CYBERCRIME FORENSIC ANALYSIS – COCS71193
Assignment Specification Weighted at 100% of the module mark.
Learning Outcomes being assessed by this portfolio.
- Critical understanding of the techniques and procedures used to identify, collect, and analyse digital evidence of computer crime.
- Critically evaluate methods of evidence handling where digital evidence could be overlooked or misinterpreted.
- The use of digital forensics tools in digital forensic analysis.
Deadline: Monday 6th May 2024, 1600Hrs.
Requirements & Marking Scheme
General Guidelines:
This is an individual assessment comprised of four parts and is weighted at 100% of the module mark. All Parts A, B, C and D are equally weighted at 25% of the overall module mark. Part A will assess your understanding of Windows File Systems and how they can be abused by perpetrators. Part B will assess your understanding of Digital Forensic Investigations through evidence collection and preservation. Part C will assess your understanding of Threat and Malware Analysis. Finally, Part D will assess your practical understanding of the digital forensic investigation tools.
You are expected to approach all parts of this assignment as small but comprehensive academic reports. Please DO NOT deviate from the recommended word limit by more than 10% in either direction.
As such the following report structure is expected:
- Introduction, where you will discuss your plan for solving the problem introduced by the instructors.
- Main Body, where you will develop your arguments.
- Conclusions, where you will critically discuss your findings.
- References (At least 25 peer reviewed references in total)
- Appendixes (if needed)
You are expected to demonstrate an insight into the implications of the problem introduced in each task by using clear and concise arguments. The report should be well written (and word-processed), showing good skills in creativity and design. Sentences should be of an appropriate length and the writing style should be brief but informative. The report should have a consistent layout and be divided into enumerated sections, sub-sections, sub-sub-sections, etc. For the references and bibliography, you are expected to use appropriate peer-reviewed sources for developing your arguments, and an appropriate referencing style as per the University regulations.
A digital copy of the report should be submitted using blackboard/Turnitin (email submission will not be accepted), more instructions will be given for this by your instructor(s).
The deadline for this assignment is Monday 6th May 2024 (16:00, hard deadline).
Presentation of the Assignment Report
It is your responsibility to ensure that your work is neatly and accurately presented. The work must be:
- Word processed.
- Include a title page, table of contents, table of figures, list of tables, etc.
- 1.5 line spaced.
- 2.5cm margins around the page (if you are using MS Word, this should be the default).
- 12-point font in Calibri, Arial, Times New Roman or Tahoma (choose one and use it consistently throughout the report).
- Text justified.
- Harvard Referenced.
- Include a word count for every part of the assignment.
- Word count should exclude, table of contents, table of figures, list of tables, references, and appendices.
Part A – FAT32 vs NTFS
Part A is weighted at 25% of the overall module mark. It is expected that this part of the portfolio will be in the region of 750 – 1000 words, discussing how a perpetrator can hide data in FAT32 and NTFS file systems by abusing their ‘features’. You are expected to comment on FAT32 and NTFS slack space, alternate data streams, and file deletion.
| Part A, Assessment Criteria | Marks Available |
| --- | --- |
| Slack Space | 5 |
| File Deletion | 5 |
| Alternate Data Streams | 10 |
| Report Structure and Referencing | 5 |
| Total | 25 |
Part B – Digital Forensic Readiness
Part B is weighted at 25% of the overall module mark. It is expected that this part of the assignment will be in the region of 750 – 1000 words, discussing computer crime in modern society and Incident Response (IR). Additionally, you are required to discuss the concept of Forensic Readiness (FR) within a Small-to-Medium Enterprise (SME), aiming to identify and prevent computer crimes.
| Part B, Assessment Criteria | Marks Available |
| --- | --- |
| Computer Crime in Modern Society Discussion | 5 |
| IR Discussion | 5 |
| FR within SME Discussion | 10 |
| Report Structure and Referencing | 5 |
| Total | 25 |
Part C – Threat and Malware Analysis
Part C is weighted at 25% of the overall mark. It is expected that this part of the portfolio will be in the region of 750 – 1000 words, critically discussing the different technologies that are available to a malware analyst. Thus, this section will assess your critical understanding of the methods of malware analysis and malware analysis environments. You are expected to develop your arguments and critically compare dynamic malware analysis with static malware analysis. You should also compare the use of an isolated physical machine with the use of a virtual machine and briefly explain which environment suits which analysis method. You are also expected to comment on the malware analysis tools used in static and dynamic analysis.
You are expected to use appropriate peer-reviewed sources for developing your arguments and an appropriate referencing style as per the University regulations.
