CIS8708 – Written Assessment
This assignment has four questions to be completed. Compile your answers into a Word document to be
uploaded to Study Desk, with or without the optional Excel Spreadsheet in Question 1. Include your Name,
Student Number and course code (CIS8708) in the header of each page and include references and a
bibliography where appropriate.
When submitting your document/s, the file will be submitted to Turnitin for originality checking. You will be
able to see the report come back and can make adjustments if required before resubmitting.
Question 1 – 10 marks, 600 word maximum
Your supervisor has asked you to research current data acquisition tools. Using your preferred Internet search
engine and the vendors listed in Week 4 (ProDiscover, EnCase, FTK, Sleuth Kit, X-Ways, iLook), prepare a
report containing the following information for each tool and stating which tool you would prefer to use and
Forensics vendor name
Acquisition tool name and latest version number
Features of the vendor’s product
With this data collected, prepare a table or spreadsheet listing vendors in the rows. For the column headings,
list the following features:
Other proprietary formats the tool can read
Compression of image files
Remote network acquisition capabilities
Method used to validate (MD5, SHA-1, and so on)
Any other comparatives you would like to add such as cost/licensing model, acquisition speeds based on
image format or other features.
Note: if you prefer, this comparative table may be prepared in an Excel spreadsheet, which is acceptable to
submit as a second file.
Question 2 – 10 marks, 500 word maximum
To continue your learning in digital forensics, you should research new tools and methods often. For this
project, download the user manuals for VirtualBox and ProDiscover. Write a guide for a junior investigator
(including screenshots) on how to convert a ProDiscover .eve image file to a VHD file and load the VHD file
in VirtualBox. You can download the user guide for VirtualBox at www.virtualbox.org/wiki/Downloads. The
ProDiscover manual should be in the following path, under the folder where you installed ProDiscover:
Program Files (x86)\Technology Pathways\ProDiscover\ProDiscoverManual.pdf
Question 3 – 10 marks, 300 word maximum
You are working as a Forensic Investigator and have been presented with a file to investigate. The
Word1.docx file (available from StudyDesk assignment section) has been forensically extracted from an
employee’s USB drive. This employee is being investigated for suspicious bank transactions in their capacity
as a Finance Officer, to an account number starting with 4848. Investigate the file for any references to the
account number. Write a report on the steps you took to investigate the file and detail anything relevant that
you may find.
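A .docx file is a ZIP package of XML parts, so a reference to the account number may sit outside the visible body text (in a comment, a header, or the document's metadata) or be split across formatting runs. The script below is an added illustration, not part of the assignment or its Word1.docx; it builds a constructed sample package with the number hidden in those places and scans every part for the 4848 prefix.

```python
import io
import re
import zipfile
from typing import Dict, List

# The brief's account number begins with 4848; match that prefix plus any further digits.
ACCOUNT_PATTERN = re.compile(r"4848\d*")
XML_TAG = re.compile(r"<[^>]+>")


def build_sample_docx() -> bytes:
    """Constructed sample package (not the assignment's Word1.docx): the number is
    absent from the visible body text but present in a comment, split across two
    runs, and in the core metadata part."""
    parts = {
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document><w:body><w:p><w:r>"
                             "<w:t>Quarterly transfer approved.</w:t></w:r></w:p></w:body></w:document>",
        "word/comments.xml": "<w:comments><w:comment><w:p><w:r><w:t>send to acct 4848</w:t></w:r>"
                             "<w:r><w:t>12345678</w:t></w:r></w:p></w:comment></w:comments>",
        "docProps/core.xml": "<cp:coreProperties><dc:description>ref 4848 0099</dc:description>"
                             "</cp:coreProperties>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def find_account_refs(docx_bytes: bytes, pattern: re.Pattern = ACCOUNT_PATTERN) -> Dict[str, List[str]]:
    """Open the .docx as a ZIP and scan every part, not just word/document.xml.
    XML tags are stripped first so a number split across <w:r> runs still matches.
    Returns {part name: [matched strings]} for the parts that contain a match."""
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            raw = zf.read(info.filename)
            # Non-XML parts (images, embedded objects) are decoded leniently so a
            # plain-text occurrence inside them is still surfaced.
            text = raw.decode("utf-8", errors="ignore")
            if info.filename.endswith(".xml"):
                text = XML_TAG.sub("", text)
            found = pattern.findall(text)
            if found:
                hits[info.filename] = found
    return hits


if __name__ == "__main__":
    for part, matches in find_account_refs(build_sample_docx()).items():
        print(f"{part}: {matches}")
```

Recording which part each match came from matters for the report, since a number found only in a comment or in metadata says something different from one in the visible text.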
Question 4 – 10 marks, 500 word maximum
As a Forensic Investigator who knows Splunk, you have been asked to do some investigating using Splunk at
the company Frothly, an alcoholic beverage producer.
You have 7 questions to answer using Splunk at https://splunk-teach.usq.edu.au (access will be demonstrated
in the Week 6 tutorial). To view all data, search "index=botsv2 earliest=0" in the Search and Reporting App.
Then consider search conditions that can be added to filter the results down, based on the information in each question.
For each question, show the search term that you used and the text/numeric answer to the question. In
conclusion, write an evidence report to the HR investigator to summarise all the things that you discovered
(consider this person to be non-technical and detail the report with this in mind).
Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited
their website to find contact information for their executive team. What is the website domain that she
visited? Answer guidance: Do not provide the FQDN. Answer example: google.com
Amber found the executive contact information and sent him an email. What is the CEO’s name? Provide the
first and last name.
After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that
employee’s email address?
What is the name of the file attachment that Amber sent to a contact at the competitor?
What is Amber’s personal email address?
What version of TOR did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one
or more delimiter.
What is the public IPv4 address of the server running www.brewertalk.com?