Posted: February 3rd, 2022
Is Ben a Terrorist?
We will be conducting a digital forensics investigation as our final project. You will be graded on the case report you prepare.
A USB thumb drive has come into your possession under the following scenario:
You work for the Anne Arundel Metro Police, a small police agency where you are the only digital forensic investigator. You are required to respond to any incident involving digital evidence. You are solely responsible for the investigation from the initial incident to the last day of trial.
The scenario of the case is detailed below. Your assignment is to produce a final investigation case report. The report must be well organized and include all the crucial aspects of assessment, collection, preservation, documentation, acquisition, analysis, and reporting that would allow you to recreate the crime for a judge or jury. Your findings must be able to withstand scrutiny. Your report should start with a case summary and brief bio. Feel free to be creative regarding your qualifications and your vision of the Anne Arundel Metro Police.
Bonnie Bergman called your police department and reported that her husband, Ben, has been acting strangely. She believes she found evidence of radical extremist communications with an unknown individual known as “Sophia” on a laptop belonging to her husband. She also reports that her husband, who is unemployed, has suddenly come into large sums of money. Bonnie and Ben had a heated argument, after which Ben left the house taking his laptop with him. Bonnie, however, has discovered a USB thumb drive that reportedly belongs to Ben in his desk drawer. Following an interview with Bonnie, you have been issued a search warrant to search the USB thumb drive for evidence of a potential terrorist threat.
This project is 50% about the report, 50% about the evidence. There are 16 possible pieces of relevant evidence. Please locate at least ten unique evidence types for your report. “Unique” means one type of artifact from each category listed in the evidence hints below.
In the field of Digital Forensics, your ability to write reports and communicate findings clearly is critical. Therefore, spelling, grammar and cohesive thought always count. You are free to choose the format of your report. The only formatting requirement is 12-point font. There is no criterion for length; however, all the critical components of an investigation must be addressed. References are REQUIRED.
PLEASE be sure to review the assignment rubric before AND after you complete your report.
Crucial aspects of a digital forensics investigative report:
This is not an all-inclusive list of possibilities. Feel free to add as you deem important. However, these are the things I will be looking for. Remember to use the Samples provided in class as a guide.
How did you get the media? (Who, where, when)
Who gave you the authority to investigate the media?
What is the scope of investigation?
What steps did you take in planning your investigation? (Think assessment, collection, preservation, documentation, acquisition, analysis, and reporting.)
Describe the media (physical and logical)
Did you write a receipt for the media, include it on a chain of custody form and start a documentation sheet for the handling of the media?
How did you transport, store and preserve the media?
How did you create a working copy? (An image? A disk to disk clone?)
How did you verify the working copy? Did you include the verification log in the report?
How did you analyze the media?
What did you look for?
What did you find?
How did you find it?
Where did you find it? (logical artifact location on the image)
Did you include any reports, screenshots, images, etc., of the evidence?
What software did you use? Is it legally licensed? How did you confirm the reliability of the software?
Did you document ALL of your steps so that if you had to recreate this case five years from now, you would understand what you did?
Can the client understand your report? Is it well organized? Is it grammatically correct?
Did you wrap it up with a conclusion?
The image contains at LEAST one of the following types of evidence relevant to the case:
Incorrect/missing file extensions
Password protected files
Link file analysis
Network packet capture