COIT20267 Computer Forensics
Written Assignment — Case Study
Assessment 2
Due date: 23:45:00 AEST Week 11 Friday (25/05/2018)
Length: 3,500 words excluding title page, ToC and references list
General Assessment Criteria
Incomprehensible submissions. Assessments provide the opportunity for students to demonstrate their knowledge and skills to achieve the required standard. To do this, assessment responses need to be both clear and easy to understand. If not, the University cannot determine that students have demonstrated their knowledge and skills. Assessments will, therefore, be marked accordingly including the potential for 0 (zero) marks where relevant.
Late penalty. Late submissions will attract penalties at 5% for each day or part thereof that it is late of the total available mark for the individual assessment item. This means that, for an assessment worth 45 marks, the mark that you earn is reduced by 2.25 marks each day that the assessment is late (including part-days and weekends).
Check the marking criteria. Before submitting your assignment, you should check it against the detailed assessment criteria included in this specification to ensure that you have satisfactorily addressed all the criteria that will be used to mark your assignment.
Academic Language. All submissions should be thoroughly proof-read for spelling, typographical or grammatical errors before being submitted. Do not rely on the ‘spell-check’ function in your word processing program. If, for example, ‘affect’ is substituted for ‘effect’, your program may not detect the error.
All assignments will be checked for plagiarism (material copied from other students and/or material copied from other sources) using TurnItIn (TII). If you are found to have plagiarised material or if you have used someone else’s words without appropriate referencing, you will be penalised for plagiarism which could result in zero marks for the whole assignment. In some circumstances a more severe penalty may be imposed.
Useful information about academic integrity (avoiding plagiarism) can be found at: CQUniversity referencing guides https://www.cqu.edu.au/student-life/services-and-facilities/referencing/cquniversity-referencingguides
Who submits? For on-campus students, one and only one of the group members needs to submit for the entire group. Distance Education (hereinafter ‘DE’) students need to submit individually.
What to submit? A report in MS Word format (.doc or .docx) needs to be submitted. No other document formats are accepted; in particular, PDF files, Apple Pages files, Apple Keynote files and online Google Docs links are not accepted.
No Zipped files. Students must not zip multiple files and submit them as one single zip/compressed file.
Means of submission. All assignments must be submitted electronically to Moodle. The submission links can be accessed through the Assessment block on the Moodle unit website. Physical copies and email submissions are not accepted.
Auto-submission. Moodle implements an auto-submission process for those items uploaded and left as drafts before the original deadline. However, any assessments uploaded after the original deadline must be manually submitted by the students.
Please note that the auto-submission process does not work for assessments which have extensions. Auto-submission only works where the original deadline of an assessment has not changed. If you are submitting after the deadline (original or extended), you must complete the Moodle submission process.
Further details on completing the submission process are available via the ‘Moodle Help for Students’ link in the Support block of your Moodle pages.
Complete and correct submission. Requests for changing files after the submission deadline may be granted if the Unit Coordinator is contacted. However, if a change of files is allowed by the Unit Coordinator, then the submission time will be taken as the latest time (i.e. when the last update is made), not the original submission time. That will result in a late penalty.
This assignment is based on the following case. Please read it carefully:
Building Finance Pty Ltd is a leading consumer finance company in Australia. Building Finance employs more than 1,000 employees and the company serves more than 3 million customers in Australia. The company offers a range of services including personal loans, car loans, credit cards, personal insurance, and interest-free retail finance.
Building Finance has invested heavily in information technology for supporting its business operations and achieving competitive advantages over its competitors. Major investments were made by the company in the early 2000s, but in recent years management has lost focus on updating the networks and application infrastructure that support the business operation. The network environment between all of Building Finance's offices is flat and relatively unrestricted. Users from one office can access systems and servers from another office. Workstations and servers are typically Microsoft Windows-based. Firewalls and network segmentation are implemented poorly throughout the environment. Intrusion detection and logging exist on systems but they are not effectively used.
Last night, a team leader from the Brisbane office urgently contacted the Information Security Office at Building Finance head office with some concerns regarding the office computer system. He suspects that someone has compromised a few computers in the office building, including his computer.
He noted that a few new features of finance management software have been introduced to the computer system. In addition, several files containing customer personal information have been modified from some of the office computers.
The Information Security Office, specifically its investigative and forensic capabilities, is housed at the head office in Sydney and is responsible for investigating similar issues that occur in all offices. The Information Security Office takes this suspicion seriously. A team of digital forensic investigators is formed to investigate this suspicion at the Brisbane office. Apart from reviewing paper-based company documents, the team is tasked to undertake digital forensic analysis of the network and computer systems at the Brisbane office. This involves conducting a network analysis, gathering digital evidence from servers, PCs and e-mail accounts, conducting a cloud investigation, as well as a social media investigation if needed.
