Module Code
COM0015M

BSc, BEng and MEng Degrees Examination 2020-21
DEPARTMENT OF COMPUTER SCIENCE
Forensic Analysis of Cyber Incidents (FACI)
Open Individual Assessment

Issued​: 12/Feb/2021 12:00 noon
Submission due ​: 18/Mar/2021 12:00 noon
Feedback and Marks due​: 15/Apr/2021 12:00 noon

All students should submit their answers through the electronic submission system:
http://www.cs.york.ac.uk/student/assessment/submit/​ by 12:00 noon, 18/Mar/2021. An
assessment that has been submitted after this deadline will be marked initially as if it had been
handed in on time, but the Board of Examiners will normally apply a lateness penalty.
Your attention is drawn to the section about Academic Misconduct in your Departmental Handbook:
https://www.cs.york.ac.uk/student/handbook/​.
Any queries on this assessment should be addressed by email Angus Marshall,
[email protected] ​OR by posting a question in the relevant section of the VLE discussion
forum​ (preferred mechanism). Answers that apply to all students will be posted on the VLE.

Rubric:
Answer all questions. Note the page limits for each question. Parts of answers that go
beyond the page limit ​will not​ be marked. Any references or other sources used must be
listed at the end of the document and do not count towards page limits.

Your exam number should be on the front cover of your assessment. You should not be
otherwise identified anywhere on your submission.

Page 1 of 3
General marking criteria
1. There are two questions. Answer both questions. Note that the two questions are related
and both deal with the scenario given below.
2. In all questions, the marks are awarded for addressing the problems set, the quality of your
discussion and justification of your assumptions/choices/conclusions etc.
3. You are expected to research your answers and to cite appropriate academic and/or other
sources in an appropriate format for the type of report you have been asked to write. It is
probably not sufficient to use only the module notes.
4. You may need to make assumptions about the systems involved in order to propose
solutions; this is acceptable provided any such assumptions are realistic, clearly stated and
do not conflict with any information provided to you.
5. Present your answers on A4 pages, with a minimum 11pt font, minimum 120% line spacing
(what Word calls “Multiple 1.08”), and minimum 2cm margins either side.
Each question has an indicated number of pages in which to answer it. Cover page and reference
lists or bibliographies do not count towards these limits. Excess pages will not be marked.
Scenario
During the pandemic, the offices of the University of Grand Fenwick’s Computer Science dept. had
been largely unoccupied, with only essential admin. and support staff on duty. Academic staff have
been permitted to access their offices occasionally, in order to pick up essential books, papers and
equipment, or between face to face teaching sessions.
Because of this, the IT manager has taken the opportunity to conduct an audit and maintenance
exercise to identify all equipment present in dept. and perform essential updates.
During this process, a device was found plugged into a USB docking station in one of the staff offices.
The member of staff whose office it is denies all knowledge of this device and reports that it they do
not believe it was present when they last checked their office on 4th November 2020. The device
was found on 25th January 2021.
The IT manages is concerned that this device may be evidence of a breach, or attempted breach, of
security and has requested that you carry out an examination of it and provide further advice (see
below).
A suitably qualified technician has imaged the device and will provide you with the image and a
record of the examination of the physical device, which includes photographs, any serial numbers
etc.
Background - the department runs a mixture of Debian Linux and Windows desktop machines in staff
offices, with some staff also using Macintosh, Chrome, Android and iOS devices on the wireless
network. It has its own Windows servers for data storage (accessible from Windows and Linux
desktops) and a contract with Google for email, cloud data storage and other services (accessible by
anyone with a departmental user account).. Access to central University services is available via the
dept. network which is connected to the main University network through a managed switch.

Page 2 of 3
Task
1. [40 marks] Examine the device image, and related information, and produce your report, for
senior management (some of whom are not IT specialists), giving as much information as possible
about the device’s involvement, or potential to be involved, in a security breach. Your report is not
intended to be used for court proceedings at this stage, but should highlight anything which may be
significant should a prosecution be required. ​Maximum length: 5 pages.
2. [60 marks] Produce a plan for how you would conduct an investigation to determine which
systems had been affected by an incident involving a device of this type, including details of the
nature of any evidence you would hope to recover from affected systems, how/where you would
find this evidence, and what it would mean. Your plan should include consideration of any legal as
well as technical issues which affect the ability to present any of the relevant evidence in court in
this case.
NOTE: ​This should be a plan which will work for ​FUTURE​ investigations, and should not necessarily
be specific to this incident. It should be possible for a competent IT technician to follow the plan and
recover evidence without having to further interpret the plan. The plan must include sufficient
information for the IT team to prepare, in advance, for an investigation to be carried out as soon as
an incident has been detected​. Maximum length: 10 pages.
Mark allocation - for guidance only.
In Question 1, marks will be allocated for clarity & usability of your report (10), application of sound
forensic methods (10) and use of appropriate analytical & interpretive methods (20).
In Question 2, marks will be given for identification of potential evidence sources (25), consideration
of evidential issues (10), evidence of structured planning (15) and overall usability & clarity of the
plan (10).


END OF PAPER

Page 3 of 3

欢迎咨询51作业君