Forensic Investigation Case Study About Clowning

Assignment Title: Clowning About Again

Assignment Background

In the state of Western Australia, it is illegal to access, own or distribute digital content relating to clowns. An allegation was been made to law enforcement whereby a witness claims to have seen an individual access clown related content within a place of work. Following the approval of formal warrants, the computer in question was seized from the work place. The computer was then forensically acquired using FTK Imager. Unfortunately, the junior investigator who obtained the ‘forensic image’ of the computer only performed a logical acquisition. To worsen the situation, the junior investigator forensically wiped the original hard drive from the computer. Fortunately, the logical acquisition was undertaken in a forensically sound manner. The suspect, Clark denies accessing clown content. However, Clark does confirm that the computer does belong to him. Clark stated that he does not always take the computer home or lock it when he is away from his desk.

You are a consultant who specialises in digital forensic investigations. You have been assigned the task of examining a ‘forensic’ image of the laptop, which was seized with correct warrants. It is currently unknown what Clark was doing with the clown content. In Clark’s opinion, the computer was infected with malware which resulted in any potential content appearing on the computer.

Assignment Task

Your task is to investigate the supplied forensic image using appropriate tools and process and to develop and submit a written report on your findings. You may use any tools to undertake the investigation but you must justify all of your actions! Your report must follow the report structure shown below.

Assignment Report Structure

Cover Page

Unit code and title, assignment title, your name, student number, campus and tutor’s name

Table of Contents

An accurate reflection of the content within the report, generated automatically in Microsoft Word.

Summary

A succinct overview of the report. What were you looking for? How did you approach the investigation? What did you do? What did you find? What is the outcome of the investigation? Use numbers to support or extend the extent of any crimes that have been committed.

Issue #1 – Presentation of content relating to offence

A detailed representation of all content identified, extracted and analysed in the investigation. All evidence must characterised, explained and examined. What is the value of the evidence to the investigation? What does each piece of evidence mean? Does evidence support or negate the allegations made?

Issue #2 – Identification

Detail all information relating to possible use/ownership of the evidence identified and extracted. How can you link the evidence to a particular owner? Is there any digital evidence, which demonstrates ownership of the device or content?

Issue #3 – Intent

Was the digital content purposefully accessed/used/downloaded/installed? Was it accidental? Was it a third party? Was it malicious software? Present all evidence to support your theory.

Issue #4 – Quantity of Files

How many files of every type were present on the system? What percentage of these files relate to the offence? What does this mean for the overall investigation?

Issue #5 – Installed Software

What applications are installed that relate to the investigation? What purpose do these applications serve? Have they been used/run? Dates/times the application was used. What impact do these applications have on the investigation?

Appendix A – Running Sheet

A comprehensive running sheet (recipe) of your actions in investigating the case study. The running sheet should be presented in table form. What did you? How did you do it? What was the outcome of your action? The running sheet should be more detailed than a ‘recipe’ and allow someone to replicate your process and achieve the exact same outcome.

Appendix B – Timeline of Events

A comprehensive and chronological order of events representing the actions that resulted in the illegal activity take place, and the events thereafter. Be creative in how you present this data. Consider what is important to include and what serves no purpose.

Additional Task Information – MUST READ

Start early and plan ahead, you may need to spend considerable time experimenting with various tools. If a tool or method fails to result in a successful outcome, you should still document this action in your running sheet. Each tool has its own strengths and limitations.
Each report will be unique and presented in its own way.
Scrutinise the marking key, and ask any questions you may have EARLY in the semester!
Look for clues/hints in the investigation. Strategically placed clues/hints have been created in this fictitious case study to help you along the way.
It is not expected that you find every piece of evidence and nor do you have to. Furthermore, should there password protected or encrypted content – you do not necessarily have to break/decrypt it to successfully progress with the investigation.
Remember to ensure the integrity of the image being investigated. You should continually demonstrate that you have maintained integrity throughout your investigation.
Consider what you are trying to find and what you need to negate. The background information of this document provides carefully developed clues.
The task is not just about data recovery! I am more interested in your method (i.e. the carefully created running sheet), than any evidentiary artefacts that you may recover!

Assignment Marking Key

CRITERIA
Evidence
At least 5 ‘issues’ are created and adequately populated with correct evidence.
Evidence is characterised (filenames, sector locations, file extensions, metadata, hashes, dates/times, allocation status, explanations, etc.)
Evidence has been explained, analysed and linked appropriately to other evidence.
Method and Timeline
Comprehensive running sheet with clearly defined aims, methods and results.
Clear use of forensic process which is repeatable and reproducible.
An accurate and professional timeline of evidence, detailing critical events.