CMS3507 Digital Forensics

Investigating a Digital Bank Robbery

1. Assignment Aims
In this assignment, you are provided with a scenario of an individual being suspected of stealing and exploiting staff and customer details of a large bank. You have been informed as to what digital assets they are believed to have, along with some other information. You have been assigned a specific task list that you need to complete to support investigation of this crime and submit a report on your findings.

2. Learning Outcomes
• To discuss and analyse the principles and core concepts underpinning the discipline of DF.
• To illustrate technical abilities to carry out forensic examination of different types of digital devices by employing various tools and techniques and obtain digital evidence.
• To analyse and evaluate digital evidence and produce forensic reports which articulate and communicate the expert opinion and technical analyses to a non-expert audience.

3. Assessment Brief
You are a serving Senior Member of a Digital Investigation Unit in West Yorkshire Police. The Chief Inspector has instructed you to investigate a scam targeting a large banking institution. The bank received several complaints from its staff and customers that they are getting phone calls, messages, and emails from unknown sources asking for personal and sensitive bank details. The bank is compliant with all the necessary security and fraud prevention protocols, but the scammers/attackers still managed to commit multiple digital robberies, resulting in massive financial and reputational loss and legal challenges.

Upon initial investigation by the bank’s internal security team, it is now established that someone broke into the bank’s central database and stole staff and customer information, which was leveraged to commit the crime. The team has also identified a suspect who denies any involvement in this crime. The following details are provided to you about the suspect to conduct further investigation and retrieve any digital evidence to prove in court whether the suspect committed or is involved in stealing and leaking the information:

• The suspect is a long-term, trusted employee and extremely experienced in their position. They know all the peculiarities and technicalities of the bank.

• The suspect uses the following digital devices on a daily basis for work:
o A laptop running Microsoft Windows
o An Android Tablet
o An external storage Solid-State Drive (SSD)

• Every device is connected to the bank’s private network and contains personal information, accounting documents, internal forms, spreadsheets, reports, receipts, etc. You are given complete physical access to all devices for investigation purposes.

• This is a priority case; however, due to other ongoing important cases and limited resources, only 1 investigation PC is available for use.

4. Tasks and their Marking Scheme
Using the above information, the Chief Inspector has instructed you to prepare and submit a technical report answering the following questions:

Task 1. Which forensic imaging tool would you recommend for persistent storage data acquisition from the devices and why? You must pick at least 3 tools and perform their comparison for each device. [5+5+5=15]
Task 2. Demonstrate forensic imaging process of all devices with clear and relevant screenshots, along with brief description where needed. [5+5+5=15]
Task 3. Explain and demonstrate the type of evidence that can be retrieved from the laptop’s volatile memory (RAM) using the Volatility framework, with clear and relevant screenshots, and how it can benefit the investigation. [10]

Task 4. Discuss how network, memory and malware forensics can play crucial roles in this investigation. [5+5+5=15]
Task 5. What steps do you propose to take in the examination phase to make the investigation more time and resource efficient, considering the following two aspects: evidence extraction and evidence analysis? [10+15]
Task 6. What challenges might one face during this investigation, considering each investigation phase: data acquisition, examination, and documentation and reporting? How do you propose to resolve them? [15+5]

