COMP40571 Computer Forensics
The date is 1 July 2004. You have been called in by an organisation that suspects one of its staff members is breaking organisational policy.
The staff member has joined a strange religious group that considers geometric shapes to be very important. The staff member was warned in May 2004 against using organisational resources to create, store, search the Web for or disseminate pictures of such shapes.
1. You arrive at the scene, which looks as shown in the photos below.
a) Explain what you would do, and why.
b) Include a list of the equipment you should have brought with you.
2. You decide to create a forensic image of the computer’s memory. Explain what you would do, and why.
3. a) Make a list of the types of evidence that you might search for to determine if the staff member has continued to breach organisational policy.
The computer provides no useful evidence. Next, you create a forensic image of one of the memory sticks.
Download image cwk1.dd from NOW. Assume this is the image that you created from the memory stick.
b) Analyse it using Autopsy or any other tool you choose.
c) Present a table listing what you found during your analysis.
4. Report any relevant evidence that you found, including any conclusions that you believe can be drawn.
5. There are also other reports you should produce and submit apart from the evidence report. Provide a list of these reports and show 2 or 3 entries from EACH report. You may invent the data that is presented in these entries.