Group/Individual assignment. This is a group assignment for on-campus students and an individual assignment for DE students. If needed, group formation and registration guidelines are available in the Presentation Assignment Specification.
Length. For on-campus and DE students, the report is 3,500 words in length, excluding title page, ToC and references list. 10% leeway on either side is applicable.
Assumptions. Students are encouraged to make assumptions wherever necessary subject to two conditions: (1) assumptions should not contradict the factual information given in the case; (2) assumptions, once made, must be relevant and addressed in your report.
In the capacity of a computer forensics expert, your task is to prepare a computer forensics investigation plan to enable a systematic collection of evidence and subsequent forensic analysis of the electronic and digital data. This plan should detail the following:
1- Justify why the use of the digital forensic methodology and approach is warranted including appropriate procedures for the Company’s investigation.
2- Describe the resources required to conduct a digital forensic investigation, including skill sets and the required software and hardware for the forensics team members.
3- Outline an approach for data/evidence identification and acquisition that should occur in order to be able to identify and review the digital evidence.
4- Outline an approach and steps to be taken during the analysis phase. In particular, explain what would be involved in the network, servers, PCs, e-mail, cloud and social media investigations.
5- Develop relevant security policies for the Company.
6- Provide recommendations to the Company for dealing with similar future problems.
Tips for preparing your computer forensics investigative plan
In writing the computer forensics investigation plan, students need to address the following points. Do note that the points listed below are not exhaustive and should be treated as helpful tips.
• Justify a need for computer forensics methodology and consider the scope of the case including the nature of alleged misconducts leading to consideration of how electronic and digital evidence may support the investigation.
• Consider the required resources and include details regarding preparation plan for evidence gathering (such as evidence forms, types, storage media and containers), forensics workstation and peripherals needed, software/tools for analysis depending on the type of evidence to be gathered including rationale for selected tools, and consideration of team member skills in digital analysis (such as OS knowledge, skills for interviewing, consultation, working as per the needs of the team and understanding of law and Company policies).
• Detail the approach for data acquisition including the different types of evidence that can be gathered and their source depending upon the nature of the case and scope of investigation, develop a plan for data acquisition including rationale for selected plan and contingency planning, detail type of data acquisition tools needed including rationale and an outline for the data validation & verification procedures.
• Provide an outline of the forensic analysis procedures/steps depending upon the nature of evidence to be collected, and detail the validation approach. This can include techniques to counter data hiding, recovering deleted files, procedures for network, servers, PCs, e-mail, cloud and social media investigations.
• Develop suitable security policies for the Company.
• Provide appropriate recommendations to the Company for dealing with the problems.
• Prepare a professional report with an Executive Summary, a Word generated table of contents, an Introduction, a body of the report with proper headings and sub-headings, and a Conclusion.
• Table of contents for the investigative plan should consider what to include in the report, structure of the report, focus or scope of the report including supporting material to be provided and references. This table of contents should include headings and sub-headings pertaining to the aspects addressed in the above dot points.
Specifically, your report should include the following.
1. Title page: (each) student name (in your group), (each) student number (in your group), (each) student email address (in your group, use CQU email), title of your report, local lecturer/tutor, and unit coordinator. Not counted towards the word count.
2. Executive summary.
3. Table of Contents (ToC): should list the report (sub)sections in decimal notation. Create the ToC using MS Word’s ToC auto-generator rather than manually typing out the ToC. Instructions can be found here: https://support.office.com/en-gb/article/Create-a-table-of-contents-or-update-atableofcontents-eb275189-b93e-4559-8dd9-c279457bfd72#__create_a_table. Not counted towards the word count.
5. Body of the report (use appropriate headings in the body of the report).
7. Reference list: all references must be in Harvard Referencing Style. Not counted towards the word count.
- Justification (3 marks) Is the justification of “why use of the digital forensic methodology and approach is warranted” sound?
- Resources (9 marks) Are the resources required to conduct a digital forensic investigation completely listed?
- Approach (8 marks) Is the approach for evidence identification and acquisition reasonable?
- Steps (10 marks) Are steps to be taken during the analysis phase reasonable?
- Policies (5 marks) Are they suitable for the Company?
- Recommendations (5 marks) Are they appropriate?
- Formatting and References (5 marks) Is the table of contents for the investigative report complete? Can this reflect the student’s understanding of forensic principles? Is the paper consistently formatted with balanced structure? Are the references correctly cited?
- Incomprehensible English (up to 45 marks)
If the report is unable to be read and understood by the marker, the marker may impose a penalty up to 45 marks to this assessment.
- Late penalty (up to 45 marks)
In the absence of an extension, the marker will impose late penalties at 2.25 marks for each day or part thereof that the assignment is overdue.