Scenario
As a Digital Forensic Consultant, you have been asked by a company to investigate possible illicit materials on a company PC workstation.
A printout of one such image was found in the local printer attached to the workstation (Figure 1) when a printer jam was cleared. Storing, downloading or transmitting such illicit images of "cats" is against company policy. Any employee found deliberately contravening this policy is subject to instant dismissal. However, it is proving to be difficult to identify the owner of the image. This is firstly because no printer or network logs are available that would allow the company to trace the image back to a user. Secondly, two part-time members of staff, Alice and Bob, share the workstation that the printer is connected to.
You have been provided with a forensically sound image of the PC's hard drive to analyse. The image file is in the CAINE virtual machine in Linuxzoo, within the directory /images/cw3. This directory also contains the hash of the drive at the time of acquisition.
Specifically, your remit for the analysis has been described as: "Firstly, we are interested in establishing whether the drive contains any illicit images. If so, we would like to establish the extent of the problem and the user responsible. We would like to know where the images originated and whether the responsible user had any plans regarding the images, for example, further distribution, or whether they collaborated with anyone else."
You need to perform a forensic analysis of the supplied drive image and write up your findings in an investigation report. To fulfil the remit, your analysis should include the following:
1. An exhaustive search for image files on the drive and establishing the user they belonged to.
2. Analysis of the relevant user's browser artefacts
3. Analysis of the relevant user's communications with others (such as email, messenger, etc)
Methods and tools to address items 1 and 2 are taught explicitly in this module, though you may want to research some of these further. Item 3 has not been covered in the taught material of the course, so you will need to tackle this challenge.
Report requirements
Your report must include the following:
- Executive Summary - This must be at the beginning of your report, clearly summarise your main findings and give your conclusion, as well as outlining any limitations of your investigation. The Executive Summary must be written for a non-technical audience (e.g. CEO, lawyer, judge or jury). It is strictly limited to ONE page plus a table that provides a high-level summary timeline of the relevant user's actions relating to the remit of the investigation. The table should be single spaced, 10 point font and may include no more than 20 rows.
- Procedure/Discussion - This is the core of your coursework. Make sure you document the investigative procedure followed in answering the task, identifying all relevant data and metadata and evaluating the information into a coherent discussion which includes error risk. Your report should thus include a significant amount of analysis of the information you are presenting. Your reasoned opinion is also needed, as well as critical evaluation of the data.
Remember that the acquisition and preservation of evidence are not part of your remit - your investigation should cover the analysis, evaluation and reporting stages of the investigation only.
- Supporting evidence and methods - Include in the body of your report screenshots of relevant evidence and the commands used to obtain them (if you used a GUI, briefly describe the procedures followed). You may use additional diagrams/tables where useful. All figures must have suitable captions and be explicitly referred to in the text. Make sure that screenshots are clear and cropped to show only relevant parts and further highlight the important information.
- Research and References - Use research to underpin your investigation, particularly regarding email and messenger analysis. This can include academic articles, white papers, relevant websites and books. Throughout the report, where you are discussing knowledge gained from the references, include citations in the format (author, year) to attribute the information. Remember that your report must be in your own words. It should be your personal reflection on the topic, based on and supported by the references used and your experiences and knowledge of the module. Do not "cut-and-paste" from the web.
The end of your report should have a list of the references used to support your research. Use the APA/Harvard style in use in the School of Computing.
Refer to the marking scheme overleaf to check how the above will contribute to your marks. The end of the report answers some frequently asked questions. We will also discuss this coursework in a short lecture, which will be recorded for you.
Report format, presentation and style
- The maximum length of the report is 12 pages. This will be strictly enforced - we will not read beyond the end of page 12.
- The report should be around 2500 words.
- Use formal language - this includes using 3rd person.
- It must be completely your own work.
- Start with the executive summary and timeline table (see above) and end with the list of references. The conclusions / limitations are part of the executive summary; do not repeat them at the end of your report.
- No cover page or table of contents is required.
- Appendices are not permitted.
- As your report will be marked online, please use the following formatting for the main body of text (tables, captions and references may use single spacing and 10-11 point font):
  - 12 point font
  - 1.5 times spacing
  - normal margins
  - left-aligned
- All pages should be numbered.