
CIS8708 – Written Assessment

This assignment has four questions to be completed. Compile your answers into a Word document
to be uploaded to Study Desk, with or without the optional Excel Spreadsheet in Question 1. Include
your Name, Student Number and course code (CIS8708) in the header of each page and include
references and a bibliography where appropriate.

When submitting your document/s, the file will be submitted to Turnitin for originality checking. You
will be able to see the report come back and can make adjustments if required before resubmitting.

Question 1 – 25 marks, 600 word maximum


Your team leader has asked you to research current data acquisition tools. Looking at the vendors
listed in Week 4 (ProDiscover, EnCase, FTK, Sleuth Kit, X-Ways, your own option), prepare a report
containing the following information for each tool and stating which tool you would prefer to use
and why:

● Forensics vendor name
● Acquisition tool name and latest version number
● Features of the vendor’s product

With this data collected, prepare a table or spreadsheet listing vendors in the rows. For the column
headings, list the following features:

● Raw format
● Proprietary format
● AFF format
● Other proprietary formats the tool can read
● Compression of image files
● Remote network acquisition capabilities
● Method used to validate (MD5, SHA-1, and so on)
● Any other comparatives you would like to add such as cost/licensing model, acquisition
speeds based on image format or other features.

Note: if you prefer to do this comparative table in an Excel spreadsheet, that would be acceptable
to submit as a second file.

Question 2 – 25 marks, 750 word maximum


Trevor Smith is the primary suspect in a fraud investigation. Trevor works at a large local business
and the case reports that he has one computer at work and another at home.

Write a one-to-two-page report, placing yourself in the shoes of a digital forensics detective for the
local police office (investigating the home computer), and a digital forensics practitioner for the local
business (investigating the work computer). Detail in the report what you need to do to gather
evidence from each of these computers and what obstacles you might expect to encounter during
the investigation.



Question 3 – 25 marks, 300 word maximum.
You are working as a Forensic Investigator and have been presented with a file to investigate. The
Word1.docx file (available from StudyDesk assignment section) has been forensically extracted from
an employee’s USB drive. This employee is being investigated for suspicious bank transactions in
their capacity as a Finance Officer, to an account number starting with 4848. Investigate the file for
any references to the account number. Write a report on the steps you took to investigate the file
and detail anything relevant that you may find.

Question 4 – 25 marks, 500 word maximum.


As a Forensic Investigator who knows Splunk, you have been asked to do some investigating using
Splunk at the company Frothly, an alcoholic beverage producer.

You have 7 questions to answer using Splunk at https://splunk-teach.usq.edu.au (access will be
demonstrated in lectures/tutorials). To view all data, search “index="botsv2" earliest=0” in the
Search and Reporting App. Then consider search conditions that can be added to filter down, based
on the information in each question.

For each question, show the search term that you used and the text/numeric answer to the
question. In conclusion, write an evidence report to the HR investigator to summarise all the things
that you discovered (consider this person to be non-technical and detail the report with this in
mind).

1. Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell
through, but visited their website to find contact information for their executive team. What
is the website domain that she visited? Answer format example: google.com
2. Amber found the executive contact information and sent him an email. What is the CEO's
name? Provide the first and last name.
3. After the initial contact with the CEO, Amber contacted another employee at this
competitor. What is that employee's email address?
4. What is the name of the file attachment that Amber sent to a contact at the competitor?
5. What is Amber's personal email address?
6. What version of TOR did Amber install to obfuscate her web browsing? Answer guidance:
Numeric with one or more delimiter.
7. What is the public IPv4 address of the server running www.brewertalk.com?
