Computer Forensics Investigations - Digital Investigation Coursework

This assignment allows you to build your knowledge and critical evaluation of computer forensics investigations. To pass the coursework you must demonstrate your understanding of the practice of digital investigations as they are conducted in an organisation. This is achieved through the investigation of computer-based evidence using tools and techniques that you have been introduced to during the module delivery. You are allowed to make use of any references during your digital investigation but are encouraged to use academic sources such as conference and journal papers. This is an individual coursework.

Assessment Scenario/Problem

Many organisations have an IT security strategy in place covering the management of IT security facilities and acceptable activities undertaken within the organisation. Computer forensics has long been an activity within the bounds of law enforcement agencies. However, commercial organisations are increasingly making use of computer forensics tools and techniques to investigate system misuse. In addition, corporate digital investigations are also conducted to provide evidence in cases such as fraud, Intellectual Property theft, or harassment.

Another UK university, which does not have expertise in computer forensics, has asked Nottingham Trent University's College of Science and Technology (NTU CST) to conduct a digital investigation into suspected Intellectual Property (IP) ‘theft’ on their behalf. A number of relevant files have been recovered from a staff member's (Dr John Haggerty) shared drive. In addition, a number of emails have been recovered from the mail server and provided as .pst archives. All recovered files have been placed on a flash memory drive and imaged by IT staff at the other university. The image is made available to you via the module room on NOW. You are to investigate the files and provide a report of your findings to NTU CST’s School Management Team. 

The report should include a brief description of the analysis procedures you followed and the programs that you used during the investigation. 

You are expected to analyse the image thoroughly and to report all evidence that may indicate that IP ‘theft’ has taken place or was in the process of taking place when the image was made. You should also report any evidence that you find that suggests that IP ‘theft’ has not taken place.

Your report should not exceed 3000 words (excluding references, tables, captions and appendices). Particular care should be made to ensure that the report contains correct references to all cited work in an appropriate style, for example, the Harvard Referencing System or the American Psychological Association style. You should submit your report to the module Dropbox in NOW before the submission deadline.