Your report should include:
- Discussion on malware analysis methods
- Goals of malware analysis
- Comparison discussion
- Mapping to analysis environments
- Discussion on the tools
| Part C, Assessment Criteria | Marks Available |
| --- | --- |
| Malware Analysis Methods and Goals | 5 |
| Comparison between Static and Dynamic Analysis (Include Tools Used) | 12 |
| Mapping to Analysis Environments | 5 |
| Report Structure and Referencing | 3 |
| Total | 25 |
Part D: Practical Digital Investigation
This section will assess your ability to analyse and present evidence in a mock courtroom environment. Part D is weighted at 25% of the overall module mark and has no word count. You will be given a raw image file (on Blackboard under the Assessment Content). You need to produce a report outlining the list of evidence identified, the forensic analysis of each piece of evidence, and the appropriate artefacts needed to resolve the alleged crime. This report should be included within your final portfolio report. For this part of the assignment, you are expected to use EnCase; however, you can use any of the available free/open-source digital forensics investigation tools (e.g., Autopsy – https://www.sleuthkit.org/autopsy/).
| Part D, Assessment Criteria | Marks Available |
| --- | --- |
| Evidence Handling and Identification | 7 |
| Evidence Analysis | 15 |
| Report Structure | 3 |
| Total | 25 |
Evidence Identification/Analysis
In your analysis you are to find (but not limit yourself to) the following pieces of evidence and comment on them:
- Disk geometry analysis of the given exhibit (e.g., partitions present in the collected artefacts, recovery of deleted partitions etc.)
- Time zone settings.
- Installed Operating System.
- Programs installed.
- Devices and hardware volumes.
- Steganographic Contents.
- Encrypted Documents (PDF, text, word, etc.)
- Binary files (executables)
- The users’ information.
- Emails.
- Internet activities.
- Cookies information.
- File carving / recovery of deleted files.
- When was the last recorded computer shutdown date/time?
- Who was the last user to logon to the computer?
- List the network cards used by this computer.
- Find any IP address and the MAC address of the computer.
Findings/Conclusions
Your findings should be presented in a factual way and should include any relevant information that you have discovered during your investigation. You are expected to include your analysis and evaluation of the tasks in a reflective way.
Report Structure
Logical organisation of thoughts and arguments, clarity, effective presentation of deliverables, a word-processed report following the discussed guidelines, and appropriate style, punctuation, and spelling. The use of a numbering format is highly recommended to make the presentation effective.
Best Wishes!
Marking Scheme
| Criteria | Fail (< 50) | Reasonable (50 – 59) | Good (60 – 69) | Excellent (> 70) |
| --- | --- | --- | --- | --- |
| Part A | No understanding of the various data hiding techniques. No discussion of the slack space, ADSs or the various ‘deleting’ mechanisms. | Clear understanding of data hiding techniques discussing file slack, disk slack, hiding executables in ADSs and other data types as well as file system deletion, directory deletion, and file deletion. May contain some errors. Some examples but very limited. | A clear and useful theme is developed. Insight into implications. Clear and concise arguments that lead to appropriate conclusions and recommendations. Very good examples demonstrating all of the techniques. Contains very few errors. | As before plus: Excellent understanding and exposition of data hiding issues that shows insight and draws together various investigative techniques. No errors. |
| Part B | Superficial arguments. Very limited discussion of the issues presented by the assignment document. | Reasonable evidence of adequate understanding of digital forensics. Appropriate discussion on computer crimes and information security. IR and FR procedures are discussed but may contain errors. | As before but correlations between crimes are clearly identified and discussed. The report demonstrates a good understanding of the processes, covering all key issues, and demonstrating a good critical understanding of the implications. | High academic learning ability achieved. Exceptional quality of output demonstrating professionalism. The report can be seen as ‘best practice’ for IR and FR and it clearly argues how IR must be coupled with FR. |
| Part C | No understanding of static and dynamic analysis. No insight into the analysis environment and tools used. | Clear but underdeveloped arguments with inappropriate justification. Limited critical discussion of static analysis vs dynamic analysis, analysis environment and tools used. Contains errors. | A clear and useful theme is developed. Insight into the analysis methods and the environment. Clear comparative analysis of the methods and tools. Contains very few errors. | As before but with excellent flow of ideas, with a sense of understanding containing no errors. Good report structure with relevant peer-reviewed sources. |
| Part D | No case and no clear evidence handling procedures. No evidence analysis. Very weak report structure. | Evidence of some insight into the investigative procedure. Very little analysis that covers only the system analysis. Some conclusions are given but contain errors. Some structure to the report is provided. | Appropriate management of evidence. Report covers some of the key issues. Complete analysis of evidence that leads to findings. Contains very few errors. | High academic learning ability achieved with excellent understanding of the various investigative techniques, demonstrating professionalism. Can participate in case work. |