Assessment item 2 Assignment 2 - Tasks and Forensics Report Value: 30% Due date: 19-May-2017 Return date: 09-Jun-2017 Submission method options Alternative submission method Task Task 1: Recovering scrambled bits (5 Marks) For this task I will upload a text file with scrambled bits on the Interact site closer to the assignment due date. You will be required to restore the scrambled bits to their original order and copy the plain text in your assignment. Deliverable: Describe the process used in restoring the scrambled bits and insert plain text in the assignment. Task 2: Revealing hidden information from an image (5 Marks) For this task I will provide an image with hidden information in it. You will be required to reveal the hidden information. Deliverable: Describe the process used to reveal the hidden information from the image and copy the revealed information in the assignment in plain text. Charles Sturt University Subject Outline ITC597 ****** SM I-28 January 2017-Version 1 Page 9 of 17 Task 3: Forensics Report (20 Marks) In this major task assume you are a Digital Forensics Examiner. Considering a real or a hypothetical case you are required to produce a formal report consisting of facts from your findings to your attorney who has retained you. You are free to choose a forensics scenario which can be the examination of a storage media (HDD, USB Drive, etc), email or social media forensics, mobile device forensics, cloud forensics or any other appropriate scenario you can think of. Deliverable: A forensics report of 1800-2000 word. Rationale This assessment task covers data validation, e-discovery, steganography, reporting and presenting, and has been designed to ensure that you are engaging with the subject content on a regular basis. More specifically it seeks to assess your ability to: determine the legal and ethical considerations for investigating and prosecuting digital crimes analyse data on storage media and various file systems collect electronic evidence without compromising the original data; evaluate the functions and features of digital forensics equipment, the environment and the tools for a digital forensics lab; compose technical tactics in digital crimes and assess the steps involved in a digital forensics investigation; prepare and defend reports on the results of an investigation Marking criteria Task 1: Recovering scrambled bits (5 Marks) Criteria HD 100% - 85% DI 84% - 75% CR 74% - 65% PS 64% - 50% Successfully recovering the scrambled bits to their original order (5 marks) Scrambled bits are restored to the original text. Tool used to decode the text is mentioned and justification to use the tool is also provided. The process to restore the scrambled bits is clearly described with screenshots inserted of all steps. Scrambled bits are restored to the original text. Tool used to decode the text is mentioned but the justification is not very clear. The process to restore the scrambled bits is described with some screenshots. Scrambled bits are restored to the original text. Tool used to decode the text is mentioned but the justification is not very clear. The process to restore the scrambled bits is described but no screenshots provided. Scrambled bits are restored to the original text. No justification of tool used is provided, process seems to be somewhat vague. Scrambled bits are restored but not matching with the original text. Tool is not mentioned and process is not described. Possible marks 5.0 – 4.25 4.24 – 3.75 3.74 – 3.25 3.24 – 2.5 Task 2: Revealing hidden information from an image (5 Marks) Criteria HD 100% - 85% DI 84% - 75% CR 74% - 65% PS 64% - 50% Successfully revealing hidden text from an image Hidden text is revealed. Tool used to reveal the text is Hidden text is revealed. Tool used to reveal the text is Hidden text is revealed. Tool used to reveal the text is Hidden text is revealed. No justification of tool Hidden text is revealed but not matching with the Charles Sturt University Subject Outline ITC597 ****** SM I-28 January 2017-Version 1 Page 10 of 17 (5 marks) mentioned and justification to use the tool is also provided. The process to reveal the text is clearly described with screenshots inserted of all steps. mentioned but the justification is not very clear. The process to restore the text is described with some screenshots. mentioned but the justification is not very clear. The process to restore the text is described but no screenshots provided. used is provided, process seems to be somewhat vague. original text. Tool is not mentioned and process is not described. Possible marks 5.0 – 4.25 4.24 – 3.75 3.74 – 3.25 3.24 – 2.5 Task 3: Forensics report (20 Marks) Criteria HD 100% - 85% DI 84% - 75% CR 74% - 65% PS 64% - 50% Introduction: Background, scope of engagement, tools and findings (3 marks) All elements are present, well expressed, comprehensive and accurate. All elements are present and largely accurate and well expressed. All elements are present with few inaccuracies. Most elements are present possibly with some inaccuracies. Possible marks 3.0 – 2.55 2.54 – 2.25 2.24 – 1.95 1.94 – 1.5 Analysis: relevant programs, techniques, graphics (5 marks) Description of analysis is clear and appropriate programs and techniques are selected. Very good graphic image analysis. Description of analysis is clear and mostly appropriate programs and techniques are selected. Good graphic image analysis. Description of analysis is clear and mostly appropriate programs and techniques are selected. Reasonable graphic image analysis. Description of analysis is not completely relevant. Little or no graphics image analysis provided. Possible marks 5.0 – 4.25 4.24 – 3.75 3.74 – 3.25 3.24 – 2.5 Findings: specific files/images, type of searches, type of evidence, indicators of ownership (5 marks) A greater detail of findings is provided. Keywords and string searches are listed very clearly. Evidence found is very convincing. Indication of ownership is very clear. Findings are provided, keywords and string searchers are listed. Evidence is sound. Ownership is clear. Findings are provided, some keywords are listed. Evidence is reasonable which relates to the ownership. Findings are provided but are somewhat vague. Keywords and strings are not very clear. Evidence found may be questionable. Possible marks 5.0 – 4.25 4.24 – 3.75 3.74 – 3.25 3.24 – 2.5 Conclusion: Summary, Results (3 marks) High level summary of results is provided which is consistent with the report. Well summarised results and mostly consistent with the findings. Good summary of results. Able to relate the results with findings. No new material is included. Satisfies the minimum requirements. Results are not really consistent with the findings. Possible marks 3.0 – 2.55 2.54 – 2.25 2.24 – 1.95 1.94 – 1.5 References: Must cite references to all material used as sources for the content (2 marks) APA 6th edition referencing applied to a range of relevant resources. No referencing errors. Direct quotes used sparingly. Sources all documented. APA 6th edition referencing applied to a range of relevant resources. No more than 2 referencing errors. Direct quotes used sparingly. Sources all documented. APA 6th edition referencing applied to a range of relevant resources. No more than 3 errors. Direct quotes used in-context. Sources all documented. APA 6th edition referencing applied to a range of relevant resources. No more than 4 errors. Direct quotes used in-context. Some sources documented. Charles Sturt University Subject Outline ITC597 ****** SM I-28 January 2017-Version 1 Page 11 of 17 Possible marks 2.0 – 1.7 1.6 – 1.5 1.4 – 1.3 1.2 – 1.0 Glossary / Appendices: (2 marks) Glossary of technical terms used in the report is provided which has generally acceptable source of definition of the terms and appropriate references are included. Relevant supporting material is provided in appendices to demonstrate the evidence. Glossary of technical terms used in the report is provided which has mostly acceptable source of definition of the terms and appropriate references are included. Some supporting material is provided in appendices to demonstrate the evidence. Glossary of some technical terms used in the report is provided which has mostly acceptable source of definition of the terms and appropriate references are included. Some supporting material is provided in appendices to demonstrate the evidence. Glossary of some technical terms used in the report is provided however terms are not generally common and some references are missing. Some supporting material is provided in appendices.