Date: 2022-12-10 01:32

COM6016: Cyber Threat Hunting and Digital Forensics

Forensics Case Study Assessment , October 2022

Submission Deadline: 15:00 on Wednesday, 14th December 2022

This assignment is worth 60% of the module mark. It is made up of four different parts. You are required to answer all the questions below. All answers must be supported with adequate academic references.

The maximum number of pages for this assignment should not exceed 10 pages.

PART 1 [25%]

Leo R is a known local thief and suspected drug trafficker. On the 31st of October 2022, he was arrested while flying a DJI Phantom 2 Vision drone near HM Prison Berwyn. Prison officers suspect that he has been using the drone either to deliver drugs to the prison or to plan a jailbreak.

The drone has been seized, along with his mobile devices and a USB drive. Suppose you have been assigned as the Forensics Lead on the case.

A. Using your knowledge of Digital Forensics and the Digital Forensics process, describe how you would approach this case from the point of arrest.

B. A USB disk image seized from Leo R has been provided to you. What do you suspect he was doing around the prison with a drone? To obtain the maximum marks for this question, you need to describe your process and provide evidence to support your suspicion.
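One building block of the Part 1B analysis is recovering files from the USB image independently of its filesystem, so that deleted or hidden content in unallocated space is still found. The script below is an added example (not part of the assignment brief or of any named tool): it carves JPEG, PNG and PDF objects by header/footer signature, records each object's offset, size and SHA-256 for the evidence table, and runs against a small image constructed inline with three sample files and zeroed slack space (the filenames, offsets and sample contents are all made up for the demo).

```python
"""Signature-based file carving over a raw USB image.

Added example, not part of the assignment brief: finds files by their
header/footer byte patterns without consulting the filesystem, so content in
unallocated space (deleted files) is recovered too. The image is constructed
inline so the script runs offline; hashes go into the evidence listing."""
import hashlib
import struct
import zlib

# (header, footer) per type; the footer search is capped at MAX_CARVE bytes
# so a header whose footer was overwritten cannot swallow the rest of the image.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 16 * 1024 * 1024


def carve(image: bytes):
    """Return [(type, offset, data)] sorted by offset for every bounded hit."""
    hits = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(tail, start + len(head), start + MAX_CARVE)
            if end == -1:              # header with no footer in range: keep scanning
                pos = start + 1
                continue
            end += len(tail)
            hits.append((kind, start, image[start:end]))
            pos = end                  # resume after the carved object
    return sorted(hits, key=lambda h: h[1])


def report(hits):
    """Offset, size and SHA-256 per carved object, as listed in an evidence table."""
    return [{"type": kind, "offset": off, "size": len(data),
             "sha256": hashlib.sha256(data).hexdigest()} for kind, off, data in hits]


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Minimal valid PNG, used only to populate the constructed image."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8-bit RGB
    raw = b"".join(b"\x00" + b"\x00\xff\x00" * width for _ in range(height))
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


# Constructed sample files (not real evidence).
SAMPLE_JPG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00"
              + b"\x12" * 64 + b"\xff\xd9")
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF")


def build_sample_image() -> bytes:
    """Constructed 'USB image': three files separated by zeroed slack space."""
    zeros = lambda n: b"\x00" * n
    return (zeros(4096) + SAMPLE_JPG + zeros(512) + make_png()
            + zeros(77) + SAMPLE_PDF + zeros(4096))


if __name__ == "__main__":
    for row in report(carve(build_sample_image())):
        print(row)
```

In a real examination this step comes after the filesystem has been parsed (for example with The Sleuth Kit's `fls` and `icat`, or Autopsy) so that carving is restricted to unallocated space and every recovered object can be tied back to an offset in the verified image; fragmented files are not recovered by plain header/footer carving, which is one reason to state the method's limits in the report.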

PART 2 [40%]

Ciara works for a cosmetics company. She spends 20% of her time travelling to connect and liaise with clients and suppliers in different countries. When travelling or visiting other companies' sites, Ciara uses her laptop and business mobile phone for personal activities. She also sometimes works from home and mainly connects to the company network via a Virtual Private Network (VPN).

During the last six months, the CEO noticed a decrease in the company's revenue, coinciding with the entrance of a new competing cosmetics start-up working on the same line of products and acquiring their customers. The CEO scheduled an urgent meeting with the executive board and some concerned staff members to look at the revenues of the current year and come up with a strategy to outperform this new start-up. Ciara attended the meeting, but the CEO noticed that she was particularly evasive when several questions were asked about the new start-up, called CyCo and located in Paris.

Ciara submitted her resignation a few days after the executive board meeting. The CEO suspects that Ciara is involved with this new start-up and is probably sharing customer data and private product information with that company and possibly others. In line with company policy, Ciara handed her laptop to the IT team after submitting her resignation letter; while preparing the laptop for a new member of staff, the IT support staff noticed some suspicious files, and a data breach investigation was opened.

On Friday, Ciara celebrated her farewell with her colleagues, gave the keys and the business mobile phone to the IT team at 1 pm and left the company.

The IT team has now imaged the laptop and the mobile phone of Ciara and provided you with the following:

- Digital image of Ciara’s laptop (taken during her business visit)

- Network capture of Ciara’s laptop (part3_cosmetic.pcap)

You are required to write a forensics report of at most 800 words explaining how you went about your investigation; the report is to be used in court to prosecute or exonerate the suspect.

PART 3 [15%]

BGP hosting is a web hosting company providing dedicated and shared hosting services to UK businesses. The company was founded in 2011 and currently employs 65 staff in two locations, London and Bristol. The company has an annual turnover of £4 million and primarily provides services to businesses in the aerospace and health sectors.

On 30th August 2021, one of the system administrators at BGP hosting noticed that one of the servers of a health care client was consuming a lot of system resources and had a few suspicious active network connections.

The server was restarted, scanned and passed to the security team for monitoring.

On 1st September 2021, the security team resumed work at 9am and began looking at the tasks assigned, but a quick assessment of the server revealed nothing strange.

On 2nd September 2021, the server was inaccessible to clients and a support request was raised by the client.

At 11 am, the system administrator was greeted with a ransomware message: "Your server has been infected with ransomware. Your data has been encrypted; you need to pay 125 bitcoins to unlock it".

Assume you work for BGP hosting as a forensics analyst and your colleagues have provided you with the disk images of the 2 x 2TB hard drives connected to the server and a live capture of the device's memory. Explain how you would go about handling this incident to ensure that digital evidence is captured, forensic integrity is maintained and the business can resume operations within a few days.
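Both Part 1A (approaching the drone case from the point of arrest) and Part 3 (the ransomware server) turn on the same discipline: every image and memory capture is hashed at acquisition, analysis happens only on a working copy that has been verified against those hashes, and each handling step is logged so the chain of custody can be produced in court. The script below is an added example of that workflow, not the brief's or any vendor's code: it hashes an image in 1 MiB chunks, verifies a copy, and appends JSON-lines custody records; it then changes one byte of the copy to show the re-verification failing. The evidence ID, analyst name, file names and the 3 MiB stand-in image are all constructed for the demo.

```python
"""Evidence-integrity verification and chain-of-custody logging.

Added example, not from the assignment brief: hashes an image in fixed-size
chunks, verifies a working copy against the acquisition hashes before any
analysis, and appends a JSON-lines custody record for each handling step.
Files, evidence IDs and names below are constructed for the demo."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # 1 MiB reads keep memory flat on multi-terabyte images


def hash_file(path: str, algos=("sha256", "md5")) -> dict:
    """Read the file once and feed every chunk to all requested algorithms."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_image(path: str, expected: dict) -> bool:
    """True only if every recorded acquisition hash matches the file on disk."""
    actual = hash_file(path, tuple(expected))
    return all(actual[a] == expected[a] for a in expected)


def log_custody(log_path: str, evidence_id: str, action: str, actor: str,
                hashes: dict, note: str = "") -> dict:
    """Append one custody entry (UTC time, actor, action, hashes) as a JSON line."""
    entry = {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "evidence_id": evidence_id, "action": action, "actor": actor,
             "hashes": hashes, "note": note}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def demo() -> dict:
    """Acquire (construct), copy, verify, then catch a one-byte modification."""
    work = tempfile.mkdtemp(prefix="bgp-ir-")
    original = os.path.join(work, "disk0.raw")        # stands in for the 2 TB image
    copy = os.path.join(work, "disk0_working.raw")
    log = os.path.join(work, "custody.jsonl")
    evidence_id = "BGP-2021-0902-DISK0"                # constructed identifier
    with open(original, "wb") as fh:                  # 3 MiB of deterministic bytes
        fh.write(bytes(range(256)) * (3 * 4096))

    acquired = hash_file(original)
    log_custody(log, evidence_id, "acquired", "analyst-1", acquired,
                "imaged read-only via write blocker")
    shutil.copyfile(original, copy)                   # analysis only on a verified copy
    copy_ok = verify_image(copy, acquired)
    log_custody(log, evidence_id, "working copy verified", "analyst-1", hash_file(copy))

    with open(copy, "r+b") as fh:                     # simulate an undocumented change
        fh.seek(1024)
        fh.write(b"\xff")
    tampered_ok = verify_image(copy, acquired)
    log_custody(log, evidence_id, "re-verification", "analyst-1", hash_file(copy),
                "MATCH" if tampered_ok else "MISMATCH: copy no longer matches acquisition hash")

    with open(log, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh]
    shutil.rmtree(work)
    return {"copy_verified": copy_ok, "after_change_verified": tampered_ok,
            "log_entries": len(entries), "sha256": acquired["sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The memory capture gets the same treatment as the disk images, and it is the more time-sensitive artefact: it is analysed first (running processes, network connections, injected code) because it cannot be re-acquired once the server is rebuilt. Rebuilding for the client happens on separate hardware from known-good backups, so the original evidence is never touched again; a one-byte change, as above, is enough to make the image indistinguishable from a tampered one in court.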

PART 4 [20%]

You have been provided with a network capture involving about nine servers in an enterprise network. Your colleague, an IT administrator, suspects there is some suspicious activity going on. Using your knowledge of cybersecurity and network forensics, you are required to analyse the PCAP file new_part_4.pcapng and suggest what you think might be going on in the network packet sequence.
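The captures in Part 2 (part3_cosmetic.pcap, suspected data leakage from a laptop) and Part 4 (new_part_4.pcapng, suspicious activity among nine servers) are usually triaged the same way first: build per-packet records, then look at who is opening connections to how many distinct ports (scanning or lateral reconnaissance) and how many bytes leave the internal range for any external host (possible exfiltration). The script below is an added example of that triage written against the classic libpcap format, not the brief's own material and not a replacement for Wireshark, tshark or Zeek; it builds a small capture inline containing a SYN sweep and a 210 KB outbound push. The 10.0.0.0/8 "internal" range, the thresholds, the addresses and the host roles are assumptions for the demo. A pcapng file such as Part 4's must be converted first (for example `editcap -F pcap in.pcapng out.pcap`) or read with a pcapng-aware library.

```python
"""Network-forensics triage over a classic pcap: SYN fan-out per source (port
scanning / lateral reconnaissance) and internal-to-external byte volume
(exfiltration). Added example, not from the assignment brief; the capture is
constructed inline so it runs offline. The 10.0.0.0/8 'internal' range and
the thresholds are assumptions to tune per network."""
import ipaddress
import socket
import struct
from collections import Counter, defaultdict
from typing import NamedTuple

SYN, RST, ACK = 0x02, 0x04, 0x10
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

Packet = NamedTuple("Packet", [("ts", float), ("src", str), ("dst", str), ("sport", int),
                               ("dport", int), ("flags", int), ("payload_len", int)])


def parse_pcap(data: bytes) -> list:
    """Decode Ethernet/IPv4/TCP records from a libpcap (.pcap) capture;
    pcapng input must be converted first (editcap -F pcap in.pcapng out.pcap)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link-layer captures are handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":        # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6 or len(ip) < total_len or total_len < ihl + 20:  # TCP only, untruncated
            continue
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        packets.append(Packet(ts_sec + ts_usec / 1e6, socket.inet_ntoa(ip[12:16]),
                              socket.inet_ntoa(ip[16:20]), sport, dport, tcp[13],
                              len(tcp) - data_off))
    return packets


def find_port_scans(packets, min_targets: int = 5):
    """Sources whose pure SYNs (no ACK) reach >= min_targets distinct (host, port)."""
    targets = defaultdict(set)
    for p in packets:
        if p.flags & SYN and not p.flags & ACK:
            targets[p.src].add((p.dst, p.dport))
    return sorted((src, len(t)) for src, t in targets.items() if len(t) >= min_targets)


def find_large_transfers(packets, min_bytes: int = 100_000):
    """Internal -> external (src, dst, dport) tuples carrying >= min_bytes of payload."""
    volume = Counter()
    for p in packets:
        if ipaddress.ip_address(p.src) in INTERNAL and ipaddress.ip_address(p.dst) not in INTERNAL:
            volume[(p.src, p.dst, p.dport)] += p.payload_len
    return sorted((k, v) for k, v in volume.items() if v >= min_bytes)


def _checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _tcp_frame(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP with dummy MACs; TCP checksum left 0 (constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: 10.0.0.5 sweeps eight ports on 10.0.0.20, 10.0.0.7
    talks SMB normally, then pushes 210 KB to an external host on 443."""
    frames = []
    for port in (21, 22, 23, 80, 443, 445, 3389, 8080):
        frames.append(_tcp_frame("10.0.0.5", "10.0.0.20", 40000 + port, port, SYN))
        frames.append(_tcp_frame("10.0.0.20", "10.0.0.5", port, 40000 + port, RST | ACK))
    frames += [_tcp_frame("10.0.0.7", "10.0.0.20", 50001, 445, SYN),
               _tcp_frame("10.0.0.20", "10.0.0.7", 445, 50001, SYN | ACK),
               _tcp_frame("10.0.0.7", "10.0.0.20", 50001, 445, ACK, b"smb" * 100),
               _tcp_frame("10.0.0.7", "203.0.113.9", 50002, 443, SYN),
               _tcp_frame("203.0.113.9", "10.0.0.7", 443, 50002, SYN | ACK)]
    frames += [_tcp_frame("10.0.0.7", "203.0.113.9", 50002, 443, ACK, b"\xaa" * 1400)
               for _ in range(150)]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # global header
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


if __name__ == "__main__":
    recs = parse_pcap(build_sample_pcap())
    print("packets:", len(recs), "scans:", find_port_scans(recs),
          "outbound:", find_large_transfers(recs))
```

The two findings are only leads, not conclusions: a SYN sweep from one internal host has to be correlated with what that host did next (did any of the probed ports answer with SYN-ACK, and was a session then established?), and a large outbound transfer from a laptop that legitimately uses a VPN has to be checked against the VPN gateway's address, the TLS server name and the timing relative to the user's known activity before it is written up as exfiltration.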

Submission

The final report must be submitted in PDF format using Blackboard.

The submission deadline is 3pm on Wednesday, 14th December 2022

The standard penalties for late submission of work apply:

