Prepared by: Dr Ammar Alazab Moderated by: Dr Ajay Sharma October 2020
Assessment Details and Submission Guidelines | |
Trimester | T2 2020 |
Unit Code | MN624 |
Unit Title | Digital Forensics |
Assessment Type | Individual |
Assessment Title | Major Assignment Replacing Final Examination |
Purpose of the assessment (with ULO Mapping) |
Students should be able to demonstrate their achievement of the following unit learning outcomes:
a. Apply socio-technical contexts in analysing the digital forensic evidences
b. Record, administer and document digital forensics in social media
c. Investigate the nature and extent of a network intrusion
d. Demonstrate competence in applying industry-standard forensic analysis techniques
e. Implement forensically sound digital security practices in industry within the limits of relevant governance policies, laws and standards |
Weight | 50 |
Total Marks | 100 |
Word limit | N/A |
Due Date | Wednesday, 14 October 2020 |
Duration | 4 hours plus 15 minutes reading time |
Submission Guidelines |
• All work must be submitted on Moodle by the due date along with a completed Assessment Cover Page.
• The assignment must be in MS Word format, 1.5 spacing, 11-pt Calibri (Body) font and 2 cm margins on all four sides of your page with appropriate section headings.
• Reference sources must be cited in the text of the assignment, and listed appropriately at the end in a reference list using IEEE referencing style. |
Deferral | As per the MIT Assessment Policy and Procedure Section 5.3.5, a student may apply to a Head of School to defer an examination or an equivalent assessment in exceptional circumstances. An Application for Special Consideration and supporting documentation must be submitted directly to the School’s Administration Officer via your MIT AMS login: https://online.mit.edu.au/ams. You must submit this application no later than three (3) working days after the due date of the specific piece of assessment or the examination for which you are seeking Special Consideration. |
Academic Misconduct |
Academic Misconduct is a serious offence. Depending on the seriousness of the case, penalties can vary from a written warning or zero marks to exclusion from the course or rescinding the degree. Students should make themselves familiar with the full policy and procedure available at: https://www.mit.edu.au/about-mit/institute-publications/policies-procedures-and-guidelines/AcademicIntegrityPolicyAndProcedure. For further information, please refer to the Academic Integrity Section in your Unit Description. |
MN624 – Digital Forensics – Final Assessment Trimester 2, 2020
Page 2 of 11
Summary of Marks
Question | Mark | Out of Mark |
Q1 | 10 | |
Q2 | 25 | |
Q3 | 15 | |
Q4 | 10 | |
Q5 | 25 | |
Q6 | 15 | |
Total | 100 |
Instructions to Candidates:
1. Read the questions carefully.
2. If required, please make logical assumptions and clearly state these in your
answer word document file.
3. Make sure the assessment questions are a total of 8 pages.
4. Write your answers in a separate word file. Do not include the questions from
this document in your submitted document as it will be detected by plagiarism
software and show a high percentage similarity.
5. Clearly write the question number as per this document in your answer word
document.
6. Mapping of questions onto ULO
Question number | ULO | ULO keywords |
Q3 | a | Apply socio-technical contexts in analysing the digital forensic evidences |
Q1, Q2 | b | Record, administer and document digital forensics in social media |
Q5 | c | Investigate the nature and extent of a network intrusion |
Q3, Q4, Q5 | d | Demonstrate competence in applying industry-standard forensic analysis techniques |
Q3, Q4, Q6 | e | Implement forensically sound digital security practices in industry within the limits of relevant governance policies, laws and standards |
QUESTION 1 – Digital Forensics Validation [2 x 5= 10 Marks]
a) Explain the data hiding technique(s), used in Figure 1. [5 Marks]
Figure 1 Data Management
b) Examine and analyse the MD5 results given in Figure 2. [5 Marks]
Figure 2 MD5 results
QUESTION 2 – Cloud Forensics and Social Media Forensics [5 x 5= 25 Marks]
Ryan is a hacker who plans to exploit victims by uploading a malicious webpage in the
cloud. He uses a vulnerability to exploit the cloud presence of XYZ Coffee, a legitimate
company. From there, he installs malware that inserts a malicious payload into displayed
web pages and social media, and hides his malicious activity from the anti-virus. He
then redirects victims to the website, which infects them with malware. In addition, the
hacker used anti-forensics tools. Users complain to the legitimate company that they
are being infected, so the company seeks to fix the problem and investigate the crime.
