COM6016: Cyber Threat Hunting and Digital Forensics
Forensics Case Study Assessment , October 2022
Submission Deadline: 15:00 on Wednesday, 14th December 2022
This assignment is worth 60% of the module mark. This assignment is made up of
four different parts. You are required to answer all the questions below. All answers
must be supported with adequate academic references.
The maximum number of pages for this assignment should not exceed 10 pages.
PART 1 [25%]
Leo R is a known local thief and suspected drug trafficker. On the 31st of October
2022, he was arrested while flying a DJI Phantom 2 Vision drone near HM Prison
Berwyn. Prison officers suspect he has been using the drone to either deliver drugs
to the prison or he is involved in planning a jailbreak.
The drone has been seized as well as his mobile devices and a USB drive. Suppose
you have been assigned as the Forensics Lead on the the case
A. Using your knowledge of Digital Forensics and the Digital Forensics
process, describe how you would approach this case from the point of
arrest.
B. A USB disk image seized from Leo R has been provided to you. What
do you suspect he was doing around the prison with a drone? To
obtain the maximum marks for this question, you need to describe your
process and provide evidence to support your suspicion.
PART 2 [40%]
Ciara works for a cosmetics company. She spends 20% of her time travelling to
connect and liaise with clients and suppliers in different countries. When travelling or
visiting other company’s sites, Ciara uses her laptop and business mobile phone for
personal activities. Also, she sometimes works from home and mainly connects to
the company network via a Virtual Private Network (VPN).
During the last six months, the CEO noticed a decrease in the company’s revenue,
along with the entrance of a new competing cosmetics start-up working on the same
line of products and acquiring their customers. The CEO scheduled an urgent
meeting with the executive board and some concerned staff members to look at the
revenues of the running year and come up with a strategy to outperform this new
startup. Ciara attended the meeting, but the CEO noticed that she was particularly
evasive when several questions related to the new startup, called CyCo, located in
Paris, were asked.
Ciara submitted her resignation to leave, a few days after the executive board
meeting. The CEO suspects that Ciara is involved with this new startup and probably
sharing customer data and private products’ information with the company and
possibly others. As with company policy, Ciara has handed her laptop to the IT team
following the submission of her resignation letter and in the process of preparing the
laptop for a new staff, the IT support staff notices some suspicious files and a data
breach investigation is opened.
On Friday, Ciara celebrated her farewell with her colleagues, gave the keys and the
business mobile phone to the IT team at 1 pm and left the company.
The IT team has now imaged the laptop and the mobile phone of Ciara and provided
you with the following:
- Digital image of Ciara’s laptop (taken during her business visit)
- Network capture of Ciara’s laptop (part3_cosmetic.pcap)
You are required to write a maximum of a 800 word forensics report explaining how
you went about your investigation that is to be used in court to prosecute or excoriate
the suspect.
PART 3 [15%]
BGP hosting is a web hosting company providing dedicated and shared hosting
services to UK businesses. The company was founded in 2011 and currently
employs 65 staff in two locations - London and Bristol. The company has an annual
turnover of £4 million and primarily provides services to businesses in the aerospace
and health sectors.
On 30th August, 2021, one of the system administrators at BGP hosting noticed
that one of the servers of a health care client was consuming a lot of system
resources and had a few suspicious active network connections.
The server was restarted, scanned and passed to the security team for monitoring.
On 1st September, 2021, the security team resumed work at 9am and began
looking at tasks assigned, but a quick assessment of the server revealed nothing
strange.
On 2nd September, 2021, the server is inaccessible to clients and a support request
is raised by the client.
At 11 am, the system administrator is greeted with a ransomware message, “Your
server has been infected with ransomware, Your data has been encrypted, you need
to pay 125 bitcoins to unlock it”.
Assume, you work for BGP hosting as a forensics analyst and your colleagues have
provided you with the disk images of the 2 x 2TB hard drives connected to the server
and a live capture of the memory of the device. Explain how you would go about
handling this incident to ensure digital evidence is captured, forensics integrity is
maintained and the business can resume operations in a few days.
PART 4 [20%]
You have been provided a network capture involving about nine servers in an
enterprise network. Your colleague, an IT administrator, suspects there is some
suspicious activity going on. Using your knowledge of cybersecurity and network
forensics, you are required to analyse the PCAP file new_part_4.pcapng and
suggest what you think might be going on in the network packet sequence.
Submission
The final report must be submitted in PDF format using Blackboard.
The submission deadline is 3pm on Wednesday, 14th December 2022
The standard penalties for late submission of work apply: