
Assignment Hints and Questions - ad1, ad2, (ad3) are drive image purporting to be of the same computer. Install the AccessData FTK Imager to access the AD file format. Note there are five ADX files...

Assignment Hints and Questions
- ad1, ad2, (ad3) are drive images purporting to be of the same computer.
Install the AccessData FTK Imager to access the AD file format.
Note there are five ADX files but only two images, which is because the images have been
split into 1.5GB sections (the last one being a remainder).
Therefore ad1+ad2+...+adX make up the full image (together). Note: So if one is missing or
corrupt you will get errors!
1. In the AccessData FTK Imager you need to use the Add Evidence Item... option
2. Choose Image File option
3. Browse to where you have downloaded the image files
Note: You can actually choose any of the adx files but it is less confusing if you choose the
first one as the labels reflect the starting image.
4. Finish to load the image into the Evidence tree
If you want to do a comparison between the content of the two images you can use the
Export Directory Listing... option.
This is available by right-clicking on the image file root icon and selecting the Export
Directory Listing... option.
You can open the dir listings in Excel and compare manually. Or perhaps to make it easier
you can try to use a free tool like WinMerge to compare the CSV files to help find
differences. Refer to http://winmerge.org/?lang=en
Note the supposed image capture dates of these two additional images seem to be
2009-Nov-19, and 2009-Dec-01. And the original image was 2009-Dec-02.
Note: It is possible these two additional images correlate with the Volume Shadow Copy
Service (VSS) images with the difference images stored in the hidden System Volume
Information folder. Refer to https://docs.microsoft.com/en-us/windows/desktop/vss/volume-shadow-copy-service-overview
Hint: The 19 November date correlates with the RP19 and RP20 folders.
These dates should somehow be corroborated by the actual evidence in the image
files. Think about what files are always updated/accessed (registry)?
Your report should highlight the following areas (these will be
assessed):
- A) Discuss if there is any evidence of illegal drug activity (Methamphetamine). Explain your
position on this. What evidence did you find if any? How sound / reliable do you believe
your evidence collection to be? [20 marks]
- B) Present any evidence in a time line format, signposting the points where you believe any
offence may have occurred and other significant dates/times in the case. Compare any
evidence found and timeline information side by side with the different tools available to
you (e.g. ProDiscover/ OSForensics/ FTK Imager) and highlight any differences. Be sure to
state the pros and cons of using one tool over the other. [20 marks]
- C) You were provided with two sets of hard drive images. Are there any differences
between them, considering they are purported to be of the same computers. What do you
think has occurred here? What are the differences between the sets of the drive images?
Which images do you think are the originals and why? How do you think the sets of drive
images were created? [20 marks]
- D) A common defence is that the actions were committed unintentionally or that the
perpetrator did not know the actions were illegal. With these possible defences in mind,
address how you would respond to these defences. Are there any clues that indicate intent
or knowledge of criminal activity? [20 marks]
- E) Conduct some research into ways that image files (graphic images) could be “tampered
with”. Are there ways that are undetectable, or difficult to detect? Present your findings in a
short section – written in a formal referenced style. You are only expected to have
approximately 5 references (good quality: reputable journal or conference papers). [20
marks]

Assignment Information
You must submit your assignment online using the Assignment course tool.
You must submit your assignment as ONE word-processed document containing all of the
required question answers per group.
You must keep a copy of the final version of your assignment as submitted and be prepared to
provide it on request.
The University treats plagiarism, collusion, theft of other students’ work and other forms of
dishonesty in assessment seriously. For guidelines on honesty in assessment including avoiding
plagiarism, see: http://www.murdoch.edu.au/teach/plagiarism
ICT378/ICT600 S1 2021
Cyber Forensics and Information Technology/Incident Response
M57 Patents
Assume that you’re a Forensic Investigator given the following case
Founded by Pat McGoo, m57.biz is a new patent search company that researches patent information for
their clients. Specifically, the business of patent search is to generally verify the novelty of a patent
(before the patent is granted), or to invalidate an existing patent by finding prior art (proof that the idea
existed before the patent). At the start of the scenario, the firm has four employees: CEO (Pat McGoo),
IT Administrator (Terry), and two patent researchers (Jo, Charlie). The firm is planning to hire
additional employees at a later date once further clients are booked. Since the company is looking to
hire additional employees, they have an abundant amount of technology in the inventory that is not
being used.
Employees work onsite and conduct most business exchanges over email. All employees work in
Windows environments, although each employee prefers different software (e.g. Outlook vs.
Thunderbird).
ICT378/ICT600 Cyber Forensics Assignment – V1- Last Updated February 2021
Description - Case: Illegal Materials (Methamphetamine)
A functioning workstation originally belonging to m57.biz was purchased on the second-hand market
in early December, 2009. The buyer (Mr. Aaron Greene) realizes that the previous owner of the
computer had not erased the drive, and finds suspicious documents and videos related to drug use
(specifically Methamphetamine) when looking through the folders and opening the various
applications. Mr. Greene reports this to the police, who take possession of the computer.
Police forensics investigators determine the following:
• The computer originally belonged to m57.biz
• The computer was used in 2009 by Jo, an M57 employee, as a work machine.
• The computer was sold as-is to Mr. Aaron Greene on the 1st of December.
The police provide you with a disk image from the computer purchased by Mr. Aaron Greene, as
created on December 2nd, 2009. The image has the extension “dd”. It has been shared with you that
Mr. Aaron is considered to have acted suspiciously and answered questions inconsistently throughout
all interactions with the detectives.
Materials – Drive Image
The materials you will use for your investigations are:
Assignment Data Files , Uploaded on the LMS
Deliverable – Report
Task Description:
You should follow forensics procedures, such as taking a hash of the image before using it and
checking regularly to ensure you have not modified it. You can select and use any proprietary or open
source tools that you have been introduced to or find yourselves to perform the analysis and extract any
evidence present.
Your report should detail the investigation process and the findings (including copies of relevant
evidence), including obstacles and problems that you encountered and how you overcame them. You
can assume that the reader has a light understanding of digital forensics, so any complicated
terms/techniques/etc should be explained.
You must include some screenshots in your reports with the output of the tools or the processes and
when necessary to support/show how you reached your conclusions. Screenshots should not be used to
excess – they merely serve to demonstrate your understanding of the tools/processes and should be
used to support written explanations (not in place of).
You will be marked based on the evidence you extract, the use of appropriate tools, the detail of the
process, the explanation on its relevance to the case and documentation.
Remember, your report should present the information in an unbiased way. Improper
handling/validation of evidence would result in loss of marks except where accurately identified and
corrected.
**This assignment needs to be accomplished as a group of two or three members.
Marking Criteria:
The following table summarizes the marking criteria of the final report.
Sections                                                         Marks
Cover Page, Table of Contents, Executive summary                 10%
Methodology                                                      10%
Findings (use of appropriate tools and details of the process)   60%
  • Discussions (the explanation on findings’ relevance to the case)
  • Supporting Evidence (accurate data acquisition)
Summary & Appendix                                               10%
References & Formatting                                          10%
Total                                                            100%
Sample Structure for Report
Outline: Use the following as a starting-point to structure your report
Cover Page
• Title
• Date
• Student Name / Student Number
Table of Contents
• Main contents listed with page number
• Be sure to include visible page numbers on all pages
Executive summary
• Brief Description of the event
• Brief methodology of the investigation
• Brief evidence collection and preservation methods
• Conclusion with short, generalized reasons (like bullet-points)
Methodology details
• Investigation
• Evidence collection and preservation
Finding 1 - Description
• Discussion (e.g. Inculpatory or Exculpatory)
• Supporting evidence
Finding n - Description
• Discussion (e.g. Inculpatory or Exculpatory)
• Supporting evidence
Summary and Conclusion
• Discuss if there is any evidence of illegal drug activity (Methamphetamine).
• How sound / reliable do you believe your evidence collection to be?
• Is the person innocent or guilty? Explain your position on this.
Appendix
• Description of persons of interest (often shown in table format)
• Association Diagram of persons of interest
• Evidence listing
• Evidence Timeline (present any evidence in a time line format, signposting the points
where you believe any offence may have occurred and other significant dates/times in the
case).
• Software and tools used in the investigation
• Other important listings and information as needed
References:
Your report should be your own and you should use appropriate citation and referencing formats.
All sources that you use as supporting material to your reports must be referenced according to
convention. Failure to do so will result in loss of marks! You should use the APA as a referencing
style.
Formatting:
1. Paragraph text: Font size 12 with Calibri or Times New Roman font. 1.5 line
spacing. Justify alignment
Answered 15 days After Apr 26, 2021 ICT600 Murdoch University
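The hints above call for hashing the image before use, re-checking it regularly, and comparing the exported directory listings of the two images. The following Python is an added example (not part of the assignment or the posted solution) that does both: per-segment digests of the split AD files verified against a baseline, and a diff of two exported directory-listing CSVs keyed on full path. The segment contents, the CSV column names and the file paths are constructed assumptions, not values from the case.

```python
import csv
import hashlib
import io

def hash_stream(stream, algorithm="sha256", chunk=1 << 20):
    # Read in chunks so a 1.5 GB segment never has to be held in memory.
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def baseline_hashes(segments):
    """segments: {name: binary stream}. Digest every split segment once, before analysis."""
    return {name: hash_stream(s) for name, s in segments.items()}

def verify_hashes(baseline, segments):
    """Re-hash the segments and report any that are missing or changed (empty list = intact)."""
    current = baseline_hashes(segments)
    problems = []
    for name, expected in baseline.items():
        if name not in current:
            problems.append(f"missing segment: {name}")
        elif current[name] != expected:
            problems.append(f"modified segment: {name}")
    return problems

def load_listing(csv_text, key="Full Path"):
    # One row per path; the column names are an assumption about the exported CSV header.
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}

def compare_listings(first, second, fields=("Size", "Modified")):
    """Paths found in only one listing, plus shared paths whose size or mtime differ."""
    shared = set(first) & set(second)
    return {
        "only_in_first": sorted(set(first) - set(second)),
        "only_in_second": sorted(set(second) - set(first)),
        "changed": sorted(p for p in shared if any(first[p][f] != second[p][f] for f in fields)),
    }

# Constructed stand-ins; real segments are opened with open(path, "rb") and passed as streams.
SAMPLE_SEGMENTS = {"image.ad1": b"\x00" * 4096, "image.ad2": b"\xff" * 1024}
LISTING_NOV19 = """Filename,Full Path,Size,Modified
plan.doc,C:/Users/jo/Documents/plan.doc,2048,2009-11-19 10:02:11
video1.avi,C:/Users/jo/Videos/video1.avi,904321,2009-11-18 22:40:05
"""
LISTING_DEC02 = """Filename,Full Path,Size,Modified
plan.doc,C:/Users/jo/Documents/plan.doc,3072,2009-12-01 08:15:40
notes.txt,C:/Users/jo/Documents/notes.txt,120,2009-11-30 17:00:00
"""

def demo_integrity():
    fresh = lambda: {n: io.BytesIO(b) for n, b in SAMPLE_SEGMENTS.items()}
    base = baseline_hashes(fresh())                      # taken once, before any analysis
    damaged = fresh()
    damaged.pop("image.ad1")                             # one segment lost
    damaged["image.ad2"] = io.BytesIO(b"\xfe" * 1024)    # another altered
    return verify_hashes(base, fresh()), verify_hashes(base, damaged)

def demo_listing_diff():
    return compare_listings(load_listing(LISTING_NOV19), load_listing(LISTING_DEC02))
```

Record the baseline digests in the report and re-run the verification after each tool session; the listing diff gives the starting point for the side-by-side comparison asked for in part C.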

Solution

Ali Asgar answered on May 10 2021
148 Votes
Computer Forensics analysis report
A report on forensic analysis of a Computer for evidence of illegal drug use
Table of Contents
Executive Summary
Description of Event
Method of Investigation
Evidence Collection and Preservation Method
Methodology Details
Steps of Digital Forensics
Findings
Evidence of Illegal Drug Activity (Methamphetamine)
Evidence in Timeline Format
Analyze the Disk Images
Common Defenses
Tampering of Image Files
Summary and Conclusion
References
Executive Summary
M57.Biz is a patent search company founded by Pat McGoo. It is primarily involved in researching patent information for clients to validate the novelty of a patent by searching for a prior design work that is similar to the current design. The firm started with 4 employees initially. The employees were Pat McGoo (CEO), Terry (IT administrator), Jo and Charlie (Patent Researchers).
Most of the time employees did all work in the office and conducted most business work in a Windows environment and used email clients like Outlook or Thunderbird.
Description of Event:
A working computer previously owned by m57.biz was bought on the second-hand market by a certain Mr. Aaron Greene sometime in Early December 2009. Mr. Greene realizes upon running the system that the previous owner’s data is still present on the system and he goes through it to find out that there are some suspicious files related to Drug Use, specifically Methamphetamine. Mr. Greene goes through some documents, images and videos and realizes that this indeed is related to illegal drug processing and distribution and reports it to the police.
Method of Investigation:
The police upon receiving a call from Mr. Greene took the system in their custody and created a disk image for forensic investigations.
The police forensics team found that:
· The computer actually was owned by m57.biz
· An employee with m57.biz, named Jo was using this as a workstation till 2009
· The system was sold without any changes to Mr. Aaron Greene on December 1, 2009.
The police also interrogated Mr. Greene about the evidence and his chain of custody and found his answers to be inconsistent.
Computer Forensics includes getting and analyzing digital data for use as proof in civil, criminal, or administrative cases. A computer forensics expert investigates information that can be extracted from a computer’s hard drive etc. The data obtained might exist on the drive but may be difficult to find or decrypt. Computer forensics is different from Data recovery in the sense that in data recovery we know what we are looking for; the type of file, size of file or the content of the file is known and thus it is easier. In computer forensics details about the data are not known. Also, data obtained as evidence can be both confirming that the suspect has done the crime (inculpatory) or might clear the suspect (exculpatory).
Evidence Collection and preservation Method:
To collect evidence of a digital crime, Data Acquisition is used. Data Acquisition is a process to copy data. In computer forensics, it is the act of collecting digital evidence from electronic media. Our primary objective here is to preserve the evidence in digital form. Sometimes we might have only one chance to make a reliable copy of a disk with an acquisition tool. Once an image is created, we must ensure that the image acquired can be verified.
The data collected in computer forensics acquisition tool is stored as an image file. The image file can be one of three of which two are open-source and one is proprietary. The open-source formats include AFF (Advance forensic format) and Raw format. While the proprietary formats are dependent on the tools used to create the image file. The proprietary formats allow for
· Option to compress or not the image files of suspect drives to reduce space requirements of the target drive.
· It also provides capability to split a large image file into smaller files for archiving
· It can integrate the metadata of the image file into the image itself. Data such as date time of acquiring, hash value and other case details can be embedded in it.
In our case the disk images were created by the police forensics team using AccessData FTK Imager.
In conclusion, we have the following information:
· A computer containing suspected files related to methamphetamine processing and drug use and distribution was obtained by police.
· The system belongs to a certain Jo working as a patent researcher with m57.biz, a new patents research firm.
· The system was sold on secondhand market without clearing the data from it and was sold to Mr. Aaron Greene who found this data and informed the police.
· The Police team was able to make a copy of the original disk on December 2, 2009.
· I was called as a forensics expert to look into the evidence and find Inculpatory/exculpatory evidence.
Methodology Details
Digital Forensics is the route toward uncovering and interpreting electronic data. The goal of the cycle is to defend any confirmation in its most novel construction while playing out a coordinated assessment by get-together, perceiving, and endorsing the high-level information to replicate past events.
Digital forensics (also called as digital forensic science) is a part of forensic science that contains the searching, preserving transmitting and analysis of digital material evidence found in electronic storage devices, mostly in connection to a digital crime.
The words “digital forensics” were traditionally used interchangeably with “computer forensics” but have since evolved to include detection of all devices that can be used for storing digital data like mobiles, USB drives, email servers, internet browse history etc.
The most common application of Digital forensics is to either support or reject a hypothesis in criminal or civil courts related to but not limited to cyber crime. Such Criminal cases include the alleged breaking of laws that are maintained by legislation and that are enforced by police and can be prosecuted by the state, such as theft, murder and assault against any person, protecting the rights and property of individuals (that may be associated with family disputes) but may also be about contractual issues between companies where a slightly different form of digital forensics known as electronic discovery (ediscovery) may be used.
Forensics also appears in the private sector; like during an internal corporate investigation or intrusion detection investigation, a data theft, a breach of a security perimeter, especially a digital perimeter like a firewall etc. System hacks, ransomware and inter-governmental, terrorist hacking activities also sometimes require Digital forensics to find evidence against the culprit.
The technological part of an investigation is divided into several sub-parts, pertaining to the form of digital media involved. They include computer forensics, analysis of computer RAM and Hard disk data; network forensics, analysis of emails, and other network devices like a breach of a firewall etc; forensic data analysis, related to analysis of financial frauds and analysing the patterns of fraud activities; and mobile device forensics, related to analysing call records, SMS records, chat messages and location of a device etc. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.
Other than finding direct incriminating evidence of a crime, digital forensics are also used to point evidence to specific suspects, confirm or deny alibis or statements, determine criminal/malicious intent, identify true sources (like, in copyright cases), or validate documents. Investigation activities are much wider in scope than in other domains of forensic analysis (where the objective is to find answers to a bunch of simpler questions) often involves complex time-lines analysis or hypotheses.
The setting is regularly for the use of information in a courtroom, however advanced legal sciences can be utilized in different occasions.
Steps of digital Forensics:
In order for digital evidence to be acceptable in a court of law, it must be obtained, processed and stored in a very particular way so that there isn’t any opportunity for cyber criminals to tamper with the evidence.
1. Identification: The tasks done in this stage identifies with all of the works that should be done before the real examination and official assortment of information. Among the things to be performed are getting the required endorsement from concerned authority, planning and setting-up of the instruments to be utilized, and so forth. Apart from this, we also need to locate the evidence and maintain a chain of custody of these articles of evidence, be it a hard drive, a flash drive or any other electronic media of data...