Module Details

Module Code: UFCFP4-30-1
Run:
Module Title: Computer Crime and Digital Evidence
Module Leader: Panagiotis Andriotis
Module Coordinator:
Module Tutors: Panagiotis Andriotis, Lindsey Gillies, Theo Spyridopoulos
Component and Element Number: B: CW1
Weighting (% of the Module’s assessment): 50%
Element Description:
Total Assignment time: 40 hours
Date Issued to Students: 03/10/2018
Date to be Returned to Students: 19/12/2018
Submission Place:
Submission Date: 22/11/2018
Submission Time: 2.00 pm

You must submit your individual report as a compressed (zip file) Microsoft Word (.doc or .docx) or .pdf document via Blackboard. NO paper submission is required.

Module Leader Signature: Dr Panagiotis Andriotis


Section 1: Overview of Assessment

Section 2: Task Specification

Section 3: Deliverables

Section 4: Marking Criteria



Coursework 1


Section 1: Overview of Assessment


This assignment assesses the following module learning outcomes:

  • Use of tools and techniques for investigating computer crime, enabling the identification of low level information structures and hardware file formats.
  • Evaluation of appropriate forensic computing investigative strategies and selection of available tools based on their appropriateness for a given investigation.
  • Comprehension of how to use software tools to investigate the contents of electronic storage devices.
  • Creation of reports that use a language and format appropriate to their use in a court of law.


The assignment is worth 50% of the overall mark for the module.


Broadly speaking, the assignment requires you to write an individual report on the EnCase Demonstration Case, showing not only report writing skills but also a knowledge of the technical aspects of forensic recovery and analysis.


The assignment is described in more detail in section 2.


You should work individually for this assignment.


Working on this assignment will help you to demonstrate your ability to investigate digital evidence, and practice your report writing skills. If you have questions about this assignment, please post them to the discussion board on Blackboard.


Aims of this assignment 


The principal aims of this assignment are to allow you to demonstrate:

  • The ability to investigate digital evidence to establish facts and opinions;
  • Report writing skills.


Section 2: Task Specification




You will be provided with a copy of the EnCase demo forensic image file.


There are two evidence files, namely “Hunter XP” and “MS Email Files”.  Note that these evidence files are from two different cases.


You will only be studying the Hunter XP evidence file.



You should:


  1. Investigate the evidence for potential criminal activity.
  2. Keep contemporaneous notes of your examination.
  3. Write a report presenting the facts you have discovered;
  4. Create a timeline of the sequence of significant events in the case.
  5. Write a brief summary of your opinion of what occurred, based on the facts you discovered.



Suggested time planning

Investigating case (tasks 1-2): 24 hours
Writing report (tasks 3-5): 16 hours

For information on how your work will be assessed, see Assessment (Marking) Criteria below.

Submission

You must submit your report as a Microsoft Word (.doc or .docx) or as a PDF document via Blackboard – NO paper submission is required. Please compress your report (zip file) before uploading it on Blackboard.




Your report will comprise the following four Sections.


Note that apart from Section 4 there is no specified word count (word limit).


The size of deliverables (or Sections) 1-3 will depend on your findings during your investigation.


However, credit will be given to reports that are concise and avoid unnecessary verbiage.


You must submit ONE individual report that consists of the following sections by the submission date indicated below:


  Tasks – Sections Marks Submission Date and Place
1. Contemporaneous Notes


Your contemporaneous notes will document the steps you took to examine the evidence; they will probably be based on the standard template, provided in Appendix A.


Factors you need to consider are:

i.          The notes need to be sufficiently detailed to demonstrate that you have performed a complete and coherent examination,

ii.         Repeatability: The notes should be sufficiently detailed to allow an independent analyst to repeat your examination with the same results.

iii.        Dual verification: Choose 2 key evidence items, and provide their provenance, using 2 separate tools such as EnCase and Autopsy.





2. A concise written summary of the evidence file you have studied. 


This section of the report will typically be around 4-5 pages long and will document the most significant evidence items e.g. picture, document, email files, which you have identified within the forensic image.


This section of the report should document facts, not opinion, for example, the presence of a picture file, rather than a discussion of how this file possibly arrived on the disk.


You should include the bulk of the evidence items within an appendix, including a provenance block for each item.


3. A timeline of the sequence of events that occurred during this crime. 


The timeline should be clearly laid out to show what happened when, with appropriate comments.


You should concentrate upon the significant events in the case.


You should look for evidence corroborating that the times are correct (this evidence should be mentioned in Section 2).


4. A statement of your opinion of what occurred during this crime.


This should be around 300 words and must not exceed 500 words.


You should build your opinion based on the facts given in Section 2.


TOTAL: 100 marks

Submission date: 22/11/2018

Submit on .DOC or .PDF file.



Section 3: Deliverables


You must submit via Blackboard ONE individual report compressed as a zip file that consists of the aforementioned four sections listed in “Section 2: Task Specification” in this document.


The report must be submitted by the submission date indicated below:


Submission date: Thursday 22/11/2018


Follow this link to get advice about how to submit your coursework via Blackboard:



Section 4: Marking Criteria


See the assessment criteria below for additional information on how your work will be assessed.



Written Work


Please note that all written work should:


  • Be properly researched and referenced (if needed) using the UWE Harvard method of referencing;
  • Have all sources critically evaluated;
  • Have word counts applied according to UWE regulations. Further information available here:
  • Be professionally formatted in .PDF or .DOC(X) format.



