COM6016: Cyber Threat Hunting and Digital Forensics
Forensics Case Study Assessment, October 2022
Submission Deadline: 15:00 on Wednesday, 14th December 2022

This assignment is worth 60% of the module mark. It is made up of four different parts, and you are required to answer all the questions below. All answers must be supported with adequate academic references. The assignment must not exceed 10 pages.

PART 1 [25%]

Leo R is a known local thief and suspected drug trafficker. On the 31st of October 2022, he was arrested while flying a DJI Phantom 2 Vision drone near HM Prison Berwyn. Prison officers suspect he has been using the drone either to deliver drugs to the prison or as part of planning a jailbreak. The drone has been seized, as well as his mobile devices and a USB drive. Suppose you have been assigned as the Forensics Lead on the case.

A. Using your knowledge of Digital Forensics and the Digital Forensics process, describe how you would approach this case from the point of arrest.

B. A USB disk image seized from Leo R has been provided to you. What do you suspect he was doing around the prison with a drone? To obtain the maximum marks for this question, you need to describe your process and provide evidence to support your suspicion.

PART 2 [40%]

Ciara works for a cosmetics company. She spends 20% of her time travelling to connect and liaise with clients and suppliers in different countries. When travelling or visiting other companies' sites, Ciara uses her laptop and business mobile phone for personal activities. She also sometimes works from home, mainly connecting to the company network via a Virtual Private Network (VPN).

During the last six months, the CEO noticed a decrease in the company's revenue, coinciding with the entrance of a new competing cosmetics start-up working on the same line of products and acquiring their customers. The CEO scheduled an urgent meeting with the executive board and some concerned staff members to look at the revenues of the running year and come up with a strategy to outperform this new start-up. Ciara attended the meeting, but the CEO noticed that she was particularly evasive when several questions were asked about the new start-up, called CyCo, located in Paris. A few days after the executive board meeting, Ciara submitted her resignation.

The CEO suspects that Ciara is involved with this new start-up and is probably sharing customer data and private product information with that company and possibly others. In line with company policy, Ciara handed her laptop to the IT team following the submission of her resignation letter; while preparing the laptop for a new staff member, the IT support staff noticed some suspicious files, and a data breach investigation was opened. On Friday, Ciara celebrated her farewell with her colleagues, handed the keys and the business mobile phone to the IT team at 1 pm and left the company.

The IT team has now imaged Ciara's laptop and mobile phone and provided you with the following:
- Digital image of Ciara's laptop (taken during her business visit)
- Network capture of Ciara's laptop (part3_cosmetic.pcap)

You are required to write a forensics report of at most 800 words explaining how you went about your investigation; the report is to be used in court to prosecute or exonerate the suspect.

PART 3 [15%]

BGP hosting is a web hosting company providing dedicated and shared hosting services to UK businesses. The company was founded in 2011 and currently employs 65 staff in two locations, London and Bristol. The company has an annual turnover of £4 million and primarily provides services to businesses in the aerospace and health sectors.

On 30th August 2021, one of the system administrators at BGP hosting noticed that a server belonging to a health care client was consuming a lot of system resources and had a few suspicious active network connections. The server was restarted, scanned and passed to the security team for monitoring. On 1st September 2021, the security team resumed work at 9am and began looking at the tasks assigned, but a quick assessment of the server revealed nothing strange. On 2nd September 2021, the server became inaccessible to clients and a support request was raised by the client. At 11 am, the system administrator was greeted with a ransomware message: "Your server has been infected with ransomware, Your data has been encrypted, you need to pay 125 bitcoins to unlock it".

Assume you work for BGP hosting as a forensics analyst and your colleagues have provided you with the disk images of the 2 x 2TB hard drives connected to the server and a live capture of the device's memory. Explain how you would go about handling this incident to ensure that digital evidence is captured, forensic integrity is maintained and the business can resume operations within a few days.

PART 4 [20%]

You have been provided with a network capture involving about nine servers in an enterprise network. Your colleague, an IT administrator, suspects there is some suspicious activity going on. Using your knowledge of cybersecurity and network forensics, you are required to analyse the PCAP file new_part_4.pcapng and suggest what you think might be going on in the network packet sequence.

Submission

The final report must be submitted in PDF format using Blackboard. The submission deadline is 3pm on Wednesday, 14th December 2022. The standard penalties for late submission of work apply: https://sites.google.com/sheffield.ac.uk/compgtstudenthandbook/home/your-study/assessment/late-submission

Unfair Means

This is an individual assignment and you must not collaborate with other students. The standard rules concerning unfair means apply: https://sites.google.com/sheffield.ac.uk/compgtstudenthandbook/home/your-study/referencing-unfair-means

Questions

If you have any questions concerning what is required by this assignment, please email them to:
[email protected]
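Part 3 asks how digital evidence is captured while forensic integrity is maintained. The following is an added example, not part of the assignment brief or any case file, showing the core of that discipline in code: hashing an acquired image in chunks with two independent digests, recording them in an acquisition manifest, re-verifying a working copy before analysis, and appending each check to a chain-of-custody log. The image bytes, the evidence identifier "BGP-SRV-HDD1" and the analyst name are constructed placeholders.

```python
"""Added example: verify an acquired disk image against its acquisition hashes and record the check
in a chain-of-custody log.  The image bytes and manifest are CONSTRUCTED here for illustration; they
are not the BGP hosting case images."""
import hashlib
import json
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha256")      # two independent digests, as acquisition tools commonly record


def hash_image(data, chunk_size=1 << 20):
    """Hash an image in fixed-size chunks (so multi-terabyte images never need to fit in memory)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        block = view[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_manifest(evidence_id, data, acquired_by):
    """Acquisition record: what was imaged, by whom, when, and the digests taken at acquisition time."""
    return {"evidence_id": evidence_id, "acquired_by": acquired_by,
            "acquired_at": datetime.now(timezone.utc).isoformat(), "size_bytes": len(data),
            "hashes": hash_image(data)}


def verify_image(data, manifest):
    """Re-hash a working copy and compare with the manifest. Returns (ok, list_of_failed_algorithms).
    Any mismatch means the copy must not be analysed until a fresh copy from the master is taken."""
    current = hash_image(data)
    failed = [name for name, expected in manifest["hashes"].items() if current[name] != expected]
    return (not failed, failed)


def log_custody_event(log, evidence_id, actor, action, ok):
    """Append an auditable chain-of-custody entry; the log is a list so it can be serialised as JSON."""
    log.append({"evidence_id": evidence_id, "actor": actor, "action": action,
                "integrity_ok": ok, "timestamp": datetime.now(timezone.utc).isoformat()})
    return log


# Constructed 4 MiB "image" (not a real disk) and a copy of it with a single byte altered.
IMAGE = bytes(range(256)) * (4 * 1024 * 1024 // 256)
TAMPERED = IMAGE[:1_000_000] + bytes([IMAGE[1_000_000] ^ 0xFF]) + IMAGE[1_000_001:]
MANIFEST = make_manifest("BGP-SRV-HDD1", IMAGE, "analyst (placeholder)")

if __name__ == "__main__":
    log = []
    for label, copy in (("master", IMAGE), ("working copy", TAMPERED)):
        ok, failed = verify_image(copy, MANIFEST)
        log_custody_event(log, MANIFEST["evidence_id"], "analyst (placeholder)", f"verify {label}", ok)
        print(f"{label}: {'OK' if ok else 'MISMATCH on ' + ', '.join(failed)}")
    print(json.dumps(log, indent=2))
```

The single flipped byte in the working copy changes both digests, which is the point of verifying before every analysis session rather than only at acquisition: analysis is done on copies, the master image is never touched, and the log shows who checked what and when.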
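Parts 2 and 4 both turn on reading a packet capture and explaining the traffic in it. As an added example that is not part of the brief or its case files, the script below parses the classic libpcap format (the format of part3_cosmetic.pcap; new_part_4.pcapng is pcapng, which this reader deliberately rejects) using only the standard library, decodes Ethernet/IPv4/TCP headers, and summarises, per source host, the distinct destination ports it sent bare SYNs to. The capture it analyses is constructed inside the script: a host probing seven ports on one server next to a normal HTTPS handshake, so the summary shows how a scan stands out from ordinary connections. All addresses and ports are constructed values.

```python
"""Added example: parse a classic libpcap capture with the standard library only, then summarise
TCP connection attempts per source host.  The capture below is CONSTRUCTED in this script; it is
not data from the module's case files."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4          # microsecond-resolution libpcap, little-endian
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Constructed libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    data = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, frame in frames:
        data += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return data


def parse_tcp_frame(frame):
    """Decode one Ethernet frame; return (src, dst, sport, dport, flags) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    if frame[23] != 6:                                    # protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, dst, sport, dport, tcp[13]                # byte 13 of TCP header holds the flags


def parse_pcap(data):
    """Return (ts_sec, src, dst, sport, dport, flags) for every IPv4/TCP frame in a libpcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:                             # same magic written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic libpcap capture (pcapng is a different format)")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        pkt = parse_tcp_frame(frame)
        if pkt is not None:
            records.append((ts_sec,) + pkt)
    return records


def summarise_syn_attempts(records):
    """Per source: distinct (destination, port) pairs it sent a bare SYN to.  Many distinct ports
    on one host from a single source is the scan pattern an analyst triages first."""
    targets = defaultdict(set)
    for _ts, src, dst, _sport, dport, flags in records:
        if flags & TCP_SYN and not flags & TCP_ACK:       # SYN set, ACK clear: a connection attempt
            targets[src].add((dst, dport))
    return {src: {"distinct_targets": len(t), "ports": sorted(p for _, p in t)}
            for src, t in targets.items()}


# Constructed sample: 10.0.0.5 probes seven ports on 10.0.0.20; 10.0.0.7 performs one normal
# HTTPS handshake (SYN, then SYN/ACK back from the server).
SAMPLE_FRAMES = [(1000 + i // 4, build_tcp_frame("10.0.0.5", "10.0.0.20", 40000 + i, port, TCP_SYN))
                 for i, port in enumerate([21, 22, 23, 80, 443, 445, 3389])]
SAMPLE_FRAMES += [(1010, build_tcp_frame("10.0.0.7", "10.0.0.20", 51000, 443, TCP_SYN)),
                  (1010, build_tcp_frame("10.0.0.20", "10.0.0.7", 443, 51000, TCP_SYN | TCP_ACK))]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for src, info in summarise_syn_attempts(parse_pcap(SAMPLE_PCAP)).items():
        print(f"{src}: {info['distinct_targets']} distinct targets, ports {info['ports']}")
```

Reading the header fields directly, rather than relying on a tool's decode, is what lets a report state exactly which bytes support a conclusion; the server's SYN/ACK reply is excluded from the summary because it carries ACK, so only initiators of connections appear.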