviting
them to pay to have their assignments completed by 'quality' ghost writers. However, no such email
was received by the '[email protected]' account.
An anonymous report also arrived at the Information Security Office last week, alleging that one of the
staff members, John Pickering, viewed inappropriate images and videos at the workplace using both his
own PC and the Mac desktop provided by the University.
The Information Security Office takes these two incidents seriously. However, the Office has a small
team of two IT professionals and they do not feel that they have the expertise to carry out a full-scale
forensic investigation. The University is anxious to ensure that the student information is not being
compromised, and to follow the correct procedures to investigate the second allegation. Your team has
been employed to determine whether any malicious/inappropriate activity has taken place. Your team
is tasked to undertake computer forensic analysis of the computer systems. This involves gathering
digital evidence from relevant computers and e-mail accounts.
Instructions
Group/Individual assignment. This part is a group assignment for on-campus students and an
individual assignment for FLEX students. Group formation and registration guidelines are available in
the same place where you find this document.
Length. For on-campus students, the report is 3,500 words in length; for FLEX students, the report is
3,000 words in length. 10% leeway on either side is applicable to both on-campus and FLEX students.
Assumptions. Students are encouraged to make assumptions wherever necessary subject to two
conditions: (1) assumptions should not contradict the factual information given in the case; (2)
assumptions, once made, must be relevant and addressed in your report.
In the capacity of a computer forensics expert, your task is to prepare a computer forensics investigation
plan to enable a systematic collection of evidence and subsequent forensic analysis of the electronic
and digital data. This plan should detail the following:
• justify why the use of the digital forensic methodology and approach is warranted including
appropriate procedures for University investigation.
• describe the resources required to conduct a digital forensic investigation, including skill sets and
required tools of the team members.
• outline an approach for data/evidence identification and acquisition that would occur in order to
prepare the other team members for review of the digital evidence.
• outline an approach and steps to be taken during the analysis phase.
• develop relevant security policies for the University.
• provide recommendations to the University for dealing with the problems.
Tips for preparing your computer forensics investigative plan
In writing the computer forensics investigation plan, students need to address the following points. Do
note that points listed below are not exhaustive and need to be considered as helpful tips.
• Justify a need for computer forensics methodology and consider the scope of the case including
nature of alleged misconducts leading to consideration of how electronic and digital evidence
may support the investigation. The plan should consider how computer forensics differs from
other techniques (such as data recovery) and detail the overall steps for the systematic computer
forensics approach.
• Consider the required resources and include details regarding preparation plan for evidence
gathering (such as evidence forms, types, storage media and containers), forensics workstation
and peripherals needed, software/tools for analysis depending on the type of evidence to be
gathered including rationale for selected tools, and consideration of team member skills in digital
analysis (such as OS knowledge, skills for interviewing, consultation, working as per the needs
of the team and understanding of law and University policies).
• Detail the approach for data acquisition including the different types of evidence that can be
gathered and their source depending upon the nature of the case and scope of investigation,
develop a plan for data acquisition including rationale for selected plan and contingency
planning, detail type of data acquisition tools needed including rationale and an outline for the
data validation & verification procedures.
• Provide an outline of the forensic analysis procedures/steps depending upon the nature of
evidence to be collected, and detail the validation approach. This can include techniques to
counter data hiding, recovering deleted files, procedures for network and e-mail analysis.
• Develop suitable security policies for the University.
• Provide appropriate recommendations to the University for dealing with the problems.
• Table of contents for the investigative plan should consider what to include in the report, structure
of the report, focus or scope of the report including supporting material to be provided and
references. This table of contents should include headings and sub-headings pertaining to the
aspects addressed in the above dot points.
Specifically your report should include the following.
1. Title page: (each) student name (in your group), (each) student number (in your group), (each)
student email address (in your group, use CQU email), title of your report, local lecturer/tutor, and
course coordinator. Not counted towards the word count.
2. Executive summary.
3. Table of Contents (ToC): should list the report (sub)sections in decimal notation. Create the ToC
using MS Word's ToC auto-generator rather than manually typing out the ToC. Instructions can be
found here: https://support.office.com/en-gb/article/Create-a-table-of-contents-or-update-a-table-ofcontents-eb275189-b93e-4559-8dd9-c279457bfd72#__create_a_table. Not counted towards the
word count.
4. Introduction.
5. Body of the report (use appropriate headings in the body of the report).
6. Conclusion.
7. Reference list: all references must be in Harvard Referencing Style. Not counted towards the word
count.
Marking Criteria
- Justification (5 marks) Is the justification of "why use of the digital forensic methodology and
approach is warranted" sound?
- Resources (10 marks) Are the resources required to conduct a digital forensic investigation
completely listed?
- Approach (10 marks) Is the approach for evidence identification and acquisition reasonable?
- Steps (5 marks) Are steps to be taken during the analysis phase reasonable?
- Policies (5 marks) Are they suitable for the University?
- Recommendations (5 marks) Are they appropriate?
- Table of contents and References (5 marks) Is the table of contents for the investigative report
complete? Can this reflect the student's understanding of forensic principles? Are the references
correctly cited?
Deductions
- Too long or too short (up to 3 marks)
If the report is too short or too long, the marker may impose a penalty up to 3 marks to this
assessment.
- Incomprehensible English (up to 45 marks)
If the report is unable to be read and understood by the marker, the marker may impose a penalty up
to 35 marks to this assessment.
- Flaws in expression, grammar, spelling or punctuation (up to 5 marks)
The marker may exercise his/her discretion to deduct up to 5 marks from this assessment on the
ground of the (poor) quality of writing.
- Late penalty (up to 45 marks)
In the absence of an extension, the marker will impose late penalties at 2.25 marks for each day or
part thereof that the assignment is overdue.