Individual Project: Forensic Examination
Scenario:
You are a computer forensic examiner working for the Department of Homeland Security (DHS). DHS has been investigating the possible threat of an attack within the U.S. by members of the Chechen mujahideen.
Your team has been conducting surveillance of suspected terrorist Anwar Tsarni, a Chechen native, currently working as a graduate teaching assistant at George Mason University. Anwar Tsarni is a known associate of accused Boston Marathon bombers Dzhokhar Tsarnaev and Tamerlan Tsarnaev and has traveled to a region with a known Chechen terrorist training camp in the past year.
After a six-month investigation including surveillance and wiretaps of the suspect, a search was conducted of an office located at: 10900 University Blvd., Manassas, VA 20110
You will be investigating a forensic image of a flash drive found during this search. Investigators suspect it may have critical evidence on it that will lead them to break up a terrorist cell and thwart an attempted attack on the U.S. Your job is to conduct a forensic analysis of the disk and write a forensic report of your findings.
Tools:
You may use any FORENSIC tools available to you.
At the very least you should use:
FTK Imager (to verify the image and hash values)
FTK Toolkit (to conduct the majority of your investigation) or Autopsy (https://www.sleuthkit.org/autopsy/)
ExifPro (to examine JPEG files)
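Image verification is the first step of the examination and the hash section of the report must show both the given and the calculated values. The following is an added example, not part of the assignment or the tools above: it hashes an image in chunks, compares the result with the hashes given on the evidence form, and records the verification time. The sample "image" and its expected hashes are constructed for the demo (the well-known "abc" test vectors); the file name `sample.dd` is a placeholder.

```python
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timezone

def hash_image(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Hash an image file in 1 MiB chunks so a multi-GB image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, expected):
    """Compare calculated hashes with the hashes given on the evidence form.

    expected maps algorithm name -> hex digest as printed on the form (any case).
    Returns (all_match, report); the report holds given, calculated and match per
    algorithm plus the UTC time of verification for the report's hash section.
    """
    calculated = hash_image(path, tuple(expected))
    report = {"verified_at_utc": datetime.now(timezone.utc).isoformat(), "hashes": {}}
    for name, given in expected.items():
        given_norm = given.strip().lower()
        report["hashes"][name] = {
            "given": given_norm,
            "calculated": calculated[name],
            "match": hmac.compare_digest(calculated[name], given_norm),
        }
    return all(r["match"] for r in report["hashes"].values()), report

def demo():
    """Constructed sample: a 3-byte 'image' whose MD5/SHA-1 are the 'abc' test vectors."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sample.dd")  # constructed, not a real evidence image
        with open(image, "wb") as fh:
            fh.write(b"abc")
        given = {"md5": "900150983CD24FB0D6963F7D28E17F72",
                 "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}
        clean_ok, clean = verify_image(image, given)
        # Altered copy: one byte appended after acquisition, so the hashes must not match
        with open(image, "ab") as fh:
            fh.write(b"\x00")
        altered_ok, altered = verify_image(image, given)
    return {"clean_ok": clean_ok, "clean": clean, "altered_ok": altered_ok, "altered": altered}

if __name__ == "__main__":
    result = demo()
    for label in ("clean", "altered"):
        for name, r in result[label]["hashes"].items():
            print(f"{label:8} {name:5} given={r['given']} calculated={r['calculated']} match={r['match']}")
```

The calculated values should be compared against what FTK Imager reports for the same image; a mismatch means the image must not be examined until the discrepancy is explained.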
You must use the template provided and include the information listed. DO NOT LEAVE PLACEHOLDER TEXT, REPLACE WITH YOUR ACTUAL INFORMATION.
You will include the “best” evidence items and full analysis from the following categories in your report. Only include the number of items listed. Do not include more.
Documents (3 items)
PDF (2 items)
Graphics (3 items, minimum 1 must be jpg)
Deleted Files (3 items that are not discussed in other categories)
HTML or Web-based Files (3 items)
OLE Subitems (1 item)
All other relevant background information, image verification, etc. listed in the template
What to Look For:
You may want to extract these files to analyze the technical information and metadata closer.
Remember to look for metadata that may provide you with additional information.
Remember, you are looking for evidence to help break up a terrorist cell and prevent an attack. You may want to look for evidence of parties involved, locations, types of attack, etc. You may also want to establish a timeline – this may be crucial if an attack is imminent.
The Report:
Your report will be approximately 5-10 pages OF TEXT (not including your screenshots, lists of evidence, content of evidence files, etc.)
You should give a detailed (step by step) explanation of what you did, what you found, and how and where you found it.
You may use screen shots and file content as an appendix.
Do not include screenshots in the body of your report!!
Do not include the content of the evidence files in the body of your report!!
Crop your screenshots so only relevant information is showing… I shouldn’t be able to see your desktop or other open files.
Follow the “Forensic Report Guidelines” you have been given during lecture.
Do not try to analyze the content of files.
Stick to the FACTS!
Your report should explain the technical aspects (e.g. what is a link file, why is this important; explain it so a non-technical person can understand).
Just giving a list of evidence with no explanation of how you found it and what it means (as far as the technical aspect) is insufficient. Don’t just say you found it using FTK – explain!
Analyze the metadata!
You have more than enough evidence on the disk to EASILY write this much text. If you are having a hard time, you probably missed a significant amount of evidence.
Formatting:
Use the template provided
Include a title page
Text should be single spaced, 0 spacing before & after
Font should be set to Arial or Calibri
Font should be set to 12 point
Margins should be set to 1 inch
Paragraphs should be set to Justify (not left, right, or center aligned)
You should include headings and subheadings
Your report should be in complete sentences, free of grammatical/spelling errors, easy to read, and professional.
If you use any outside sources, you must cite them using APA citations
Your report must have a red watermark on every page stating: “THIS IS AN EDUCATIONAL PROJECT”. Any project that does not have this will be a zero.
Page Layout – Watermark – Custom Watermark – Text Watermark
Change the text to “THIS IS AN EDUCATIONAL PROJECT”
Change the color to RED, transparency to 75%
Your file must be less than 10MB to be submitted to SafeAssign.
Compress your graphics by using the “Compress Pictures” option in Word.
Choose the smallest file size possible.
Hints:
Remember: your report should read like a story. A list of evidence is not sufficient for a report… you need to explain how/where you found the evidence.
You are not a terrorism analyst, so do not try to interpret the evidence… present the facts as you find them. Remember… you can’t say a specific person did something.
This is an individual project. The GMU honor code will be strictly enforced. You will submit your assignment through SafeAssign on blackboard. Only work submitted through SafeAssign will be accepted.
Checklist:
***Also review the rubric for the project
Content:
I included the case background, my name, who I work for, etc.
I verified the hash value before anything else.
I included the given hashes and calculated hashes.
My report only includes FACTS, no opinions or interpretations.
I did not analyze the file content.
My report includes the file names of evidence items.
My report includes the file paths of evidence items.
My report includes the MAC dates and times of evidence items.
My report explains if the evidence is a file, deleted file, etc. and explains what this means.
Someone could read my report and follow my steps exactly step by step. (I explain what I did.)
Any technical term includes an explanation of what it is, in layman’s terms. (I explain what everything means.)
All evidence mentioned in the report is in the appendix.
I don’t say a specific person did something. (Usernames are differentiated from a person’s name.)
All evidence is documented in the report.
I do not have any inaccurate information in my report.
Formatting:
I included my watermark.
I compressed my graphics and my project is less than 10MB.
I followed formatting guidelines for font, line spacing, etc.
I do not have screenshots in the body of my report.
I do not have file content in the body of my report.
My appendix has labels for each evidence item.
I spell checked and proofread my report.
My report is well formatted and easy to read.
I use headings and subheadings.
I do not have long paragraphs.
Only one evidence item is discussed per paragraph.
Rubric:
Criterion | Description | Expected | Satisfactory | Insufficient
Case Background | Case background addressed, including investigator information: name; who the investigator works for | 4-5 | 2-3 | 0-1
Hash Value | | 4-5 | 2-3 | 0-1
Required Evidence Included | Includes the proper number of relevant examples for all categories | 15-20 | 10-14 | 0-9
Explanation | Report explains: | 15-20 | 10-14 | 0-9
Content | | 15-20 | 10-14 | 0-9
Grammar and Formatting | | 11-15 | 6-10 | 0-5
Appendix | | 11-15 | 6-10 | 0-5
Copyright © 2018 Rebecca J. Pollard. All rights reserved.