ASIA PACIFIC INSTITUTE OF INFORMATION TECHNOLOGY
PSB109SE
PSB109SE - Digital Forensics Fundamentals (CU DEGREE)
Marking Scheme
COURSEWORK 1 (50%)
Assignment Learning Outcomes
On completion of this module, a student should be able to:
1. Define the principles of digital forensics and data recovery in respect of “live” and “dead” acquisition. (You can use a USB drive or any external DVD or hard drive.)
3. Apply digital forensic methodology to digital crime investigation in accordance with UK ACPO Principles regarding digital evidence. (2012)
4. Analyse the legal, ethical and professional issues involved in digital forensic investigations.
6. Develop technical writing skills required to accurately record and report forensic findings and document evidence.
Assessment: Activity Led Learning
Indicative time (hrs): 18 hours of lecture and 18 hours of tutorial (lab) = 36 hours
Module weight: 50%
Coursework with Viva (50%) assessing learning outcomes 1,3,4,6
Coursework with Viva (Activity Led Learning)
Learning Outcomes:
· Perform identification, extraction and analysis of digital evidence (Task 1, 3, 4)
· Record and report forensic findings and document evidence (Task 6)
· Present findings in a 15-minute VIVA.
Digital Forensic Examination of Storage Media
The storage media to be examined for evidence contains a virtualized image of a Windows-based operating system with an NTFS/FAT-based file system. The case is as follows:
Case
John Doe contacted my office (forensic services) in regards to imaging a stolen laptop computer running Windows® XP Professional that had been recovered. Doe is requesting a forensic examination to see what company documents may have been stolen by the suspect(s) and is requesting a full forensic examination and report for possible criminal charges & civil litigation.
Task
1. Investigation
You, as the expert digital forensic examiner, are required to research at least one open source (free) forensic tool and learn how to use it by performing a forensic examination on a storage media.
Forensic examination of the given storage media (containing the above-mentioned case) is to be carried out using AccessData® FTK based forensic tools as well as an open source forensic tool for cross-checking.
2. Examiner Report
In your examiner report of not more than 25 pages (Times New Roman, font size 12, single line spacing), you need to state your key observations, analysis and opinions on the case based on the evidence extracted from the evidence file.
The following are required in the examination report:
• Case information
• Information on the evidence seized. This includes:
· Evidence Number
· SHA1
· Model
· Serial Number
· Examiner name
• Any evidence that is relevant to the case. You should be as thorough as possible.
• Any relevant notes on the evidence recovered (based on your observation).
The examiner report should include the relevant sections:
· Case identifier/number
· Exhibit/tag number
· Identity of the examiner/investigator
· Identity of the reporting agency
· Date of receipt of exhibit
· Date of report
· Descriptive list of items submitted for examination, including serial number, make, model, operating system etc.
· Brief description of steps taken during examination, such as string searches, graphics image searches, and recovering erased files
· Conclusion
· Appendices
Submission of Work (30%)
Submission of the Forensic Examination Report in hardcopy format on 11 June 2018 (Monday). The report format consists of the following main sections:
· Case Summary
· Forensic Acquisition (Imaging) (if applicable)
· Details of Findings (Forensic Analysis)
· Conclusion
VIVA (20%)
Conduct a presentation on your approach and demonstrate your work during an in-class session on 11 June 2018 (Monday) in a 15-minute VIVA session.
Reference Sites:
https://accessdata.com/products-services/forensic-toolkit-ftk
http://www.digital-detective.net/digital-forensics-documents/ACPO_Good_Practice_Guide_for_Digital_Evidence_v5.pdf
www.bcs.org/upload/pdf/conduct.pdf
http://www.legislation.gov.uk/ukpga/1990/18/introduction
http://www.legislation.gov.uk/ukpga/2001/16/contents
http://www.legislation.gov.uk/ukpga/2009/25/contents
http://www.legislation.gov.uk/ukpga/2003/42/contents
https://www.cps.gov.uk/legal/p_to_
prohibited_images_of_children
http://www.homeoffice.gov.uk/publications/agencies-public-bodies/fs
codes-conductpractice?view=Standard&pubID=868070
http://tna.europarchive.org/ XXXXXXXXXX
http://scienceandresearch.homeoffice.gov.uk/hosd
publications/cctvpublications/6608_Retrieval_of_Video_Ev13c4f.html?view=Standard&pubID=585513
http://www.acpo.police.uk/about_pages/structure.html
The following steps are recommended for forensic examination of digital evidence:
1. Case Planning & Preparation
1.1. Accessing the case scenario - determine a preliminary design or approach to the case. Consider the case size, scope, and other special characteristics. This is in accordance with the UK Computer Misuse Act.
1.2. Seizure and device handling – knowledge of and compliance with seizure and device handling policies and procedures, plans, drills, staff training and experience, and proper equipment, in accordance with ACPO Digital Evidence Principles (2012).
