Recent Question/Assignment

Work should be submitted in a single MS Word document.
The four questions should be clearly labelled in your submission. The assignment will be submitted to the Turnitin service.
Clarity of explanation and clear reporting style is very important in the discipline of Computer Forensics, and also important in this assignment. The assignment should be 2000 words.
Founded by Pat McGoo, is a new patent search company that researches patent information for their clients.
Specifically, the business of patent search is to generally verify the novelty of a patent (before the patent is granted), or to invalidate an existing patent by finding prior art (proof that the idea existed before the patent). At the start of the scenario, the firm has four employees: CEO, IT Administrator, and two patent researchers. The firm is planning to hire additional employees at a later date once further clients are booked. Since the company is looking to hire additional employees, they have an abundant amount of technology in the inventory that is not being used.
Employees work onsite, and conduct most business exchanges over email. All of the employees work in Windows environments, although each employee prefers different software (e.g. Outlook vs. Thunderbird).
Important Illegal Activities in this case:
? A functioning workstation originally belonging to was purchased on the secondhand market. The buyer (Aaron Greene) realizes that the previous owner of the computer had not erased the drive, and finds illegal digital images and videos on it. Aaron reports this to the police, who take possession of the computer.
? Police forensics investigators determine the following:
? The computer originally belonged to
? The computer was used by Jo, an M57 employee, as a work machine.
? Police contact Pat McGoo (the CEO). Pat authorizes imaging of all other computer equipment onsite at M57 to support additional investigation. Police
further pursue a warrant to seize a personal thumb drive belonging to Jo. (More details are in the attached detective report)
The materials you will use for your investigations are available from the links below.
These data file are unique to the assignment, so do not use files from any other source or your results will be incorrect!
The files included are:
Detective report
MD5 Hash : 6503aebc41b067af1f6cdf9e1b88a05e detectivereport1.pdf
Hard drive image 2009-11-19.E01 (of the original sold computer) MD5 Hash 258f5ba43eb8a0a141eb19648bbf5c4b jo-2009-11-
19.e01 Z1bHM
Hard drive image 2009-12-01.E01 (of the suspect’s replacement computer seized from M57)
MD5 Hash: 477cf7b5ce449c44c8e78099be06064b jo-2009-12-
01.e01 WkstSUk
USB images x2 (Unknown if these relate to the case but are included as they were seized at the same time)
MD5 Hash: 8cdc12e30af14e19533c58b3ffe840b5 jo-favorites-usb-2009-12-
MD5 Hash f9408bfcd292a7d8d60928a42806046f jo-work-usb-2009-12-
11.e01 teGs
Report Requirements:
Given the above suspicion and seized data files, it is your role as investigator to uncover any evidence to prove or disprove the allegations. The brief above has highlighted what in particular you are looking for, so the scope of the investigation is limited to this particular suspected crime.
Your report should follow the structure detailed in Chapter 14 of the textbook, there is no limitation on size of the report although you are urged to state the facts clearly and not bury them in pages of irrelevant content.
Your report should highlight the following areas (these will be assessed)
a) Discuss if there is there any evidence of illegal activity.
Explain your position on this. What evidence did you find if any? How sound / reliable do you believe your evidence collection to be? Describe any steps you took to ensure the integrity of the evidence. You should use at least two forensics tools in your evidence analysis and if results differ then you should highlight the strengths and weaknesses of the two tools which you have used.
b) Present any evidence in a time line format, highlighting (with written descriptions), the points where you believe any offence may have occurred and other significant dates/times in the case.
c) You were provided with two hard drive images. Do you believe there are other devices used in the offence? If so, why? How would you identify those devices and obtain them? Are there any other insights or remnant data found on the seized hard drives?
d) Are there any clues that indicate intent or knowledge of criminal activity? A common defence is that the actions were committed unintentionally or that the perpetrator did not know the actions were illegal. With these possible defences in mind, address how you would respond to these defences.