Department of Computer Science

Module Title: Digital Forensics and Penetration Testing
Assignment Title: Individual essay on Digital Forensics

Learning Objectives Assessed
• LO1: Show clear and comprehensive understanding of the need and uses of Digital Forensics.
• LO2: Understand and demonstrate Digital Forensics techniques.

Submission Information
This 1650-word essay (with 10% flexibility) should be submitted online via Turnitin on the CO7604 Moodle page. The work should be submitted as a Word or PDF (.pdf) file and should be properly referenced using the APA referencing system.

Extensions and Plagiarism

Extensions
Extensions can only be granted by Dr Linda Rayner, Head of Department, at least 48 hours in advance of the deadline (by appointment through the Departmental Administrator), and written evidence will be required. Late work is penalised at the rate of 5% per day.

Plagiarism
The material you submit must be your own work. The penalties for plagiarism are severe. The minimum penalty is usually zero for that piece of work. Further information is available at Portal > Support Departments > Academic Quality Support Services > Academic Malpractice.

Assignment Brief
Read this whole brief before starting: both the scenario and both tasks. As a guide, Task 1 and Task 2 take a ⅓ and ⅔ split respectively of the expected word count. Between the end of Task 1 and the start of Task 2, the scenario develops further.

Introduction
You are working for a very small company, Chester Digital Forensic n' Stuff (CDFnS), which advertises itself as providing Digital Forensics to organisations, amongst other things. The company has just been set up, and the director has employed you as its sole Cyber Security Specialist, with training across the field of cyber security. CDFnS, being new, has no formal procedures yet laid out for anything. CDFnS has just been contracted by a company, Thornton Delivery Service (TDS), to provide support in identifying a suspected data breach at TDS.
About Thornton Delivery Service (TDS)
TDS is a national delivery company based at Thornton Science Park. They employ 50 staff, including administration, drivers, and warehouse workers. Their business is reliant on IT systems. Their business systems comprise the following:
• 1 Windows Server 2012 R2 server running:
  o Active Directory
  o Roles: DNS, DHCP, File Server
  o Default logging
  o Financial software for tracking and accounting
  o Asset software for tracking parcels
• 1 Linux server for backup of files off the Windows Server
• 20 in-house client computers, used primarily by the administration staff who underpin the day-to-day operations. These are a mix of Windows 7, Windows 10, and OS X El Capitan: to date, eight Windows 7 machines, ten Windows 10 machines, and 2 El Capitan machines.
• TDS also operates a Bring Your Own Device (BYOD) policy, which means up to an additional 20 or so devices may be on the wireless network. The main use of this is to connect to network shares on-site.

TDS Data Breach
The Administrator occasionally looks at internal traffic statistics for fun in the odd month he is not overworked, and this time, on looking at the statistics over the previous months, he noticed something suspect. The Administrator at TDS noticed that there had been a lot of traffic from the Windows Server 2012, first to one of the internal Windows 7 client machines, and then, by the next day, out directly from the Server to the Internet. Both transfers (to the Windows 7 client, and from the Server out to the Internet) took place late in the evening. The Windows 7 client's user was likely at home at both times. The Administrator is not experienced in the analysis of logs or in digital forensics.

Task 1 (1/3)
You need to act swiftly to preserve as much evidence as you need to uncover what is going on. TDS is not expecting any downtime at the moment.
Describe and critically analyse the approach you will take from a technical perspective to develop an understanding of what has happened. What will you request access to, and how will you use the data or information provided? Consider multiple possibilities without coming to early conclusions. Establish some sort of process and express it, possibly with the help of a diagram, flow chart, or similar. Identify any tools you may use, including built-in tools. Remark upon the impact on the business of the approach(es) you decide to take.

CDFnS Makes Progress
Following Task 1, you find out that:
• Some logs have been deleted on the Server (the security logs that are normally viewable in Event Viewer).
• Thousands of logon attempts were made from the Windows 7 client to the Windows Server 2012 before access to the admin account was successfully gained. These attempts were made from the client machine on the same evening that it was also downloading files from the file server under the user's account, which has access to a limited number of files.
• Some logs have been deleted on the Windows 7 client.
• Once the attacker had gained access to the Server admin account, he could access any files on the file server, and more confidential files were accessed.
• Neither the Windows 7 client nor the Windows Server 2012 has been rebooted since the event.

You propose to take a memory dump and a copy of the hard disks for each machine. TDS would like to get to the bottom of this, and accepts, even if they have to take the server offline overnight (for not more than 12 hours).

Task 2 (2/3)
Explain the benefit of taking memory and disk copies of both machines. For each, what can you expect to determine? For either the Windows 7 client or the Windows Server 2012, describe briefly the process of taking a memory copy and a disk copy, minimising impact.
For both memory and disk images, describe and critically analyse the approach you would take from a technical perspective to develop a further understanding of what has happened. Identify any tools you may use, and how you would use them. Consider the precautions taken and the reasons for those precautions.

General Instructions
• Format: The format should be one column, left-aligned or justified, with appropriate and meaningful headings/sections. Use a meaningful structure that ensures coherency.
• Referencing: Do not just give a list of references without showing where/how you have used them in the text; ensure you include in-text referencing. See here for a quick guide.
• Support: If you use external support, e.g. for proofreading or translation, you MUST state this. The tutor will provide adequate support to ensure that all students are very clear about what is expected of them in this assessment, so ensure you take this opportunity to get clarifications where you need them.
• Coverage: You are expected to address ALL requirements identified in clauses 4-10. Some of these requirements, e.g. where a future action/activity is required, may be met by just a brief statement that shows you are aware of the requirement and how to address it. Remember that this should be in the context of the Physicians' College.
• Originality: It is acceptable to use direct quotes from sources. However, excessive use of direct quotes (regardless of whether they are referenced or not) reduces the originality of the work. This, and a high level of similarity, will affect the student's mark.

Assessment Criteria
Marks will be affected if the above instructions are not adhered to. The following criteria will apply:
• Knowledge [30%]: Demonstration of knowledge and understanding of the subject matter, tailoring of discussion to the case study, and coverage.
• Cognitive skills [30%]: Clarity of discussion, coherency, perception, articulation of views, thoughtful interpretation, etc.
• Practical/professional skills [25%]: Technical understanding and use of materials, breadth and depth of material, academic writing, formatting, and strength of argument.
• Communication [10%]: Presentation, vocabulary and style, spelling and punctuation.
• Referencing [5%]: Using literature to support the argument; acknowledging and accurately presenting sources.