CMIT424 University of Maryland University Digital Forensic Activity Report
University of Maryland University College
Question Description

I’m stuck on a Computer Science question and need an explanation.

The attached forensic report template needs to be filled out. The CMIT 424 forensic report assignment description gives instructions on how to complete the lab, and the "how to access lab" PDF shows how to log into the lab.

https://vdi.umuc.edu/Citrix/UMGCWeb/ is the website to access the lab

I will provide the username and password to log into UMUC.

Unformatted Attachment Preview

Your Organization / Company LLC
DIGITAL FORENSIC ACTIVITY REPORT

Case Title:
Case Number:
Organization / Company, LLC
Address:
Report Date:
Examiner:
Examiner Signature:
Report Subject: Digital Evidence Report – description of media

BACKGROUND
On September 12, 2017, XXXX

TABLE OF CONTENTS
(Feel free to add Addendums to your report as necessary / page #s will vary.)
Background .......................................... 1
Table of Contents ................................... 2
Legal Authority ..................................... 3
Initial Processing .................................. 3
Preliminary Findings ................................ 3
Detailed Analysis ................................... 4
Conclusions ......................................... 8
Software Utilized ................................... 8
Hardware Utilized ................................... 8
Digital Media Processing ............................ 8
Disposition of Evidence ............................. 9
Glossary ............................................ 10
ADDENDUM A (Evidence Photograph / Hash Verifications) ... 11
ADDENDUM B (Steps Taken) ............................ 12

Case Name / Case ####

LEGAL AUTHORITY
(search warrant, consent, abandoned, or organizational property)

INITIAL PROCESSING
On date, your organization processed the submitted XXXX HD, USB, etc. The processing included inspection, photography, anti-virus (AV) scan, and the forensic imaging of the USB drive. The forensic imaging of the digital media created forensic evidence files for use in subsequent forensic examination of the digital media. Methods were forensically sound and verifiable. During an AV scan, XXXXX was identified as containing XX infected files. Include acquisition and verification hash sums here. See ADDENDUM A "Evidence Photos" and ADDENDUM B, "Steps Taken" for more information.

PRELIMINARY FINDINGS
XXXX This is where you give the reader an overview of your findings / forensic files of interest. Out of analyzing X number of files, X were of forensic value; briefly describe the partition and file structure of the media examined. Include a description of the media, i.e. size, file system, structure. Please see "Detailed Findings" below for more information.

DETAILED FINDINGS / ANALYSIS
XXXX This is the bulk of the report.

CONCLUSIONS
XXXX Further investigation and analysis is recommended to confirm these findings and conclusions and may be the subject of future digital forensic reports.

SOFTWARE UTILIZED
Collecting the evidence involved the following software.
SOFTWARE | HOW USED

HARDWARE UTILIZED
Collecting the evidence involved the following hardware.
HARDWARE | HOW USED

DIGITAL MEDIA PROCESSED
The following digital media was submitted and processed.
PHOTOGRAPH OF DIGITAL MEDIA & IMAGING PROCESS: See ADDENDUM A
DESCRIPTION OF ITEMS SUBMITTED: Include serial numbers and how marked as evidence.

DISPOSITION OF EVIDENCE
XXXX Drive marked as "XXXX" and assigned inventory #XXXX is currently secured in the evidence locker at XXXX. Note that each piece of evidence in this case has been secured and filed with its own individual chain of custody form.

GLOSSARY
Data Carving – A process involving the examination of media for content relating to multiple types of empty space (i.e. slack space, unused space, unallocated space).
Deleted Files – Files that may have been deleted by the computer user or operating system. Normally deleted files are not removed from the hard drive. The deletion process only alters a directory entry in most cases. This leaves deleted files accessible to forensic examinations.
Digital Evidence – Information stored or transmitted in binary form that may be relied upon in court.
File Slack – The space between the end of the file data and the end of the cluster. File slack may contain data from previous files that has been previously overwritten.
Forensic Image – A bit stream copy of the available data. The result may be encapsulated in a proprietary format (e01, ad1, etc).
Forensic Copy – The data from the source (original) media is copied "bit by bit" and written to other media in the same bit-by-bit order that it was obtained.
Forensic Evidence File – Consists of one or more files that contain the data from the source media that can be restored to other media in such a manner that the "bit by bit" order on the source drive is the same as the restored drive. The file may contain "additional" data written by the backup software. The additional data is program overhead.
Hash – Numerical values, generated by various hashing functions, used to substantiate the integrity of digital evidence and/or for inclusion / exclusion comparisons against known value sets.
Message Digest 5 (MD5) Hash – A 128-bit value that uniquely describes the contents of a file. This is a standard hash value used in digital forensics.
New Technology File System – NTFS (NT file system; sometimes New Technology File System) is the file system that the Windows NT operating system uses for storing and retrieving files on a hard disk. NTFS is the Windows NT equivalent of the Windows 95 file allocation table (FAT) and the OS/2 High Performance File System (HPFS).
Removable Media – Items (e.g., floppy disks, CDs, DVDs, USB Drives, tape) that store data and can be easily removed.
Unallocated Space – Also called free space, is defined as the unused portion of the hard drive.
Universal Time Coordinated – UTC / GMT is the basis for local times worldwide. Other names include Universal Time Coordinated / Universal Coordinated Time. UTC is the successor to Greenwich Mean Time (GMT).

ADDENDUM A
The following is a photograph of XXXX
PICTURE(s) SHOWN HERE
The following details the forensic image processing.
Example: Seagate Hard Drive, 250GB, Serial #12345: Digital Forensics Examiner (DFE) created forensic evidence files of XXXX drive #XXXX. The pre-processing hash results are presented below:
MD5 checksum: XXXX
SHA1 checksum: XXXX
The forensic processing subsequently created XXXX (X) files (simulated).
Forensic Evidence Files Created: XXX.E01 – XXXX.E04 (example with four files)
The forensic imaging process involved a post-processing hash verification of the contents of the evidence file compared with the pre-processing hash. The hash analysis is presented below.
MD5 checksum: XXXX : verified
SHA1 checksum: XXXX : verified
The forensic imaging process successfully created a forensically sound and verifiable bit stream copy of the hard drive in the form of forensic evidence files.

ADDENDUM B
Steps Taken:
1.
2.
ETC.
Ensure that you describe your target media sterilization process, i.e. what media you used to store the acquired image files. Include your chain of custody procedures in the steps taken as well, i.e. when you received the media, by whom, where it is stored, when it was returned, etc.

CMIT 424: Digital Forensics Analysis and Application
Detailed Assignment Description for Forensic Report #1

The purpose of this assignment is to determine if you can
• Properly process and handle evidence for a case and perform other case management functions
• Select and use appropriate digital forensics tools
• Prepare and annotate an inventory of files present on an evidence drive
• Triage an evidence drive using a forensic tool to view and analyze partitions, folders, and files to:
  o Identify and properly address the presence (if any) of contraband (adult and child pornography, evidence related to narcotics)
  o Identify and properly address the presence of evidence related to violations of an employment agreement or violations of company policy
• Evaluate an assessment (formal or informal) performed by another party and provide a formal response ("equivocal assessment") in which you address the other party's procedures and findings
• Write a reasonably professional and comprehensive Assessment Report for
a forensic examination

Required Deliverables:
1. Assessment Report (75% of grade)
2. Annotated Inventory of Forensically Interesting Files (25% of grade)

Scenario for Forensic Report #1
James Randell, president and owner of Practical Applied Gaming Solutions, Inc. (PAGS), has contacted you to request assistance in handling a sensitive matter regarding the unexpected resignation of his company's Assistant Chief Security Officer, George Dean. PAGS is a contractor to several state gaming (gambling) commissions. The company and its employees are required to maintain high ethical standards and are not allowed to participate in any forms of gaming or gambling, including lotteries, due to their involvement as security consultants to the gaming commissioners. The unexpected resignation and disappearance of a senior staff member is a reportable security incident under the terms of several of the company's contracts with state gaming commissions. Thus, Mr. Randell needs an independent, outside assessment of the facts and evidence pertaining to Mr. Dean's resignation.

Copyright © 2019 by University of Maryland University College. All Rights Reserved.

Background (Information Obtained During Client Interview)
Mr. Randell became concerned about Mr. Dean's activities after his Human Resources Officer, Norbert Singh, reported that Mr. Dean left a voice mail tendering his resignation effective immediately. Mr. Singh also reported that Mr. Dean's supervisor (Ms. Betty Mayne, the Chief Security Officer) had opened Mr. Dean's locked office, at Mr. Singh's request, and noted that it was unusually tidy and that the computer workstation and a company issued laptop were both missing. Mr. Randell asked Mr. Singh and Ms. Mayne to investigate further and report back to him. During the second meeting, Mr. Randell was informed of the following:
• Mr. Dean's workstation was one of three company computers taken to the IT Service Center earlier in the week to be wiped and reimaged due to infection by a particularly nasty rootkit. The computers are due back in the office next Friday by 10:00 AM. Ms. Mayne contacted the IT service center and requested that they stop all work and immediately return the three computer systems to the company.
• Mr. Dean was using a company issued laptop in the office as a temporary replacement for his workstation. The company issued laptop was not found in the office, but an empty laptop case was found under the desk.
• During their search of the office, Mr. Singh and Ms. Mayne found a single 2GB USB drive that had been left in the laptop case.
• Ms. Mayne and her staff examined the contents of the USB Drive and reported to Mr. Randell that it contained files pertaining to Mr. Dean's duties as Assistant Chief Security Officer. There were no indications of any involvement in activities contrary to the company's best interests.
Note: This paragraph provides you with the "previous examination" results that you will address in the "Assessment of Previous Investigation" section in your Assessment Report.

Request for Forensic Services (Tasking)
Mr. Randell has requested that you examine the recovered USB drive and tell him what you find. He also asked that you provide an assessment as to the accuracy and validity of the findings from the PAGS CSO's staff examination of the contents of the USB ("equivocal assessment"). Your deliverables will include an assessment report and an annotated inventory listing all files and information of forensic interest which were recovered from the drive. The burning questions of the moment are:
1. What was George Dean up to before he resigned?
2. Why did he resign so suddenly?

Notes for the Student:
1. You may encounter contraband, e.g. images depicting adult or child pornography, during your examination of the provided forensic image. If this occurs, you are to proceed as though you had legally authorized permission to continue your examination and prepare a report which includes information about the contraband. For training purposes, adult pornography is depicted using images of canines (dogs or puppies). Child pornography is depicted using images of felines (cats or kittens). Images of child pornography (cats or kittens) should not be included in a forensic report and should not be extracted from the forensic image.
2. For training purposes, pictures of flowers are used to denote narcotics and related contraband.
3. The referenced employment agreement is understood to include prohibitions against participating in any/all illegal activities on company premises or while using company IT resources. This prohibition includes receipt and transmission of illegal forms of pornography (as defined by the State of Maryland and the US Federal Government) and engaging in any/all forms of drug trafficking.
4. For the purposes of this assignment, you (the student) are acting in the role of "forensic examiner." In the grading rubric, actions attributed to "the examiner" are actions that you should (or should not) have taken.

Acquisition / Forensic Imaging Report (USB)
Forensically sterile media was created using Sumuri Paladin and then used for the imaging operation as the target media. The sterile state was verified using DCFLDD's verify file command (sudo dcfldd vf=/dev/sdx pattern=00, where sdx is the drive designator for the USB). The imaging operation was performed using FTK Imager.
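The two checks the acquisition report describes, confirming that the target media is zero-filled before it is used and confirming that the image's MD5/SHA1 match the values the imaging tool recorded, carried out in Python as an added example. This is not course material and not the code of dcfldd, Paladin or FTK Imager; the function names and the sample files are constructed for the demonstration, and in real use the sterility check would be pointed at the target device and the hash check at the acquired evidence file, with the expected values copied from the tool's report.

```python
"""Target-media sterility check and evidence-image hash verification.

Added example, not part of the CMIT 424 course material and not the
dcfldd or FTK Imager code. It reimplements the idea behind
'dcfldd vf=/dev/sdx pattern=00' (is every byte 0x00?) and behind the
'checksum: ... : verified' lines of an imaging report.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a whole device never sits in RAM


def first_nonzero_offset(path):
    """Byte offset of the first non-0x00 byte, or -1 if the file/device is
    entirely zero-filled (the sterile state the pattern=00 verification checks)."""
    offset = 0
    zeros = bytes(CHUNK)
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return -1
            if block != zeros[: len(block)]:
                for i, b in enumerate(block):  # locate the exact offending byte
                    if b:
                        return offset + i
            offset += len(block)


def is_sterile(path):
    return first_nonzero_offset(path) == -1


def compute_hashes(path):
    """MD5 and SHA1 of the file in a single pass, as lowercase hex."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, expected):
    """Compare computed hashes with the values recorded in the acquisition report.

    `expected` is {"md5": "...", "sha1": "..."} copied from the report.
    Returns algorithm -> "verified" or "MISMATCH". Hex case is ignored
    because tools differ in how they print digests.
    """
    actual = compute_hashes(path)
    return {
        alg: "verified" if actual[alg].lower() == expected[alg].lower() else "MISMATCH"
        for alg in expected
    }


def demo():
    """Exercise both checks on constructed sample files (no real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        # constructed: a zero-filled 'target' and one with a stray 0x41 at 2 MiB + 5
        sterile = os.path.join(tmp, "sterile.bin")
        dirty = os.path.join(tmp, "dirty.bin")
        with open(sterile, "wb") as fh:
            fh.write(bytes(3 * CHUNK))
        with open(dirty, "wb") as fh:
            fh.write(bytes(2 * CHUNK + 5) + b"\x41" + bytes(100))

        # constructed: a tiny file with a well-known digest, and a fake 'image'
        # whose hashes are recorded once and then re-verified (and once tampered)
        abc = os.path.join(tmp, "abc.bin")
        with open(abc, "wb") as fh:
            fh.write(b"abc")
        image = os.path.join(tmp, "sample.E01")
        with open(image, "wb") as fh:
            fh.write(b"constructed sample image contents\n" * 1000)
        recorded = compute_hashes(image)
        return {
            "sterile_ok": is_sterile(sterile),
            "dirty_offset": first_nonzero_offset(dirty),
            "abc_hashes": compute_hashes(abc),
            "verified": verify_image(image, recorded),
            "tampered": verify_image(image, {"md5": "0" * 32, "sha1": recorded["sha1"]}),
        }


if __name__ == "__main__":
    print(demo())
```

Reading a block device such as /dev/sdx needs the same elevated privileges the sudo dcfldd command does; run the sterility check before the device is used as target media, and record both the expected and the computed digests in ADDENDUM A so the "verified" lines in the report are reproducible.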
Image: PAGS01_06132014.E01
Created By AccessData® FTK® Imager 2.6.0.49 090505

Case Information:
Forensic Report #1 CMIT 424 Fall 2014
Case Number: PAGS01
Evidence Number: PAGS01
Unique description: Lexar Jump Drive
Examiner: Instructor
--------------------------------------------------------------
Information for PAGS01_06132014:

Physical Evidentiary Item (Source) Information:
[Drive Geometry]
Cylinders: 63
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 1,014,784
[Physical Drive Information]
Drive Model: LEXAR JUMPDRIVE USB Device
Drive Serial Number: 8KRZ24B
Drive Interface Type: USB
Source data size: 495 MB
Sector count: 1014784
[Computed Hashes]
MD5 checksum: bc1bedd931cacfd5bc4004ec9ef2fb3e
SHA1 checksum: 217eb21b8e9f4e363824df43204f0f3b75025fd1

Image Information:
Acquisition started: Fri Jun 13 21:59:00 2014
Acquisition finished: Fri Jun 13 22:00:53 2014
Segment list: PAGS01_06132014.E01

Image Verification Results:
Verification started: Fri Jun 13 22:00:53 2014
Verification finished: Fri Jun 13 22:00:56 2014
MD5 checksum: bc1bedd931cacfd5bc4004ec9ef2fb3e : verified
SHA1 checksum: 217eb21b8e9f4e363824df43204f0f3b75025fd1 : verified

Examination of the Evidence (Procedure) for Forensic Report #1
This assignment requires that you apply the knowledge and skills learned in Labs 0-4. You should refer to those lab procedures and the lab readings (Labx_content.docx) if you need ideas on how to get started or what you should look for when processing the forensic image for this assignment.

Before You Begin:
1. Locate the forensic image file for this examination. It is located on the share drive in the VDA (H:\CMIT424\FR1). This is your evidence file and should be treated as if it were stored on a physical USB that you can move from place to place.
2. It is not necessary for you to create a forensic clone from the evidence file onto a physical device.

Examination Procedure:
3. Review the acquisition report provided with this assignment.
   a. Note the type of media and physical structure as reported in the acquisition report from FTK Imager
   b. Note the storage capacity
   c. Note any identifying information
4. Launch the forensic tool (software application) that you will use to process your case. You may need to use multiple tools, e.g. WinHex for file carving and EnCase for general processing of the image.
5. Process the forensic image for this case using the tool(s) of your choice.
6. Review the logical structure of the media from which the forensic image was created (WinHex is a good tool for doing this).
   a. Note the number and size of partitions
   b. Location and sizes of unallocated space (unpartitioned space)
   c. Note the types of file systems present
   d. Perform a brief low-level analysis of the contents of the partitions including information contained within the MBR or boot record
   e. Note the partition names / volume names
   f. What operating system(s) were used to format the media? Modify the media?
7. Review the files and folders found in the case (by partition). (EnCase is a good tool for this step.)
   a. View graphics files
   b. View contents of documents and spreadsheets
   c. Look for password protected or encrypted files
   d. Look for deleted files or files in a recycle or trash bin
   e. Perform a keyword search to determine if there is information present in one or more files which may provide answers to the case questions.
   f. Perform other analysis as required
8. Export a file inventory which shows all files found. Your inventory should be in table format (use MS Word or Excel). Each entry must include, at a minimum:
   a. File Path
   b. MD5 Hash
   c. MAC Times (modify, last access, create)
   d. Item Number
   e. Other useful metadata for the individual files (choose your columns wisely).
9. Using your inventory from step #6, create an annotated file inventory which presents the forensically interesting files in table format. Add a column to your inventory table which contains your Comments or Explanations. You will deliver this file with your assignment submission. You may use either MS Word or MS Excel format for this deliverable.
10. Analyze your recovered files to find answers to the questions presented in the Scenario document for this assignment. Make sure that you keep track of which files support specific answers or findings.
11. Prepare an Assessment Report in which you present a summary of your forensic processing and your findings (answers to the scenario questions).
12. Attach your report and your file inventory to the assignment for Forensic Report #1 and submit it for grading.

Grading Information for Forensic Report #1
The rubric for this assignment is attached to the assignment folder entry. The information below provides additional information about content and format requirements. This assignment is graded on a 100 point basis and is worth 15% of the final course grade.

Annotated File Inventory (25 points total)
• Formatted File Inventory Exported from Forensic Tool (e.g., Encase, WinHex) as Excel Spreadsheet (.xlsx or .xls) or MS Word Document (Table Format). (10 points)
• Identified files of forensic interest (as determined by the case scenario & questions). (5 points)
• An ...
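The file inventory that step 8 asks for (file path, MD5, MAC times, item number, other metadata) together with the keyword search of step 7e, built in Python as an added example. This is not the course's code and not an EnCase or WinHex export; it assumes the evidence has already been mounted read-only or exported from the image into a directory (`evidence_root`), the keyword list is a constructed placeholder, and the sample files in `demo()` are constructed, not case data. Timestamps are written in UTC, as the glossary recommends, and the third timestamp is labelled honestly because os.stat reports metadata-change time on POSIX but creation time on Windows.

```python
"""File inventory with item number, path, size, MD5, MAC times (UTC) and
keyword hits, written as CSV for import into Excel or Word.

Added example, not CMIT 424 course code and not a forensic-tool export.
"""
import csv
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def utc(ts):
    """Format an epoch timestamp as an unambiguous UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def keyword_hits(path, keywords, max_bytes=4 << 20):
    """Case-insensitive keyword search over the first max_bytes of the file.
    Bytes are decoded loosely so binary files do not raise; returns the
    sorted list of keywords found."""
    with open(path, "rb") as fh:
        text = fh.read(max_bytes).decode("utf-8", errors="ignore").lower()
    return sorted(k for k in keywords if k.lower() in text)


def build_inventory(evidence_root, keywords=()):
    """Walk evidence_root in a deterministic order and return one dict per
    file, numbered so item numbers can be cited in the report."""
    rows = []
    item = 1
    for dirpath, dirnames, filenames in os.walk(evidence_root):
        dirnames.sort()  # os.walk honours in-place sorting of dirnames
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rows.append({
                "item": item,
                "path": os.path.relpath(full, evidence_root),
                "size": st.st_size,
                "md5": md5_of_file(full),
                "modified": utc(st.st_mtime),
                "accessed": utc(st.st_atime),
                # st_ctime: inode change time on POSIX, creation time on Windows
                "created_or_changed": utc(st.st_ctime),
                "keyword_hits": ";".join(keyword_hits(full, keywords)),
            })
            item += 1
    return rows


def write_inventory_csv(rows, out_path):
    fields = ["item", "path", "size", "md5", "modified", "accessed",
              "created_or_changed", "keyword_hits"]
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields)
        writer.writeheader()
        writer.writerows(rows)
    return out_path


def demo():
    """Constructed evidence tree (not real case data) to exercise the functions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "evidence")
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "notes.txt"), "w") as fh:
            fh.write("Meeting with the lottery vendor moved to Friday.\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("abc")
        # constructed keyword list; a real one comes from the case questions
        rows = build_inventory(root, keywords=["lottery", "gambling", "casino"])
        write_inventory_csv(rows, os.path.join(tmp, "inventory.csv"))
        return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Opening the evidence tree read-only matters here: reading a file to hash it updates its last-access time on a writable mount, which would alter the very MAC times the inventory is meant to record. The annotated inventory of step 9 is this table with a Comments column added for the rows of forensic interest.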

Final Answer

Please let me know if you need anything to be changed or added; I will be happy to carry out any changes. Just leave me a message and I will get back to you as soon as I can. Bye for now, but I will be here if you need any further help.

Practical Applied Gaming Solutions, Inc. (PAGS)
DIGITAL FORENSIC ACTIVITY REPORT

Case Title: Forensic Report #1 CMIT 424

Case Number: PAGS01

Organization / Company, LLC
Address: Practical Applied Gaming Solutions, Inc. (PAGS)
Report Date: 23 November 2019
Examiner: Instructor

Examiner Signature:

Report Subject
Digital Evidence Report – Lexar JumpDrive

BACKGROUND

The main aim of this investigation is to identify the potential reason for the resignation of one of the
main employees of Practical Applied Gaming Solutions, Inc. The president of the agency has
contracted the forensic investigations team to identify the potential reason that made George Dean
resign from his previous position at the company. The president is convinced that the resignation of
George is linked to malpractices involving illegal activities and dealings in the firm. The resignation has
come as a surprise to the president since it was unexpected. The company has maintained a platform that
prohibits the other employees from engaging in activities that involve illegal dealings such as gambling,
among others.

Forensic Report #1 CMIT 424 / Case PAGS01

The reason for this prohibition is based on the idea that the employees are usually involved in
crucial activities like security consultations with the gaming commissioners. Therefore, their
engagement in gaming activities is not based on the company's policy requirements. The president
believes that the resignation and also disappearance of one of the senior staff members from the
company amounts to a reportable security incident that needs investigation. Gaining facts about the
resignation of Mr. Dean will open up opportunities for the company to identify if Mr. Dean and the
involved senior employee of the company are engaged in illegal dealings such as gambling which is
against the corporate policy.

The main questions which the forensic team needs to answer, and which have formed the foundation for the
investigation, are as follows:
1. Why did Mr. Dean resign from his position at the company with no prior notice?
2. What were the immediate activities or projects that Dean was engaged in before he resigned
from his position at the company?
3. Could it be that Mr. Dean was dealing with illegal activities that are prohibited by the company
such as gambling?
The main questions that were generated from this context are:
1. What reason made Dean resign?
2. Was Dean dealing with inappropriate activities that go against the policy guidelines of the
company and his position?
3. Will the forensic investigation of the device obtained reveal important information about the
reason for the resignation?

TABLE OF CONTENTS

Background………………………………………………………………………………… 1
Table of Contents………………………………………………………………………….. . 2
Legal Authority…………...
