1

School of Science and Technology

COURSEWORK 2 ASSESSMENT SPECIFICATION
Referral Aug 2021

Details of Module and Team

What Learning Outcomes are assessed?
What are my Deadlines and how much does this
assessment contribute to my Module Grade?

What am I required to do in the assessment?

What are my assessment criteria? (What do I
have to achieve for each grade?)
Can I get formative feedback before submitting ?
If so, how?
What extra support could I look for myself?

How and when do I submit this assessment?

How and when will I get summative feedback?
What skills might this work evidence to
employers?
2

MODULE CODE COMP40571

MODULE TITLE Computer Forensics

MODULE LEADER Dr John Kingston
TUTOR(S) Dr John Kingston
COURSEWORK TITLE Computer Forensics Investigation
LEARNING OUTCOMES K2, K4, S2, S3
ASSESSED
CONTRIBUTION TO ELEMENT 50% of the total coursework
mark
50% of the total module mark
DATE SET 27 Sep 2021
DATE OF SUBMISSIION 1 November 2021
METHOD OF SUBMISSION Module Dropbox in NOW
DATE OF FEEDBACK 22 November 2021
METHOD OF FEEDBACK Via Module Dropbox
Work handed in up to five working days late will be given a maximum Grade of
Low Third whilst work that arrives more than five working days will be given a
mark of zero.

Work will only be accepted beyond the five working day deadline if satisfactory
evidence, for example, an NEC is provided. Any issues requiring NEC
https://ntu.ac.uk/current_students/resources/student_handbook/app
eals/index.html

The University views plagiarism and collusion as serious academic

irregularities and there are a number of different penalties which may be
applied to such offences. The Student Handbook has a section on Academic
Irregularities, which outlines the penalties and states that plagiarism includes:

“The incorporation of material (including text, graph, diagrams, videos etc.)

derived from the work (published or unpublished) of another, by
unacknowledged quotation, paraphrased imitation or other device in any work
submitted for progression towards or for the completion of an award, which in
any way suggests that it is the student's own original work. Such work may
include printed material in textbooks, journals and material accessible
electronically for example from web pages.”

Whereas collusion includes:

“Unauthorised and unacknowledged copying or use of material prepared by

another person for use in submitted work. This may be with or without their
consent or agreement to the copying or use of their work.”

If copied with the agreement of the other candidate both parties are considered
guilty of Academic Irregularity.
3
Penalties for Academic irregularities range from capped marks and zero marks
to dismissal from the course and termination of studies.

To ensure that you are not accused of plagiarism, look at the sections
on Plagiarism Support and Turnitin support.

I. Assessment Requirements
This assignment allows you to build your knowledge and critical evaluation of
computer forensics investigations. To pass the coursework you must demonstrate
your understanding of the practice of digital investigations as they are conducted
in an organisation. This is achieved through the investigation of computer-based
evidence using tools and techniques that you have been introduced to during the
module delivery. You are allowed to make use of any references during your
digital investigation but are encouraged to use academic sources such as
conference and journal papers. This is an individual coursework.

Assessment Scenario/Problem

You work for a US law enforcement agency. You have recently received a summary
report (download “Final Report – Summary”) from a forensic analyst describing how
analysis of various computing devices revealed two planned criminal offences at the
National Gallery DC. The report consists of a summary of the planned offences and of
the events leading up to them, and their discovery. It also gives brief biographies of
the people involved and lists all the files from which evidence was extracted.

Unfortunately, the forensic analyst’s services are no longer available to you after he
spent too long walking down the street staring at his cellphone. All you have is his
summary report and a draft of one of his reports on evidence from individual devices
(Carry’s phone). The case is due to come to court in late May and your boss wants the
evidence laid out in a manner that the lawyers can easily use. There is no alternative
but to re-analyse the files yourself; to extract the relevant evidence to support the
summary; and to prepare reports on data extracted from individual devices.
4
The relevant files can be downloaded from Digital Corpora » 2012 National Gallery DC Attack .
Most are too large to upload to NOW. The files that you may need to consider are:
a) Network logs
b) The email log provided by the keylogger
c) Carry’s tablet
d) Tracy’s Macbook Air (you need to download both the .E01 and the .E02 file but
you only need to open the .E01 file)
e) Tracy’s external hard drive
f) Tracy’s iPhone
You do NOT need to re-analyse Carry’s phone.

