SIT282- Computer Crime and Digital Forensics T2 2019
Assessment Task 2 Case Investigation and Recommendation Report
Due: Sunday October 3rd at 11.59pm (end of week 11).
Total Available Marks: 35, Weighting 35%
General Requirements
Please use the “Assessment_Task_2_TEMPLATE” file provided in the assessments
folder on the Unit Site to complete this assessment.
• NO EXTENSIONS allowed without medical or other certification.
• LATE ASSIGNMENTS will automatically lose 5% per day up to a maximum of five
days, including weekends and holidays. Assignments submitted 6 or more days late will
not be marked and are given zero.
• The virtual machine used for the practicals contains all the tools required to complete this
assessment task.
• Ensure you take screenshots of your work for evidence and that these are legible in your
report.
• To complete this assessment you will need to have followed the theoretical material and
completed the practicals for weeks 7-9. This assessment covers material up to the week
ending September 13th.
• Your submission must be in a PDF format.
• Maximum size of your submission should be 15 pages excluding the cover page but
including screenshots, table of contents, 2-page digital forensic report prepared for Sandra
(refer to item 7 on the next page) and references. The font size should be no less than
11pt.
• No marks will be given if you fail to show evidence of your working, i.e.
the process carried out to produce your solution. The report should be
written so that the steps performed are reproducible.
• Ensure you keep a backup copy of your work.
• Plagiarism is not tolerated. For information on Plagiarism and Collusion including
penalties please refer to the link:
http://www.deakin.edu.au/students/clouddeakin/help-guides/assessment/plagiarism
• The APA Referencing Style is to be used for this assignment where appropriate.
https://www.deakin.edu.au/students/studying/study-support/referencing/apa-6
Help with the assessment
If you require assistance please ask your instructors (Burwood students ask your practical
demonstrator; Geelong and Cloud students ask Damien Hutchinson). We will NOT answer
questions that are requesting answers or solutions. A question MUST be substantiated with
evidence that work has been attempted relating to the question being asked.
The marking rubric is attached to the submission link on the Unit site. This provides a
detailed structure for successfully completing the assessment. Be sure to refer to the relevant
section of the rubric when asking a question. The only other advice is to ensure you do not
leave this until the final days before the due date.
THE CASE:
The hazardous materials team is called suddenly at 3 a.m. on May 10 to a warehouse
behind Roma St station in Brisbane. Team member Moti identifies the scene as a drug
manufacturing location, and the people there have hurriedly packaged up the loose
powders they were working with, leaving traces on the floor and across many desk
surfaces. Moti makes a decision not to call the forensic squad in when he sees the
drug traces, because he suspects the drug is at the top of the current most dangerous
list and he needs to take samples back to his lab for analysis before identifying it.
However, Moti is familiar with the protocol when there is a computer in the area, and
calls his colleague Sandra, waking her at 3:17 a.m. to walk him through a capture of
computer data for forensic analysis. He is able to shut down the laptop, and removes it
from the scene along with several CDs found in the desk.
Later that day, Sandra analyzes the laptop and CDs in the police forensics lab. The
computer is equipped with Windows and only a basic Word document facility and
Internet Explorer, a program called “OpenPuff”, and has software for showing DVDs
and image files. No documents appear to have been stored on the machine. Three of
the CDs are actually DVDs with recent movies. The fourth contains a suspicious ZIP
file.
Sandra makes three forensic copies of all the data and stores two of them safely in the
lab. She then delegates the laptop and CDs to various staff members for analysis,
distributing the third copies to them. As most of the staff are also involved in a large
on-going investigation she decides to ask for the help of an additional team member
who is holidaying overseas.
You receive a secure e-mail from Sandra with an attachment containing two NTLM
hash strings retrieved from the criminal’s laptop and the ZIP file from one of the CDs,
along with a request to analyse it as quickly as possible for any pertinent information,
and an apology for interrupting your holiday.
The two NTLM hashes are:
D6A21EA26063C42FC9876E4B0C51BC82:CA72B189F412A384D96B785A08176773
and
8282461A2BDAF626E6067B973FDDC643:5C305D4616C7571D5DDC6EEA5BA5C395
TO DOWNLOAD A COPY OF THE ZIP FILE IN THE EMAIL ATTACHMENT COPY AND
PASTE THIS URL INTO A WEB BROWSER:
http://www.deakin.edu.au/~zoidberg/2019A02.zip
And you are advised that the MD5 hash value of the executable file should be
9ec1c8f62429182349f3979c39aed8fb
Analyze this file and report your findings using the outline below. (For marking
purposes, it is strongly recommended that you follow this outline.)
DIGITAL FORENSIC PROCEDURE
1. Explain how you downloaded the file, what precautions you took, and how you
ensured its integrity.
2 marks
2. Describe how you crack the two given NTLM hash values using OphCrack,
including screenshots.
3 marks
3. Describe the process that you apply to open the downloaded file. Describe whether
there is a relationship between this process and the information obtained in Step 2.
3 marks
4. Describe the actual content of the encrypted file that you identified in Step 3. If
there are multiple files, list their file names, types and MD5 hash values. Describe
the visual contents in each file.
4 marks
5. What tools will you now use to proceed with your investigation and why?
3 marks
6. Describe how your investigation proceeded at this point, including screenshots.
12 marks
DIGITAL FORENSIC REPORT
7. Write a two-page report for Sandra listing your findings and recommendations.
Make appropriate suggestions on how a further investigation should proceed.
Construct and complete a single-item evidence form as part of your report.
8 marks