In Albuquerque, New Mexico, there has been a mass shooting at the Welker Compound on Daniel Road with over 10 casualties. The owners of the property have long been suspected to be a criminal gang with white supremist ideologies. The compound had been under police surveillance with network traffic for the day of the shooting captured by the ISP. A damaged laptop was discovered at the scene and a memory dump was made but the disk image was unrecoverable. There has also been a mobile phone found near the body of the gang leader and several other suspected criminals and victims. [1]

Task 1

You are a digital forensics analyst for the Albuquerque Police Department. You have been tasked with examining any digital forensic evidence found at the scene as well as the network capture. The case supervisor suggests you address the following questions.

1. Who are the suspects in the transmission? When does the first communication begin?
2. What browsers are the suspects using and on what operating systems?
3. Are there undercover DEA agents within the gang? If so, who are they?
4. What was sent for Jesse to collect?
5. Is Jesse a DEA agent?
6. What applications are running on the memory dump computer?
7. What web pages has the memory dump computer visited recently?
8. What is email address of the owner of the memory dump computer?
9. What is password of the memory dump computer?
10. Create a detailed timeline of the significant events that take place on the memory dump computer.
11. What are the non-stock applications installed on the phone?
12. Who is in the contacts list?
13. What messages and calls have been sent and received by the phone?
14. What Internet searches has the owner of the phone made?
15. Is there a link between this phone and the disk image provided in Assessment A2. If so what is it?

As part of the answer for each of these questions you must include:

• A clear description of the evidence and reasoning for your answer.
• A detailed description of the process that you followed and the tools that you used to obtain the evidence. It is expected that you will include screenshots in your description.

Evidence Details

• DestroyedLaptopMemory.zip (md5sum: 02094d46e9b3277b5f653000e3dee4b1)
• welkercapture.zip (md5sum: 480b054a95e589861ed2566a561aaee6)
• victimphone.zip (md5sum: 274ec2b5afdbbe562728315c56581ae3)

Evidence for this assessment can be downloaded at the following links:

• DestroyedLaptopMemory.zip (https://cloudstor.aarnet.edu.au/plus/s/4MwGA9ULsXgwzKN)
• welkercapture.zip (https://cloudstor.aarnet.edu.au/plus/s/bHZGk4t2MeuPB0z)
• victimphone.zip (https://cloudstor.aarnet.edu.au/plus/s/mYHz4qKKmUJaKOw)

If you are using the SIFT workstation on the Griffith Cyber Range you can download it from the following link if you are logged into the SIFT workstation. This link is only accessible if you are logged into the SIFT workstation.

http://7906ICTAssignment.griffith.internal/A3/

Task 2

As it appears that survivors of this incident will be prosecuted, you must complete a digital forensic report for the police department. However, it must be written for a non-IT audience and may be used in court proceedings. This report should follow the recommended report structure and be addressed to non-technical possibly legal staff. Your answers for Task 1 should make up the appendix of this report.

Your report on the investigation should include the following main headings:

• Introduction and Executive Summary – Provide an overview of the case, the relevance of the evidential media being examined, who requested the forensic analysis, and what was requested.
• Evidence Summary – Describe the items of digital evidence that were analysed, providing details such as MD5 values, make and models of equipment
• Examination Summary– Provide an overview of the critical findings relating to the investigation, an executive summary, with any recommendations or conclusions in short form
• Forensic Analysis and Findings– Provide a detailed description of the forensic analysis performed and the resulting findings, along with supporting evidence.
• Conclusions – A summary of conclusions should follow logically from previous sections in the report and should reference supporting evidence.

Marking Criteria

This rubric provides you with the criteria to which your assessment will be marked as well as information as to how you might achieve the best possible marking outcomes.

Please review the marking rubric before you commence work on this assessment task.?Ensure that you have addressed the relevant criteria outlined in the rubric when completing the assessment task.

7906ICT A3 Marking Criteria.pdf  7906ICT A3 Marking Criteria.pdf – Alternative Formats

 

[1]The story, all names, characters, and incidents portrayed in this assignment are fictitious. No identification with actual persons (fictitious, living or deceased), places, buildings, events, and motion pictures is intended or should be inferred. No person or entity associated with this assignment received payment or anything of value, or entered into any agreement, in connection with the depiction of tobacco products. No animals were harmed in the making of this assignment.