1.3. Recording the incident scene – Assessing a physical location for safety. Scene is recorded through a combination of field notes, sketches, video, or still images.
2. Case Collection
2.1. Acquiring evidence – Systematically outline the case details. Determine the type of evidence; operating system; known disk format; location of evidence.
2.2. Chain of custody - Establish a chain of custody; transport the evidence to a computer forensics lab; secure evidence in an approved secure container.
3. Case Examination
3.1. Forensic Imaging – prepare a forensics workstation; make a forensic copy of the evidence via forensically sound and repeatable techniques.
3.2. Forensic Handling of Volatile Digital Evidence – Protect and capture the volatile memory of a live system, such as running processes, network connections, and other important application data.
3.3. Investigator Ethics – Professionalism and competency of the forensic investigator to carry out investigations and report their findings in an unbiased and factual manner.
4. Case Analysis
4.1. Forensic Examination - Identify meaningful evidence, determine how to preserve the evidence and extract, process, and interpret the evidence.
4.2. Interpret Evidence – Expert interpretation of evidence to draw deductions and form expert opinions on the case.
5. Reporting
5.1. Organization/Clarity/Coherence - Ability to communicate the results of investigation in a thorough and clear manner. Laying out of ideas in logical order; building arguments piece by piece.
5.2. Competency to Present Analytical Findings - Possessing a well-defined report structure so as to contribute to readers’ ability to understand the written information.
Assignment Deliverables and Conditions:
· Final Documentation has to be word processed. The maximum of 25 pages is recommended.
· Late submissions will be awarded ZERO marks. If you have genuine reason/s for needing to submit late, you can request an extension from faculty registry (at reception).
· Your document should be submitted in hardcopy.
· Citation of ACPO and relevant legislation is mandatory. Obtain the forensic tools from credible sources.
Marks Allocation (Examiner Report)
Steps: Marks Allocated
1. Case Planning & Preparation
1.1. Accessing the case scenario (UK Computer Misuse Act): 5
1.2. Seizure and device handling (ACPO): 5
1.3. Recording the incident scene – Contemporaneous notes taking: 10
2. Case Collection
2.1. Acquiring evidence: 5
2.2. Chain of custody: 10
3. Case Examination
3.1. Forensic Imaging: 10
3.2. Forensic Handling of Volatile Digital Evidence: 10
3.3. Investigator Ethics: 5
4. Case Analysis
4.1. Forensic Examination: 10
4.2. Interpreting Evidence: 10
5. Reporting
5.1. Organization/Clarity/Coherence: 10
5.2. Competency to Present Analytical Findings: 10
Total: 100
Marks Allocation (VIVA)
Content
The information in the speech should be organized. It should have an engaging introduction that grabs the audience’s attention. The body of the speech should include details, facts and statistics to support the main idea. The conclusion should wrap up the speech and leave the audience with something to remember.
In addition, the speech should be accurate. Teachers should decide how students should cite their sources if they are used. These should be turned in at the time of the speech. Good speakers will mention their sources during the speech.
Last, the content should be clear. The information should be understandable for the audience and not confusing or ambiguous.
Eye Contact
Students’ eyes should not be riveted to the paper or note cards that they prepare for the presentation. It is best if students write talking points on their note cards. These are main points that they want to discuss. If students write their whole speech on the note cards, they will be more likely to read the speech word-for-word, which is boring and usually monotone.
Students should not stare at one person or at the floor. It is best if they can make eye contact with everyone in the room at least once during the presentation. Staring at a spot on the wall is not great, but is better than staring at their shoes or their papers.
Flow
When speaking, the speaker should not have distracting pauses during the speech. Sometimes a speaker may pause for effect; this is to tell the audience that what he or she is going to say next is important. However, when students pause because they become confused or forget the speech, this is distracting.
Another problem is verbal fillers. Students may say “um," “er" or “uh" when they are thinking or between ideas. Some people do it unintentionally when they are nervous.
If students chronically say “um" or use any type of verbal filler, they first need to be made aware of the problem while practicing. To fix this problem, a trusted friend can point out when they are doing it during practice. This will help students be aware when they are saying the verbal fillers.
Confidence and Attitude
When students speak, they should stand tall and exude confidence to show that what they are going to say is important. If they are nervous or are not sure about their speech, they should not slouch. They need to give their speech with enthusiasm and poise. If it appears that the student does not care about his or her topic, why should the audience? Confidence can many times make a boring speech topic memorable.
Visual Aids
The visual that a student uses should aid the speech. This aid should explain a fact or an important point in more detail with graphics, diagrams, pictures or graphs.
These can be presented as projected diagrams, large photos, posters, electronic slide presentations, short clips of videos, 3-D models, etc. It is important that all visual aids be neat, creative and colorful. A poorly executed visual aid can take away from a strong speech.
One of the biggest