COIT12201 Electronic Crime and Digital Forensics – T2, 2020 Assessment 2 Page: 1 / 8
COIT12201 - Assessment Item 2
Written Assessment- Digital Forensic Investigation
This assessment item requires you to work in a group (2-3 students per group).
Due date: Due in Week 10 Friday (25 September 2020) 11:55 PM AEST
Weighting: 30% [15 % (Part A) + 15% (Part B)]
Length: Maximum 4000 words (excluding the cover page, table of content, references and
appendix)
Objectives
1. Analyze a case to identify appropriate course of action to investigate.
2. Use appropriate tools and techniques to investigate a digital forensic case.
3. Apply digital forensics methodologies to a forensic investigation.
4. Appraise the legal issues involved in a forensic investigation.
5. Prepare an outline of a professional digital forensic plan and an investigation report.
Overview
In this assessment, you will work in a digital forensic team to investigate a case. Each member of
your group will have specific digital evidence to investigate individually. The group needs to work
together to discuss issues relevant to the entire case. Finally, the group needs to combine individual
investigations and group discussions into a report.
Submit the group report on Moodle for marking. Only one member from the group needs to
upload the report onto Moodle.
Perform the following tasks to complete the assignment:
1. Create a group – no more than 3 members per group;
2. Select one (1) case study to investigate as a group (case study is provided on the Appendix of
this document);
3. Individually, select and complete investigation activities within the case study;
4. As a group, discuss investigation issues and outcome within the case study;
5. Prepare and submit the group report containing both individual and group parts.
These tasks are further described below.
1. Creating a Group - This is a group assignment; hence, it is expected that each student will be
part of a group. A group can have minimum two (2) or maximum three (3) members. Table 1
shows activity requirements based on the size of different groups.
You will organise your own group of three (3) members maximum. Organise your group during the
online tutorial/lab session in weeks before Week 5. You must provide your Tutor (for Distance
Education students, the Unit Coordinator is your tutor) with the details of the members of your group
by end of week 5. Moodle groups will be created using this information which is essential for
submitting the assignment via Moodle submission link.
If for some special circumstances, you must work on your own, you must get written permission via
E-mail from your Unit Coordinator before Week 5. There is no guarantee that your request will be
COIT12201 Electronic Crime and Digital Forensics – T2, 2020 Assessment 2 Page: 2 / 8
approved as it will depend on the particular circumstance (e.g., “I don’t want to work with others” will
not be considered as a valid reason). Bear in mind that the investigations for the case will require
substantial work and carrying out the work on your own can be quite heavy. Due to the nature of the
required level of investigation, it will not be possible to adjust the work load for students working on
their own (subject to approval from the Unit Coordinator) as it may not be sufficient to answer the
questions raised in the case.
Table 1: Required activities based on the size of the group
Student 1 Student 2 Student 3
Group Size 3 Activity1
Discussion
Activity2
Discussion
Activity3
Discussion
Group Size 2 Activity1
Discussion
Activity2
Discussion
N/A
Group Size 1 Activity1
Activity2
Discussion
N/A N/A
As suggested in Table 1, if the group is with 2 students (Group Size 2), student 1 must select and
complete an activity, student 2 must select and complete a different activity (e.g., student 1 does
activity 2 and student 2 does activity 3, etc.), and both students must work together to discuss the
investigation issues and prepare the report.
Issues with Group and group members: Groups have to be created on or before week 5. It
is the group’s responsibility to manage the work in a coordinated manner to achieve the goal.
2. Selecting a Case Study – Each group needs to choose one (1) case study and perform
activities on that case study. The list of case studies is below, with details on Page 5.
• Case One: Exfiltration of corporate Intellectual Property
• Case Two: Electronic Eavesdropping
• Case Three – Illegal digital materials
3. Performing Investigation Activities - Perform your investigation to answer questions given in the
case document. Your investigation should aim to answer questions asked in your chosen case.
Your answers should be supported by evidence found in your investigation and with detailed
justifications. Your individual activity may not answer all questions, but your group activities
together should answer all the questions. Therefore, collaborate effectively with your group
members.
If your individual activity did not answer any questions for your chosen case, you must
present evidence relevant to your case and/or other possible crime(s) not listed in your
case. Use the forensic software you have learnt in the lab for this investigation. If necessary, you
can use other freely available (or trial version of) forensic tools.
3.1 Individual section: choose your activities based on your group size and activity rules shown
in Table 1.
3.1.1 Activity One - Investigate following digital data acquired from the crime scene
mentioned in your case study and prepare a report.
