Task 1: Forensic Investigation



Module Title: Principles of Digital Security and Forensics
Module Number: KF5005
Academic Year: 2023–2024
% Weighting (to overall module): 100%
Coursework Title: Investigative Report
Average Study Time Required by Student: 40–50 study hours


Dates and Mechanisms for Assessment Submission and Feedback

Date of Handout to Students:

Week commencing 05 February, 2024


Mechanism for Handout to Students:

Via Blackboard


Date and Time of Submission by Student:

Thursday 16th May, 2024 by 23:59

Mechanism for Submission of Work by Student:

Via Turnitin on Blackboard


Date by which Work, Feedback and Marks will be returned to Students:

20 working days after submission (week ending 14th June, 2024)


Mechanism for return of assignment work, feedback and marks to students:





This assignment is worth 100% of the total mark for the module. It is an individual report and should be all your own work. Students should not collude or plagiarise work. Appropriate action will be taken, according to Northumbria University regulations, if collusion or plagiarism is suspected. Please see the section on Academic Misconduct for clarification.

Module Learning Outcomes Assessed

  • Knowledge & Understanding:
  1. Communicate and present written investigative findings. Distinguish appropriate computer forensics tools and basic principles of digital forensics, which would allow advanced forensic examination and analysis of operating systems and networks whilst preserving evidential integrity throughout that analysis, in relation to current relevant research topics.
  2. Evaluate how the core concepts, knowledge and practice of digital security and forensics have developed through research.
  3. Analyse and evaluate the professional requirements and to critically discuss the challenges facing the security and digital forensic practitioner.
  • Intellectual/professional skills & abilities:
  1. Identify and evaluate findings obtained from digital security or forensic investigations and apply appropriate procedural principles to that evidence.
  • Personal Values Attributes (global/cultural awareness, ethics, curiosity) (PVA):
  1. Communicate and present written investigative findings in such ways that they meet the expected standards.

Scenario Brief

You are asked to carefully read the scenario on Blackboard which details the context for a forensic investigation. You will find the scenario brief in the Assessments Resources subfolder (under the Assessment master folder) folder along with the image files and any other supplementary materials.

The Tasks

Task 1: Forensic Investigation (50 marks)

You have been tasked to conduct a full forensic investigation of the recovered hard disk (see the Scenario Brief on Blackboard) to understand how the incident happened and what parties were involved.

Using Autopsy, you are expected to identify, recover and logically document all the relevant and appropriate evidence in your report. You are expected to produce two reports:

  • A report generated using Autopsy (the Forensic Report) where you will use bookmarks and comments to catalogue the relevant evidence for the case. This is worth 10 marks.
  • A 2000 word Reflective Report in which you will explain and justify your investigative methodology and reflect on the process you took during the investigation. You are expected to clearly explain how the artefacts you have found relate to the case and support your conclusions. You will also be expected to reflect on your approach, and how this could be improved in the future. This will be generated using any word processing software of your choice. This is worth 40 marks.

Further guidance is available during seminars or outside of teaching where a time has been agreed in advance.

Evidence location: The E01 files for the case study are located on the Network drive (Resources) in the folder KF5005\Assignment, which is accessible from the labs (CIS 201, 202, 203). It is strongly recommended you download them to a portable drive for ease of use. You can also find the evidence files on Blackboard (Assessment => Assessment Resources).

The Forensic Report generated with Autopsy should only include artefacts that are relevant to the case. There is no page limit for the Forensic Report, but any artefacts that have been included without justification will be penalised.

Task 2: Cyber Security Report (50 marks)

In the incident you investigated above you discovered details of a crime which would have allowed a malicious adversary to carry out further cyber-attacks on an organisation. As a cyber security professional, it is your responsibility to help organisations manage their cyber security risks by evaluating these attacks and adopting appropriate security measures.

Different types and sizes of organisations will have different risk- and threat-profiles and, consequently, will need to tailor their cyber defence posture to fit their particular circumstances. Small businesses lack the technical infrastructure and financial resources of larger organisations and, consequently, can be easy targets for cyber criminals.

