Forensic Investigation Case Study Assignment -
Title: Clowning About Again
Background
In the state of Western Australia, it is illegal to access, own or distribute digital content relating to clowns. An allegation was been made to law enforcement whereby a witness claims to have seen an individual access clown related content within a place of work. Following the approval of formal warrants, the computer in question was seized from the work place. The computer was then forensically acquired using FTK Imager. Unfortunately, the junior investigator who obtained the 'forensic image' of the computer only performed a logical acquisition. To worsen the situation, the junior investigator forensically wiped the original hard drive from the computer. Fortunately, the logical acquisition was undertaken in a forensically sound manner. The suspect, Clark denies accessing clown content. However, Clark does confirm that the computer does belong to him. Clark stated that he does not always take the computer home or lock it when he is away from his desk.
You are a consultant who specialises in digital forensic investigations. You have been assigned the task of examining a 'forensic' image of the laptop, which was seized with correct warrants. It is currently unknown what Clark was doing with the clown content. In Clark's opinion, the computer was infected with malware which resulted in any potential content appearing on the computer.
Task -
Your task is to investigate the supplied forensic image using appropriate tools and process and to develop and submit a written report on your findings. You may use any tools to undertake the investigation but you must justify all of your actions! Your report must follow the report structure shown below.
Report Structure -
Cover Page - Unit code and title, assignment title, your name, student number, campus and tutor's name
Table of Contents - An accurate reflection of the content within the report, generated automatically in Microsoft Word.
Summary - A succinct overview of the report. What were you looking for? How did you approach the investigation? What did you do? What did you find? What is the outcome of the investigation? Use numbers to support or extend the extent of any crimes that have been committed.
Issue 1 - Presentation of content relating to offence: A detailed representation of all content identified, extracted and analysed in the investigation. All evidence must characterised, explained and examined. What is the value of the evidence to the investigation? What does each piece of evidence mean? Does evidence support or negate the allegations made?
Issue 2 - Identification: Detail all information relating to possible use/ownership of the evidence identified and extracted. How can you link the evidence to a particular owner? Is there any digital evidence, which demonstrates ownership of the device or content?
Issue 3 - Intent: Was the digital content purposefully accessed/used/downloaded/installed? Was it accidental? Was it a third party? Was it malicious software? Present all evidence to support your theory.
Issue 4 - Quantity of Files: How many files of every type were present on the system? What percentage of these files relate to the offence? What does this mean for the overall investigation?
Issue 5 - Installed Software: What applications are installed that relate to the investigation? What purpose do these applications serve? Have they been used/run? Dates/times the application was used. What impact do these applications have on the investigation?
Appendix A - Running Sheet: A comprehensive running sheet (recipe) of your actions in investigating the case study. The running sheet should be presented in table form. What did you? How did you do it? What was the outcome of your action? The running sheet should be more detailed than a 'recipe' and allow someone to replicate your process and achieve the exact same outcome.
Appendix B - Timeline of Events: A comprehensive and chronological order of events representing the actions that resulted in the illegal activity take place, and the events thereafter. Be creative in how you present this data. Consider what is important to include and what serves no purpose.
Additional Task Information - MUST READ
Start early and plan ahead, you may need to spend considerable time experimenting with various tools. If a tool or method fails to result in a successful outcome, you should still document this action in your running sheet. Each tool has its own strengths and limitations.
Look for clues/hints in the investigation. Strategically placed clues/hints have been created in this fictitious case study to help you along the way.
It is not expected that you find every piece of evidence and nor do you have to. Furthermore, should there password protected or encrypted content - you do not necessarily have to break/decrypt it to successfully progress with the investigation.
Remember to ensure the integrity of the image being investigated. You should continually demonstrate that you have maintained integrity throughout your investigation.
Consider what you are trying to find and what you need to negate. The background information of this document provides carefully developed clues.