Digital Forensics Investigation: Tools and Techniques

Plagiarism and its Consequences

Work presented in an assessment must be your own. Plagiarism is where a student copies work from another source, published or unpublished (including the work of another student) and fails to acknowledge the influence of another’s work or to attribute quotes to the author. Plagiarism is an academic offence, and the penalty can be serious. The University’s policies relating to Plagiarism can be found in the regulations at To detect possible plagiarism, we will submit your work to Turnitin, a worldwide plagiarism detection facility.

This tool searches the Internet and an extensive database of reference material including other students’ work to identify. Once your work has been submitted to the detection service it will be stored electronically in a database and compared against work submitted from this and other universities. It will, therefore, be necessary to take electronic copies of your materials for transmission, storage and comparison purposes and the operational backup process. This material will be stored in this manner indefinitely.

By submitting your assignment, you agree to the above terms and conditions of your submission.

Learning outcomes

LO1 Demonstrate ability of following professional processes during the phases of an investigation

LO2 Understand and follow the core functions of a forensic examination through using software and associated technology in a secure and professional manner.

LO3 Implement appropriate terminology into a digital forensic examination.

School of Mathematics and Computer Science, University of Wolverhampton

You are part of a team working for Z-Security, an elite digital forensics company in the UK that was invited to investigate a recent security incident involving suspected criminal activities taking place in a medium-sized company called UBB. You have been hired to physically investigate some of the affected assets, while other Z-Security team members were assigned similar tasks in order to reduce the overall investigation time. As part of your role, you will be asked to prepare an appropriate digital forensics toolkit together with a Digital Forensics Investigation (DFI) model to facilitate your investigation tasks. Any legal interface between law enforcement and this organisation is also a component to be evaluated as part of your assignment.

The incident(s): Network administrators at UBB identified unusual P2P and encrypted traffic that is rarely needed to support their business processes. An early investigation of some of their system logs confirmed suspicious connections, some of which bypassed their firewall rules. Alice, a senior ICT manager with reasonable incident response training, was keen to keep all the machines attached to the suspected subnet running while he sent an urgent request for Z-Security to start an investigation (based on an Incident Response contract between the two parties).

Bob’s decision was significantly encouraged by recent reports showing further incidents in the company, in particular, an increased number of staff accounts being accessed from unusual locations inside and outside the company. This has raised concerns of the possibility of an insider attack or inappropriate behaviour and misuse of the company’s infrastructure.

Ethical and Legal Implications

Due to the nature of this module, you MUST ensure that ALL the tools utilised for this module and its coursework are carefully contained within a controlled laboratory environment.

Performing digital investigation on the dedicated coursework VMs and within University cyber labs is permitted, but it is very important to note that unauthorised access to the rest of the university network is NOT allowed. A full monitoring process will be in place and offenders could be prosecuted. Ask your lecturer to clarify any doubts should you have further inquiries. Overall, make sure you comply with UK legislation and all associated professional and ethical behaviour.

The purpose of this assignment is NOT to teach you how to break computer systems but rather to understand how authorised digital investigations are performed following the detection of an incident.

Assignment Tasks

In response to the incident(s), Z-Security assigned you several tasks as part of their main digital investigation. You were given the following tasks:

  1. To develop an Expert Report template using MS Word. Z-Security wants a new template to standardise and use for this investigation to maintain cross-team consistency in their documentation. The template should include suitable branding, titles, subtitles and notes. [should not exceed 3 pages]
  2. To conduct a literature review and critically discuss published Digital Investigation Process Models. The narrative should compare and conclude (with justification) the most suitable model for Z-Security to adopt. Examples of criteria to support your conclusion include, but are not limited to, the model’s ability to cover new technologies (e.g. IoT), flexibility, and to support the team’s collaborative activities. This discussion must be referenced throughout. [Word count (excluding references): 500 words ± 10%]
  3. To perform full analysis on a byte-to-byte copy of the given asset: the machine’s hard drive and memory (volatile data). As a Digital Investigator, you are expected to work within the guidance of a forensic model to report your findings. You must discover, document and forensically report any two actions performed on the seized device in violation of UBB’s Acceptable Use Policy (AUP), which can be found in Appendix 1. Your work during the investigation should consider the rigour, reproducibility and integrity of data. Any findings that could help attribute these actions to one or more individuals will be relevant as well. [no word count or maximum number of pages, but do not document more than two unacceptable actions]
  4. To develop a Digital Investigation Toolkit prioritising open-source tools. These tools will be utilised by you for this incident to perform the required analysis (i.e. for the specific type of technology you will investigate, everything else is out of scope), or to be used by any Z-Security team in the future for the same type of investigation. The Toolkit should be presented within a table and supported by any brief notes deemed necessary. [2-3 pages]

Further details and guidelines

- Support your work with screenshots and photos when required.

- To successfully meet the requirements, you must investigate and answer the given assignment tasks and consider the criteria given in the attached marking scheme.

- During the incident investigation, instructors (management board) will observe your work during the lab and take notes on the appropriateness of your progress.

- While considering legal aspects, remember that both UBB and Z-Security operate in the UK.

- The structural arrangements of the report are part of the assignment, and you are expected to make informed decisions to plan it accordingly.