Assignment title: Information
This assignment has several options from which to choose the parts that you wish to undertake.
You are required to choose any 2 of the task areas and prepare an appropriate response or submission. Some of the tasks are practical application tasks and others are less hands-on — this gives you the opportunity to pursue the areas of greatest interest or relevance to you and allows you to shape your assessment accordingly.
1. Forensic Computing Task
A legacy application is being investigated as there is a suspicion of some previous fraudulent activity. The data from the application is in a native file format structure and it is your task to attempt to reconstruct as much of the data as possible.
Fortunately, it has been possible to obtain a test file with a known layout as well as the file in question which has an uncertain layout. The files are labelled testfile.dat and legacy.dat accordingly. The specifications for testfile.dat are as follows:
Table Structure             Field Type & Size (if appropriate)
Record Length               60
Field 1 (Record Status)     Long
Field 2                     Char
Field 3                     String(30)
Field 4                     String(10)
Field 5                     Byte
Field 6                     Integer
Field 7                     Long
Field 8                     Real
Table 1: Testfile Structure
It has also been possible to recover from early system documentation of a pilot project the structure and listing of the contents of the test file, the contents being available in the file labelled testfile.txt, stored in the same area as the test file data file.
The proprietary file structure uses an old ISAM file organization in which the first record is a header record, and the data records follow.
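Table 1 gives declared types but not their on-disk widths, so a useful first step is to find which width assignments add up to the 60-byte record before slicing the file. The Python below is an added example, not part of the original brief; the candidate widths (fixed or length-prefixed strings, 2- or 4-byte Integer, 4-, 6- or 8-byte Real) and all function and field names are assumptions.

```python
from itertools import product

RECORD_LEN = 60  # from Table 1

# Table 1 fields in order, each with candidate on-disk widths in bytes.
# The widths are assumptions: the brief does not name the compiler that wrote the file.
FIELDS = [
    ("status", "Long",       (4,)),
    ("f2",     "Char",       (1,)),
    ("f3",     "String(30)", (30, 31)),  # 31 = one leading length byte
    ("f4",     "String(10)", (10, 11)),  # 11 = one leading length byte
    ("f5",     "Byte",       (1,)),
    ("f6",     "Integer",    (2, 4)),
    ("f7",     "Long",       (4,)),
    ("f8",     "Real",       (4, 6, 8)),
]

def consistent_layouts(fields=FIELDS, record_len=RECORD_LEN):
    """Return every width combination whose total equals the record length."""
    choices = [widths for _, _, widths in fields]
    return [combo for combo in product(*choices) if sum(combo) == record_len]

def field_offsets(widths, fields=FIELDS):
    """Map field name -> (start, end) byte offsets inside one record."""
    offsets, pos = {}, 0
    for (name, _, _), width in zip(fields, widths):
        offsets[name] = (pos, pos + width)
        pos += width
    return offsets

def data_records(blob, record_len=RECORD_LEN):
    """Split a file image into fixed-length records, dropping the header record."""
    if len(blob) % record_len:
        raise ValueError("file size is not a multiple of the record length")
    records = [blob[i:i + record_len] for i in range(0, len(blob), record_len)]
    return records[1:]  # record 0 is the ISAM header record
```

Four width assignments fit 60 bytes under these candidates, which is why the known contents in testfile.txt are needed to settle on one before applying the same method to legacy.dat.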
In the legacy file legacy.dat, it is known that the data was taken from a business transaction file and should have included at least the following data elements:
Transaction id, transaction type, date, customer number, item description, amount, gst
Additionally, there may be a number of other values such as item codes, reference values, and potentially internal structural data such as pointer links [probably long integers].
Your submission should be a technical report identifying what you did, and what you achieved, and ideally the details of the recovered data [or as much of it as you have been able to reconstruct]. Appendix elements should include code listings where appropriate.
2. Encryption-Decryption Task
A small company has decided to use the web to sell some of its product. Being mindful of potential security problems, their consultant has advised that a simple form of encryption of critical data may be sufficient for their needs. Accordingly, you have been engaged to provide a prototype solution for the problem specifications below:
Construct a (web) form application to capture the order information for the client company. The nature of the business is that usually 1, but no more than 3, order lines are ever required, and payment method for this application is exclusively by credit/debit card.
Although the product details would normally be obtained from a database, for testing purposes you are to provide for manual entry of the form items. The form content should have:
Customer Name
Shipping Address Line(s) 1, 2, 3
Postal Code
Transaction ID #
Transaction Date
Order Line Items Set – {product #, Qty, Price} x {1..3}
Credit Card Detail:
Card Number (16 digits) {ccno}
Expiry Date (mm/yyyy) {expiry}
Cardholder Name (up to 30 chars) {ccname}
Card Security Code (often on back of card - 3 or 4 digits) {security}
The solution application is required to encrypt the credit/debit card detail plus the order total price {total} [= qty1 x price1 + qty2 x price2 + qty3 x price3] as a single field in colon delimited format, and the other fields are to be merged into a single composite message, symbol delimited (eg $ or ~) using as much detail as provided by the user or application. [eg. In the case of a single item entry, the encoded string would have "$$$$$$$" as the last part of the first concatenation.] The application should then store the transaction line as an appended detail line in a transaction file. After acceptance testing the application would send the transaction information as the body of an email to the nominated address (eg. orders@clientcompany) via a normal form-to-email application.
(ie. "name$addr1$addr2$addr3$post$transid$transdate"+ "$item1$qty1$price1...$item3$qty3$pr3$"+ "keycode:"+"ccno:expiry:ccname:security:total")
Since there is only the one user of the data (the business owner), a symmetric encryption technique is to be used. In particular, the TEA (Tiny Encryption Algorithm) block encryption technique is to be applied using a randomly supplied keystring from a library of up to 255 keystrings. The keystring id should be inserted as a single byte at the front of the encoded data {labelled 'keycode' in the above example} so that the decryption routine can firstly parse the string into its 2 parts – keystring id and encrypted string and then apply the appropriate keystring to decrypt the data so that it can be restored to the relevant credit card detail fields. {You may use one of the enhancer complications of workshop 7 to perform the encryption/decryption task as needed.}
The randomizing algorithm should be a relatively easily computable value (for example, seconds since midnight (from system clock) at the time the 'submit' button is clicked mod 255). Clearly this value needs to be recorded at least momentarily while the subsequent processing occurs.
The decryption application needs to be able to restore the data into the relevant data fields. This would be achieved either by downloading (eg FTP) the transaction data and performing the restore action, or capturing the email body content and performing the restore action.
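The key-id prefix, TEA encryption and restore steps described above, as an added Python example that is not part of the original brief. The key library contents, the 16-byte key size per keystring, big-endian word order, block-by-block (ECB) processing and PKCS#7-style padding are assumptions, as are all function names; the card data used with it should be constructed test values.

```python
import hashlib, struct

DELTA, MASK, ROUNDS = 0x9E3779B9, 0xFFFFFFFF, 32
# Constructed key library: 255 sixteen-byte keystrings with ids 0..254 (assumption).
KEY_LIBRARY = [hashlib.sha256(b"demo-keystring-%d" % i).digest()[:16] for i in range(255)]

def tea_block(block, key, decrypt=False):
    """Encrypt or decrypt one 8-byte block with a 16-byte key (big-endian words)."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    total = (DELTA * ROUNDS) & MASK if decrypt else 0
    for _ in range(ROUNDS):
        if decrypt:
            v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + total) ^ ((v0 >> 5) + k[3]))) & MASK
            v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + total) ^ ((v1 >> 5) + k[1]))) & MASK
            total = (total - DELTA) & MASK
        else:
            total = (total + DELTA) & MASK
            v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + total) ^ ((v1 >> 5) + k[1]))) & MASK
            v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + total) ^ ((v0 >> 5) + k[3]))) & MASK
    return struct.pack(">2I", v0, v1)

def key_id_from_clock(seconds_since_midnight):
    """Keystring selector as the brief suggests: seconds since midnight mod 255."""
    return seconds_since_midnight % 255

def encrypt_card_field(ccno, expiry, ccname, security, total, key_id):
    """Return key-id byte + TEA ciphertext of 'ccno:expiry:ccname:security:total'."""
    plain = ":".join([ccno, expiry, ccname, security, total]).encode("ascii")
    pad = 8 - len(plain) % 8                  # PKCS#7-style padding (assumption)
    plain += bytes([pad]) * pad
    key = KEY_LIBRARY[key_id]
    body = b"".join(tea_block(plain[i:i + 8], key) for i in range(0, len(plain), 8))
    return bytes([key_id]) + body

def decrypt_card_field(blob):
    """Split off the key id, decrypt, strip padding, return the five fields."""
    key_id, body = blob[0], blob[1:]
    if not body or len(body) % 8:
        raise ValueError("ciphertext is not a whole number of 8-byte blocks")
    key = KEY_LIBRARY[key_id]
    plain = b"".join(tea_block(body[i:i + 8], key, True) for i in range(0, len(body), 8))
    pad = plain[-1]
    if not 1 <= pad <= 8 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key id or corrupted data")
    return plain[:-pad].decode("ascii").split(":")
```

The output is raw bytes and will usually contain non-printing characters, so it needs a text-safe encoding such as hex before it is appended to a transaction line or placed in an email body.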
Submission for this task should comprise:
• Program listings for the part 1 message concatenation and encryption, and the part 2 restoration and decryption. Include a copy of your intermediate file either as a screen capture or printed version (if the encrypted segment does not contain non-printing characters).
• Documentation about your approach and its specific details.
• Personal reflection on what you have done/achieved/learned from this task.
Suggestion: If setting up a test environment you might test the direct emailing approach (to yourself) to capture and then interpret the transaction information.
3. Scripting Evaluation Task
A friend of yours has decided to recommend you to an acquaintance of theirs who is establishing a new business venture specialising in the manufacture and supply of small car parts – sump plugs, washers, welch plugs, and similar. The owner of that business has already subscribed to a web hosting company which provides a unix/linux based host with some elementary perl scripts for form-to-email, guestbook, and simple web-mail applications. Other software technologies provided on the server include PHP and MySQL.
Other than the web-mail application the business owner is concerned that the provided scripts are either too basic or of uncertain security for the business model being proposed, and would prefer to upload his own applications for:
• customer relationship management, preferably including form-to-email facilities
• a job quoting system, to keep track of quotations given to customers
• basic e-commerce functions – to enable online orders to be placed and deposits to be taken (securely)
Being a new business venture, the cost of developing such applications is prohibitive, so the owner is seeking advice and recommendations regarding available scripts that could be used and modified if needed.
Your task is to research available script libraries and suggest 3 appropriate scripts for each application, with a suitable review and recommendation about the preferred option. If possible, a freeware/shareware/open source application should be selected, but if not suitable a lower cost item should be proposed unless there are compelling reasons for not doing so.
Your submission should take the form of a consultant report, clearly showing what you have reviewed, what associated work you have done, and ultimately what your final recommendations for the client are.
A consultant report typically contains Title Page, Table of Contents, Executive Summary, Introduction, Background, Methods, Findings/Results/Data, Discussion/Analysis, Conclusion, Recommendations, References, and Appendices.
4. Technical Research Report Task
The technical research report task requires you to research any one of the following security issues and prepare a mini-conference style paper on that topic area. You are able to adopt a viewpoint from the perspectives listed about the topic area and construct a suitably justified argument that expresses your viewpoint.
The mini-conference paper should be no more than 3000 words in length and contain an abstract, introduction, relevant content section(s), a conclusion, and a set of references. The report should be in 2-column format after the title and abstract, single-line spacing, and 11-point Times (New Roman) font. The final report should be submitted in pdf format.
The topic issues from which you may choose are:
• The Australian Privacy Principles (as amended in March 2014)
• A Security Culture in Enterprises
• The Role of Encryption in Information Security
• Testing the Effectiveness of an Enterprise's Information Security Initiatives
• Using Forensic Computing Techniques in Enterprises
• Data Security
and combine the selected topic with one of the following perspectives:
• Does pose a serious security threat or not?
• Compare the Business Issues against the Technical Issues of .
• What is the impact of on enterprise information security planning?
• Other {a specific area of your own interest} **
** seek topic coordinator approval first
Assessment
The assessment for this assignment is subject to the following:
• Students are required to complete any 2 of the assignment tasks 1 – 4. Some of these tasks are practically oriented, and others are more report oriented.
• Each assignment task will be graded separately in the usual University range of [HD, DN, CR, P, F]. Where the task is assessed as being close to a neighboring grade scale the symbols + and - may be appended to indicate whether the submission falls at the high or low end of the grade range. Variations to the overall mark are subject to the student nominated weighting for each part as described in the following paragraph.
• Students may nominate their weightings for each of the assessment tasks in the range 40-60% at the time of submission. Thus if you feel that each task is equally worthy, a 50-50 split (the default) would be nominated. If you feel that you have completed one task much better than the other, you might nominate a 60-40 split, or 55-45. If you wish to have a non-equal weighting applied to your tasks, you must clearly identify the task and chosen weighting at the time of submission.