CMP507 – Digital Forensics Coursework Assessment Instructions 2025/26 | Abertay University
| Module | CMP507 – Digital Forensics |
| Module Lecturers | Prof. Ian Ferguson & Dr Karl van der Schyff |
| Due Date | 10th of December 2025 @ 12 noon |
| ASSESSMENT CONTRIBUTION | |
| This assessment is worth 100% of the module marks. It will normally be marked within 15 working days ofthe submission date. | |
| ROLE OF YOUR LAB SESSIONS | |
| The weekly, timetabled lab sessions will guide you through the process of performing a basic investigation.During each session, you will be required to undertake some tasks, either a practical task or more reflective research activity. The labs are all available via the CMP507 module webpage on MLS. | |
| SOFTWARE AND EQUIPMENT TO USE | |
|
· Although the labs will introduce you to specific forensic software, you are free to use any tools and techniques to uncover evidence.· We have made a Linux analysis VM available for those who wish to use it.· You may, however, complete the labs (and this assessment) using any operating system provided that you are able to conduct a thorough investigation. You will find that in many instances the software we use are available for Windows and Linux. We will leave the choice up to you. |
|
ASSESSMENT INSTRUCTIONS |
|
| WHERE (and what) TO SUBMIT?WHAT ABOUT USING AI? |
· Complete all the labs associated with this module. In particular, labs 1 to 12 should be completed, but we encourage you to also do some additional research and to include that in your court report, if applicable.· Once you have completed labs 1 to 12 (and any additional research/work), submit your Cryptic Wilds court report as a consolidated PDF document via the hand-in link on MLS.· Your court report should be about 5000 words in length (excl. the appendices).· Use of Generative AI Tools such as ChatGPT, DALL-E, Bard etc. is explicitly prohibited for this module’s assignment (i.e., the court report). The output gleaned or generated from the tools mentioned, and others that are similar, relates to sources already published/available. Also, be aware that the information obtained can be inaccurate or incomplete. Thus, all work should be your own. If the assignment (i.e., court report) is found to have been plagiarised or to have used unauthorised AI tools, you will be referred to the Student DisciplinaryOfficer within the School and this may result in an Academic Misconduct charge. |
ASSESSMENT SCENARIO |
|
| In your capacity as a digital forensic investigator, you have been asked to investigate and analyse digital evidence in relation to a suspect (Sonya Macoit) who has been arrested in connection with the suspected trade in exotic wildlife (possibly poaching?). Your investigation should focus on:· Reconstructing the events that have taken place based on the evidence uncovered,· Retrieving all the images that depict wildlife trading, wildlife reconnaissance (or poaching for that matter), and· Most importantly, providing us with an accurate reflection of what Sonya Macoit has done and adetailed description of how you know this (evidence to back up your claims). |
|
CORE MODULE LEARNING OUTCOMES |
|
|
After completing this assessment (and the module as a whole), you should have achieved the following: 1. Understand the principles of computer forensic investigation with regard to the legal definitions of computer misuse. 2. Devise an appropriate professional level plan for a forensic investigation and carry out this plan within a context of a specific scenario. 3. Analyse and evaluate the results of a computer forensic investigation. |
Marking of the Assessment – the assessment criteria to be used
Marking is performed in accordance with the criteria outlined below. Additionally, note that we do not simply award marks for finding illicit material but rather for the manner in which you have conducted your investigation. In other words, forensic soundness, thoroughness and professionalism as well as the quality of its presentation in the court report.
