Digital Forensics COMP2310

Faculty of Science & Engineering

COMP2310 Digital Forensics (S1 2025)

Assignment 1 Description

(Total Marks: 200, with 20% weightage in Final Grade)

LEARNING OUTCOME

This assignment deals with the recovery of digital evidence. On successful completion, you will be able to

  • Engage with the material learned in COMP2310;
  • Adhere to the highest ethical standards, obey the laws, and follow procedures at all times when collecting and dealing with digital evidence.
  • Evaluate a practical case concerning digital forensic
  • Use appropriate tools and techniques to collect and recover data from a variety of digital
  • Communicate effectively the results of an investigation following professional

Task 1. Digital Forensics Capture-The-Flag (CTF): Investigating Hidden Data

This task is designed as a practical CTF challenge with an emphasis on forensic analysis and reporting. As a digital forensics analyst, your objective is to uncover as many hidden flags as possible within the provided assignment folder and document the methodology used to extract them. Throughout this task, you will explore common techniques for hiding and retrieving files/content within a computer system. Your technical report should detail the investigative steps you followed, ensuring that a client or another analyst can replicate your process. Additionally, you must provide a brief explanation of the commands and tools used to locate each flag.

Rules of Engagement:

  • The zipped file zip contains all the necessary files for this task. You are free to explore, view, edit, and create content within this folder. However, if files are accidentally deleted, you will need to re-download the ZIP file to continue.
  • You are permitted to use any tools to assist in your However, most challenges can be completed using basic command-line interface (CLI) commands in Kali Linux, and spending excessive time searching for specialized tools may not be efficient. Commands and tools relevant to this assignment are covered in Weeks 13 of the course lectures. Flags follow a specific format: ANS{} (e.g., ANS{313d735577e515a4864955b73506729c} or ANS{Y0u_C4nt_S3e_M3}).
  • A file named DO_NOT_OPEN.txt is explicitly out of scope and should not be It contains sensitive information unrelated to the assignment, and any interaction with this file is prohibited.

Task 2. Forensic Analysis of a Seized Laptop: Investigating Policy Violations and Security Risks

In 2022, Macquarie University seized an HP laptop belonging to one of its employees. This employee performs the majority of their work on a workstation that is more powerful than this laptop. Subsequently, the employee decided to pass this laptop to their child, on which the previous OS and partitions were erased, and wiped, and Windows 11 was installed for their private use. This act constitutes a clear breach of Macquarie University's Acceptable Use of IT Resources policy, which outlines the University's commitment to ensuring that its IT resources are used in a manner consistent with legal requirements and ethical responsibilities.

Following the incident, Macquarie University cautioned the employee and recovered the laptop. However, upon booting, the laptop exhibited some suspicious behaviors, prompting the University to initiate an investigation into the machine (i.e., laptop) to ensure that it did not pose any threat to its network.

As a forensic expert, you have been asked to help Macquarie University in examining the image.

This laptop has been imaged and consists of 18 EnCase parts, which have been zipped into a single file. (Primary Download Link) (Mirror Download Link)

Please note that this image, compared to previous workshop images, is large (37 GB)[1]; please permit yourself enough time to download and for Autopsy to analyze the image contents.

SUBMISSION

You need to prepare a single forensic report detailing your findings for Task 1 and Task 2. The maximum word count is 2,500 words and the minimum word count is 1,500. In the report, you need to include the following material:

  • Questions Students must respond to the following questions regarding Task
  • What is the image hash? If you are informed that the verification hash is a5a57c89ebd24b725a1bcd6462bf7670, what would the hash comparison imply? (Disregard this verification hash after this question)
  • What is the current installed operating system? When and how was the earliest operating system installed?
  • List all active account names (skip the system accounts: Administrator, Guest, systemprofile, Local Service, Network Service), login count, date of creation, system privilege level, and password settings.
  • What applications were installed by the suspect within 48 hours after installing the latest operating system?
  • What web browsers had activity between 09:00 and 18:00? Which Domains were accessed by the suspect between 09:00 and 18:00? (Provide Domain name and time of first ) From the web browsers, list every keyword searched and URLs accessed with their respective timestamps.
  • In the course of a forensic investigation, there is a possibility of encountering Personally Identifiable Information (PII) that is unrelated to the Following the Australian Computer Society (ACS) Code of Ethics, particularly the principles of public interest, honesty, and professional integrity, how should such information be managed to ensure compliance with ethical and legal obligations while maintaining the integrity of the investigation?

[1] Based on the download speed at Macquarie University, this requires approximately 35 minutes to download. Therefore, it is recommended to download the file at Macquarie University to save on download time.

For both Tasks 1 and 2, students need to explain the procedures they followed as described below.

  • Acquisition Describe the process in which you acquired evidence/flags. You should be comprehensive in detailing your process/methodology. Keeping in mind that you are satisfying both industry best practices and the legal requirements to admit this evidence at trial. It is typical to see some form of data validation listed, for example, the MD5/SHA1 values for the evidence collected.
  • Analysis This can vary based on the scope of your analysis, but you should describe what tools/techniques you used as well as your results. If you used multiple tools you should provide tool version numbers so that your results can be cross-validated by another examiner. You should provide enough information so that another examiner who was provided your evidence files should be able to confirm/dispute your findings. For Task 1 you must include the text of the flag that was discovered as part of your analysis.
  • Evidence Analyzed This should include serial numbers, hash values (MD5, SHA, ), and custodian information if known. If pictures were taken, you may want to include them.
  • Steps Taken Be detailed. Remember, your results should be reproducible. Include software and hardware used. Do not forget to include version numbers. You also need to include snapshots of your practical analysis to demonstrate various steps of investigation.

EXPECTATION AND TIMELINE

  • The maximum length is 2,500 words and the minimum length is 1,500.
  • No fancy fonts and 5 to double-spacing to be used at all times.
  • All work submitted must be authored by the student submitting the work or where material from other sources is included it must be referenced using IEEE referencing.
  • Students found to have plagiarised will be dealt with according to university
  • Students should submit a single Word or PDF
  • The assignment is to be submitted via
  • The assignment is due Friday, 11 April, 11:55pm (Friday of Week 7).

MARKING

Marks will be available on iLearn by the end of Week 9 of the semester. Task 1 and Task 2 each carry 100 marks, with the rubrics provided in Tables 1 and 2, respectively.

The marking guidelines are as follows:

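| Task 1             | Challenge      | Marks |
|--------------------|----------------|-------|
| Pass - Easy        | Challenge 1    | 30    |
|                    | Challenge 2    | 20    |
| Credit - Medium    | Challenge 3    | 15    |
|                    | Challenge 4    | 10    |
| Distinction - Hard | Challenge 5    | 10    |
| High Distinction   | Report writing | 15    |
| SubTotal           |                | 100   |

Table 1. Task 1 Marks Breakdown.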

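| Task 2                           |                      | Marks |
|----------------------------------|----------------------|-------|
| Question correctly answered      | Q1                   | 10    |
|                                  | Q2                   | 10    |
|                                  | Q3                   | 10    |
|                                  | Q4                   | 10    |
|                                  | Q5                   | 20    |
|                                  | Q6                   | 5     |
| Report Writing and Presentations | Acquisition section  | 5     |
|                                  | Analysis section     | 5     |
|                                  | Steps taken section  | 5     |
|                                  | Evidence section     | 5     |
|                                  | Figures Snapshots    | 2.5   |
|                                  | Layout               | 2.5   |
|                                  | Readability          | 2.5   |
|                                  | Spelling and Grammar | 2.5   |
|                                  | Figures quality      | 2.5   |
|                                  | Cited references     | 2.5   |
| SubTotal                         |                      | 100   |

Table 2. Task 2 Marks Breakdown.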