• charlie-2009-12-11.E01
COIT12201 Electronic Crime and Digital Forensics – T2, 2020 Assessment 2 Page: 3 / 8
• charlie-work-usb-2009-12-11.E01
• charlie-2009-12-11.mddramimage.zip
3.1.2 Activity Two - Investigate following digital data acquired from the crime scene
mentioned in your case study and prepare a report.
• pat-2009-12-11.E01
• pat-2009-12-11.mddramimage.zip
• jo-work-usb-2009-12-11.E01
3.1.3 Activity Three - Investigate following digital data acquired from the crime scene
mentioned in your case study and prepare a report.
• terry-2009-12-11-002.E01
• jo-2009-12-11-002.E01
• jo-2009-12-11.mddramimage.zip
3.2 Group discussion: Every group needs to address all points given in this sub-section based
on their individual investigation process to include in the report.
• Details of digital forensic methodologies and process flow used to investigate this case.
• Write appropriate justifications to support your chosen methodologies and process.
• Provide appropriate screenshots to show detailed process of the investigation.
• Identify ethical and legal issues applicable for the case you are working on.
• Justification of choosing ethical and legal issues that are relevant to the case.
4. Submit your report – Prepare and submit your investigation report as a group. A group together
must submit only one report.
Only one member from the group needs to upload the report onto Moodle.
4.1 Expected report structure
I. Introduction
II. Activity 1 (include member’s name who carried out this activity)
III. Activity 2 (include member’s name who carried out this activity)
IV. Activity 3 (only for groups of 3) (include member’s name who carried out this activity)
V. Group Discussion
VI. Conclusion
VII. References
Feel free to add sub-headings for sections II to V. You could choose subheadings but make sure
you check the marking guide to assist you for this. For example, for individual activities, subheadings
could be: tools used, process followed for the investigation, evidence found,
questions answered by identified evidence and justification.
4.2 What to submit: You must upload a single Word document per group using assignment two
submission link on Moodle. Any screenshots or images must be incorporated into the report, not
submitted as separate files. No other files are to be submitted.
5. Other Resources
Required evidence can be downloaded from:
Download link for hard drive images: http://downloads.digitalcorpora.org/corpora/scenarios/2009- m57-
patents/drives-redacted/
Download link for RAM dumps: http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-
patents/ram/
Download link for USB drives: http://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-
patents/usb/
COIT12201 Electronic Crime and Digital Forensics – T2, 2020 Assessment 2 Page: 4 / 8
Useful Tools: OSForensics, FTK, SleuthKit, autopsy, ProDiscover Basic and Volatility can be really
helpful to investigate this case.
If you are using a Mac computer or Linux, you are advised to install Oracle VirtualBox. You will
need to install Windows virtual machine on the Virtual box and then install these tools on your
Windows virtual machine on the VirtualBox.
Acknowledgement
The case scenario used in this document has been adapted from
http://digitalcorpora.org/corpora/scenarios/m57-patents-scenario for education purpose.
COIT12201 – Assignment 2
Marking Guide
You will be marked individually for your individual activity. Your group discussion will be marked same for
your entire group. Your total mark will be: your individual contribution mark + group mark
Student ID & Name: ____________________________________________________
Marker / Date: _________________________________________________________
Part A: 3.1 Individual section (15 marks)
Marks Comments
1. Depth of the investigation:
• Did students apply all possible
avenues to find evidence? (2 marks)
• Did they reveal all evidence present
in digital data? (2 marks)
/4
2. Appropriateness of tools and techniques:
• How appropriate was the choice of tools
and techniques used for investigation? (3
marks)
• How well does the report detail the
investigation process? (3 marks)
/6
3. Presentation of the evidence
• Was the evidence found presented
appropriately to support answers of the
questions from case study? (2.5 marks)
• How well is the detailed justification
presented? (2.5 marks)
/5
Part B: 3.2 Group work (15 marks) – same marks
for entire group
COIT12201 Electronic Crime and Digital Forensics – T2, 2020 Assessment 2 Page: 5 / 8
Group discussion: (1.5 marks for each)
• Details of digital forensic methodologies and
process flow used to investigate this case.
• Write appropriate justifications to support your
chosen methodologies and process.
• Provide appropriate screenshots to show detail
process of the investigation.
• Identify ethical and legal issues applicable for the
case you are working on.
• Justification of choosing ethical and legal issues
that are relevant to the case.