Write a 2000 word report on the threats posed by the type of crime discovered in Task 1.1 as they apply to small businesses and what cybersecurity/information security strategies small businesses could adopt to mitigate the risks arising from such threats. You may discuss issues raised by the findings of your forensic investigation, but make sure you develop your discussions in a way that considers the wider cybersecurity implications raised by your investigation. Also, make sure that you consider the context: the size and type of the organisation involved will affect the scale and cost of any potential mitigation strategies. Draw on recently published cybersecurity research as the basis for your discussion and security strategy design (as found predominantly in journal articles and conference papers published within the last five years).

Report Structure:  Your report should use the following structure:

First, an introductory paragraph that summarises the main theme arising from the forensic investigation and how this introduces risks for small businesses.

Next, a few paragraphs discussing the specific risks found in the investigation and how these risks apply to small businesses, and then discussing some of the wider issues for an organisation related to the specific risks.

Finally, some paragraphs discussing more general issues related to the crime being investigated in task 1 and how small businesses could mitigate the associated risks.

Note, if you cite only news stories, opinion pieces, company product literature, and such like, you are unlikely to score high marks. The key to success is in finding published peer-reviewed research articles and papers that investigate relevant cybersecurity issues in your chosen organisation type. We will look at how to go about searching for relevant literature as well as how to cite it properly in one of the workshops in the second half of the module.

Your report should be fully supported by a relevant bibliography of research articles and papers, and each entry in your bibliography should be cited in the report. You must use the IEEE numbered referencing style — for guidance on using an IEEE numbered referencing style see http://libraryguides.vu.edu.au/ieeereferencing/gettingstarted. For formatting citation labels and the list of references, you will find free tools like Zotero exceptionally helpful. You can download an IEEE style file for Zotero here. All cited sources must be submitted alongside your report and should be annotated to indicate what parts were used to support your report (see example in the Appendix).

How many references should I use? There is no set number of articles you should include in your list of references, but if you are including fewer than ten then it is unlikely that you have engaged broadly enough with the published research.

General guidance and instructions


Your Reflective Report for Task 1.2 and your Cyber Security Report for Task 2 should be submitted to Blackboard by the specified date and time. The two reports should be submitted as a single document, divided into two sections, one for Task 1.2 and another for Task 2. You can submit as either a .pdf or .docx file, but do not use any other file formats as they may not be readable on staff machines. Please include your name at the beginning of your report. Your Forensic Report for Task 1.1 should be submitted separately by the specified date and time using the appropriate link on Blackboard.


All references used in Task 2 should be submitted as separate files. That is, each paper you cite should be downloaded, marked up to show how and where you used it (see Appendix), and included as part of your submission.  Therefore, to make the submission easier, create a single ZIP file containing combined report file for Tasks 1.2 and Task 2 and all the Task 2 references.

Expected size of the submission

Your Forensic Report for Task 1.1 does not have a page limit. Your Reflective Report for Task 1.2 should not exceed 2000 words in length. Your report for Task 2 should not exceed 2000 words (excluding the bibliography). Please note the information below regarding the page limit and word count (from university regulations:

  • Under the word count: No penalty
  • Up to 10% over word count: No penalty
  • More than 10% over word count: Deduction of 10% of the total marks available (i.e., 10 marks)



Marking Scheme

This assignment assesses all the module learning outcomes specified above. In writing your report, please bear in mind the following assessment criteria and guidelines on what is expected for each.

Task 1

1.1 Forensic Report:

  • Recovering all appropriate evidence using Bookmarks.
  • Justifying the evidence found using comments.

1.2  Reflective Report:

  • Clear description and justification for forensic techniques used in the investigation (recovery).
  • Clear description and justification for conclusions (analysis).
  • Detailed reflections on the recovery process (steps taken) and analysis of the forensic evidence (determining relevance).

Task 2

Cybersecurity Report:

  • Identifying likely potential cybersecurity risks (based on recent published research and the Task 1 investigation findings.
  • Critical discussion of the identified issues.
  • Recommending realistic mitigation strategies and policies (drawing on findings from recent published research).
  • Appropriate use of published research articles and papers.
  • Presentation of the report, including correct referencing behaviour.

