Individual Assignment COMP3721 - Enterprise Information Security
EIS and EIS(GE) Assignment 2
Forensic Analysis
Step One:
Create forensic reports of the user folder using bulk extractor. DO NOT EXAMINE YOUR
WHOLE DISK
On a Windows system this is
C:\Users\
On a Mac system this is
/Users/
Note that these paths may be different depending on your system’s configuration.
Step Two:
Analyse the information in the generated reports.
What information can you find? For example
• who are the users?
• what personal information is found?
• which Internet sites have been visited?
• which communication trails are found?
• what are the users’ hobbies or interests?
• what did you find that surprised you?
• did you find potential threats?
For each step in your analysis make detailed notes for your forensic report.
Other tools may be used, such as grep (grepWin or greppie), a hex editor (HxD or 0xED), ExifTool,
or The Sleuth Kit (Autopsy).
Step Three:
Write the Case Report which should contain these headings
The Case Summary
In the case summary, the basic information about the situation is briefly
described. What happened to lead to an investigation being launched? Remember you are
role playing a digital forensic analyst.
Acquisition and Preparation
The report goes into the steps taken in preparing the devices and
media for examination and how the examination of the materials was conducted. This section
of the final report summarises the details that are in the various examinations logs that were
collected along the way. It is not necessary to be quite as detailed here, but it is important
that no steps be left out. You should not include details of sensitive information in the
report. Details that should be included are: any actions taken prior to evidence acquisition
(such as photographic records); how the media on which forensic copies were stored was prepared,
including what tools were used to protect and/or sanitise the media; before/after hash values
of the disk images examined; the tools that were used for making images; and the individual steps
that were taken during each process.
Include times and dates that evidence items were handled.
Findings
The findings section is not a place for coming to conclusions. This is only where the
results of the various tests, examinations, and procedures are reported. As with the preparation
stage, it is necessary to document what tools were used and what steps were taken, but not
a minutely detailed description.
The process used in any given file search should be described, including such details as search
strings used, Boolean operators used, and so forth. Rather than list each and every file found
during the search, a summary of findings, including the number and types of files found, is
in order. The results of an Internet search would include a listing of any Web sites visited
by users on the target system, organised by user. A histogram of Internet activity could be
included to show where most activity occurred.
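The per-user listing of Web sites and the histogram of Internet activity asked for above (and the "which Internet sites have been visited?" question in Step Two) can be produced from the url.txt feature file that bulk_extractor writes. The following is an added example, not part of the assignment or of bulk_extractor itself; it assumes feature lines are tab-separated (forensic path, feature, context) with '#' comment lines, that column one carries the source file's path in the "sourcefile-offset" form when a directory is scanned with -R, and that the sample lines embedded below are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample of a bulk_extractor url.txt from a scan of a Users folder.
# Real feature files are tab-separated (forensic path, feature, context) with
# '#' comment lines; the "sourcefile-offset" form of column one is assumed here.
SAMPLE_URL_TXT = """\
# Feature-Recorder: url
# Feature-File-Version: 1.1
C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\History-4096\thttps://mail.example.com/inbox\t<ctx>
C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\History-8192\thttps://mail.example.com/compose\t<ctx>
C:\\Users\\alice\\Documents\\notes.txt-12\thttp://forum.example.org/t/123\t<ctx>
C:\\Users\\bob\\AppData\\Roaming\\Thunderbird\\Profiles\\x.default\\Inbox-777\thttps://bank.example.net/login\t<ctx>
C:\\Users\\bob\\Downloads\\readme.html-0\thttps://bank.example.net/help\t<ctx>
C:\\ProgramData\\cache.bin-1\thttp://unattributed.example.com/\t<ctx>
"""

# Profile folder names under Users\ (Windows) or /Users, /home (macOS, Linux).
USER_RE = re.compile(r"(?:^|[\\/])(?:Users|home)[\\/]([^\\/]+)[\\/]", re.IGNORECASE)

def parse_feature_file(text):
    """Yield (forensic_path, feature) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            parts = line.split("\t")
            if len(parts) >= 2:
                yield parts[0], parts[1]

def user_from_path(forensic_path):
    """Attribute a hit to the account whose profile folder it was carved from."""
    m = USER_RE.search(forensic_path)
    return m.group(1).lower() if m else "(unattributed)"

def site_histogram(text):
    """Return {user: Counter({host: hits})} for the contents of url.txt."""
    hist = defaultdict(Counter)
    for path, url in parse_feature_file(text):
        host = urlsplit(url).hostname
        if host:                      # skip malformed carves with no host
            hist[user_from_path(path)][host] += 1
    return dict(hist)

def render(hist):
    """Text histogram: users, then hosts, in descending order of activity."""
    out = []
    for user, counts in sorted(hist.items(), key=lambda kv: -sum(kv[1].values())):
        out.append(f"{user}:")
        out.extend(f"  {host:<28} {'#' * n} ({n})" for host, n in counts.most_common())
    return "\n".join(out)
```

Run `print(render(site_histogram(open("url.txt").read())))` against the report directory to get the per-user table; hits that fall outside any profile folder are grouped under "(unattributed)" so that nothing is silently dropped from the findings.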
Conclusion
The summary is where the investigator presents the interpretation of the facts. The
“how” and “why” parts of the story are filled in.
At this point, the writer of the report may need to do more than present facts about what was
found. As with all other sections in this report, the expression of opinions should be reserved.
However, this is the one place in the report where a professional opinion might be required.
The conclusion should tie all other sections together. The final report should indicate that
the investigation was thorough and complete.
Assessment
This assignment contributes 30% of your overall assessment for the topic. The grading for this
assignment will be according to the University rating scheme [HD, DN, CR, P, F].
You are required to submit the Case Report in a PDF file to the assignment box on FLO by
Monday Week 10, 9:00am
Ensure that you have appropriate identification of your work, which includes full identification
information {StudentID, Name, FAN}
There is no set word count. It depends on what you find and how you interpret it. However, be
concise!
COMP9721 - Enterprise Information Security GE