Assignment title: Information
ICT378 Cyber Forensics Assignment 1 – V1.0 Last Updated 27/04/2016
MURDOCH UNIVERSITY
ICT378 Cyber Forensics
Due Date: Friday 20th May 4.00PM
Assignment Information
You should submit your assignment online using the Assignment course tool.
Late submissions will be penalised at the rate of 10 marks per day late or part thereof.
You should submit your assignment as ONE word-processed document containing all of the required question answers.
You must keep a copy of the final version of your assignment as submitted and be prepared to provide it
on request.
The University treats plagiarism, collusion, theft of other students' work and other forms of dishonesty in assessment seriously. This is an INDIVIDUAL assignment. Any instance of dishonesty in this assessment will be forwarded immediately to the Faculty Dean. For guidelines on honesty in assessment, including avoiding plagiarism, see: http://www.murdoch.edu.au/teach/plagiarism
M57 Patents
Founded by Pat McGoo, m57.biz is a new patent search company that researches patent
information for their clients.
Specifically, the business of patent search is to verify the novelty of a patent (before the patent is granted), or to invalidate an existing patent by finding prior art (proof that the idea existed before the patent). At the start of the scenario, the firm has four employees: CEO, IT Administrator, and two patent researchers. The firm is planning to hire additional employees at a later date once further clients are booked. Because the company is looking to hire additional employees, it holds an abundance of technology in its inventory that is not being used. Employees work onsite, and conduct most business exchanges over email. All of the employees work in Windows environments, although each employee prefers different software (e.g. Outlook vs. Thunderbird).
The Case: Illegal materials
• A functioning workstation originally belonging to m57.biz was purchased on the secondhand market. The buyer (Aaron Greene) realizes that the previous owner of the computer had not erased the drive, and finds illegal digital images and videos on it. Aaron reports this to the police, who take possession of the computer.
• Police forensics investigators determine the following:
    • The computer originally belonged to m57.biz.
    • The computer was used by Jo, an M57 employee, as a work machine.
• Police contact Pat McGoo (the CEO). Pat authorizes imaging of all other computer equipment onsite at M57 to support additional investigation. Police further pursue a warrant to seize a personal thumb drive belonging to Jo.
(More details are in the attached detective report:)
https://drive.google.com/open?id=0B_i64SFJyvsmVHM1ZzVUbVRqekk
The Materials: Drive images
The materials you will use for your investigations are:
Hard drive image 2009-11-19.E01 (of the original sold computer)
https://drive.google.com/open?id=0B_i64SFJyvsmUHlnM05iRXFTcnc
Hard drive image 2009-12-01.E01 (of the suspect's replacement computer seized from M57)
https://drive.google.com/open?id=0B_i64SFJyvsmWUJ0ZkZPQ3ZUdUU
USB images x2 (These may not be related to the case but are included as they were seized at the same time)
https://drive.google.com/open?id=0B_i64SFJyvsmcE5wWThBVlNsRXM
https://drive.google.com/open?id=0B_i64SFJyvsmeFZiLUZMY3JibVU
To submit: Forensic report (80 marks)
Given the above suspicion and seized data files, it is your role as investigator to uncover any evidence to prove or disprove the allegations. The brief above has highlighted what in particular you are looking for, so the scope of the investigation is limited to this particular suspected crime.
Your report should follow the structure detailed in Chapter 14 of the textbook. There is no limit on the size of the report, although you are urged to state the facts clearly and not bury them in pages of irrelevant content.
Your report should highlight the following areas (these will be assessed):
a) Discuss whether there is any evidence of illegal activity.
Explain your position on this. What evidence did you find, if any? How sound / reliable do you believe your evidence collection to be?
b) Present any evidence in a timeline format, signposting the points where you believe any offence may have occurred and other significant dates/times in the case.
c) You were provided with two hard drive images. Do you believe there are other devices used in the offence? If so, why? How would you identify those devices and obtain them? Are there any other insights or remnant data found on the seized hard drives?
d) A common defence is that the actions were committed unintentionally or that the perpetrator did not know the actions were illegal. With these possible defences in mind, address how you would respond to these defences. Are there any clues that indicate intent or knowledge of criminal activity?
Bonus question: Evaluation of tools/techniques (20 marks)
The images have already been prepared for you and are given in Expert Witness data format (used by EnCase software). These images can be opened in a number of tools, including the ones we used in the labs, e.g. ProDiscover/OSForensics. This is sufficient to be able to answer the above questions and prepare your forensic report.
However, for bonus marks you should also perform an evaluation of the tools being used.
a) Repeat the evidence acquisition and analysis using any tool that has not been used in the labs before (discuss your plan with your tutor before proceeding). Compare the evidence found and timeline information side by side with the two tools and highlight any differences. Be sure to state the pros and cons of using one tool over the other.