Academic Writing Skills.

In writing your paper it is strongly recommend that you use the following Northumbria Skills Plus material provided by the library — https://library.northumbria.ac.uk/skillsplus/.

Opportunities for Feedback and Final Feedback Form

During each seminar session, formative activities and discussions will occur on how the learning you are undertaking on how to carry out your investigation and develop your report can both support and evidence successfully meeting the module learning outcomes (listed above).  Informal one-to-one feedback may also be requested via a pre-arranged meeting. Unmoderated marks and feedback for your research paper will be returned to you within 20 working days of the final given submission deadline. As we are using criteria-based marking, the feedback form given at the end of this document will be used.

Academic Misconduct

This is an individual assignment. You should not be discussing your analysis with peers during or outside practical sessions. You should not be sharing screenshots of evidence or discussing any case-related methodology.

Please note, section 3.6.1 of the Academic Misconduct Policy states that ghosting (a form of cheating) exists where:

A student submits as their own, work which has been produced in whole or part by another person or AI system on their behalf, e.g. the use of a ‘ghost writing’ service, AI system or similar. This is also often referred to as ‘contract cheating’ and covers the purchase of services from on-line essay writing sites and the use of AI systems to generate essays.

Therefore, you must not use AI systems (e.g., chatGPT, Bard, CoPilot, etc.) to generate content for you which you then try to pass off as your own work.

You must adhere to the university regulations on academic conduct. Formal inquiry proceedings will be instigated if there is any suspicion of plagiarism or any other form of misconduct in your work. Refer to the Northumbria Assessment Regulations for Taught Awards. If you are unclear as to the meaning of these terms. The latest copy is available on the University website.

Where you have used someone else’s words (quotations), they should be correctly quoted and referenced in accordance with the IEEE referencing style.

For guidance on avoiding plagiarism see

Failure to submit: The University requires all students to submit assessed coursework by the deadline stated in the assessment brief.  Where coursework is submitted without approval after the published hand-in deadline, penalties will be applied as defined in the University Policy on the Late Submission of Work; please refer to the following link https://www.northumbria.ac.uk/about-us/university-services/student-library-and-academic-services/quality-and-teaching-excellence/assessment/guidance-for-students/


  • Example of how to annotate your sources
  • Marking scheme



Appendix — How to Annotate Your Sources

Good academic practice involves supporting your argument by references to evidence found in authoritative external sources. We do this by providing a citation label to an external source at the point in the text that we are drawing upon the ideas found in that source. All those cited sources are then compiled into a list of references at the end of the document. In addition to this standard referencing practice, for this assignment you are required to submit a copy of each referenced source and to mark up that source to indicate which parts of it you have cited. Here is an example fragment of a report, with two citations. The first uses a direct quotation and the second cites an idea or argument from a source.

My Report Fragment

In their work on building a system to sonify network traffic data (that is, communicate properties of the data using sound) Debashi and Vickers claimed that using sonification tools to explore network events and traffic features ‘would bring benefits for network monitoring in general and intrusion detection systems in particular’ [1, p.27]. Indeed, after using a sonification tool and hearing potentially anonymous network traffic, analysis of the data logs revealed the presence of botnet activity that had gone previously undetected by an intrusion detection system [2].


[1]        M. Debashi and P. Vickers, “Sonification of Network Traffic Flow for Monitoring and Situational Awareness,” PLoS One, vol. 13, no. 4, pp. 1–31, 2018, doi: 10.1371/journal.pone.0195948.

[2]        M. Debashi and P. Vickers, “Sonification of Network Traffic for Detecting and Learning About Botnet Behavior,” IEEE Access, vol. 6, no. 1, pp. 33826–33839, 2018, doi: 10.1109/ACCESS.2018.2847349.

My marked-up source documents are embedded in following pages. Note, I have included only the cited pages here, but you must submit the whole document, and you should provide each source as a separate file. Do NOT embed them in your report. I did so here just to show how you could go about marking them up.



Source [1]




Source [2]



Appendix—Marking Scheme