ICT600 Cyber Forensics and Incident Response Assignment – V1- Last Updated February 2024


ICT600 2024 Cyber Forensics & Incident


2019 Narcos


Due to intelligence provided by the Australian government, two passengers were intercepted by Customs upon arriving in Wellington, New Zealand from Brisbane. The Intel stated that Jane Esteban and John Fredricksen may be involved in illegal activity.


The suspects were each searched by a customs officer. John Fredricksen’s baggage consisted of clothing, toiletries and a Windows laptop. Jane Esteban’s baggage also consisted of clothing, toiletries and a small windows laptop.


Upon further search of the lining of the suitcase, one kilogram of Methamphetamine was located. Both suspects were taken into separate interview rooms where they were interrogated. John Fredricksen refused to answer any questions.


Jane Esteban stated all she knew was that she had to deliver the suitcase to the Eastbourne library but if all else failed then they were to deliver it to 666 Rewera Avenue, Petone as told by John. Customs and police subsequently raided that address. There was nobody present at the address.


Customs did, however, find drugs, guns and a desktop computer in the living room of the suspect’s house.


You are a Customs forensics investigator. Customs officers have delivered images and memory dumps of the 2 laptops and 1 desktop computer to you. Your task is to carry out a forensic examination of John Fredricksen, Jane Esteban and the unknown suspect’s laptops and desktop computers to further understand their motives, goals and objectives. It should be noted that all three devices contain different Windows 10 builds and resulting artefacts may not be located in the same location or even be present.




Assignment Information


You must submit your assignment online using the Assignment course tool.


You must submit your assignment as ONE word-processed document containing all of the required question answers.


You must keep a copy of the final version of your assignment as submitted and be prepared to provide it on request.


The University treats plagiarism, collusion, theft of other students’ work and other forms of dishonesty in assessment seriously. For guidelines on honesty in assessment including avoiding plagiarism, see:






ICT600 Cyber Forensics and Incident Response Assignment – V1- Last Updated February 2024


Suspects Descriptions


Personas: John Fredricksen


John has been communicating with Steve Kowhai (NZ dealer) via with what he believes is a secure and private chat room (Discord) to discuss his new consignment. Their chat contains information on where they are going and what he wants John Fredricksen to deliver. Furthermore, Steve shares some documents via (email, cloud, etc) that will assist with his job.


John Fredricksen now has enough information to concoct his plan of smuggling the 1kg of methamphetamine into New Zealand, but he needs to find some cover that can take the heat off of himself if any surprises were to happen. John identifies Jane Esteban as a regular user of his business’s product (meth) and thinks she will make a great mule for smuggling the drugs.


Jane Esteban


Jane is an undercover Australian Federal Police (AFP) officer tasked with gathering evidence about a drug ring involving John Fredricksen and his associate Steve Kowhai in New Zealand.


Jane will be using the following persona while working undercover. She has a terrible addiction and has been visiting John to feed her addiction, which has led to a transactional friendship with him as a result. John approaches Jane soon after discussing with Steve to convince her to assist with his job.


Steve Kowhai


Steve is a big player drug distributor/dealer in the lower north island of New Zealand and is wanting to find some quality product to expand his growing empire even more. Steve has contacted a source (John) in the US to smuggle in a taster of the product he plans to buy in larger quantities later. Steve has provided John with information about New Zealand and points on how best to smuggle the product into Wellington without raising any alarms at customs. Steve knows a thing or two about digital forensics and decided to use steganography to hide the document within a picture.




ICT600 Cyber Forensics and Incident Response Assignment – V1- Last Updated February 2024


Materials – Drive Image


The evidence for this scenario includes Steve Kowhai drive image, Jane Esteban drive image, John Fredricksen drive image, Steve Kowhai memory image, Jane Esteban memory image, and John Fredricksen memory image. The materials can be downloaded from




Drive Images
Actor File Name MD5 Hash
Steve Kowhai Narcos-1a.001-021 996182c381ec9e7025f40519107615e4
Jane Estaban Narcos-3a.001-021 ce707bf783dde13ed42196cd6e473083
John Fredricksen Narcos-2a.001-021 56823dee9b24a40407bec184f80261c2
Memory images
Actor File Name MD5 Hash
Steve Kowhai Narcos-Mem-1a.001-003 3469089f9a26b0b51a4ee985cd1c3008
Jane Estaban Narcos-Mem-3a.001-003 7c155dae658fb059586b3ab5144e21d2
John Fredricksen Narcos-Mem-2a.001-003 fd7027c7bffedd653226355467c2b1ef




ICT600 Cyber Forensics and Incident Response Assignment – V1- Last Updated February 2024


Deliverable Report Task Description


You should follow forensics procedures, such as taking a hash of the image before using it and checking regularly to ensure you have not modified it. You can select and use any proprietary or open source tools that you have been introduced to or find yourselves to perform the analysis and extract any evidence present.


Your report should detail the investigation process and the findings (including copies of relevant evidence), including obstacles and problems that you encountered and how you overcame them. You can assume that the reader has a light understanding of digital forensics, so any complicated terms/techniques/etc should be explained.


