Tutoring case - COMP3721 - Assignment 2
Individual Assignment
COMP3721 - Enterprise Information Security
EIS and EIS(GE)
Assignment 2: Forensic Analysis

Step One: Create forensic reports of the user folder using bulk_extractor.

DO NOT EXAMINE YOUR WHOLE DISK. On a Windows system the user folder is C:\Users\; on a Mac system it is /Users/. Note that these paths may be different depending on your system's configuration.

Step Two: Analyse the information in the generated reports. What information can you find? For example:
- who are the users?
- what personal information is found?
- which Internet sites have been visited?
- which communication trails are found?
- what are the users' hobbies or interests?
- what did you find that surprised you?
- did you find potential threats?
For each step in your analysis make detailed notes for your forensic report.

Other tools may be used, such as grep (grepWin or greppie), a hex editor (HxD or 0xED), ExifTool, or SleuthKit (Autopsy).

Step Three: Write the Case Report, which should contain these headings.

The Case Summary
In the case summary, the basic information about the situation is briefly described. What happened to lead to an investigation being launched? Remember you are role playing a digital forensic analyst.

Acquisition and Preparation
The report goes into the steps taken in preparing the devices and media for examination and how the examination of the materials was conducted. This section of the final report summarises the details that are in the various examination logs that were collected along the way. It is not necessary to be quite as detailed here, but it is important that no steps be left out. You should not include details of sensitive information in the report.

COMP9721 - Enterprise Information Security GE
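The examination logs this section draws on need to tie every handling action to a time, an examiner and the item's hash value, so that the before/after values quoted in the report come from one repeatable routine. The script below is an added example, not part of the assignment brief or of any tool it names: it hashes a stand-in image file with SHA-256 in chunks, records each handling action with a UTC timestamp in a small evidence log, and verifies at the end that the hash still matches the value taken at acquisition. The item id, examiner name and file contents are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large disk image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk_size), b''):
            digest.update(block)
    return digest.hexdigest()


class EvidenceLog:
    """Handling log for one evidence item.

    Every action gets a UTC timestamp, the examiner's name and the item's
    SHA-256 at that moment; the first hash recorded becomes the baseline that
    later checks are compared against.
    """

    def __init__(self, item_id, path):
        self.item_id = item_id
        self.path = path
        self.events = []
        self.baseline_hash = None   # hash recorded at acquisition

    def record(self, action, examiner):
        digest = sha256_file(self.path)
        if self.baseline_hash is None:
            self.baseline_hash = digest
        self.events.append({
            'time': datetime.now(timezone.utc).isoformat(timespec='seconds'),
            'item': self.item_id,
            'action': action,
            'examiner': examiner,
            'sha256': digest,
        })
        return digest

    def verify(self):
        """True if the item still hashes to the value taken at acquisition."""
        return sha256_file(self.path) == self.baseline_hash

    def to_json(self):
        """Serialised log, suitable for quoting in the Acquisition section."""
        return json.dumps(self.events, indent=2)


def demo_integrity_check():
    """Walk a constructed item through acquisition, examination and an
    accidental write. Returns (ok_after_examination, ok_after_modification,
    number_of_logged_events)."""
    fd, image = tempfile.mkstemp(suffix='.dd')   # stand-in for a disk image
    os.close(fd)
    try:
        with open(image, 'wb') as f:
            f.write(b'constructed image bytes\x00' * 4096)   # not real evidence
        log = EvidenceLog('ITEM-001 (placeholder id)', image)
        log.record('acquired image, write-blocker attached', 'examiner A')
        log.record('examination complete (read-only)', 'examiner A')
        ok_after_exam = log.verify()
        with open(image, 'ab') as f:     # simulate a write the examiner should never make
            f.write(b'\x00')
        log.record('post-examination check', 'examiner A')
        ok_after_change = log.verify()
        return ok_after_exam, ok_after_change, len(log.events)
    finally:
        os.remove(image)


if __name__ == '__main__':
    print(demo_integrity_check())
```

In a real examination the baseline hash is taken once, immediately after imaging, and every later `record` call gives the report a dated line with a hash to compare against it; a `verify` that returns False is itself a finding that must go into the log rather than be quietly repaired.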
Details that should be included are any actions taken prior to evidence acquisition (such as photographic records); how the media where forensic copies were stored was prepared, including what tools were used to protect and/or sanitise the media; before/after hash values of disk images examined; tools that were used for making images; and the individual steps that were taken during each process. Include times and dates that evidence items were handled.

Findings
The findings section is not a place for coming to conclusions. This is only where the results of the various tests, examinations, and procedures are reported. As with the preparation stage, it is necessary to document what tools were used and what steps were taken, but not a minutely detailed description. The process used in any given file search should be described, including such details as search strings used, Boolean operators used, and so forth. Rather than list each and every file found during the search, a summary of findings, including the number and types of files found, is in order. The results of an Internet search would include a listing of any Web sites visited by users on the target system, organised by user. A histogram of Internet activity could be included to show where most activity occurred.

Conclusion
The conclusion is where the investigator presents the interpretation of the facts. The "how" and "why" parts of the story are filled in. At this point, the writer of the report may need to do more than present facts about what was found. As with all other sections in this report, the expression of opinions should be reserved. However, this is the one place in the report where a professional opinion might be required. The conclusion should tie all other sections together. The final report should indicate that the investigation was thorough and complete.

Assessment
This assignment contributes 30% of your overall assessment for the topic.
The grading for this assignment will be according to the University rating scheme [HD, DN, CR, P, F].

You are required to submit the Case Report in a PDF file to the assignment box on FLO by Monday Week 10, 9:00am.

Ensure that you have appropriate identification of your work, which includes full identification information {StudentID, Name, FAN}.

There is no set word count. It depends on what you find and how you interpret it. However, be concise!
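Step Two asks which Internet sites have been visited and which communication trails exist, and the Findings section wants those results organised by user, with a histogram of activity and a summary rather than a listing of every item. The script below is an added example, not from the assignment brief or from bulk_extractor itself: it parses feature files in the tab-separated layout bulk_extractor writes (forensic path, feature, context, with '#' comment lines), attributes each hit to the user whose folder it came from, builds a per-user histogram of hostnames, and counts e-mail addresses per user without listing them, which keeps the summary free of the sensitive details the report should not contain. The sample lines are constructed for the example; the exact path layout of a real scan of your own user folder may differ, so the user-extracting regex is the one assumption to check against your output.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the layout bulk_extractor uses for feature files:
# forensic-path <TAB> feature <TAB> context, with '#' comment lines. Users,
# paths and values are invented for this example, not output of a real scan.
SAMPLE_URL_FEATURES = """\
# BANNER FILE NOT PROVIDED (-b option)
# Feature-Recorder: url
/Users/alice/Library/Cookies/Cookies.db-1024\thttp://news.example.org/tech\t...news.example.org/tech...
/Users/alice/Library/Safari/History.db-2048\thttps://news.example.org/sport\t...
/Users/alice/Library/Safari/History.db-4096\thttps://shop.example.com/cart\t...
/Users/bob/AppData/Local/cache.bin-512\thttps://forum.example.net/thread/1\t...
/Users/bob/AppData/Local/cache.bin-768\thttp://forum.example.net/thread/2\t...
C:\\Users\\carol\\Downloads\\page.html-0\thttps://news.example.org/\t...
"""

SAMPLE_EMAIL_FEATURES = """\
# Feature-Recorder: email
/Users/alice/Documents/notes.txt-10\talice@example.org\t...
/Users/alice/Documents/notes.txt-200\tfriend@example.net\t...
/Users/bob/Mail/inbox.mbox-3000\tbob.smith@example.com\t...
"""

# Assumption: the forensic path starts with the scanned file's path, so the
# user is the path component after 'Users' (both / and \ separators handled).
USER_RE = re.compile(r'(?:^|[/\\])Users[/\\]([^/\\]+)[/\\]')


def parse_feature_file(text):
    """Yield (forensic_path, feature) pairs, skipping comments and short lines."""
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        parts = line.split('\t')
        if len(parts) < 2:
            continue
        yield parts[0], parts[1]


def user_for_path(path):
    """Map a forensic path to the user whose folder it lies in."""
    match = USER_RE.search(path)
    return match.group(1) if match else 'unknown'


def url_histogram_by_user(text):
    """Return {user: Counter(hostname)}: sites visited, organised by user."""
    hist = defaultdict(Counter)
    for path, url in parse_feature_file(text):
        host = urlsplit(url).hostname
        if host:
            hist[user_for_path(path)][host] += 1
    return hist


def email_summary_by_user(text):
    """Count distinct addresses per user without reproducing them in the report."""
    found = defaultdict(set)
    for path, addr in parse_feature_file(text):
        found[user_for_path(path)].add(addr.lower())
    return {user: len(addrs) for user, addrs in found.items()}


def render_histogram(hist, width=30):
    """Text histogram of activity per user, most visited host first."""
    lines = []
    for user in sorted(hist):
        lines.append(f'[{user}]')
        total = sum(hist[user].values())
        for host, n in hist[user].most_common():
            bar = '#' * round(width * n / total)
            lines.append(f'  {host:<24} {n:>4} {bar}')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(render_histogram(url_histogram_by_user(SAMPLE_URL_FEATURES)))
    print('distinct e-mail addresses per user:',
          email_summary_by_user(SAMPLE_EMAIL_FEATURES))
```

Point the two `SAMPLE_*` strings at the contents of the `url.txt` and `email.txt` files in your bulk_extractor output directory to run it on a real report; the per-user hostname counts are what the Findings listing and histogram need, while the raw URLs and addresses stay in the working notes.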