Answer the following questions based on this scenario.
a) Provide a list of potential digital evidence and media that the investigator is going
to seize for possible forensic examination in this case study. How would you gain
access to this evidence? [2+3= 5 Marks]
b) Explain two acquisition methods that you should use in this situation.
[5 Marks]
c) Describe significant challenges with cloud forensics, including forensic acquisition
and evidence preservation.
[5 Marks]
d) Explain what “anti-forensics” is, and provide detail on some anti-forensics tactics that
could be used in this case study. [2+3=5 marks]
e) How should you proceed if the suspect’s computer is running? [5 marks]
QUESTION 3 – Processing Crime and Incident Scenes [3 x 5= 15 Marks]
A company has hired your firm to investigate employee espionage. The company uses
20 TB servers on a LAN. You are permitted to talk to the network administrator who is
familiar with where the data is stored. Please note that the company publishes a policy stating
their right to inspect computing assets at will. Answer the following questions based on
this scenario.
a) Explain the considerations you should have when deciding what data-acquisition
method to use for your investigation. [5 Marks]
b) Discuss the acquisition method that can be used in this case study. Be sure to
address any customer privacy issues. [5 Marks]
c) Why should companies publish a policy stating their right to inspect computing assets
at will? [5 Marks]
QUESTION 4 – Computer Forensics [2 x 5= 10 Marks]
You are investigating a crime with the analysis of a computer disk but the disk contains
several password-protected files and other files with headers that don’t match the
extension.
a) Explain how to identify the header of the file and determine how their extensions
are mismatched. [5 Marks]
b) Discuss the techniques and tools that can be used to recover the passwords from
the protected files. [5 Marks]
QUESTION 5 – Network Forensics [5 x 5 = 25 Marks]
A new start-up SME (small-medium enterprise) based in Melbourne with an E-government model has recently begun to notice anomalies in its accounting and
product records. It has undertaken an initial check of system log files, and there are
many suspicious entries and IP addresses with a large amount of data being sent outside
the company firewall. They have also recently received a number of customer
complaints saying that there is often a strange message displayed during order
processing, and they are often redirected to a payment page that does not look
legitimate. Address the following questions while preparing your report as a digital
forensics investigator.
a) Discuss a general overview of the methodology that you will use, and provide a
reasoned argument as to why the particular method chosen is relevant.
[5 Marks]
b) How should you proceed if your network forensic investigation involves other
companies?
[5 Marks]
c) Explore the techniques and tools that can be used in this situation.
[5 Marks]
d) Describe significant challenges with network forensics in this network, including
forensic acquisition and evidence preservation.
[5 Marks]
e) Identify and explain three types of log files you should examine after a network
intrusion.
[5 Marks]
QUESTION 6: Mobile Forensics [3 x 5= 25 Marks]
You have been assigned a case that needs mobile forensic analysis. A mobile is found in
the suspect’s office, and it might have critical information related to the case.
a) Discuss the information that can be retrieved from this mobile’s SIM card.
[5 Marks]
b) Illustrate the general procedure to access the content on this mobile phone SIM
card.
