Digital Forensics Assignment: Practical Exercise and Critical Review

LO1: Demonstrate an understanding of and conduct the main stages of a digital forensics' investigation.

LO2: Apply good forensics processes in the preservation of evidence and auditing of actions taken.

LO3: Collect and interpret evidence from a range of different sources.

LO4: Critically evaluate recent developments in digital forensics.

LO5: Apply a wide range of transferable skills and attributes applicable to industry and research.

Note: it is your responsibility to make sure that your work is complete and available for marking by the deadline. Make sure that you have followed the submission instructions carefully, and your work is submitted in the correct format, using the correct hand-in mechanism (e.g., Moodle upload). If submitting via Moodle, you are advised to check your work after upload, to make sure it has uploaded properly. Do not alter your work after the deadline. You should make at least one full backup copy of your work.

This assignment will require you to demonstrate your grasp of both the theoretical and practical aspects of Digital Forensics. The practical exercise will require you to put yourself in the position of a forensics  examiner processing evidence. You will need to demonstrate your ability to manage the evidence through its entire life cycle while upholding the most meticulous requirements on the integrity of the material and the dependability of your findings. Forensic examiners are expected to take every reasonable precaution to make sure the processes they perform to not cause any unwanted tampering with the evidence and their conclusions can be sufficiently dependable to be accepted in court. Such work can be vital in the investigation and prosecution of all manner of crimes as well as being used for internal auditing within organisations. Your aim is to take a forensic investigator’s approach to your (simulated) evidence.

The second part of the assignment will require you to critically review a publication in the academicliterature. You will need to be able to take the cutting-edge research being done in the field and make theimplications relevant for forensics practitioners. Forensics practitioners may be expected to handle avariety of different devices, technology, operating systems, software, and data. With the constant advance of each of these technologies, as well as tools and techniques for analysingevidence, the field isconstantly evolving. Your aim is to examine one aspect of modern advances in the academic field of digitalforensics and put the implications into context for a forensics practitioner.

Create a simulated evidence set centred primarily around a web browser session. The evidence set should include some suspicious activity, but nothing too serious. A good evidence set will show that someone was (possibly) planning something suspicious/malicious, but there should be no danger of you breachingany relevant laws/policies/codes of conduct in the creation of the evidence set. It is advisable that this be a browser session on a newly installed browser, e.g., using a virtual machine. Having created this evidence, process this evidence as if you were a forensic investigator. Conduct the appropriate actions for evidence collection, preservation, and analysis in accordance with the ACPO guidelines1:

• Collection: How did you obtain the evidence? What tools/commands did you use to collect theevidence? How reliable are these tools/commands? Were all the collection actions recorded in detail (i.e., with enough detail for someone else to reproduce the steps)? Was the collection done in a way to minimise any possible changes on the evidence device?
• Preservation: Is the copy of the evidence obtained an exact duplicate of the original evidence files/folders? Has the meta-data of the files/folders also been preserved? Can the integrity of the collected evidence be verified? Has the evidence been stored/processed in a way to determine ifany modification of the evidence happens? Were all the preservation actions recorded in detail (i.e., with enough detail for someone else to reproduce the steps)?
• Analysis: What conclusions can be drawn from the evidence and what is your confidence in these conclusions? What tools have been used to assist in the analysis and how reliable are these tools?

Has the analysis been conducted on the exact duplicates of the original evidence files and has this analysis caused any modification to these files? Were all the analysis actions recorded in detail (i.e., with enough detail for someone else to reproduce the steps)?

Select a recent academic paper on a topic related to Digital Forensics (you may find it helpful to use sites such as IEEExplore2 and Google Scholar3

Provide a written review of the paper that includes:

• Any relevant background. Explain some of the related theory and/or context that underpins the paper.
• A summary of the main contributions of the paper. In your own words explain what novel approach/tool/technique the authors have presented.
• Your critical evaluation of the significance of the paper. Give your assessment of the positive and negatives of the paper. Identify good practices in the paper that could be reproduced in other, related works. Identify areas that the authors neglected to fully explore or where the work could have been improved/where there is scope for further work.
• The implications that the paper has to the practice of digital forensics. Describe possible scenarios where you could envision the results of the paper providing a tangible benefit to an investigation.