General Points


  1. You should not expect to get any reminders from tutors about any of these responsibilities.
  2. You should familiarise yourself with UWE Academic Regulations with regard to assessment. These are available on the UWE Home page.
  3. Non submissions are covered by UWE Academic Regulations, and will be given zero marks.





Assessment Criteria


NON-SUBMISSIONS are covered by UWE Regulations and generally attract zero marks.


Tasks 0-25% 26-39% 40-49% 50-59% 60-69% 70+%



(25 Marks)

  • 0-25%: Insufficient detail throughout, raises serious concerns over the completeness, coherence and competence of the examination. Major omissions in processes, no justification.
  • 26-39%: Insufficient detail in a large number of areas. Documents an incomplete, incoherent examination, with a significant number of missing actions with no justification.
  • 40-49%: Sufficient detail to provide reasonable confidence in the coherence and completeness of the examination. There will be places where more detail is required to enable full repeatability. Possibly a small number of omissions in the stages of the examination (including a key process, such as dual verification or the comparison of the acquisition-verification hashes).
  • 50-59%: Sufficient detail to provide increased confidence in the quality of the examination. With a small number of additions, the examination would be repeatable.
  • 60-69%: A small number of minor omissions in the documentation. Documents a mostly logical, complete and coherent examination. With a few minor additions, there is considerable confidence in the quality of the examination and in its repeatability.
  • 70+%: Documents a logical, complete and coherent examination. Actions or lack of action are fully justified. Sufficient detail to allow repeatability. Complete confidence in the quality of the examination.

Written Summary of evidence, including

(25 Marks)

  • 0-25%: Major omissions in evidence items identified. No provenance of evidence items provided. Poorly structured.
  • 26-39%: Poorly presented summary which misses significant evidence items and which provides severely limited provenance.
  • 40-49%: Too few (the examiner missed key items) or too many evidence items (failure to identify significance) included in the summary. Provenance provided for all items in the Appendix; however provenance block structure may be incorrect.
  • 50-59%: Most of the significant items are identified and properly provenanced. However, a small number of key evidence items have been missed. Good structure, with the appendix used to provide provenance of all evidence items.
  • 60-69%: Generally accurate summary, competent, well-written, and presented. Summary concentrates upon key evidence items only. Good use of the Appendix to document the remaining evidence items. Full provenance provided for evidence items.
  • 70+%: Detailed and highly accurate summary; concise, professional presentation. Full provenance provided for all evidence items, using the reporting feature in EnCase.



(25 Marks)

  • 0-25%: Incorrect timeline, missing significant items, or alternatively including all items (so not identifying the main significant ones). Very poor visual representation makes the timeline difficult to interpret.
  • 26-39%: Poor visual representation; identifies a small number of the key events, insufficient/too much details provided.
  • 40-49%: Reasonably clear timeline which includes most of the key elements. Possibly includes less significant events. Limited use of layout, colour, shape, etc.
  • 50-59%: Timeline includes all key events, possibly cluttered with the addition of less significant events. Limited contextual information such as user accounts used, email addresses.
  • 60-69%: Easy to follow timeline which conveys the sequence of significant events and includes additional relevant contextual information. Good visual representation which could be strengthened by additional appropriate use of colour/layout, etc.
  • 70+%: Clear, uncluttered timeline which concentrates upon the main events and provides relevant contextual information. Excellent visual representation which makes effective use of text, layout, colour, etc. Conveys information in a meaningful manner.



(25 Marks)

  • 0-25%: No opinion, or unjustified opinion expressed. Assumptions made without any basis or discussion. Possibly biased.
  • 26-39%: Little opinion expressed, with limited justification. Possibly biased.
  • 40-49%: Independent opinion, mostly justified, but not clearly expressed; overall, difficult to follow the argument.
  • 50-59%: Independent opinion, justified. Reasonably well structured and expressed – may be difficult to follow in places.
  • 60-69%: Professional, independent, justified opinion, clearly expressed, well structured.
  • 70+%: Professional, independent, justified opinion. Clearly expressed, well structured. Placed within a legal context.














End of Coursework Specification.

The following appendix provides a template for your contemporaneous notes.

Appendix A


Contemporaneous Notes

(Note: if you decide to omit a process, then you should provide your reasons for doing so).

Examiner   Exam commenced  
Other relevant information   Software used, versions and licensing  



Action Done? Date Time Notes

  • Load case & verify image
  • Recover lost folders (FAT16 & 32).
  • Mount archives; zip, thumbs.db, etc.
  • File signature analysis, compute hash values
  • Perform data carving
  • Retrieve operating system information, accounts information, software, time zone information, etc.
  • Timeline analysis – Note date of last activity on the computer.
  • Log-on passwords – use SAMInside/Ophcrack/EnCase
  • Registry analysis and Registry protected area
  • Internet History, favourites. Other browsers?
  • Run relevant keyword searches
  • Emails, local & web-based.
  • IM clients
  • Examine different file types.
  • Export doc / office & exe files; look at Meta data if required
  • Clean-up utilities. Check log files
  • Encryption, Steg
  • Link files
  • Print artefacts
  • CD/DVD burning apps; check log files
  • Load Case into second forensic tool for dual verification of 2 key artefacts




Additional Notes:





