You need to develop a case study report as per the requirement, and there are virtual machines on which we need to perform the investigation. There are sets of software which you'll require in order to develop a case study report, and I am attaching a document which will help you to get a list of software you require.
Please let me know the proper way to upload those virtual machine files, as they are big in size.


Forensic Investigation Case Study

Contents
Details
Background
Task
Report Structure
Additional Task Information
Assignment Submission
Late submission
Marking Key

Details

Title: Clowning About Again
Value: 40% of the final mark for the unit
Length: Maximum of 25 pages

Background

In the state of Western Australia, it is illegal to access, own or distribute digital content relating to clowns. An allegation has been made to law enforcement whereby a witness claims to have seen an individual access clown related content within a place of work. Following the approval of formal warrants, the computer in question was seized from the work place. The computer was then forensically acquired using FTK Imager. Unfortunately, the junior investigator who obtained the ‘forensic image’ of the computer only performed a logical acquisition. To worsen the situation, the junior investigator forensically wiped the original hard drive from the computer. Fortunately, the logical acquisition was undertaken in a forensically sound manner.

The suspect, Clark, denies accessing clown content. However, Clark does confirm that the computer does belong to him. Clark stated that he does not always take the computer home or lock it when he is away from his desk.

You are a consultant who specialises in digital forensic investigations. You have been assigned the task of examining a ‘forensic’ image of the laptop, which was seized with correct warrants. It is currently unknown what Clark was doing with the clown content. In Clark’s opinion, the computer was infected with malware which resulted in any potential content appearing on the computer.

Task

Your task is to investigate the supplied forensic image using appropriate tools and process and to develop and submit a written report on your findings. You may use any tools to undertake the investigation but you must justify all of your actions! Your report must follow the report structure shown below.

Report Structure

Cover Page
Unit code and title, assignment title, your name, student number, campus and tutor’s name.

Table of Contents
An accurate reflection of the content within the report, generated automatically in Microsoft Word.

Summary
A succinct overview of the report. What were you looking for? How did you approach the investigation? What did you do? What did you find? What is the outcome of the investigation? Use numbers to support or extend the extent of any crimes that have been committed.

Issue #1 – Presentation of content relating to offence
A detailed representation of all content identified, extracted and analysed in the investigation. All evidence must be characterised, explained and examined. What is the value of the evidence to the investigation? What does each piece of evidence mean? Does evidence support or negate the allegations made?

Issue #2 – Identification
Detail all information relating to possible use/ownership of the evidence identified and extracted. How can you link the evidence to a particular owner? Is there any digital evidence which demonstrates ownership of the device or content?

Issue #3 – Intent
Was the digital content purposefully accessed/used/downloaded/installed? Was it accidental? Was it a third party? Was it malicious software? Present all evidence to support your theory.

Issue #4 – Quantity of Files
How many files of every type were present on the system? What percentage of these files relate to the offence? What does this mean for the overall investigation?

Issue #5 – Installed Software
What applications are installed that relate to the investigation? What purpose do these applications serve? Have they been used/run? Dates/times the application was used. What impact do these applications have on the investigation?

Appendix A – Running Sheet
A comprehensive running sheet (recipe) of your actions in investigating the case study. The running sheet should be presented in table form. What did you do? How did you do it? What was the outcome of your action? The running sheet should be more detailed than a ‘recipe’ and allow someone to replicate your process and achieve the exact same outcome.

Appendix B – Timeline of Events
A comprehensive and chronological order of events representing the actions that resulted in the illegal activity taking place, and the events thereafter. Be creative in how you present this data. Consider what is important to include and what serves no purpose.

Additional Task Information – MUST READ

· Start early and plan ahead, you may need to spend considerable time experimenting with various tools. If a tool or method fails to result in a successful outcome, you should still document this action in your running sheet. Each tool has its own strengths and limitations.
· Each report will be unique and presented in its own way.
· Scrutinise the marking key, and ask any questions you may have EARLY in the semester!
· Look for clues/hints in the investigation. Strategically placed clues/hints have been created in this fictitious case study to help you along the way.
· It is not expected that you find every piece of evidence and nor do you have to. Furthermore, should there be password protected or encrypted content, you do not necessarily have to break/decrypt it to successfully progress with the investigation.
· Remember to ensure the integrity of the image being investigated. You should continually demonstrate that you have maintained integrity throughout your investigation.
· Consider what you are trying to find and what you need to negate. The background information of this document provides carefully developed clues.
· The task is not just about data recovery! I am more interested in your method (i.e. the carefully created running sheet), than any evidentiary artefacts that you may recover!

