ICT600 2024 ASSIGNMENT

ICT600 2024 Cyber Forensics & Incident Response

Assignment Information

You must submit your assignment online using the Assignment course tool.

You must submit your assignment as ONE word-processed document containing all of
the required question answers.

You must keep a copy of the final version of your assignment as submitted and be prepared
to provide it on request.

The University treats plagiarism, collusion, theft of other students’ work and other forms of
dishonesty in assessment seriously. For guidelines on honesty in assessment including avoiding
plagiarism, see:
http://www.murdoch.edu.au/Curriculum-and-Academic-Policy/Student-Integrity/

2019 Narcos
Due to intelligence provided by the Australian government, two passengers were intercepted by
Customs upon arriving in Wellington, New Zealand from Brisbane. The intelligence stated that Jane
Esteban and John Fredricksen may be involved in illegal activity.
The suspects were each searched by a customs officer. John Fredricksen's baggage consisted of
clothing, toiletries and a Windows laptop. Jane Esteban's baggage also consisted of clothing,
toiletries and a small Windows laptop.
Upon further search of the lining of the suitcase, one kilogram of methamphetamine was located.
Both suspects were taken into separate interview rooms where they were interrogated. John
Fredricksen refused to answer any questions.
Jane Esteban stated all she knew was that she had to deliver the suitcase to the Eastbourne library
but if all else failed then they were to deliver it to 666 Rewera Avenue, Petone as told by John.
Customs and police subsequently raided that address. There was nobody present at the address.
Customs did, however, find drugs, guns and a desktop computer in the living room of the suspect’s
house.
You are a Customs forensics investigator. Customs officers have delivered images and memory
dumps of the 2 laptops and 1 desktop computer to you. Your task is to carry out a forensic
examination of John Fredricksen, Jane Esteban and the unknown suspect’s laptops and desktop
computers to further understand their motives, goals and objectives. It should be noted that all three
devices contain different Windows 10 builds and resulting artefacts may not be located in the same
location or even be present.

ICT600 Cyber Forensics and Incident Response Assignment – V1- Last Updated February 2024

Suspects Descriptions
Personas:

John Fredricksen

John has been communicating with Steve Kowhai (NZ dealer) via what he believes is a secure
and private chat room (Discord) to discuss his new consignment. Their chat contains information
on where they are going and what he wants John Fredricksen to deliver. Furthermore, Steve shares
some documents via email, cloud storage, etc. that will assist with his job.

John Fredricksen now has enough information to concoct his plan of smuggling the 1kg of
methamphetamine into New Zealand, but he needs to find some cover that can take the heat off of
himself if any surprises were to happen. John identifies Jane Esteban as a regular user of his
business's product (meth) and thinks she will make a great mule for smuggling the drugs.

Jane Esteban

Jane is an undercover Australian Federal Police (AFP) officer tasked with gathering evidence about
a drug ring involving John Fredricksen and his associate Steve Kowhai in New Zealand.

Jane will be using the following persona while working undercover. She has a terrible addiction
and has been visiting John to feed her addiction, which has led to a transactional friendship with
him as a result. John approaches Jane soon after discussing with Steve to convince her to assist
with his job.

Steve Kowhai

Steve is a major drug distributor/dealer in the lower North Island of New Zealand and wants
to find some quality product to expand his growing empire even further. Steve has contacted a source
(John) in the US to smuggle in a taster of the product he plans to buy in larger quantities later. Steve
has provided John with information about New Zealand and points on how best to smuggle the
product into Wellington without raising any alarms at customs. Steve knows a thing or two about
digital forensics and decided to use steganography to hide the document within a picture.


Materials – Drive Image

The evidence for this scenario includes Steve Kowhai's drive image, Jane Esteban's drive image,
John Fredricksen's drive image, Steve Kowhai's memory image, Jane Esteban's memory image, and
John Fredricksen's memory image. The materials can be downloaded from
https://downloads.digitalcorpora.org/corpora/scenarios/2019-narcos/

Drive Images

Actor              File Name              MD5 Hash
Steve Kowhai       Narcos-1a.001-021      996182c381ec9e7025f40519107615e4
Jane Esteban       Narcos-3a.001-021      ce707bf783dde13ed42196cd6e473083
John Fredricksen   Narcos-2a.001-021      56823dee9b24a40407bec184f80261c2

Memory Images

Actor              File Name              MD5 Hash
Steve Kowhai       Narcos-Mem-1a.001-003  3469089f9a26b0b51a4ee985cd1c3008
Jane Esteban       Narcos-Mem-3a.001-003  7c155dae658fb059586b3ab5144e21d2
John Fredricksen   Narcos-Mem-2a.001-003  fd7027c7bffedd653226355467c2b1ef


Deliverable Report

Task Description
You should follow forensics procedures, such as taking a hash of the image before using it and
checking regularly to ensure you have not modified it. You can select and use any proprietary or
open source tools that you have been introduced to or find yourselves to perform the analysis and
extract any evidence present.
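The hash-before-and-during-analysis procedure described above, as an added example that is not part of the assignment brief or of the Digital Corpora materials. It streams an MD5 over a split image (the segment naming base.001, base.002, ... matches the evidence tables), refuses to hash a set with a missing segment, and compares the result with an expected value. The directory name and the sample-image helper are hypothetical, and the assumption that a published MD5 covers the segments concatenated in order is the script's, not the corpus's; an examiner should confirm which convention the published hashes follow before treating a mismatch as tampering.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Segment naming used by the evidence tables: <base>.<three-digit index>
SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<idx>\d{3})$")


def find_segments(directory, base):
    """Return the segments of image `base` in numeric order; fail if any index is missing."""
    found = {}
    for path in Path(directory).iterdir():
        match = SEGMENT_RE.match(path.name)
        if match and match.group("base") == base:
            found[int(match.group("idx"))] = path
    if not found:
        raise FileNotFoundError(f"no segments for {base} in {directory}")
    wanted = range(1, max(found) + 1)
    missing = [i for i in wanted if i not in found]
    if missing:
        # Hashing an incomplete set would silently produce a wrong, non-reproducible value.
        raise FileNotFoundError(f"{base}: missing segment(s) {missing}")
    return [found[i] for i in wanted]


def md5_of_segments(paths, chunk_size=1 << 20):
    """MD5 over the in-order concatenation of the segments (assumption: that is what a
    published image hash covers), streamed so multi-gigabyte images never sit in memory."""
    digest = hashlib.md5()
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                digest.update(chunk)
    return digest.hexdigest()


def verify_image(directory, base, expected_md5):
    """Hash a split image and report whether it still matches the recorded value."""
    segments = find_segments(directory, base)
    actual = md5_of_segments(segments)
    return {
        "image": base,
        "segments": len(segments),
        "expected": expected_md5.lower(),
        "actual": actual,
        "match": actual == expected_md5.lower(),
    }


def write_split_image(directory, base, payload, segment_size):
    """Write constructed sample data as base.001, base.002, ...; returns its MD5 for the demo."""
    for offset in range(0, len(payload), segment_size):
        idx = offset // segment_size + 1
        (Path(directory) / f"{base}.{idx:03d}").write_bytes(payload[offset:offset + segment_size])
    return hashlib.md5(payload).hexdigest()


def run_demo():
    """Verify a constructed image, then show how a changed byte and a lost segment surface."""
    workdir = tempfile.mkdtemp()
    payload = bytes(range(256)) * 40  # 10,240 constructed bytes, split into 11 segments
    expected = write_split_image(workdir, "Sample-1a", payload, 1000)
    clean = verify_image(workdir, "Sample-1a", expected)

    # Flip one byte in the fifth segment: the recorded hash no longer matches.
    with open(os.path.join(workdir, "Sample-1a.005"), "r+b") as fh:
        fh.write(b"\xff")
    tampered = verify_image(workdir, "Sample-1a", expected)

    # Remove a segment: verification must refuse rather than hash a gapped set.
    os.remove(os.path.join(workdir, "Sample-1a.003"))
    try:
        verify_image(workdir, "Sample-1a", expected)
        gap_error = None
    except FileNotFoundError as err:
        gap_error = str(err)
    return clean, tampered, gap_error


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Record the verification output (tool, time, expected and actual hash) each time it is run; the repeated checks the brief asks for are only evidence if each one is logged.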
Your report should detail the investigation process and the findings (including copies of relevant
evidence), including obstacles and problems that you encountered and how you overcame them.
You can assume that the reader has a light understanding of digital forensics, so any complicated
terms/techniques/etc should be explained.
You must include some screenshots in your reports with the output of the tools or the processes
and when necessary to support/show how you reached your conclusions. Screenshots should not
be used to excess – they merely serve to demonstrate your understanding of the tools/processes
and should be used to support written explanations (not in place of).
You will be marked based on the evidence you extract, the use of appropriate tools, the detail of
the process, the explanation of its relevance to the case and documentation. Remember, your
report should present the information in an unbiased way. Improper handling/validation of
evidence will result in loss of marks except where accurately identified and corrected.

**This assignment can be accomplished either individually or in pairs.

Marking Rubric:
The following table summarizes the marking criteria of the final report.

Sections                                                          Marks
Cover Page, Table of Contents, Executive summary                      5
Methodology                                                          10
Findings (use of appropriate tools and details of the process)       65
  • Discussions (the explanation of findings' relevance to the case)
  • Supporting Evidence (accurate data acquisition)
Summary & Appendix                                                   10
References & Formatting                                              10
Total                                                               100


Your report must highlight the following requirements (these will be assessed):

A. “Provide a written summary not to exceed two pages that describes what took
place”:
• Clear and concise summary.
• The summary is objective, not subjective.
• Report only includes relevant artefacts pertaining to the case.
• "The written summary is free of grammatical, syntax, and spelling errors, e.g., consistent
verb tense, pronoun-antecedent agreement, correct use of parallelism, etc".

B. "Provide a written description not to exceed four pages of the forensic methodology
used to analyse the evidence files and obtain the results identified in the summary.
The methodology does not need to provide step-by-step instructions on how software
was used; however, it should provide a sufficient description for the findings to be
reproduced":
• A methodology explaining the forensic process of how artefacts were identified.
• The methodology is forensically sound and is defensible.
• The methodology is reproducible for other forensic examiners.
• The methodology and table of findings support the conclusions presented in the Narcos
scenario.
• "The written methodology is free of grammatical, syntax, and spelling errors, e.g.,
consistent verb tense, pronoun-antecedent agreement, correct use of parallelism, etc".

C. "Provide a Table of Findings, which contains a list of recovered artefacts with
forensic information to build a defensible case". "User-produced evidence files
(include name of file(s), MD5 hash, and location(s) and comment regarding
evidentiary value)":
• Identify relevant user account profiles and computer names associated with the
suspect's computers.
• Identify relevant web activity on each suspect's computer.
• Identify images that help to build a profile of the three suspects' behaviour.
• Identify binary files that could help the investigation.
• Identify the means and the content of communications between all the suspects.
• Identify any documents that could help the investigation.
• Identify any obfuscation methods used by the suspects.
• Identify encryption methods used by the suspects and determine two methods that can
circumvent the encryption.
• Identify malware used by one of the suspects and determine its purpose.
• Identify the vulnerability that allowed the malware to function.
• Leverage other Windows artefacts that provide corroborative evidence such as
Windows Timeliner.
• Identify whether changes have occurred to these artefacts across the different Win 10
builds.
• Identify the roles of each suspect.


Sample Structure for Report

Outline: Use the following as a starting point to structure your report

Cover Page
• Title
• Date
• Student Name / Student Number

Table of Contents
• Main contents listed with page number
• Be sure to include visible page numbers on all pages

Executive summary
• Brief Description of the event
• Brief methodology of the investigation
• Brief evidence collection and preservation methods
• Conclusion with short, generalized reasons (like bullet-points)

Methodology details
• Investigation
• Evidence collection and preservation

Finding 1 - Description
• Discussion (e.g. Inculpatory or Exculpatory)
• Supporting evidence

Finding n - Description
• Discussion (e.g. Inculpatory or Exculpatory)
• Supporting evidence

Summary and Conclusion
• Discuss whether there is any evidence of illegal drug activity (methamphetamine).
• How sound / reliable do you believe your evidence collection to be?
• Is the person innocent or guilty? Explain your position.

Appendix
• Description of persons of interest (often shown in table format)


• Association Diagram of persons of interest
• Evidence listing
• Evidence Timeline (present any evidence in a timeline format, signposting the points
where you believe any offence may have occurred and other significant dates/times in the
case).
• Software and tools used in the investigation
• Other important listings and information as needed

References:

Your report should be your own, and you should use appropriate citation and referencing formats.
All sources that you use as supporting material to your reports must be referenced according to the
convention. Failure to do so will result in the loss of marks! You should use APA as a referencing
style. The IEEE format is also acceptable.

Formatting:

1. Paragraph text: Font size 12 with Calibri or Times New Roman font. 1.5 line
spacing. Justify alignment (ctrl+j in word).
2. Use Word (or equivalent) styles for headings, paragraphs, etc., to ensure consistency.
3. Number chapters (1, 2, etc.) and sub-chapters (e.g. 1.1, 2.1, 2.2) – and consistently.
4. Figures should have a figure number and a caption (right click and insert a caption in Word).
5. Write in the third person.
6. Word limit: maximum 3500 words. Note that the word limit for group work is a
maximum of 5000 words.