/7.5
Report preparation and submission -
• The group prepared a single report which is
presented cohesively covering the whole
investigation (2.5 marks)
• The entire group has submitted only one copy of
the report in Moodle. (2.5 marks)
/5
Report quality:
• Is the report easy to follow? (0.5 mark)
• How well is the flow of the investigation
sequentially presented in the report (1 mark)
• Does it prepare with formal report writing style
such as table of content, page numbers,
appropriate referencing (if any), cover page
and so on. (1 mark)
/2.5
Late submission deduction –
/5%( 1.5
marks) for
each day
Total Marks: /30
The case details appear on the next page.
COIT12201 Electronic Crime and Digital Forensics – T2, 2020 Assessment 2 Page: 6 / 8
Appendix: Case Details
Common to all case studies:
Company Details
M57.biz is a new company that researches patent information for clients. The company currently has
one (1) CEO/President, and three (3) additional employees. The company is planning to recruit more
employees, so they have a lot of inventory on hand (computers, printers, etc.).
Table 2: M57 personnel details.
Personnel Electronic Identity
Pat McGoo (President/CEO) pat@m57.biz (email password: mcgoo01)
Terry Johnson (IT Administrator) terry@m57.biz (email password: johnson01)
Jo Smith (Patent Researcher) jo@m57.biz (email password: smith01)
Charlie Brown (Patent Researcher) charlie@m57.biz (email password: brown01)
Employees work onsite and conduct most business exchanges over email. All of the employees work in
Windows environments, although each employee prefers different software (e.g. Outlook vs.
Thunderbird). Figure 1 shows the network configuration of the company.
Figure 1: Network configuration for M57.biz
Note: In the above figure “DOMEX” is the local server managing external network access and email.
You can find further information (such as a copy of the detective reports, along with the search
warrant and affidavit) about this case in the link below.
http://digitalcorpora.org/corpora/scenarios/m57-patents-scenario
Case One - Exfiltration of corporate Intellectual Property
One of the employees in M57 is stealing proprietary research on patent information from the company and
passing it on to an outside entity. This employee has taken some measures to cover their tracks, but
COIT12201 Electronic Crime and Digital Forensics – T2, 2020 Assessment 2 Page: 7 / 8
probably did not count on the company machines being imaged in the ongoing investigation of other
criminal activity.
You are tasked with determining the following:
• Who is exfiltrating the patent search data?
• How are they doing it? Can you identify the specific items they have stolen? What is required to
access the data?
• Who is the outside contact?
• Is there anything in your analysis to suggest that this person might be charged with more than one
criminal offense?
At the end of your investigation you should prepare a report based on the details provided in the
assignment two.
Case Two – Electronic Eavesdropping
One of the M57 employees is spying on the boss (Pat McGoo) electronically. This employee is concerned
that Pat may find out about certain activities they have engaged in - activities that may be related (directly
or indirectly) to another ongoing investigation.
You are tasked with determining the following:
• Who is spying on Pat?
• How are they doing it? Can you identify specific methods or software they have used to facilitate this?
• Why is the employee spying on Pat?
• Is anyone else involved? Would you characterize them as accomplices?
At the end of your investigation you should prepare a report based on the details provided in the
assignment two.
Case Three - Illegal digital materials
It was found that a functioning workstation originally belonging to m57.biz was purchased on the secondary
market. Aaron Greene, the buyer realises that the previous owner of the computer had not erased the drive
and finds illegal digital images and videos on it. Aaron reports this to the police, who take possession of
the computer. Police forensics investigators determine the following:
• The computer originally belonged to m57.biz
• The computer was used by Jo Smith, an M57 employee, as a work computer.
Police contact Pat McGoo, the CEO of m57.biz. Pat authorises imaging of all other computer equipment
onsite at M57 to support additional investigation. Police further pursue a warrant to seize a personal thumb
drive (USB) belonging to Jo. You are given disk images from all of the computers and USB devices found
onsite at M57, along with a USB thumb drive belonging to Jo. You are also provided with four detective
reports and a search warrant and affidavit associated with seizure of the USB drive.
• For the purposes of the scenario, illegal images have been simulated with pictures and videos of cats
produced exclusively for this corpus.
COIT12201 Electronic Crime and Digital Forensics – T2, 2020 Assessment 2 Page: 8 / 8
Questions to answer:
• Is Jo the owner of these files? What evidence is there to confirm or reject this?
• How did the computer come to be sold on the secondary market?
• Who (if anyone) was involved in the sale (theft?) of the computer?
• Were any attempts made to hide these activities (the possession of illegal digital material)?
At the end of your investigation you should prepare a report based on the details provided in the
assignment two.
End of Assessment item 2 specification document.