Cyber forensic cases - practical investigations

Reference no: EM133948356, Length: Word Count: 6000

Cyber Forensics

Level 7

Learning outcome 1: Demonstrate an in-depth understanding of incident handling and forensic investigation methodologies, investigation plans, and threat-hunting techniques.

Learning outcome 2: Demonstrate techniques to investigate different types of incidents and detect and extract attack vectors.

Learning outcome 3: Communicate ideas and solutions with rational and reasoned arguments using appropriate methods (e.g., orally, electronically, written reports) and develop those communication skills required for successful group work.

Assessment - Cyber Forensic Cases - Practical Investigations

In this practical assignment, students are required to solve real-world cyber investigation cases. They are also required to utilise their knowledge and skills to collect evidence and answer the main questions generated by the case studies.

The students will be given a cybercrime case description and the related collected evidence (disk images, RAM images, files, etc.). They are required to apply the appropriate forensics tools to extract data, retrieve hidden files, and comment on their findings. They are also required to answer the questions generated by the case study based on the data retrieved from the provided evidence. They are required to submit an assignment report that produces a detailed walkthrough for each task, explaining the techniques used and including relevant screenshots where appropriate.

Scenario 1: Bank Fraud Case
A bank manager is suspected of transferring confidential banking data. The manager used encrypted communication on the network (logs unrecoverable) and likely attempted to hide or delete key evidence. A USB flash drive seized from the manager's laptop during a preliminary sweep is now in custody. You are required to conduct a full forensic analysis, extract and examine digital artefacts, and report findings that may assist in reconstructing the event with other sources of evidence.
You are part of the internal digital forensics team assigned to investigate this suspicious banking activity that may involve internal collusion. You have been given a forensic image of the USB (bank_fraud.001 and bank_fraud.002), a case log file and a task sheet from the investigative lead. You must conduct a thorough forensic analysis of the USB device.

Look for data exfiltration artefacts, concealed files, or suspicious communications. Produce a formal report detailing findings, artefacts recovered and suggested next steps.
Hints:
This task tests your file carving and case reconstruction skills.
1. List the files recovered from the image and state which are important to the investigation.
2. Is there any content that can be used as evidence for further investigation?
3. Are there any signs of the use of steganography and encryption?
4. Recover the stego medium and report the content.
5. Recover the encrypted text and report the content.
6. Are there any other anti-forensic techniques used on the evidence?
7. List some sensitive data recovered from the evidence. For example, names, passwords, wallets, pictures, etc.
8. What are your suggestions to further the case?
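The file carving the hints refer to, shown as an added example that is not part of this assignment brief or its evidence files: a minimal header/footer carver over a raw image supplied as ordered segments (bank_fraud.001 and bank_fraud.002 would be passed in that order). The signature table is a deliberately small subset, and the two-segment sample image is constructed for illustration; the SHA-256 of each carved artefact is recorded so it can be cited and re-verified in the report.

```python
import hashlib
from pathlib import Path

# Header/footer signatures (constructed subset; a real carver such as scalpel
# or foremost ships many more). Carving ignores filesystem metadata, so it also
# recovers files whose directory entries were deleted.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    # JPEG: first FFD9 after the header. An embedded EXIF thumbnail can end a
    # carve early, so a suspiciously small JPEG is a cue to re-carve by hand.
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def join_segments(segments):
    """Concatenate split raw image segments (.001, .002, ...) in order."""
    return b"".join(segments)

def carve(image, max_size=10_000_000):
    """Return (type, offset, size, sha256) for every header/footer pair found."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(foot, pos + len(head), pos + max_size)
            if end == -1:                      # header without footer in range
                pos = image.find(head, pos + 1)
                continue
            end += len(foot)
            data = image[pos:end]
            found.append((kind, pos, len(data), hashlib.sha256(data).hexdigest()))
            pos = image.find(head, end)
    return sorted(found, key=lambda f: f[1])

def demo_image():
    """Constructed two-segment image: slack space, a PNG with no directory
    entry, a PDF, and a JPEG that straddles the segment boundary."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.4 constructed %%EOF"
    jpg = b"\xff\xd8\xff\xe0JFIF\xff\xd9"
    seg1 = b"\x00" * 32 + png + b"\xaa" * 8 + pdf + jpg[:3]
    seg2 = jpg[3:] + b"\x00" * 16
    return [seg1, seg2]

if __name__ == "__main__":
    import sys
    segs = [Path(p).read_bytes() for p in sys.argv[1:]] or demo_image()
    for kind, off, size, digest in carve(join_segments(segs)):
        print(f"{kind}\t@{off}\t{size} bytes\tsha256={digest}")
```

Run with the segment paths as arguments (or no arguments to carve the constructed sample); the whole image is read into memory, which is fine for a USB-sized image but not for a large disk.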

Scenario 2: Network Forensics
In another case, it was noticed that malware had infected a company's network as a result of an intrusion alert from an IDS. The incident response team were able to collect network captures from the company's network logs for further analysis. The company recruited you as a forensic expert to analyse the log and report details about the malware activities on the network.
You have 1 pcap file (named malware-traffic-analysis), likely infected with a Windows-based malware. Identify and report the malware family that caused the infection and other information such as IP address of the command-and-control server, a DLL file and its hash, ports, communications between the servers and the hosts, the infected Windows host name, and the user account name.

Note that the pcap file contains traffic and artefacts from a malware infection, likely Windows-based. It is therefore recommended to analyse it in a non-Windows environment such as Kali, Ubuntu, or macOS.

Scenario 3: Bad PDF Case
Ali is a renowned banking system forensics investigator with numerous successful financial case investigations. Ali was recently contacted by a financial company called "Best Finance (BF)" to perform forensics work on a recent incident. One of BF's employees had received an email from a coworker that pointed to a PDF file. Upon opening the file, the employee did not seem to notice anything; however, recently, they have had unusual activity in their bank account. BF was able to obtain a memory image of the employee's virtual machine upon suspected infection. BF asked Ali to analyse the virtual memory and report any suspected activities found. Since Ali is very busy these days, he has asked you to complete this investigation and answer the following questions:

List the processes that were running on the victim's machine. Which process was most likely responsible for the initial exploit?
List the sockets that were open on the victim's machine during infection. Are there any suspicious processes that have sockets open?

List any suspicious URLs and IP addresses that may be associated with the processes.

Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs?

What is the purpose and intent of the suspected files or processes?

Find possible hashes for the administrator password.

Tips: You may need to use Volatility and strings a lot during this investigation.

What the work must include:

Before beginning the practical investigation, use the provided information and materials to develop a high-level set of procedures, processes, and techniques for planning this investigation. Your plan should be clear and concise, and should then be followed throughout this investigation. The plan should be specific to this case but backed up by best practice. (20%)

Before beginning the practical investigation, identify initial key questions that will need to be answered throughout the investigation. Also, record how each question was answered: what was the source of the answer, including what procedure/process/technique was used to determine the answer. (10%)

As you work through the practical investigation, identify further key questions to lay the factual groundwork for this case. An example list of some key questions is above; use this and add to this list. Answer these key questions and also record how each question was answered. (30%)

Keep a record of the answers and sources to all the key questions in a separate self-contained chapter or appendix. These will comprise part or all of the evidence. For the main body of the work, in accordance with your plan, piece together all the pieces of evidence to present a solid case with conclusions. Refer to your evidence. Present and address any conflicting or circumstantial evidence directly. (30%)

Throughout this work, you must reference best practices to give credence to your work. (10%)

All scenario questions are worth equal marks. Scenario 1 is worth 30% of the overall mark, and likewise, other scenarios. The remaining 10% is for the submission and marking of all the other practical labs.


The above does not define a structure. You are expected to form a reasonable structure to your work, in accordance with the Layout of Report. Although no marks are awarded directly for structure, the inability to present your work in a well-structured manner could impact its overall quality. - See Assessment Criteria document on Blackboard.

Layout of Report

This report must be formatted and submitted as one document. The report should look presentable, with the target audience being a peer. It must at least have:
a title,
one Contents section or page at the start,
a very brief introduction to the report,
a well-structured body that addresses the task, and
a chapter or appendix that records all the key questions, answers, and sources.
A reader of your report must be able to navigate the document; sections / sub-sections must be named appropriately, and numbered if considered useful. Write the report so that the reader does not need to refer to this Assignment Brief, i.e. it should be self-contained.
Organisation advice:
Number all figures and tables used, and use brief captions for each figure or table. Refer to the figure or table from the body of the text.

Use presentable formatting: use headers, and break the work into appropriate sections with sub-headers.
Don't write complicated, long sentences unless they completely make sense; it is often easier to write shorter sentences that are well-formed and unambiguous, clearly making a point. All appendices should be referred to from the main body of the report.

General Instructions

Format: The format should be one column, left or justified alignment, and have appropriate and meaningful headings/sections. Use a meaningful structure that ensures coherence.
Referencing: Do not just give a list of references without showing where/how you have used them in the text - ensure you include in-text referencing.
Support: If you use external support, e.g., for proofreading or translation, you MUST state this. The tutor will provide adequate support to ensure that all students are very clear about what is expected of them in this assessment. So ensure you take this opportunity to get clarifications where you need them.
Coverage: You are expected to address all aspects of each task in full.
Originality: It is acceptable to use direct quotes from sources. However, excessive use of direct quotes (regardless of whether they are referenced or not) reduces the originality of the work. This and a high level of similarity will affect the student's mark.
The information in the appendices* is supplementary to the report and so should not include material integral to the report itself. It will only be referred to by the tutor where they think necessary and may not all be read by the tutor. Information which the student feels is critical to their argument must be included in the main body of the report. (*Except for the required evidence in this report.)
