Perform a forensic investigation into digital evidence.
Assessed Learning Objectives
LO3 – Analyse, interpret and report on digital evidence
LO4 – Use and extend a technical vocabulary necessary to interact with stakeholders in a digital forensic investigation
Unfair Means to Enhance Performance
Please see the UCLAN Academic Regulations and Assessment Handbook for information and penalties related to “unfair means to enhance performance”.
Work submitted up to 1 week late from the submission date will be capped at 50%. No work will be accepted after 1 week without supporting extenuating circumstances. All assignments must be submitted electronically through Blackboard where they will be processed by Turnitin. Extenuating circumstance requests must be lodged via myUCLAN.
Learning to write concisely is an important skill to develop and is useful throughout your academic and professional career. Your mark will be penalised heavily if you exceed the word counts or page limits.
You should use Microsoft Word to complete this assignment. If you use a word processor other than Microsoft Word then you should check to ensure that the document layout is the same as Microsoft Word. Microsoft Word is also available through the University remote access portal page.
Constraints: 6 pages + contemporaneous notes
Feedback: Up to 3 weeks after submission
Weight: 50% of the module mark
Audience: Non-technical client/investigation commissioner
You are provided with an evidence file available on Blackboard.
Perform and report on individual parts of a digital forensic investigation.
This is a simulated investigation and doesn’t include the analysis of lots of irrelevant data. The evidence that is provided is small and doesn’t include any tricks. You will however need to interpret the data/evidence and draw your own conclusions based on the evidence you find.
You will create an expert report to communicate your findings. See the scenario below for further information about your investigation. You will keep notes of your investigative actions contemporaneously; they should be as long as is necessary but should reflect your investigation process accurately.
You should copy your contemporaneous notes to the end of your report and submit a single document.
You are a forensic investigator working for the UCLAN High Tech Crime Unit. You have been contacted by the Managing Director of the company ‘Vamos Solutions’. One of their employees has been accused of stealing company secrets.
The employee has attempted to smuggle company secrets out of the work building by copying company secrets onto a USB data storage device. While leaving the building the employee was detained by on-site security and the USB storage device was discovered. This USB storage device has been processed by a forensic imaging technician and the forensic image has been obtained.
You have been provided with a forensic image of the USB data storage device. This is called exhibit CST/001. This is available for download via Blackboard and is available under CO4514->assignments->co4514ass2year4.e01. This is an evidence file that contains the USB image file and must be viewed in forensic software such as Autopsy.
You have been asked to answer the following questions.
Question 1 – Is there any evidence to suggest that the company secrets have been copied onto the USB pen?
Question 2 – Is there any evidence to suggest that the suspect has tried to hide any data?
Question 3 – Any evidence to suggest the reason why the suspect has attempted to steal this data?
Question 4 – What further evidence may be needed by the investigation team to support any of the facts discovered during your investigation?
Note: question 4 is not about the evidence that you will find during your investigation; it is about identifying what further evidence could possibly be found if you had access to other evidence sources (for example, the suspect’s office computer).
You must take lots of screen shots during your investigation and copy these screenshots into your contemporaneous notes. Failing to do this will mean that you fail your assignment.
You must use your name as the case number when setting up the new case in Autopsy. When you create a case in Autopsy, the case number is appended to the title bar; and your name will appear in each screen shot you take of Autopsy.
For every action you take in Autopsy, you should take a screen shot and then provide notes that explain what you are doing, why you are doing it, what you hope to discover, and what you actually discover.