
MODULAR PROGRAMME

COURSEWORK ASSESSMENT SPECIFICATION


Module Details
Module Code: UFCFJ6-30-2
Run: 14SEP/FR/JUN15/1
Module Title: SECURITY AND FORENSIC TOOLS
Module Leader: Lindsey Gillies
Module Coordinator:
Module Tutors: Dr Toby Ohara, Margaret McCarthy
Component and Element Number: B: CW1
Weighting (% of the Module's assessment): 50%
Element Description: INDIVIDUAL WRITTEN REPORT ON A FORENSIC CASE STUDY (Individual written report on a forensic case study)
Total Assignment time: 20 hours

Dates
Date Issued to Students: 23 Feb 2015
Date to be Returned to Students: 14-May-2015
Submission Place: Blackboard
Submission Date: 16/04/2015
Submission Time: 2.00 pm

Deliverables
A detailed report, using the submission form found in Appendix A, which identifies
each evidential artefact, provides your contemporaneous analysis notes, and which
provides a written overview of the case scenario:

Module Leader Signature

Individual Case Study


This part of the assessment for the module consists of an individual forensic case
study. You will be provided with a forensic image of a suspect's computer, which will
be made available to you from the following shared location from 19-Feb-2014:
S:\FET\CSCT\SecurityAndForensicTools-UFCFJ6-30-2\Coursework Image\
This EnCase image file contains evidence items supporting a particular case scenario;
it is your job to examine this image file for evidential artefacts, and to build a picture
of the case scenario.
You may use whatever tools you consider appropriate.

Case Scenario
The scenario for the assignment is as follows:
Suspect's Name: Odlaw
Main Victim: Wally
Other people in the case/potential victims: Wizard, Wenda and Woof.
Circumstances: It is suspected that Odlaw has kidnapped Wally and is holding him hostage for ransom.
Remit: Your task is to identify the location where Wally is being held.

Deliverable
A detailed report, using the submission form found in Appendix A, which identifies
each evidential artefact, provides your contemporaneous analysis notes, and which
provides a written overview of the case scenario:
1. The report should identify each artefact you have found and its
provenance. (50%)
2. The report should detail, for each artefact, how you found it, in
sufficient detail for someone else to follow your process. (10%)
3. The contemporaneous notes should be sufficiently detailed to allow
an independent examiner to repeat your examination with the same
results. (20%) Factors you need to consider are:
   A complete examination.
   A logical, coherent examination.
   Dual verification.
   Repeatability.
   Appropriate choice and use of tools.
4. The written overview of no more than 500 words should be
constructed upon the evidence you have found, describing the case
scenario (i.e. what you think has taken place, referring back to
individual evidence items). You should also identify the important
players in this scenario, together with any contact details for them. (20%)

Submission
You should submit a document file, readable in Microsoft Word or Adobe PDF, via
BlackBoard.

Appendix A: Template to be used in reporting upon your analysis of the Forensic Image
Student Number: XXXXX
Section A: Findings
The following evidence items were found:

Columns: Evidence item number | Full Provenance | Method of discovery | Description of item | Significance to case
Rows: 1, 2, 3, 4, etc.

Full Provenance is to include the following fields only (marks will be deducted if
you include fewer or additional fields):
Name:
Is Deleted:
File Created:
Last Written:
Last Accessed:
Logical Size:
Physical Sector:
Full path:
Hash:

Section B: Screen captures
You should include a screen capture of the CONTENTS of each evidence item.

Section C: Possible Scenario (max 500 words)
Based upon the evidence, a possible scenario is...

Section D: Contemporaneous Notes (Note: if you decide to omit a process, then you should provide your reasons for doing so). The
structure of these notes reflects the workflow for EnCase 6; you will need to modify it for EnCase 7.
Examiner:
Exam commenced:
Other relevant information:
Software used, versions and licensing:

Columns: Action | Done? | Date | Time | Notes

Actions:
Load case & verify in EnCase
Load Case into FTK or Autopsy or another forensic tool for dual verification of 2 key artefacts
Recover lost folders (FAT16 & 32).
Mount archives; zip, thumbs.db, etc
File signature analysis, compute hash values
Run filefinder (data carving)
Initialise Case script (operating system information, accounts information, timezone information etc).
Timeline analysis, date of last activity on the computer.
Log-on passwords (use SAMInside/Ophcrack)
Registry analysis and Registry protected area
Internet History, favourites. Other browsers?
Run relevant keyword searches
Emails, local & web-based.
IM clients
Examine different file types.
Export doc / office & exe files; look at Meta data if required
Clean-up utilities. Check log files
Encryption, Steg
Link files
Print artefacts
CD/DVD burning apps; check log files

Additional Notes:
