Assignment: Computer Forensics
Prepared by: Mr. Ahsan Aziz
Moderated by: Dr. Ammar Alazab
July, 2018

Assessment Details and Submission Guidelines

Unit Code: BN309 – T2 2018
Unit Title: Computer Forensics
Assessment Type: Individual Assignment
Assessment Title: Validating and Testing Computer Forensics Tools and Evidence – Part 1

Purpose of the assessment (with ULO Mapping):
This assignment assesses the following Unit Learning Outcomes; students should be able to demonstrate their achievements in them.
a. Systematically collect evidence at private-sector incident scenes.
b. Document evidence and report on computer forensics findings.
c. Implement a number of methodologies for validating and testing computer forensics tools and evidence.

Weight: 15% of the total assessments
Total Marks: 50
Word limit: 1500 words max
Due Date: Friday, 31st Aug, 2018, 11:55 PM. (Week 7)

Submission Guidelines:
• All work must be submitted on Moodle by the due date along with a completed Assignment Cover Page.
• The assignment must be in MS Word format, 1.5 spacing, 11-pt Calibri (Body) font and 2 cm margins on all four sides of your page with appropriate section headings.
• Reference sources must be cited in the text of the report and listed appropriately at the end in a reference list using IEEE referencing style.

Extension:
If an extension of time to submit work is required, a Special Consideration Application must be submitted directly through AMS. You must submit this application within three working days of the assessment due date. Further information is available at: http://www.mit.edu.au/about-mit/institute-publications/policies-procedures-and-guidelines/special-considerationdeferment

Academic Misconduct:
Academic Misconduct is a serious offence. Depending on the seriousness of the case, penalties can vary from a written warning or zero marks to exclusion from the course or rescinding the degree.
Students should make themselves familiar with the full policy and procedure available at: http://www.mit.edu.au/about-mit/institute-publications/policies-procedures-and-guidelines/Plagiarism-Academic-Misconduct-Policy-Procedure. For further information, please refer to the Academic Integrity Section in your Unit Description.

Assignment Questions:

Objective:
The objective of the assignment is to acquire data from a drive, perform data recovery using different techniques and tools, analyse it and finally validate the acquired data. In addition, students are required to properly document all steps in the form of a report; the report should be formal enough that it can be used in a legal process. Marks will be awarded based on the sophistication and the difficulties of the techniques explored.

Case Study:
You have been assigned a case of embezzlement. A USB was found in the suspect's office, and it is expected to have very important information regarding the case. The USB contains several Excel files, a couple of image files and some text files.

Assignment Specification:
Prepare a report on the following sections related to the case study scenario. You can use your own USB, create/delete files as mentioned in the scenario and perform forensics. Provide the list of references using IEEE referencing style at the end of the report.

Section 1: Data Acquisition
Prepare a forensic image (bit stream copy) with the record of data deletion. Explain the method and tool you used for acquiring data. You will need this image to perform the subsequent tasks. Please submit this image with your assignment. (200 words)

Section 2: Data Recovery
The suspect has deleted two image files from the USB. Recover the files and explain the method (with screenshots) and tool you used. (200 words)
In addition, recover data from the recycle bin and explain the procedure with screenshots. (200 words)

Section 3: Data Analysis
Inspect all files in the USB, use a hex editor and analyse whether there is any hidden data in the files. Provide screenshots of your analysis. (200 words)

Section 4: Data Validation
Explain different methods of data validation and use one of them to validate data on the USB. (400 words)

Marking Criteria (Questions, Description, Marks):

Section 1
  Acquiring data using a standard tool: 5
  Explanation of acquisitions and screenshots: 5
Section 2
  Data recovery from USB and explanation: 5
  Data recovery from recycle bin and explanation: 5
Section 3
  Data analysis of all files in USB using Hex Editor: 10
Section 4
  Data validation with explanation: 10
Presentation
  Writing quality, Coherence, Report Structure: 5
Reference style
  Follow IEEE reference style (should have both in-text citation and reference list): 5
Total: 50

Marking Rubric (Sections; Excellent, Good, Fair, Poor):

Section 1: Contingency Planning
  Excellent: Appropriate requirements of the plan specified and explained, and issues identified and listed
  Good: Requirements for the plan specified and issues identified and listed
  Fair: Not a complete plan, with a few requirements and issues
  Poor: Did not address sub sections of the section

Section 2: Security Tools
  Excellent: Addressed the three tools, explained briefly how they work, and explained the cost analysis
  Good: Addressed the three tools, however with minimum explanation, with cost analysis
  Fair: Three tools selected but not explained, and not enough explanation provided for the justification of cost analysis
  Poor: Not a complete list of security tools and missing explanation of cost analysis

Section 3: Information Security Act
  Excellent: Explained the act and the important key points
  Good: Provided an idea about the act with the key points
  Fair: Did not provide a clear picture of the act with the key points included
  Poor: Missing explanation and key points

Section 4: Security Management Policy
  Excellent: Addressed all the seven sections of the policy with necessary explanation
  Good: Addressed all the sections and managed to explain the requirements of the policy
  Fair: Addressed all sections with minimum information
  Poor: Missing sections from the policy (Incomplete)