CIS8708 – Written Assessment
This assignment has four questions to be completed. Compile your answers into a Word document to be uploaded to Study Desk, with or without the optional Excel Spreadsheet in Question 1. Include your Name, Student Number and course code (CIS8708) in the header of each page and include references and a bibliography where appropriate.
When submitting your document/s, the file will be submitted to Turnitin for originality checking. You will be able to see the report come back and can make adjustments if required before resubmitting.
Question 1 – 10 marks, 600 word maximum
Your supervisor has asked you to research current data acquisition tools. Using your preferred Internet search engine and the vendors listed in Week 4 (ProDiscover, EnCase, FTK, Sleauth-Kit, X-Ways, iLook), prepare a report containing the following information for each tool and stating which tool you would prefer to use and why:
Forensics vendor name
Acquisition tool name and latest version number
Features of the vendor’s product
With this data collected, prepare a table or spreadsheet listing vendors in the rows. For the column headings, list the following features:
Other proprietary formats the tool can read
Compression of image files
Remote network acquisition capabilities
Method used to validate (MD5, SHA-1, and so on)
Any other comparatives you would like to add such as cost/licensing model, acquisition speeds based on image format or other features.
Note: if you prefer to do this comparative table in an Excel spreadsheet, which would be acceptable to submit as a second file.
Question 2 – 10 marks, 500 word maximum
To continue your learning in digital forensics, you should research new tools and methods often. For this project, download the user manuals for VirtualBox and ProDiscover. Write a guide for a junior investigator (including screenshots) on how to convert a ProDiscover .eve image file to a VHD file and load the VHD file in VirtualBox. You can download the user guide for VirtualBox at www.virtualbox.org/wiki/Downloads. The ProDiscover manual should be in the following path, under the folder where you installed ProDiscover: Program Files (x86)Technology PathwaysProDiscoverProDiscoverManual.pdf.
Question 3 – 10 marks, 300 word maximum.
You are working as a Forensic Investigator and have been presented with a file to investigate. The Word1.docx file (available from StudyDesk assignment section) has been forensically extracted from an employee’s USB drive. This employee is being investigated for suspicious bank transactions in their capacity as a Finance Officer, to an account number starting with 4848. Investigate the file for any references to the account number. Write a report on the steps you took to investigate the file and detail anything relevant that you may find.
Question 4 – 10 marks, 500 word maximum.
As a Forensic Investigator who knows Splunk, you have been asked to do some investigating using Splunk at the company Frothly, an alcoholic beverage producer.
You have 7 questions to answer using Splunk at https://splunk-teach.usq.edu.au (access will be demonstrated in Week 6 tutorial). To view all data, search “ index=-botsv2- earliest=0 ” in the Search and Reporting App. The consider search conditions that can be added to filter down, based on the information in each question.
For each question, show the search term that you used and the text/numeric answer to the question. In conclusion, write an evidence report to the HR investigator to summarise all the things that you discovered (consider this person to be non-technical and detail the report with this in mind).
Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited? Answer guidance: Do not provide the FQDN. Answer example: google.com
Amber found the executive contact information and sent him an email. What is the CEO's name? Provide the first and last name.
After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee's email address?
What is the name of the file attachment that Amber sent to a contact at the competitor?
What is Amber's personal email address?
What version of TOR did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.
What is the public IPv4 address of the server running www.brewertalk.com?