Forensic Investigation Case Study Contents Details: 1 Background 1 Task 2 Report Structure 2 Additional Task Information 2 Assignment Submission 3 Late submission 3 Details: Title: Clowning About Value: 30% of the final mark for the unit Length: Maximum of 50 pages Background Linda is suspected of accessing and possessing digital content pertaining to 'clowns', and being in possession of, and using encryption software. Accessing, possessing, or distributing of any digital content pertain to 'clowns' is considered illegal and may carry severe penalties. Private communication, including the use of encryption software or techniques is strictly forbidden in the country. You are a consultant who specialises in Digital Forensic investigations. You have been assigned the task of examining an image of Linda's laptop which was seized with the appropriate warrants and imaged using forensically sound practices. Unfortunately, the junior investigator who obtained a 'forensic image' of Linda's laptop only performed a logical acquisition. To make matters worse, the junior investigator then went on to forensically wipe Linda's hard drive. The logical acquisition was undertaken in a forensically sound manner and the md5 value is "5046fdcc23d05e7535801353bf832a7d". At this point in time it is unknown if Linda was also distributing the digital content of 'clowns'. Linda denies accessing and possessing any content pertaining to the 'clowns', or possessing and using encryption software. Linda has stated that she believes she is simply the victim of cyber crime, and doesn't understand why anyone would want to target her. Linda claims that she may have been targeted after a recent online interaction with an unknown individual who was supposed to help secure her computer. Task Your task is to investigate the supplied image using appropriate tools and forensic process and to develop and submit a written report on your findings. You may use any tools to undertake the investigation but you must justify all of your actions! Report Structure Your report must be structured as follows: • Cover Page • Table of Contents • Overview of Tasks o What were you looking for? o How did you approach the investigation? o What did you do? o What did you find? o In YOUR expert opinion what is the outcome of the investigation? • Issue #1 Presentation of content relating to offence • Issue #2 Identification • Issue #3 Intent • Issue #4 Quantity of Files • Issue #5 Installed Software • Appendix A o Running Sheet  This section should contain a well-structured running sheet (in table form) showing what do you did, how you did it, and what was the outcome. This should be very detailed and show clear use of the forensic process.  The process must be detailed enough so that the procedures can be repeated and results reproduced.  You must clearly state the date/time you undertook the action in the running sheet. • Appendix B o Timeline of events (chronological order of events on Linda's laptop) Additional Task Information • Start early and plan ahead, you may need to spend some time experimenting with various tools. If a tool or method fails to result in a successful outcome you should still document this action in your running sheet. Each tool has its own strengths and limitations. • Each report will be unique and presented in its own way. • Scrutinise the marking key, and ask any questions you may have EARLY in the semester! • Look for clues/hints in the investigation. Strategically placed clues/hints have been created in this fictitious case study to help you along the way. • It is not expected that you find every piece of evidence and nor do you have to. • Remember to ensure the integrity of the image being investigated. You should continually demonstrate that you have maintained integrity throughout your investigation. Assignment Submission The submission must be a Microsoft Word document. You are only submitting 1 document through blackboard. You do not need an ECU assignment cover sheet. Late submission If you submit your assignment after the due date, then you will be penalised in accordance with the standard ECU regulations of 5% of the maximum mark, for every work day that your assignment is late. If your assignment is submitted more than 5 days late, then you will be awarded a mark of 0 for the assignment. Marking Key CRITERIA MARK Structure/Presentation (4 marks) Report is professional and logically structured /4 Presentation of Evidence (15 marks) 'Issues' are adequately explored and populated with appropriate evidence /8 Evidence is organised professionally and in a logical manner /1 Evidence is characterised (filenames, sector locations, file extensions, metadata, hashes etc.) /4 Evidence has been explained and analysed appropriately /2 Appendix (11 marks) Comprehensive running sheet with clearly defined aims, methods and results /3 Forensic methodology shows clear use of the forensic process /2 Forensic process is repeatable and reproducible /3 Accurate and professional timeline of evidence /3