[5 Marks]
c) Explain measures to validate data on this mobile. [5 Marks]
Marking criteria:
The following marking criteria will be followed for this assessment
Questions | Description of the marking criteria | Marks |
Q1 | a) Explain the data hiding technique(s), used in Figure 1. (5 marks) b) Examine and analyse the MD5 results given in Figure 2. (5 marks) | 10 |
Q2 | a) Provide a list of potential digital evidence and media that the investigator is going to want to seize for possible forensic examination in this case study. How would you gain access to this evidence? (5 marks) b) Explain two acquisition methods that you should use in this situation. (5 marks) c) Describe significant challenges with cloud forensics, including forensic acquisition and evidence preservation. (5 marks) d) Explain what “anti-forensics” is, and provide detail on some anti-forensics tactics that could be used in this case study. (5 marks) e) How should you proceed if the suspect’s computer is running? (5 marks) | 25 |
Q3 | a) Explain the considerations you should have when deciding what data-acquisition method to use on your investigation? (5 marks) b) Discuss the acquisition method that can be used in this case study. Be sure to address any customer privacy issues. (5 marks) c) Why should companies publish a policy stating their right to inspect computing assets at will? (5 marks) | 15 |
Q4 | a) Explain how to identify the header of the file and determine how their extensions are mismatched. (5 marks) b) Discuss what techniques and tools can be used to recover the passwords from the protected files. (5 marks) | 10 |
Q5 | a) Discuss a general overview of the methodology that you will use, and provide a reasoned argument as to why the particular method chosen is relevant. (5 marks) b) How should you proceed if your network forensic investigation involves other companies? (5 marks) c) Discuss what techniques and tools can be used in this situation. (5 marks) d) Describe significant challenges with network forensics in this network, including forensic acquisition and evidence preservation. (5 marks) e) Identify and explain three types of log files you should examine after a network intrusion. (5 marks) | 25 |
Q6 | a) Discuss the information that can be retrieved from this mobile’s SIM card. (5 marks) b) Discuss the general procedure to access the content on this mobile phone SIM card. (5 marks) c) Explain measures to validate data on this mobile. (5 marks) | 15 |
Total | 100 |
Marking Rubric
Marking Rubric Criteria/ Grades | High Distinction (HD) [Excellent] >80% | Distinction (D) [Very Good] 70%-80% | Credit (C) [Good] 60%-70% | Pass (P) [Satisfactory] 50%-60% | Fail (N) [Unsatisfactory] |
Question 1 /10 | Concise and specific to the question | Topics are relevant and soundly analysed. | Generally relevant and analysed. | Some relevance and briefly presented. | This is not relevant to the assignment topic. |
Question 2 /25 | Accurate and to the point in-depth knowledge has been provided regarding the topic in question. | Adequately, correct and to the point, in depth knowledge has been provided regarding the topic in question. | Mostly correct and to the point, in depth knowledge has been provided regarding the topic in question. | To some extent correct knowledge has been provided regarding the topic in question but lacking depth. | Not correct/relevant knowledge has been provided regarding the topic in question, missing depth and details. |
Question 3 /15 | Demonstrated excellent ability to think critically and sourced reference material appropriately | Demonstrated excellent ability to think critically but did not source reference material appropriately | Demonstrated ability to think critically and sourced reference material appropriately | Demonstrated ability to think critically and did not source reference material appropriately | Did not demonstrate the ability to think critically and did not source reference material appropriately |
Question 4 /10 | All elements are present and very well integrated. | Components present with good cohesion | Components present and mostly well integrated | Most components present | The proposal lacks structure. |
Question 5 /25 | Outcome of the problem is clearly written with step by step process. | Outcome of the problem is somewhat written with step by step process. | Outcome of the problem is written with step by step process. But end result is not correct. | Outcome of the problem is written but not with step by step process. | Outcome of the problem is wrong. |
Question 6 /15 | Clear, concise and in-depth knowledge has been provided regarding the topic in question, design concepts are clear and the proposed designing has comprehensively fulfilled the requirements. | Reasonably clear, concise and detailed knowledge has been provided regarding the topic in question, design concepts are almost accurate with minor inaccuracies and proposed designing has reasonably fulfilled the requirements. | Adequately clear knowledge has been provided regarding the topic in question, design concepts are partially correct with minor inaccuracies and proposed designing has partially fulfilled the requirements. | To some extent, clear knowledge has been provided, but lacks depth of understanding regarding the topic in question, design concepts are fairly correct with some inaccuracies and proposed designing has narrowly fulfilled the requirements. | The required description regarding the topic in question is not correct, design concepts are not correct/relevant and proposed designing is irrelevant or does not fulfill the requirements at all. |
END OF MAJOR ASSIGNMENT REPLACING
FINAL EXAMINATION