CMIT 424: Digital Forensics Analysis and Application Detailed Assignment Description for Forensic Report #1

The purpose of this assignment is to determine if you can 

· Properly process and handle evidence for a case and perform other case management functions

· Select and use appropriate digital forensics tools

· Prepare and annotate an inventory of files present on an evidence drive

· Triage an evidence drive using a forensic tool to view and analyze partitions, folders, and files to:

o Identify and properly address the presence (if any) of contraband (adult and child pornography, evidence related to narcotics)

o Identify and properly address the presence of evidence related to violations of an employment agreement or violations of company policy

· Evaluate an assessment (formal or informal) performed by another party and provide a formal response (“equivocal assessment”) in which you address the other party’s procedures and findings

· Write a reasonably professional and comprehensive AssessmentReport for a forensic examination 

Required Deliverables:

1. Assessment Report (75% of grade) 

2. Annotated Inventory of Forensically Interesting Files (25% of grade)

Scenario for Forensic Report #1

James Randell, president and owner of Practical Applied Gaming Solutions, Inc. (PAGS), has contacted you to request assistance in handling a sensitive matter regarding the unexpected resignation of his company’s Assistant Chief Security Officer, George Dean. PAGS is a contractor to several state gaming (gambling) commissions. The company and its employees are required to maintain high ethical standards and are not allowed to participate in any forms of gaming or gambling, including lotteries,due to their involvement as security consultants to the gaming commissioners. The unexpected resignation and disappearance of a senior staff member is a reportable security incident under the terms of several of the company’s contracts with state gaming commissions. Thus, Mr. Randell needs an independent, outside assessment of the facts and evidence pertaining to Mr. Dean’s resignation. 

Background (Information Obtained During Client Interview)

Mr. Randell became concerned about Mr. Dean’s activities after his Human Resources Officer, Norbert Singh, reported that Mr. Dean left a voice mail tendering his resignation effective immediately.Mr. Singh also reported that Mr. Dean’s supervisor (Ms. Betty Mayne, the Chief Security Officer) had opened Mr. Dean’s locked office, at Mr. Singh’s request, and noted that it was unusually tidy and that the computer workstation and a company issued laptop were both missing. Mr. Randell asked Mr. Singh and Ms. Maynes to investigate further and report back to him. During the second meeting, Mr. Randell was informed of the following:

· Mr. Dean’s workstation was one of three company computers taken to the IT Service Center earlier in the week to be wiped and reimaged due to infection by a particularly nasty rootkit.The computers are due back in the office next Friday by 10:00 AM. 

· Ms. Mayne contacted the IT service center and requested that they stop all work and immediately return the three computer systems to the company. 

· Mr. Dean was using a company issued laptop in the office as a temporary replacement for his workstation. The company issued laptop was not found in the office but, an empty laptop case was found under the desk. 

· During their search of the office, Mr. Singh and Ms. Mayne found single 2GB USB drive that had been left in the laptop case. Ms. Mayne and her staff examined the contents of the USB Drive and reported to Mr. Randell that it contained files pertaining to Mr. Dean’s duties as Assistant Chief Security Officer. There were no indications of any involvement in activities contrary to the company’s best interests.Note: This paragraph provides you with the “previous examination” results that you will address in the “Assessment of Previous Investigation” section in your Assessment Report.

Request for Forensic Services (Tasking)

Mr. Randell has requested that you examine the recovered USB drive and tell him what you find. He also asked that you provide an assessment as to the accuracy and validity of the findings from the PAGS CSO’s staff examination of the contents of the USB (“equivocal assessment”). Your deliverables will include an assessment report and an annotated inventory listing all files and information of forensic interest which were recovered from the drive. 

The burning questions of the moment are: 

1. What was George Dean up to before he resigned?

2. Why did he resign so suddenly?

Notes for the Student: 

1. You may encounter contraband, e.g. images depicting adult or child pornography, during your examination of the provided forensic image. If this occurs, you are to proceed as though you had legally authorized permission to continue your examination and prepare a report which includes information about the contraband. For training purposes, Adult pornography is depicted using images of canines (dogs or puppies). Child pornography is depicted using images of felines (cats or kittens). Images of child pornography (cats or kittens) should not be included in a forensic report and should not be extracted from the forensic image. 

2. For training purposes, pictures of flowers are used to denote narcotics and related contraband.

3. The referenced employment agreement is understood to include prohibitions against participating in any/all illegal activities on company premises or while using company IT resources. This prohibition includes receipt and transmission of illegal forms of pornography (as defined by the State of Maryland and the US Federal Government) and engaging in any/all forms of drug trafficking.

4. For the purposes of this assignment, you (the student) are acting in the role of “forensic examiner.” In the grading rubric, actions attributed to “the examiner” are actions that you should (or should not) have taken.

Acquisition / Forensic Imaging Report (USB)

Forensically sterile media was created using Sumuri Paladin and then used for the imaging operation as the target media. The sterile state was verified using DCFLDD’s verify file command (sudo dcfldd vf=/dev/sdx pattern=00 where sdx is the drive designator for the USB).

Imaging operation was performed using FTK Imager.

Image: PAGS01_06132014.E01

Created By AccessData® FTK® Imager 2.6.0.49 090505

Case Information: Forensic Report #1 CMIT 424 Fall 2014

Case Number: PAGS01

Evidence Number: PAGS01

Unique description: Lexar Jump Drive

Examiner: Instructor

--------------------------------------------------------------

Information for PAGS01_06132014:

Physical Evidentiary Item (Source) Information:

[Drive Geometry]

Cylinders: 63

Tracks per Cylinder: 255

Sectors per Track: 63

Bytes per Sector: 512

Sector Count: 1,014,784

[Physical Drive Information]

Drive Model: LEXAR JUMPDRIVE USB Device

Drive Serial Number: 8KRZ24B

Drive Interface Type: USB

Source data size: 495 MB

Sector count: 1014784

[Computed Hashes]

MD5 checksum: bc1bedd931cacfd5bc4004ec9ef2fb3e

SHA1 checksum: 217eb21b8e9f4e363824df43204f0f3b75025fd1

Image Information:

Acquisition started: Fri Jun 13 21:59:00 2014

Acquisition finished: Fri Jun 13 22:00:53 2014

Segment list: PAGS01_06132014.E01

Image Verification Results:

Verification started: Fri Jun 13 22:00:53 2014

Verification finished: Fri Jun 13 22:00:56 2014

MD5 checksum: bc1bedd931cacfd5bc4004ec9ef2fb3e : verified

SHA1 checksum: 217eb21b8e9f4e363824df43204f0f3b75025fd1 : verified

Examination of the Evidence (Procedure) for Forensic Report #1

This assignment requires that you apply the knowledge and skills learned in Labs 0-4. You should refer to those lab procedures and the lab readings (Labx_content.docx) if you need ideas on how to get started or what you should look for when processing the forensic image for this assignment.

Before You Begin:

1. Locate the forensic image file for this examination. It is located on the share drive in the VDA (H:\CMIT424\FR1). This is your evidence file and should be treated as if it were stored on a physical USB that you can move from place to place. 

2. It is not necessary for you to create a forensic clone from the evidence file onto a physical device.

Examination Procedure:

3. Review the acquisition report provided with this assignment.

a. Note the type of media and physical structure as reported in the acquisition report from FTK Imager

b. Note the storage capacity

c. Note any identifying information

4. Launch the forensic tool (software application) that you will use to process your case. You may need to use multiple tools, e.g. WinHex for File Carving and EnCase for general processing of the image.

5. Process the forensic image for this case using the tool(s) of your choice.

6. Review the logical structure of the media from which the forensic image was created (WinHex is a good tool for doing this.)

a. Note the number and size of partitions

b. Location and sizes of unallocated space (unpartitioned space)

c. Note the types of file systems present

d. Perform a brief low-level analysis of the contents of the partitions including information contained within the MBR or boot record

e. Note the partition names / volume names

f. What operating system(s) were used to format the media? Modify the media?

