Digital Forensics Investigation Report: Forensic Analysis of a Suspect's Computer
You are expected to spend about 40 hours to complete this assignment to a satisfactory standard.
This assignment is worth 60% of the overall assessment for this module.
This Assignment assesses the following module Learning Outcomes (from Definitive Module Document):
1. Demonstrate the ability to independently conduct digital evidence in the terms of collection and acquisition.
2. Demonstrate the ability to critically analyse and evaluate digital evidence for reporting in a forensically sound manner.
3. Demonstrate the ability to apply knowledge in the current technological issues in digital forensics.
Detailed Instructions
You are a digital forensics analyst working for Customs and have been assigned to an investigation. Customs officers already collected forensic artefacts relating to the case and have managed the integrity and continuity issues during collection and transportation. One of the forensic artefacts was a computer containing a single hard disk. Customs officers have delivered the forensic image of a suspect's computer to you alongside a file containing the hash values of the image.
Your task is to analyse the forensic image as part of the investigation and produce a report based on your management of the case, your analysis and your findings.
You will have to:
1. setup your forensic workstation for your analysis, which would include any forensic tools that you feel are appropriate for the job,
2. download a copy of the forensic image from the server to your forensic workstation while addressing continuity and integrity issues,
3. carry out a forensic examination of the evidence file that you have been supplied with and forensically examine its contents, ensuring that you document your actions and decisions as detailed contemporaneous notes.
4. write a report detailing the investigation.
The files required for this assessment can be downloaded from https://herts365- my.sharepoint.com/:f:/g/personal/ct19abi herts ac uk/Em5PmtzMQcBJoPt-YlT- eKkBcb3GWTa2AK0pQ1hfdVa-ww?e=4ZpBas (https://herts365- my.sharepoint.com/:f:/g/personal/ct19abi herts ac uk/Em5PmtzMQcBJoPt-YIT- eKkBcb3GWTa2AK0pQ1hfdVa-wwe=4ZpBas)
Please be aware that you MUST be logged into your university account to be able to download these files.
Case Management
Report on activities for setting up a new case. Report on continuity and integrity issues.
Evidence Analysis
In your analysis you are to comment on:
the disk structure, partitions and filesystems present in the forensic image.
the Operating System installations.
Time zone settings.
the software program installations.
hardware devices and hardware volumes that were connected in the operating system.
the users and their profiles: (for example: profile characteristics, e-mail activity, internet activity, personal data analysis, suspect's relationship to others and future intentions).
any other findings or supporting evidence that is significant to the case.
Findings/Conclusions
Your findings should be presented in a factual way, following best practice. Your findings should include any relevant information that you have discovered during your investigation.
Contemporaneous notes
Produce contemporaneous notes that reflect the work you have undertaken and justify how you maintained the chain of custody. It is advisable you make use of a specialist tool to securely record your digital notes. Your contemporaneous notes should be submitted as an Appendix to the report and there is no word count for the notes.
Report Structure
Logical organisation of thoughts and arguments, brevity, clarity, word processed report. and appropriate style, punctuation, and spelling.
Submission Requirements
You are required to submit a report using the submission link provided on Canvas. The report should be written in either Microsoft Word or OpenOffice and submitted in a doc, docx, odt or fodt format. As a guide, your final report is expected to be in the region of 2000 words which does not include appendices and references. You are expected to demonstrate an insight into the implications of the problem introduced in each task by using clear and concise arguments. The report should be well written, showing good skills in creativity and design. Sentences should be of an appropriate length and the writing style should be brief but informative. Remember, digital forensic analysts report on facts and avoid comments and generalisations.
In this assessment you are expressly prohibited from (i) using GenAI tools for the creation of content and (ii) from using GenAI tools or a proofreader or a proofreading service for proofreading.
The following report structure is expected:
1. Title page Include module code, assignment title and student ID number.
2. Introduction - Include a discussion of case management.
3. Evidence analysis.
4. Findings and Conclusions - Include critical discussion of the investigation.
5. References.
6. Appendix Include contemporaneous notes.
