CMT216
Computer and Network Forensics
Assignment
1. Scenarios
Taurus Smith and her accomplice may be involved in illegal activity. The suspect’s address was searched by the local police officers. In Taurus Smith’s house, one mobile phone, clothing, some cooking books, toiletries, and a USB flash drive were found.
In a further investigation of Taurus Smith’s mobile phone (Exhibit A) and USB flash drive, it is found that the mobile phone is liquid damaged, and the USB flash drive includes an image of a laptop hard drive. Taurus Smith refused to answer any questions. You are a forensic investigator and will be given the image of USB flash drive. You need to conduct examination and identify the relationship between Taurus and her accomplice and any other supporting evidence that pertains to the case.
2. Supplied Materials
• Instructions
• Scenario
• Taurus’ laptop image on a USB flash drive
• Pcap files
• Mobile exhibits
• NTUSER.DAT retrieved from another machine in the same network
3. Basic Requirements
Your task is to demonstrate adherence to basic forensic methodology in your examination of the USB image. You are expected to produce a scientific report detailing the methods employed, the results obtained, and answers to the following questions:
1. Is there anyone else implicated? If so, who? Show any evidence sup-porting your findings.
2. Where was Taurus Smith planning to travel to? Show any evidence supporting your findings.
3. Please identify as many as the recipes and present all techniques were used to hide it in the provided materials.
4. What analyse the network activity involved in this case and present detailed evidence items.
5. From the given NTUSER.DAT can you find what did the user search? How many times did the user use EXCEL.exe? What is the latest typed URL?
Hints:
1. Look for deleted data.
2. Look for suspicious emails or files.
3. Build a “dirty word list” and search the image.
4. Look for artefacts from different browsers, google search, Bin files, pcap files, etc. Basic steps to follow:
If you are starting the case in AUTOPSY. Then here are a few steps to get you started.
1. When it asks for an image use the [image name].e01 supplied.
2. Ensure you select “partition” .
3. Although you have not been given a specific time you should still revise the steps given in the lectures and create a timeline.
4. Then start the analysis. All this can be done through the AUTOPSY interface. Remember that it uses all the tools we have covered.