COMP2310 Digital Forensics - Assignment 2

LEARNING OUTCOME

This assignment deals with the recovery of digital evidence. On successful completion, you will be able to

  • Engage with material learned in COMP2310;

  • Develop and follow suitable processes when performing incident response and conducting digital forensics investigations;

  • Evaluate a practical case with respect to digital forensic investigations;

  • Use appropriate tools and techniques to collect and recover data from a variety of digital sources; and

  • Communicate effectively the results of an investigation following professional

SUBMISSION

This is a group (of at most 5 students) project. Only one submission, via Turnitin, is required per group.

Presentation

Each group is required to do a presentation for the assignment discussing the process involved in digital investigation.

The group presentation will be submitted via video recording. So, you need to have a group meeting with your teammates online and do the presentation. This needs to be recorded for submission.

Each group will present for 10 minutes, and each student is expected to present for around 2–3 minutes. As time is restricted, please ensure that you finish your presentation within the allocated time. Note that:

  • All members of the group must present in the group

  • If your group is not prepared on your assigned presentation date, 5 (five) marks will be taken from your grade for the presentation.

  • Your presentation must finish within the time (10 minutes) allocated for

  • Presentations that exceed the time limit will be penalized at the rate of 5% of the presentation grade per extra minute.

The marking guideline is as follows:

Presentation Structure 1 Mark
Communication of Content 1 Mark
Visual Aspects of Presentation 1 Mark
Speaking Skills and Audience Interaction 2 Marks
Total worth 5 Marks

Final Report

You need to prepare a forensic report with a maximum of 2000 words. You need to explain the procedures used to answer the above-mentioned questions (i.e., Ex. 1–10).

Acquisition – Describe the process in which you acquired evidence. You should be comprehensive in detailing your process/methodology.

Analysis – This can vary based on the scope of your analysis, but you should describe what tools/techniques you used (if you are using tools other than Wireshark) as well as your results. If you used multiple tools, you should provide tool version numbers so your results can be cross-validated by another examiner. You should provide enough information that another examiner who was provided with your evidence files would be able to confirm or dispute your findings.

Steps Taken – Be detailed. Remember, your results should be reproducible. Include software and hardware used. Do not forget to include version numbers. You also need to include screenshots of your practical analysis to demonstrate various steps of investigation.

Evidence – This should include the answers to the above-mentioned questions with screenshots (e.g., the content of an email).

EXPECTATION AND TIMELINE

There is a 10% threshold for the word count. The maximum word length is 2000 words and the minimum word length is 1500. There are penalties of 5% per 100 words over 2000 or under the 1500 word limit.

  • No fancy fonts and 5 to double-spacing to be used at all times.

  • All work submitted must be authored by the student submitting the work or, where material from other sources is included, it must be referenced using IEEE referencing.

  • Students found to have plagiarised will be dealt with according to university
  • Students should submit a single word or pdf
  • The assignment is to be submitted via
  • The assignment is due on 5 June at 5pm.

MARKING

Marks will be available in iLearn by two weeks after the submission due date. The marking guideline is as follows:

Questions correctly answered 10 Marks
Content precisely presented with snapshots and figures 2 Marks
Readability and presentation of material (layout, no grammatical errors, reads well, figure quality, etc.) 2 Marks
Cited references 1 Mark
Total worth 15 Marks

OVERVIEW

Network Forensics (marks: 6)

As a junior Digital Forensics investigator, suppose you were asked to passively monitor and characterise the cyber activities of a potential suspect named Carlos Gacimartin. To this end, you resolved to remotely acquire network traffic from the computer(s) (or virtual machine(s)) and mobile phone used by Carlos Gacimartin. Your supervisor asks you to answer the following questions to perform some basic analysis.

Ex. 1 — What is the hostname of the machine used by Carlos Gacimartin? (marks: 1)

Ex. 2 — What is the total number of emails sent and received by Carlos Gacimartin? (marks: 1)

Ex. 3 — What is the name of the person in the picture sent by Carlos Gacimartin? (marks: 1)

Ex. 4 — What is the size (in kilobytes, i.e., KB) of the attached JPEG file in Carlos Gacimartin’s email? (marks: 1)

Ex. 5 — What is the title of the National Geographic journal read by Carlos Gacimartin? (marks: 1)

Ex. 6 — What sort of websites were accessed by Carlos for news content? When were the news websites accessed? (marks: 1)

Mobile Phone Forensics (marks: 4)

Suppose you also captured traffic from Carlos Gacimartin’s phone. As a digital forensics expert, you opt to perform analysis.

Ex. 7 — What is the deviceType and deviceId of the mobile phone? (marks: 1)

Ex. 8 — What is the Phone Model used by Carlos Gacimartin? (marks: 1)

Ex. 9 — What is the location (latitude and longitude) value shared with http://snappy.appypie.com? (marks: 1)

Ex. 10 — What is the country name in which the mobile phone was used? (marks: 1)
