
COMP1541 Coursework 2023-2024

Overview

This coursework comprises three (3) tasks, two (2) of which are individual tasks, and the last
(1) task is a group (1-3 members) report:

• Task 1: Imaging Exercise (20%)
• Task 2: Search and Seizure Exercise (20%)
• Task 3: Investigation and Report (60%)

There is a single deadline, and all students must hand in a single report containing all 3 of
their own tasks. A template is provided for the report, but you are responsible for ensuring
that Tasks 1 and 2 are your own work and that the Task 3 section is the same for all
members of the group.

Student Collusion / Peer Learning

For Tasks 1 and 2 you may discuss your work with other students in the class, but you must
produce the work individually. For Task 1, it must be the file assigned to you and the
diagram must be of your own creation. For Task 2, the photographs and diagrams must be
from your own house/place of residence, and they must be your reference numbers.

For Task 3 you may only discuss the work in generalities in class, and only in detail with
members of your own group. It is not acceptable for groups to share work and findings.

Software Tools

You may use any appropriate tools or software to solve the problems presented to you in
this case. If you are an experienced security or forensics analyst and you have a toolkit you
are happy with, you may use that. We initially suggest FTKi, Autopsy, and Hash My Files, as
these tools are taught on the course, so if you use any alternative tools or methods you are
responsible for their accuracy and for your familiarity with those tools.

It should be noted that the techniques taught in the labs for this module may be employed
in the coursework, although we cannot assure you that all the techniques or data hiding
tools are used in every case. If you are familiar with other tools or techniques that have not
been taught on the module you are welcome to use those, and they will be accommodated
in the marking as best as we can. If you are using alternative tools or methods, it is
probably best to provide as much information as you can, as your assessor may not be as
familiar with the technique as you.

AI Assistance

You may use AI tools and any other supporting literature where appropriate in line with the
university policy – i.e. you declare its usage.

However, you are strongly discouraged from using AI because it produces stupid answers
that never answer the questions in this coursework. Students that rely on AI always fail, not
because it is prohibited, but because the material produced is a big ol’ pile of ****.

On your own heads be it if you rely on this technology at its current state of maturity.

Task 1: Imaging Exercise

THIS IS AN INDIVIDUAL ASSIGNMENT.

Each student has been assigned an Image File (ImageFile.001-045.dd). You are to work on
these exercises individually, and you must work on the correct Image File, otherwise your
answers will not be accepted (and we will very likely consider this as a case of collusion).

We do check your results match the file assigned to you. You are assessed on getting the
results assigned to you.

Task 1.1 Imaging Exercise

Using the ‘ImageFile***.dd’ image file that you have been assigned, produce a brief report
showing that you can perform the following tasks:

a) Demonstrate that you are working on the correct image file, i.e. show me the hash on
Moodle that has been assigned to you, and show me using a tool like Hash My Files that
it produces the same result.

b) Create a single EWF/E01 image file, using (max) compression (level 9 if available).
Demonstrate that it has been correctly and accurately created.

c) Create an EWF/E01 image that has been split up into at least 5 parts (there is no need
for these to be equally sized, and it is a good idea to use no compression (level 0)).
Demonstrate that it has been correctly and accurately created.

d) Provide a list of files for each of these stages, showing the filename and extension, the
size of the file, and the hash of the file. N.b. there should therefore be a list of at least 7
files (the original image, the compressed file and at least 5 split files).

It is essential that all of these stages are documented with screenshots and a very, very brief
explanation. You are not handing in the image files; you will be marked only on whether the
pictures evidence that you have produced the correct result.

Make your screenshots large, clear and legible, or you will be marked down substantially if
the marker has to press the zoom-in button.

Task 1.2 Verification Exercise

Using an image file you created in Part A (i.e. not the .dd file), demonstrate using two
different methods/pieces of Forensic software that the image is verifiably correct.

Using two forensic tools to achieve the same result is a standard Digital Forensics technique
called Dual Tool Verification. You are strongly advised to use software such as FTKi,
Autopsy, EnCase or suchlike. Hash My Files will not produce the correct result.
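
Why a plain file hasher cannot verify an E01, as an added illustration that is not part of the coursework brief: an evidence container stores the hash of the acquired data next to compressed chunks, so hashing the container file gives a different value, and verification means rebuilding the data and re-hashing it. The container below is a constructed toy format, not real EWF, and the filenames and sample data are assumptions.

```python
import hashlib
import zlib

# Constructed sample standing in for the raw .dd image (not real evidence data).
SOURCE = bytes(range(256)) * 64

def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def acquire(source: bytes, segments: int, level: int) -> list:
    """Toy container (NOT real EWF): segment = stored source MD5 + compressed chunk."""
    stored = md5(source).encode()            # 32 ASCII hex characters
    size = -(-len(source) // segments)       # ceiling division
    chunks = [source[i:i + size] for i in range(0, len(source), size)]
    return [stored + zlib.compress(c, level) for c in chunks]

def verify(segs: list) -> bool:
    """Rebuild the acquired data from all segments and compare with the stored hash."""
    stored = segs[0][:32]
    try:
        data = b"".join(zlib.decompress(s[32:]) for s in segs)
    except zlib.error:                       # a corrupted segment fails verification
        return False
    return all(s[:32] == stored for s in segs) and md5(data).encode() == stored

def manifest(files: dict) -> list:
    """(filename, size in bytes, MD5 of the file as stored on disk) for each file."""
    return [(name, len(blob), md5(blob)) for name, blob in files.items()]

def build_case() -> dict:
    """Original image, one max-compression container, one 5-part uncompressed set."""
    files = {"image.dd": SOURCE}             # hypothetical filenames throughout
    files["single.T01"] = acquire(SOURCE, 1, 9)[0]
    for n, seg in enumerate(acquire(SOURCE, 5, 0), start=1):
        files[f"split.T{n:02d}"] = seg
    return files

if __name__ == "__main__":
    for row in manifest(build_case()):
        print(*row)
    single = acquire(SOURCE, 1, 9)
    # The container's file hash differs from the source hash, yet verification passes.
    print(md5(single[0]) == md5(SOURCE), verify(single))
```
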

Task 1.3

Draw a sketch/diagram that would be suitable for members of a jury who are not
technically knowledgeable, on what a “Write blocker” is. Within your answer you must
explain the purpose, and available options for Write Blocking.

Hint 1: DO NOT just draw and label a Tableau device; that does not answer this question.

Hint 2: Only a diagram will be marked, so do not provide an answer which has a wall of
supporting text as only the sketch will be marked.

Task 2: Search and Seizure

THIS IS AN INDIVIDUAL ASSIGNMENT.

So as to demonstrate the search and preservation of potential Digital Forensics evidence,
you are required to set up an example of a small office or domestic environment,
demonstrate a search of this environment and produce a report documenting your search.

The Scene

The scene should include at least 1 significant large device (laptop or larger) and a small
collection (at least 4 items) of media or smaller significant artefacts, such as phones, USB
sticks, CDs/DVDs, ID cards etc. The scene should also contain non-digital artefacts that
may be relevant, such as paperwork, post-it notes etc.

If your room looks like Figure 1, you can specify a small ‘zone’ for the purposes of the report.

Figure 1 – A Complex Digital Forensics Search Environment

Task 2.1 A diagram of the scene

Provide a hand-drawn diagram of the room, and highlight the area you are searching. In
addition to the sketch of the room you should BRIEFLY highlight the following issues relating
to your scene:

a) Note any Safety issues – people, animals and specific hazards found
b) Anticipated Assistance you would require for this kind of setting
c) Interview, and Information Gathering you would need to conduct.

Please keep your plan related to your specific scenario, and do not put irrelevant general
information (e.g., a SWAT team just in case there is a gun on the premises. Just no). You are
not searching a crack den, so make sure it is relevant to the domestic setting.

Task 2.2 Photograph of the Scene

Provide two (2) clear photographs showing the search scene:

a) Photograph 1 should show a wide view of the room
b) Photograph 2 should show a view of your search area

Photograph 1 should cover broadly the same area as the Task 2.1 scene sketch, although
often the sketch is a wider view, and the photo is more detailed.

Task 2.3 Labelling the Artefacts (high level view)

Provide Photograph 3, which will be the same area as covered in Photograph 2, but each of
the artefacts will have a reference number next to them.

The reference numbers must be your initials followed by an incrementing number. For
example David W. Gresty will have artefacts DWG/1 to DWG/7, if there are 7 artefacts at
the scene.

Task 2.4 Close-Up Photographs

Provide individual photographs of all the exhibits you noted in Photograph 3, such as shown
in Figure 2.

a) highlighting exhibit reference numbers.
b) You do not need to photograph all sides of the objects, but it is advantageous to capture
serial numbers so you should photograph both sides of an object.

Figure 2 - An example of an in situ photograph showing the exhibit reference number of an
item.

Task 2.5 Exhibits Table

Produce an Exhibits Record table for your ‘seized’ items (i.e. the items you would be taking
away in a real search). Each item must have the following information recorded for it (even
if some information is duplicated):

• Record location (zone) where all the exhibits come from

• Who seized the item.

• What time the item was taken

• The seal number of the bag (or if improvising a signature seal you need a record of the
signature) – you can make this up, but it is essential in the real world.

Remember this must be a table, and that each individual item needs its own record on the
table, because in the real world multiple people would be seizing different items.

Task 2.6 An Improvised Seal

You are to bag and photograph one (1 only) item from your crime scene using an improvised
seal.

a) A clear evidence reference number must be visible
b) A signature seal must be visible
c) A clear sealing of the bag must be shown (this may require a couple of close-in pictures
as Sellotape is particularly hard to see). Again, your marker will not be zooming in to
check this, so you must make a zoomed-in photo if it is not clear.

You do not need to photograph the intermediate stages of constructing the improvised seal,
a final single sealed exhibit is sufficient.

Task 3: Investigation and Reporting

This is a somewhat realistic scenario of a law enforcement hi-tech crime unit investigation of
a laptop computer. This can be completed as an individual or as a small group (1-3 group
members); however, discussion with other students outside of this group is considered an
academic offence.

Objective

You are to investigate the case with respect to the circumstances detailed below. Identify
whether the information provided is accurate, and whether there are Indecent Photographs of
Children (cats) or terminology relevant to the case. Establish if anything you find can be
attributed to the suspect. Report on the case. Identify if there are further offences present, or
information you believe should be brought to the attention of the officer in charge of
investigating the case.

Resources

You will be supplied via Moodle with an Evidence File: ‘Operation Canary Wharf’ – please note there
are 8 files that make up this split image, ‘Operation Canary Wharf.E01’ to ‘Operation Canary
Wharf.E08’.

You will be supplied with a Template, which must be used for completion of this case.

Case Background

Suspect:

John CHURCHILL (d.o.b. 1/1/2002)

A Computer Science (Artificial Intelligence) B.Sc. Student at STFU. Room 216, Halls of
Residence.

Circumstances of the Case:

At approximately midnight on the 19th of November 2022, two students (Harry TURNBULL
and Jade GREY) who were visiting the Lord Gresty Halls of Residence for the South Thames
Fictional University walked into room 216 by mistake.

Both TURNBULL and GREY had drunk a significant quantity of alcohol.

Both TURNBULL and GREY observed the defendant CHURCHILL sat at his desk. GREY
approached CHURCHILL and, realizing that they were in the wrong room, tried to apologise
and make light of the situation. When she tried to look at his screen saying that he “shouldn’t
be looking at porn all night”, CHURCHILL became aggressive. She states that she realized she
was looking at a large-scale indecent photograph of a child on the screen, not adult
pornography.

CHURCHILL’s aggressive behaviour towards GREY caused TURNBULL to intervene, which
led to loud shouting and a scuffle breaking out between CHURCHILL and TURNBULL.
University security arrived quickly and removed TURNBULL and GREY from room 216.
Officers from the Met Police were called to attend the scene as TURNBULL and GREY were
belligerent towards the security.

When uniformed officers arrived, GREY stated that the defendant was watching Child Porn
on his laptop computer, although TURNBULL states he did not see the computer. When
officers attended room 216 to question the defendant, they noticed that on the screen was
a web page relating to wiping software. As such the laptop computer was seized and at that
time the defendant was arrested. A mobile phone has also been seized and sent for
separate examination. Nothing of note is currently reported for the phone.

Police Action Taken:

The computer was processed by the Greenwich Hi-Tech Forensics Unit (HTFU) and an
automated search for indecent photographs was positive. These are present within the web
cache area of the disk. Internet history extraction shows indecent terminology being
searched for.

The defendant has stated that he was researching ‘Deep Fake’ technology as part of his
studies. He admits that he wanted to make humorous meme-type pictures using classmates
or lecturers at university, but whilst researching deepfakes he found articles about
morphing porn actors and regular people.

He acknowledges that whilst trying to find pictures he could use to make deep fake pictures
or “composites”, he may have strayed into pornographic sites that included indecent
photographs, and this may have caused these pictures to be downloaded onto his
computer’s ‘web cache’.

Defendant states categorically that he did not search for indecent terminology, and that he
had no sexual interest in indecent material. Defendant states that there was no attempt to
make ‘revenge porn’, and he just wanted to find out how pornographic deep fake pictures
could be made as he had “read about it on the BBC”.

N.b. Due to a backlog of work at the HTFU, this case – which took place in November 2022 –
must be completed as a priority, as the suspect has been on extended bail. As such the
HTFU has authorised a small team of analysts (1 to 3 analysts as directed by the unit leader)
to complete the analysis in a timely manner.

Scenario Rules

Pictures of the actor Willem Dafoe shall be considered to be Prof. Giles Trent, from STFU.

Standard rules: Pictures of cats should be considered Indecent Photographs of Children, or
any terminology relating to cats should be considered notable terminology relating to
Indecency. Pictures or terminology of dogs should be considered legal sexual content.