Assignment Submission

The submission must be a Microsoft Word document. You are only submitting one document through Blackboard. You do not need an assignment cover sheet.
Do not submit more than 1 document as these will not be assessed.

Marking Key

CRITERIA (MARK)

Evidence (20 marks)
· At least 5 ‘issues’ are created and adequately populated with correct evidence. /8
· Evidence is characterised (filenames, sector locations, file extensions, metadata, hashes, dates/times, allocation status, explanations, etc.) /8
· Evidence has been explained, analysed and linked appropriately to other evidence. /4

Method and Timeline (20 marks)
· Comprehensive running sheet with clearly defined aims, methods and results. /8
· Clear use of forensic process which is repeatable and reproducible. /6
· An accurate and professional timeline of evidence, detailing critical events. /6

Module 1

Background:

This workshop focuses on the preparation of your chosen workstation for future tutorial activities and the major case study assignment. Some of the required downloads are large and thus you should plan accordingly. For each product you download, you should read the supporting help files, assess the features, purpose and limitations of that tool. As you progress through the unit, you will soon discover there is not a single tool or product that suits all investigative problems.

In this unit, you will download and use a variety of software applications. It is your responsibility to ensure you have security software installed and configured to protect your computer and data from malicious activity. You should create backups of your workstation and all assignment files on a regular basis. In addition you should always scan all files you download from the Internet for malicious software (regardless of the source), using a quality and reputable anti-virus product.

Many digital forensic products are Microsoft Windows based. However, software developers are progressively developing software for MacOS as they realise the increased adoption of Mac computers.
Those using MacOS or Linux may opt to run Microsoft Windows in a virtual machine allowing digital forensics products to operate without issues.

You should have sufficient skill and knowledge to install and configure software as required for your chosen workstation and thus support for trivial tasks is not provided. Should you find yourself experiencing difficulty, you may seek support from your tutor, but you should aim to solve technical issues yourself.

Task:

1. Visit www.zerofish.net and browse through the various categories of tools and computer forensic resources available. You should commence familiarising yourself with different tools/products and their capabilities.
2. Download and install VMWare Player or an alternative virtualisation product.
3. Download the SANS Investigative Forensic Toolkit virtual machine from https://digital-forensics.sans.org/community/downloads
   a. The SANS Investigative Forensic Toolkit (SIFT) is a Linux based virtual machine specifically designed for open source digital investigations. SIFT will be used for tutorial activities and to support you in completing your assignment.
   b. You will be required to create a free SANS account. Please note that in many instances vendors will not send or supply download links to email from Gmail, Hotmail etc.
4. Download and install FTK Imager by AccessData from http://accessdata.com/product-download and assess the capabilities and feature sets of the product. You will need to register a valid email address to obtain your download link. Please note that free and publicly available email addresses do not often work as a registration email. You should also make sure you read all conditions and ‘check’ boxes correctly.
5. Download and install the latest version of Autopsy from http://www.sleuthkit.org/index.php – many future activities and the assignment will make use of Autopsy.
6. Visit http://linuxleo.com and browse through the available resources.
   You should download and read through "The Beginner's Guide" PDF document titled "The Law Enforcement and Forensic Examiner's Introduction to Linux". This resource will support you in using the SIFT virtual machine, and give you a better understanding of digital forensics, especially within a Linux context.
7. Read through the Australian and Western Australian Computer Crime Acts. You should familiarise yourself with Section 440A of the Western Australian Criminal Code.
8. X-Ways Forensics is a powerful and popular tool used amongst law enforcement agencies and digital forensic investigators worldwide. Whilst you are not required to purchase the software, for those of you wishing to expand your knowledge and skillset in digital forensics, you may like to consider purchasing a copy of X-Ways WinHex. The following link provides a comparison of the different feature sets of each of the X-Ways products: https://www.x-ways.net/winhex/comparison.html
9. As part of your familiarisation process of different tools, you should allocate time and assess the feature set of the following products: PassMark OSForensics, Guidance Software EnCase Forensic, Nuix, Magnet IEF.

At this point you should have hopefully downloaded, installed and set up your workstation for subsequent activities in this unit. The following two exercises are designed to get you thinking about digital forensics from two different perspectives.

10. As you will learn throughout this unit, digital forensics is not just about computers or smartphones. There are many electronic devices which could be used as evidentiary artefacts in a court of law. Based on the following list, try and come up with specific types of data that could be useful for a forensic investigator to obtain. Post your answers on Blackboard. The activity is not graded, but Blackboard discussions will be monitored as a means of participation within the unit.
   a. Audio/Video devices i.e. iPods
   b. Digital cameras
   c. Gaming consoles
   d. GPS devices
   e. USB missile
Aug 07, 2020