| Criteria | A+ (4.5) | A (4) | B+ (3.5) | B (3) | C+ (2.5) | C (2) | D+ (1.5) | D (1) | MF (0.5) | F (0) |
|---|---|---|---|---|---|---|---|---|---|---|
| 1. Accuracy and completeness of investigation and recovery of evidence | All relevant images/evidence recovered. All evidence correct, no extraneous material (e.g., no images listed that shouldn’t be) | All relevant images/evidence recovered. All evidence correct, no extraneous material (e.g., no images listed that shouldn’t be) | A few minor errors (e.g., some images missing from listing or extraneous users listed) | Some minor errors (e.g., images missing from listing or extraneous users listed) | Significant errors (e.g., many images missing from listing or irrelevant/extraneous users listed) | Significant errors (e.g., many images missing from listing or irrelevant/extraneous users listed) | Much missing evidence and significant errors (e.g., missing images, or extraneous images discovered) | Limited amount of evidence recovered (e.g., some discovered images) | No images or evidence recovered | Extreme missing or insufficient performance |
| 2. Forensic soundness | Diskspace audit correct and fully used to guide investigation. Evidential integrity fully checked (e.g., checksums throughout and at conclusion of investigation) | Diskspace audit correct and fully used to guide investigation. Evidential integrity fully checked (e.g., checksums throughout and at conclusion of investigation) | Diskspace audit correct and fully used to guide investigation. Evidential integrity checked at beginning and conclusion of investigation | Diskspace audit correct and fully used to guide investigation. Evidential integrity checked at beginning and end of investigation | The following mostly present and correct and a meaningful attempt to guide investigation: Diskspace audit correct and used to guide investigation. Evidential integrity appropriately checked | Some of the following present and correct: Diskspace audit correct. No evidential integrity checking | Some of the following present: Diskspace audit correct. No evidential integrity checking | Some of the following present: Diskspace audit correct. No evidential integrity checking | Few of the techniques covered in the course applied | None of the techniques covered in the course applied |
| 3. Use of a systematic approach | Used list of installed software fully | Used list of installed software fully | Used list of installed software fully | Used list of installed software fully | The following mostly present and correct: Some attempt to use a systematic approach | Some of the following present: Some attempt to use a systematic approach | Some of the following present: Some attempt to use a systematic approach | Some of the following present: Some att |
| Did you go back and reanalyse after you found something later on? | Guide investigation. User accounts investigated and used to guide investigation. Recent Activity/MRU checked and used to guide investigation. Registry analysis used to guide investigation. Internet and execution artifacts used to guide investigation. | Guide investigation. User accounts investigated and used to guide investigations. Recent Activity/MRU checked and used to guide investigation. Registry analysis used to guide investigation. Internet and execution artifacts used to guide investigation. | Guide investigation. User accounts investigated and used to guide investigation. Recent Activity/MRU checked and used to guide investigation. Most of the registry, Internet, and execution artifacts used to guide the investigation. | Used list of installed software to guide investigation. User accounts investigated and used to guide investigation. Recent Activity/MRU checked and used to guide investigation. Most of the registry, Internet, and execution artifacts used to guide investigation. | Some attempt to use them to guide the investigation. List of installed software used. User accounts investigated. Recent Activity/MRU checked. Registry, Internet, execution artifacts checked. | Some attempt to use them to guide the investigation. List of installed software used. User accounts investigated. Recent Activity/MRU checked. Some registry, Internet, execution artifacts checked, but not all or limited use of them. | List of installed software used. User accounts investigated. Recent Activity/MRU checked. Registry, Internet, and execution artifacts checked — real use of them limited. | List of installed software used. User accounts investigated but little real use made of them. | Course techniques applied. | None of the course techniques applied. |
| 4. Use of tools and techniques taught in lab and going beyond basics | All of the techniques covered in the course correctly applied. Tools/techniques beyond those covered in the course fully researched and correctly applied. Created and verified own tools. | All of the techniques covered in the course correctly applied. Tools/techniques beyond the course fully researched and correctly applied. | Most of the techniques covered in the course correctly applied. Some use of tools/techniques beyond those covered in the course. | Most of the techniques covered in the course correctly applied. Little use of tools/techniques beyond those covered in the course. | Some of the techniques covered in the course correctly applied. Little use of tools beyond the course. | Some of the techniques covered in the course applied. Not use of tools/techniques beyond the course. | Few of the techniques covered in the course applied. Limited real progress in the investigation beyond the lab worksheets. | Few of the techniques covered in the course applied. | Few of the techniques covered in the course applied. | None of the techniques covered in the course applied. |
| 5. Reconstruction | Clear, correct reconstruction of events completely supported by sound evidence. Exemplary use of timeline or other appropriate analysis. | Reconstruction of events completely supported by sound evidence. Full use of timeline or other appropriate analysis. | Reconstruction of events mostly supported by sound evidence. Meaningful use of timeline or other appropriate analysis technique. | Reconstruction of events supported by sound evidence. Limited use of timeline or other appropriate analysis technique. | Some attempt to reconstruct events using available evidence but some gaps or errors. Limited use of timeline or other appropriate analysis technique. | No meaningful reconstruction of events attempted. Timeline or analysis impossible to follow. No attempt to move away from a simple technical investigation to an understanding. |
