1 SIT282 TRIMESTER XXXXXXXXXXASSIGNMENT 1 NOTE: IF YOU HAVE NOT SIGNED AND SUBMITTED YOUR AGREEMENT, YOUR ASSIGNMENT WILL NOT BE MARKED AND YOU WILL BE DISENROLLED FROM THE UNIT. This assignment...

SIT282 TRIMESTER 1 2013 ASSIGNMENT 1

NOTE: IF YOU HAVE NOT SIGNED AND SUBMITTED YOUR AGREEMENT, YOUR ASSIGNMENT WILL NOT BE MARKED AND YOU WILL BE DISENROLLED FROM THE UNIT.

This assignment covers material up to the week ending April 8.

DUE: THURSDAY APRIL 25 BY 2 PM. NO EXTENSIONS allowed without medical or other certification. LATE ASSIGNMENTS will automatically lose 10% per day up to a maximum of three days, including weekends and holidays. Assignments submitted 4 or more days late will not be marked and are given zero.

METHOD OF SUBMISSION: On-campus Burwood students will submit hard copies to Lei Pan through assignment drop-off boxes (faculty office in Building L at B). On-campus Geelong students will submit hard copies to Damien Hutchinson at the lecturer theatre or in the computer lab. Off-campus students email the electronic copy of the report to Damien Hutchinson at [email protected]. All assignments are required to have the assignment cover sheet attached, which is available at http://www.deakin.edu.au/sebe/students/

Maximum size of your submission should be ten pages excluding the cover page and appendices. The font size should be no less than 10pt. (Please attach screen shots, file tables, and automated reports generated by FTK or ProDiscover as appendices.) (No mark will be given if you fail to show the evidence of your work-out, i.e. the process carried out to produce your solution.) Please keep a copy of your assignment for reference in case the original one is lost or mishandled.

THE CASE:

Donald Price is an employee from Joachim’s Art Gallery based in Melbourne, Australia. Mr. Price had been suspended from the gallery when an audit discovered that one of the pieces he was responsible for had disappeared. (This was a small watercolour of two boats.) Unfortunately, Mr. Price wiped the hard disk of his office PC before investigators could be deployed. However, a CD-ROM was found in the PC’s CD-ROM drive. Although Mr. Price subsequently denied that the CD-ROM belonged to him, it was seized and entered into evidence.

A forensic image in raw format of the CD-ROM can be found here: http://www.deakin.edu.au/~zoidberg/2013OZ.ISO
And its MD5 hash value can be found here: http://www.deakin.edu.au/~zoidberg/2013OZ.ISO.md5

You, an ITS officer employed by Joachim’s Art Gallery, are assigned to examine the image for any information relating to the case. You should keep in mind malicious codes and other means which may potentially alter the evidence. YOU MUST CITE ALL REFERENCES INCLUDING TECHNICAL MANUALS AND LAW PARAGRAPHS.

Your analysis should be conducted on a virtual machine (VMware) and include the following information:

1. PROCEDURE
1.1 Use an evidence form to document the evidence given to you. (1 mark)
1.2 Describe the environment of your forensic workstation and the access to the machine. Describe the procedure that you used to download the image file to your work directory. (1 mark)
1.3 Give at least two SHA-based hash function values of the ISO image. (1 mark)
1.4 Explain why multiple hash values are necessary to verify the validity of the image file. (1 mark)
1.5 Explain the procedure that you used before you could access the image file inside the virtual machine. (1 mark)

2. BINARY DETAILS
2.1 Use a table to document the detailed information of the files found in the root directory of the ISO image: file names, file actual sizes and their MD5 hash values. (1 mark)
2.2 Provide a description of any programs you would like to use based on the files identified on the ISO image. (1 mark)

3. FORENSIC DETAILS
3.1 Describe the key words you used to search the ISO image and explain why you chose them. Detail your search result and give your conclusions. (Document your procedure including commands and screenshots.) (9 marks)

4. LEGAL IMPLICATIONS
4.1 List one violation conducted by Mr. Price against Cybercrime Act 2001, and one violation conducted by Mr. Price against the Crimes Act 1958. Back up your answers with definitions. (2 marks)
4.2 Is this case best pursued as a corporate or criminal investigation? Why? (2 marks)

David answered on Dec 22 2021
107 Votes
MD5 Hash of the Image File:
MD5 of the provided image: 3da6fe92b2935372761abeab1b605769, which is the same
as the one we have; hence the image file we are working on is the correct
MD5 file.
1.1 Use an evidence form to document the evidence given to you.
1.2 Describe the environment of your forensic workstation and the access to the machine.
Describe the procedure that you used to download the image file to your work directory.
Solution:
The environment of the system is a Windows 8 system running on an Intel i5 processor. The
image was downloaded using Internet Download Manager; the download was done twice and the MD5 of
the image was compared in order to be assured that the image downloaded is the correct image.
The software used for the investigation is WinHex, which is known to have great features for
forensic investigations. This tool has all the functionality needed to process and investigate the
ISO image under investigation. The entire procedure is done on a virtual machine without any network
connection using VMware 9 software.
1.3 Give at least two SHA-based hash function values of the ISO image.
Solution:
Two hashes are:
SHA 256: F9CE6605722A954EC94594F529AB2B14F9A4BA944254231D6AA2912FBE05A3A5
1.4 Explain why multiple hash values are necessary to verify the validity of the image file.
Solution:
Multiple hash values are required in order to verify that the image has not been manipulated. It
can be done by calculating a single hash itself, but as we all know a hash has the disadvantage of collision,
that is, two different files can have the same hash under certain conditions; hence checking with more
than a single hash assures the investigator that the image is authentic.
1.5 Explain the procedure that you used before you could access the image file inside the
virtual machine.
Solution:
The entire new OS was installed on the VMware 9. The network components...
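
An added example, not part of the answer above or of the assignment: one way to carry out the hashing in 1.3 and the comparison against a published `.md5` file, reading the image once and computing MD5, SHA-1 and SHA-256 together. The file name `sample.iso` and its bytes are constructed for the demonstration; point `verify_image` at the real image and the contents of its `.md5` file instead.

```python
import hashlib
import re
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")

def hash_image(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Open the image read-only and feed each chunk to every digest in one pass."""
    digests = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for digest in digests.values():
                digest.update(chunk)
    record = {name: digest.hexdigest() for name, digest in digests.items()}
    record["size"] = size
    return record

def parse_md5_file(text):
    """Pull the digest out of 'hash  name' or 'MD5 (name) = hash' style text."""
    match = re.search(r"\b[0-9a-fA-F]{32}\b", text)
    if match is None:
        raise ValueError("no MD5 digest found in published hash text")
    return match.group(0).lower()

def verify_image(path, published_md5_text):
    """Return all computed digests plus whether the MD5 matches the published one."""
    record = hash_image(path)
    record["published_md5"] = parse_md5_file(published_md5_text)
    record["md5_match"] = record["md5"] == record["published_md5"]
    return record

def demo():
    """Constructed sample: verify a file, change one byte, verify again."""
    with tempfile.TemporaryDirectory() as work:
        image = Path(work) / "sample.iso"  # hypothetical name
        image.write_bytes(b"constructed sample image bytes" * 1000)
        published = hashlib.md5(image.read_bytes()).hexdigest().upper() + "  sample.iso\n"
        intact = verify_image(image, published)
        with open(image, "r+b") as fh:  # simulate alteration of the working copy
            fh.seek(10)
            fh.write(b"X")
        altered = verify_image(image, published)
        return intact, altered

if __name__ == "__main__":
    for label, rec in zip(("intact", "altered"), demo()):
        print(label, rec)
```

Recording the size and all three digests at acquisition time gives later examiners several independent values to re-check the working copy against.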