7. Review the files and folders found in the case (by partition). (EnCase is a good tool for this step.)

a. View graphics files

b. View contents of documents and spreadsheets

c. Look for password protected or encrypted files

d. Look for deleted files or files in a recycle or trash bin

e. Perform a keyword search to determine if there is information present in one or more files which may provide answers to the case questions.

f. Perform other analysis as required

8. Export a file inventory which shows all files found. Your inventory should be in table format (use MS Word or Excel). Each entry must include, at a minimum:

a. File Path

b. MD5 Hash

c. MAC Times (modify, last access, create)

d. Item Number

e. Other useful metadata for the individual files (choose your columns wisely).

9. Using your inventory from step #6, create an annotated file inventory which presents the forensically interesting files in table format. Add a column to your inventory table which contains your Comments or Explanations. You will deliver this file with your assignment submission. You may use either MS Word or MS Excel format for this deliverable.

10. Analyze your recovered files to find answers to the questions presented in the Scenario document for this assignment. Make sure that you keep track of which files support specific answersor findings.

11. Prepare an Assessment Report in which you present a summary of your forensic processing and your findings (answers to the scenario questions). 

12. Attach your report and your file inventory to the assignment for Forensic Report #1 and submit it for grading.

Grading Information for Forensic Report #1

The rubric for this assignment is attached to the assignment folder entry. The information below provides additional information about content and format requirements. This assignment is graded on a 100 point basis and is worth 15% of the final course grade.

Annotated File Inventory (25 points total)

· Formatted File Inventory Exported from Forensic Tool (e.g., Encase, WinHex) as Excel Spreadsheet (.xlsx or.xls) or MS Word Document (Table Format). (10 points)

· Identified files of forensic interest (as determined by the case scenario & questions). (5 points)

· Annotations on inventory items for files of forensic interest. (10 points)

Assessment Report (75 points total)

Formatting Note:

For this assignment, you are asked to write an Assessment Report which focuses on whether or not the assessment performed by another investigator has errors or omissions. Your report should be written using the Forensic Report #1 Template. Create additional report sections as deemed necessary. Use snippets, figures, and addendums as needed to explain the forensic items of interest that answer the case questions. Typically this report ranges from 12-25 pages. 

Utilize the reporting features of the forensic applications (example: bookmarks) but bear in mind that automated reports do not replace the final forensic report. Use this information, however, to enhance your report in the form of addendums or by inserting relevant information into the report template to illustrate/justify your findings.

Ensure that the below “Required Content Items” are covered in your report.

Outline / Required Content Items:

· Case Background and Summary of Findings (20 points)

o Brief summary of reasons for this forensic examination (from scenario) including description of victims or parties who were harmed by the subject’s actions and description of the subject or target of this forensic examination.

o List format presentation.

§ Case questions & findings for each

§ Use case questions from scenario or developed from scenario

· Summary of Examinations Performed (20 points)

o Results of on-site examination for location from which evidence was recovered

o Results of Interviews with victims, employees, principals of firms, etc.

o Results from document reviews (policies, employment agreements, etc.)

o Results from examinations of computer hardwareand contents of media (hard drives, removable media, etc.) including inventory of recovered files whose contents or metadata are of forensic interest for this case

· Case Assessment (10 points)

o Identification of subject or offender (individual who is the target for the forensic examination); characteristics of subject.

o Description and Characteristics of Location (real-space location info require for establishment of jurisdiction); characteristics of location.

o Identification and Description of Policy Violations, Civil or Criminal Laws broken,

o Identification and description of victims ororganizations which wereharmed

· Assessment of Previous Investigation (10 points)

o Identification of Investigators who conducted prior investigation(s)

o Summary of investigatory process as reported by previous investigators

o Evaluation of the findings (accuracy, validity) from previous examinations of the evidence; includes identification of missed information; includes identification of errors in procedures or incorrect analysis.

· Investigative Suggestions / Follow-on Questions(5 points total)

o Additional questions that should be asked of the recovered data

o Additional questions that should be asked of the client / investigator

o Additional considerations / concerns regarding this investigation

· Professionalism (10 points total)

o Organization & Appearance (5 points): neat, consistent, professional appearance

o Writing Mechanics (5 points): grammar, spelling, punctuation, etc.)