You must include some screenshots in your reports with the output of the tools or the processes and when necessary to support/show how you reached your conclusions. Screenshots should not be used to excess – they merely serve to demonstrate your understanding of the tools/processes and should be used to support written explanations (not in place of).


You will be marked based on the evidence you extract, the use of appropriate tools, the detail of the process, the explanation on its relevance to the case and documentation. Remember, you report should present the information in an unbiased way. Improper handling/validation of evidence would result in loss of marks except where accurately identified and corrected.


**This assignment can be accomplished either individually or in pairs.


Marking Rubric:


The following table summarizes the marking criteria of the final report.


Sections Marks
Cover Page, Table of Contents, Executive summary 5
Methodology 10
Findings (use of appropriate tools and details of the process)Discussions (the explanation on findings’ relevance to the case)Supporting Evidence (accurate data acquisition) 65
Summary & Appendix 10
References & Formatting 10
Total 100




ICT600 Cyber Forensics and Incident Response Assignment – V1- Last Updated February 2024


Your report must highlight the following requirements (these will be assessed):


A.“Provide a written summary not to exceed two pages that describes what took place”:


• Clear and concise summary.


• The summary is objective, not subjective.


• Report only includes relevant artefacts pertaining to the case.


• “The written summary is free of grammatical, syntax, and spelling errors, e.g., consistent


verb tense, pronoun-antecedent agreement, correct use of parallelism, etc”.


B. “Provide a written description not to exceed four pages of the forensic methodology used to analyse the evidence files and obtain the results identified in the summary. The methodology does not need to provide step-by-step instructions on how software was used; however, it should provide a sufficient description for the findings to be reproduced”:


• A methodology explaining the forensic process of how artefacts were identified.


• The methodology is forensically sound and is defensible.


• The methodology is reproducible for other forensic examiners.


• The methodology and table of findings support the conclusions presented in the Narcos




• “The written methodology is free of grammatical, syntax, and spelling errors, e.g.,


consistent verb tense, pronoun-antecedent agreement, correct use of parallelism, etc”.


C. “Provide a Table of Findings, which contains a list of recovered artefacts with forensic information to build a defensible case”. “User-produced evidence files (include name of file(s), MD5 hash, and locations(s) and comment regarding evidentiary value)”:


Identify relevant user account profiles and computer names associated with the


suspect’s computers.


Identify relevant web activity on each suspect’s computer.


Identify images that help to build a profile of the three suspects’ behaviour.


Identify binary files that could help the investigation.


Identify the means and the content of communications between all the suspects.


Identify any documents that could help the investigation.


Identify any obfuscation methods used by the suspects.


Identify encryption methods used by the suspects and determine two methods that can


circumvent the encryption.


Identify malware used by one of the suspects and determine its purpose.


Identify the vulnerability that allowed the malware to function.


Leverage other Windows artefacts that provide corroborative evidence such as


Windows Timeliner.


Identify whether changes have occurred to these artefacts across the different Win 10




Identify the roles of each suspect.




ICT600 Cyber Forensics and Incident Response Assignment – V1- Last Updated February 2024


Sample Structure for Report


Outline: Use the following as a starting point to structure your report


Cover Page






Student Name / Student Number


Table of Contents


Main contents listed with page number


Be sure to include visible page numbers on all pages


Executive summary


Brief Description of the event


Brief methodology of the investigation


Brief evidence collection and preservation methods


Conclusion with short, generalized reasons (like bullet-points)


Methodology details




Evidence collection and preservation


Finding 1 – Description


Discussion (e.g. Inculpatory or Exculpatory)


Supporting evidence


Finding n – Description


Discussion (e.g. Inculpatory or Exculpatory)


Supporting evidence


Summary and Conclusion


Discuss if there is there any evidence of illegal drug activity (Methamphetamine).


How sound / reliable do you believe your evidence collection to be?


Is the person innocent or guilty? Explain your position.




Description of persons of interest (often shown in table format)




ICT600 Cyber Forensics and Incident Response Assignment – V1- Last Updated February 2024


Association Diagram of persons of interest


Evidence listing


Evidence Timeline (present any evidence in a timeline format, signposting the points


where you believe any offence may have occurred and other significant dates/times in the




Software and tools used in the investigation


Other important listings and information as needed




Your report should be your own, and you should use appropriate citation and referencing formats. All sources that you use as supporting material to your reports must be referenced according to the convention. Failure to do so will result in the loss of marks! You should use APA as a referencing style. The IEEE format is also acceptable.




1. Paragraph text: Font size 12 with Calibri or Times New Roman font. 1.5 line


spacing. Justify alignment (ctrl+j in word).


2. Use Word (or equivalent) styles for headings, paragraphs, etc., to ensure consistency.


3. Number chapters (1, 2, etc.) and sub-chapters (e.g. 1.1, 2.1, 2.2) – and consistently.


4. Figures should have a figure number and a caption (right click and insert a caption in Word).


5. Write in the third person.


6. Word limit: maximum 3500 words. Note that the word limit for group work is


maximum 5000 words


Cyber Forensics