Fortunately a colleague agrees to work with you. The colleague performs some of the
analyses but asks you to answer specific questions.

1. Emails carry various information apart from their content.

Name and briefly describe FIVE other types of evidence that can be extracted from
an email. [30 marks]
2. Answer the following questions: [12 marks each. 6 for the answer, 6 for reporting it
in sufficient detail]
a. Are there any files with near-identical names but different file sizes? What
might this suggest?
b. Is there any evidence of communication with King, the ex-convict who is on
parole? If so, who communicates and about what?
c. Please provide at least one of Tracey’s passwords (for any device or
application) and also at least one of her email addresses.
d. Please provide any information you can find about a “flash mob”
e. Can you find any photos taken inside the Gallery? If so, give details of at
least 3.
f. There’s a file called Bit Crypt or some similar name. What is it?
3. Quality of your report [10 marks]

No references or citations are required. There is no word limit but you are encouraged
to report all and only the findings relevant to the questions that you are asked.
5
II. Assessment Criteria
Marking criteria Exceptional Distinction Commendation Pass High fail near miss Fail

absence
ZERO Work of no merit or
Distinction
Types of evidence on Correct answers, Correct answers, very Correct or partly Some correct answers, A few correct answers, Very few or no correct
a phone excellent descriptions good descriptions correct answers, good adequate descriptions poor descriptions answers, very poor or
descriptions no descriptions.
Evidence questions Correct answers, Correct answers, very Correct or partly Some correct answers, Few correct answers, Very few or no correct
excellent reporting good reporting correct answers, good adequate reporting poor reporting answers, very poor or
reporting no reporting

Quality of the report Exceptional written Excellent written Very good written Communication shows Communication shows Inadequate
language and language and language and some clarity little clarity with some presentation;
presentation of presentation of presentation of presentation and acceptable written information can be
arguments; flawless. arguments with few arguments/evidence written language, e.g. language, e.g. major followed and
very minor structural or with some minor some errors in errors in punctuation, understood only with
typographical errors; structural or punctuation, spelling, spelling, and sentence effort.
excellent presentation typographical errors; and sentence construction; the report
and clear throughout. very good presentation construction; the report has some merit but
and clear throughout. follows a logical flow. falls marginally short of
expectations.
6

III. Feedback Opportunities

Formative (Whilst you’re working on the coursework)
You will be given the opportunity to receive informal verbal feedback from your
tutor regarding your coursework development during the teaching sessions. You
are also able to book appointments to discuss the assessment outside of class
time.

Summative (After you’ve submitted the coursework)

You will receive specific feedback regarding your coursework submission
together with your awarded grade when it is returned to you. Clearly, feedback
provided with your coursework is only for developmental purposes so that you
can improve for the next assessment or subject-related module.

IV. Resources that may be useful

Referencing styles please use Harvard as detailed here
Guide to planning your time here and an automated planner here
Guidance on avoiding cheating is here

Remember to use Outlook or physical calendars to block out time between lectures
and labs to work on this coursework.

V. Moderation

The Moderation Process

All assessments will be marked by your tutor. The assessments and grades
awarded are considered by an independent 3rd person to check for consistency
and fairness across the cohort for the piece of work submitted and to ensure
that feedback is fair and appropriate. All courseworks and feedback are made
available to the External Examiner prior to the Exams Board.

VI. Aspects for Professional Development

Employability skills: develop an understanding of cyber related issues and

practical investigatory skills.

Digital skills: identification and use of software appropriate to a digital

investigation.

Transferable skills: ability to research and develop ideas related to a specified

problem.