ICT378 National Gallery Washington Digital Forensic Case Study


ICT378 2022
Cyber Forensics & Information Technology

2012 National Gallery DC
Assume that you’re a Forensic Investigator given the following case:
The 2012 National Gallery DC scenario spans approximately 10 days and encompasses two
distinct yet intertwined story arcs. The scenario is centered around an employee at the
National Gallery DC Art Gallery. Criminal plans for both theft and defacement are discussed
amongst actors during the scenario, and evidence may remain across the digital devices they
used.
Alex, a wealthy businessman with Krasnovian ties, contacts Carry, a Krasnovian supporter in
the US. Alex is seeking to embarrass America and damage public relations by defacing
Foreign Art, belonging to Majavia and currently on display in the National Gallery during the
month of July.
Alex knows Carry through her Krasnovian parents, who also have strong anti-American
sentiment. Alex contacts Carry through her father and recruits her to assist with his cause. He
is sending some “tourists”, Krasnovian militants, to Washington, DC to do the deed. Carry is
to develop the plan to get them into the museum with the tools they need to damage the
artwork.
Tracy works as a supervisor at the National Gallery and is an acquaintance of Carry. Carry
contacts Tracy and starts communicating small data as a back and forth under the auspices
that Carry wants to organize a flash mob at the gallery and needs a little help. Carry will give
money to Tracy for this help.
Items transferred are suspicious in nature but not outright illegal. Tracy’s money troubles help
her overlook the suspicious nature of the requests. Subsequently, Tracy has been having an
ongoing dialog with her brother about stealing specific items (Stamps) from the National
Gallery. Tracy will have correspondence on her work computer, personal phone, and home
computer relating to her conspiracy to have some valuable items stolen.
Carry is technically savvy in that she knows about steganography tools and encryption. She
hides much of her correspondence in steg files and encrypted files. She purchases a tablet
computer and sets it up to use her catsumtwelve email account for dealings with Alex. In setting
up the flash mob, Carry is interested in security, schedules, events, and locations where art will
be displayed.
Unfortunately for everyone involved, Joe, Tracy’s ex-husband, who installed a key logger onto
her computer prior to the divorce to monitor Terry, discovers the conspiracy to commit theft and
turns her in to the police. This reveals the contact between Tracy and Carry, leading to Carry’s
tablet and phone being seized as well, revealing the separate defacing plot.
The scenario is terminated upon suspicious activity being reported to law enforcement, at
which point certain devices are seized and network traffic logs are requested.

Assignment Information

You must submit your assignment online using the Assignment course tool.
You must submit your assignment as ONE word-processed document containing all of
the required question answers.
You must keep a copy of the final version of your assignment as submitted and be prepared
to provide it on request.
The University treats plagiarism, collusion, theft of other students’ work and other forms of
dishonesty in assessment seriously. For guidelines on honesty in assessment including
avoiding plagiarism, see:
http://www.murdoch.edu.au/Curriculum-and-Academic-Policy/Student-Integrity/

ICT378 2022 ASSIGNMENT

ICT378 Cyber Forensics and Information Technology Assignment – V2 – Last Updated April 2022

Suspects Descriptions
Tracy
Tracy is a recently divorced mother in the middle of a child custody battle. Unfortunately,
Tracy’s daughter is in an expensive private school, which Tracy can no longer afford on her
salary. Her ex-husband will only pay for the school if Tracy will give over custody of their
daughter to him. Worse, Tracy’s daughter, Terry, age 15, has stated that she would rather live
with her dad if it comes to staying in school.
Pat
Pat is Tracy’s brother. He is a police officer of the D.C. Enforcers Bureau. He holds the status of
detective. He is very devoted to his sister and niece Terry. To this point he isn’t an outright
criminal, but he walks the line very closely. He busted King with some items that were against his
parole, but hasn’t arrested him on the promise of a future “favor.”
Joe
Joe is the father of Terry and is currently going through the divorce with Tracy. Joe is financially
well-off, and still bitter about the relationship problems. He previously installed a key logger on
the MacBook Air in an attempt to keep track of Terry’s online behavior. Now that Joe and Tracy
are going through a divorce, he has motivation to utilize the key logger to spy on both Tracy and
Terry. Joe used to have an account on the family MacBook Air; however, it was deleted. The home
folder may have been preserved.
Alex
Alex is a Krasnovian supporter who wishes to embarrass the United States. He is a foreigner and
lives outside the country presumably in a region called Krasnovia. He knows Carry through
extended family connections and contacts her as both having similar family ties and a fellow
Krasnovian. He plans to deface foreign works that are on exhibit in the National Gallery DC.
Defacing said artwork will embarrass the United States and possibly degrade the reputation
between the United States and the foreign country providing the foreign exhibit to America. (In
some documentation this is referred to as ‘Majavia’, a second pseudo-nation)
Carry
Carry is a somewhat criminally involved individual that shares family ties with Alex. She is a
Krasnovian supporter. Carry is both technologically savvy and an occasional social media user.
She is contacted by Alex in the beginning of the scenario and asked to orchestrate the defacing of
the artwork because she is both aligned with Krasnovia and because she has ‘Connections’. She
has a slight familiarity as friends/acquaintances with Tracy.
Terry
Terry is the daughter of Tracy and Joe. Terry attends an expensive private school. (Prufrock
Preparatory School). She wants to stay in school to avoid having to start over and so that she can
keep her current friends, despite the fact that her mother can no longer afford to pay the tuition.

Materials – Drive Image
The materials include disk images of hard drives and both logical and physical images of mobile
devices uploaded on the LMS. Network captures were performed using the SSLstrip tool,
allowing for capture files to be available with and without encrypted SSL traffic.

Deliverable Report
Task Description
You should follow forensics procedures, such as taking a hash of the image before using it and
checking regularly to ensure you have not modified it. You can select and use any proprietary
or open source tools that you have been introduced to or find yourselves to perform the analysis
and extract any evidence present.
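The hash-before-use and periodic re-check procedure described above, as an added example that is not part of the assignment brief: it streams an image once to compute MD5 and SHA-256, appends a timestamped baseline to a hash log, and later re-hashes and compares against that baseline. The function names, the JSON-lines log format and the choice of the two digests are assumptions made for illustration.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha256")  # assumption: the two digests recorded per image
CHUNK = 1024 * 1024  # read 1 MiB at a time so large images are never loaded whole


def hash_image(path):
    """Stream the file once, opened read-only, updating every digest."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def log_entry(log_path, image_path, action, hashes, match=None):
    """Append one timestamped JSON line to the hash log (hypothetical format)."""
    entry = {
        "utc": datetime.now(timezone.utc).isoformat(),
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "action": action,
        "hashes": hashes,
        "match": match,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def record_baseline(image_path, log_path):
    """Hash the image before any analysis tool opens it."""
    return log_entry(log_path, image_path, "baseline", hash_image(image_path))


def verify_image(image_path, log_path):
    """Re-hash and compare with the earliest baseline logged for this image."""
    name = os.path.basename(image_path)
    with open(log_path, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh if line.strip()]
    baseline = next(e for e in entries
                    if e["action"] == "baseline" and e["image"] == name)
    current = hash_image(image_path)
    match = current == baseline["hashes"]
    log_entry(log_path, image_path, "verify", current, match)
    return match
```

Running `verify_image` after each analysis session leaves a dated record in the log that can be copied into the report's evidence-preservation section.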
Your report should detail the investigation process and the findings (including copies of
relevant evidence), including obstacles and problems that you encountered and how you
overcame them. You can assume that the reader has a light understanding of digital forensics, so
any complicated terms/techniques/etc should be explained.
You must include some screenshots in your reports with the output of the tools or the processes
and when necessary to support/show how you reached your conclusions. Screenshots should not
be used to excess – they merely serve to demonstrate your understanding of the tools/processes
and should be used to support written explanations (not in place of).
You will be marked based on the evidence you extract, the use of appropriate tools, the detail of
the process, the explanation on its relevance to the case and documentation. Remember, your
report should present the information in an unbiased way. Improper handling/validation of
evidence would result in loss of marks except where accurately identified and corrected.
Note: This assignment can be accomplished either individually or as a group of up to three
students.

Marking Rubric:
The following table summarizes the marking criteria of the final report.

Sections                                                          Marks
Cover Page, Table of Contents, Executive summary                  5
Methodology                                                       10
Findings (use of appropriate tools and details of the process)    65
• Discussions (the explanation on findings’ relevance to the case)
• Supporting Evidence (accurate data acquisition)
Summary & Appendix                                                10
References & Formatting                                           10
Total                                                             100

Your report should highlight the following areas (these will be
assessed):
A. Discuss if there is any evidence of any theft and defacement. Explain your position
on this. What evidence did you find if any? How sound / reliable do you believe your
evidence collection to be? [20 marks]
B. Present any evidence in a timeline format, signposting the points where you believe
any offence may have occurred and other significant dates/times in the case. Compare any
evidence found and timeline information side by side with the different tools available to
you (e.g. ProDiscover / OSForensics / FTK Imager / Magnet Axiom / Autopsy, etc.) and
highlight any differences. Be sure to state the pros and cons of using one tool over the other.
[20 marks]
C. You were provided with some sets of hard drive images. What do you think has
occurred here? What are the differences between the sets of the drive images? How do you
think the sets of drive images were created? [20 marks]
D. A common defence is that the actions were committed unintentionally or that the
perpetrator did not know the actions were illegal. With these possible defences in mind,
address how you would respond to these defences. Are there any clues that indicate intent
or knowledge of criminal activity? [20 marks]
E. Conduct some research into ways that image files (graphic images) could be
“tampered with”. Are there ways that are undetectable, or difficult to detect? Present your
findings in a short section – written in a formal referenced style. You are only expected to
have approximately 5 references (good quality: reputable journal or conference papers). [20
marks]

Sample Structure for Report
Outline: Use the following as a starting point to structure your report
Cover Page
• Title
• Date
• Student Name / Student Number
Table of Contents
• Main contents listed with page number
• Be sure to include visible page numbers on all pages
Executive summary
• Brief Description of the event
• Brief methodology of the investigation
• Brief evidence collection and preservation methods
• Conclusion with short, generalized reasons (like bullet-points)
Methodology details
• Investigation
• Evidence collection and preservation
Finding 1 – Description
• Discussion (e.g. Inculpatory or Exculpatory)
• Supporting evidence
Finding n – Description
• Discussion (e.g. Inculpatory or Exculpatory)
• Supporting evidence
Summary and Conclusion
• Discuss if there is any evidence of theft and defacement
• How sound / reliable do you believe your evidence collection to be?
• Is the person innocent or guilty? Explain your position.
Appendix
• Description of persons of interest (often shown in table format)

• Association Diagram of persons of interest
• Evidence listing
• Evidence Timeline (present any evidence in a timeline format, signposting the points
where you believe any offence may have occurred and other significant dates/times in the
case).
• Software and tools used in the investigation
• Other important listings and information as needed
References:
Your report should be your own, and you should use appropriate citation and referencing formats.
All sources that you use as supporting material to your reports must be referenced according to the
convention. Failure to do so will result in the loss of marks! You should use APA as a referencing
style. The IEEE format is also acceptable.
Formatting:
1. Paragraph text: Font size 12 with Calibri or Times New Roman font. 1.5 line
spacing. Justify alignment (ctrl+j in word).
2. Use Word (or equivalent) styles for headings, paragraphs, etc., to ensure consistency.
3. Number chapters (1, 2, etc.) and sub-chapters (e.g. 1.1, 2.1, 2.2) – and consistently.
4. Figures should have a figure number and a caption (right click and insert a caption in Word).
5. Write in the third person.
6. Word limit: maximum 3500 words. Note that the word limit for group work is
maximum 5500 words