CC5066 – Network Forensics and Incident Response

The Coursework Specification

Investigating an Exfiltration - Case Background

M57.biz is a new company that researches patent information for clients. Employees are: 1 president / CEO and 3 additional employees. The firm is planning to hire more employees, so they have a lot of inventory on hand (computers, printers, etc.). Current employees: President: Pat McGoo; Information Technology: Terry; Patent Researchers: Jo, Charlie.

Employees work onsite and conduct most business exchanges over email. All of the employees work in Windows environments, although each employee prefers different software (e.g. Outlook vs. Thunderbird). Note that in the figure below, “DOMEX” is the local server managing external network access and email.

The case: exfiltration of corporate IP

One of the employees in M57 is stealing proprietary research from the company and passing it on to an outside entity. This employee has taken some measures to cover their tracks, but probably did not count on the company machines being imaged in the ongoing investigation of other criminal activity.

In this case study, you have access to the following “Police Evidence”:

  • Hard drive images from all workstations in the office: charlie-2009-12-11.E01, jo-2009-12-11-002.E01, pat-2009-12-11.E01, terry-2009-12-11-002.E01
  • (Optional) RAM dumps from the machines taken during the police visit (mdd or windd images): charlie-2009-12-11.mddramimage.zip, jo-2009-12-11.mddramimage.zip, pat-2009-12-11.mddramimage.zip, terry-2009-12-11.mddramimage.zip
  • Four company USB drives found on-premises and one personal USB drive seized from Jo: charlie-work-usb-2009-12-11.E01, jo-work-usb-2009-12-11.E01, terry-work-usb-2009-12-11.E01 and jo-favorites-usb-2009-12-11.E01
  • Full versions of FTK, AXIOM and NUIX (world-leading digital forensic and investigation toolkits), plus the free Security Onion and Kali Linux

The forensic images can be downloaded from:

https://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/

You are tasked with determining the following:

  • Who is exfiltrating the data?
  • How are they doing it? Can you identify the specific items they have stolen? What is required to access the data?
  • Who is the outside contact?
  • Is there anything in your analysis to suggest that this person might be charged with more than one criminal offense?

Required Submission

You are required to write an investigation report in PDF format. The report may be up to 2000 words long. Your findings must be properly interpreted, accompanied by supporting evidence, and/or linked to one or more appendices showing the relevant evidence. The report filename must follow this convention: if your student ID number is “123456”, the filename for the investigation report will be “CC5066-123456”. A recommended report template will be provided for your reference.

Marking Scheme (Total 100 marks)

The assessment of the coursework is detailed below.

  • Presentation of the report (Maximum 30 marks)
      • Quality of communication/expression (Maximum 10 marks)
      • Overall structure – organisation of material and quality of documentation (Maximum 10 marks)
      • Bibliography and correct citations (Maximum 10 marks)
  • Evidence found/presented/interpreted (Maximum 60 marks)
  • Evidence of your learning enhancement (Maximum 10 marks)

END OF THE COURSEWORK SPECIFICATION

