
formative assessment

Data Security
1 data storage
identify options for storing data including cloud solutions
identify data which references a person (personal) and other data (non-personal)
identify confidentiality status of data: private or public
identify personal data related to social media sites and apps
2 ethics
ethical considerations by organisation for storing personal data
processes to collect and use data in an ethical manner
discriminate for inclusion or exclusion of sensitive data on ethical grounds
3 laws
laws for human freedoms (right to family life)
key provisions of Freedom of Information Act
responsibilities of controllers and processors required by GDPR
Legal purpose of GDPR, related laws
key provisions of GDPR
exemptions for Freedom of Information
4 companies and sectors (L6)
5 best practice (same as L6)
6 physical, perimeter and internal network security (same as L6)
7 risk of sharing data (same as L6)
8 keeping data secure (same as L6)
9 cause and effect of breaches (same as L6)
10 strategies to protect data (same as L6)

DS-LO 1, 2, 3
1 storage: (looks like L5?)
identify options for storing data including cloud solutions
identify data which references a person (personal) and other data (non-personal)
identify confidentiality status of data: private or public
identify personal data related to social media sites and apps
4 companies and sectors LO1d p10
recognise profile for a small company, medium, large
identify sector for a company type
match job titles with typical responsibilities / duties
5 best practice LO1c, f p15, task 13
sources of government advice
techniques for physical network
organisational resilience and business continuity (techniques)
key cyber-resilience techniques
best practice techniques and strategies
securing personal mobile devices of employees
6 physical, perimeter and internal network security LO1e p17
explain network structure vocabulary
describe functionality of network components
identify strategies belonging to physical, perimeter and internal
describe the various information publications from NCSC
describe cyber resilience
7 risks with sharing data LO1a, b p20
describe how publicly available personal data might be used by 3rd parties
describe additional data stored along with file contents
describe basic actions for cyber hygiene
describe AI applications related to personal data eg on social media
8 keeping data secure LO1f, g p23
describe general principles for keeping data secure online
malware risks
encryption for data storage and data transfer
additional security options available
wifi risks
9 cause and effect of breaches LO1a, b (L5)
describe key facts about real life breaches
describe consequences of breaches for the company affected
describe consequences of breaches for the individuals affected
describe how to check if an account has been part of a breach
common causes of data breach
10 strategies to protect data LO2 a, b, c, d, e, f p38
anti-virus techniques and suppliers
biometric security techniques
firewall functions
table top exercises
software patching
work of the ICO
digital forensics

Resources for Developing Small business Security Strategy
Self-assessment for a business or organisation

Booklets for download or viewing

More technical detail for mid-large companies with some specialist support

Profile and assess the company and its data systems
Identify: list, assess value, assess potential risks and vulnerabilities for:
Systems (hardware, software and infrastructure)
People (users)

Actions for the company to implement, security policies to set up
Actions and policies to manage risk to data
Actions and policies to manage risk related to systems
Actions and policies to manage risk related to people

Digital Forensics
level 4
level 5
df process L5
Describe the aim or purpose of the Digital Forensic process
State the four principles of DF examinations
State which laws are most relevant to DF (in Scotland)
Describe the main activities in carrying out a DF examination
Describe the role of the lead investigator in DF examination
Describe the role of senior investigators in a DF examination
Identify other personnel who might be in the DF examination team
Describe the effect of Laws in carrying out a DF examination
Why are DF processes increasingly important to crime investigation?
Describe the factors that might lead to a DF examination being launched
Describe the role of the Investigatory Powers Commission
Why must Digital forensic examinations be carried out within a 'legal framework'?
What are the main offences covered by the Computer Misuse Act?
What is the main ‘human right’ that affects the conduct of a digital forensic examination?
df act (laws and legislation) L5
State the main offences under the Computer Misuse Act
Explain why a DF investigation team might request encryption keys
Explain why the members of the DF team need to know about how the Computer Misuse Act affects their work
Identify how human rights in Scotland were covered before the Human Rights Act was passed
Explain how the HRA has helped investigations in Scotland
Explain why RIPA allows secret monitoring of ISP customers.
Outline the powers given to investigators under the RIPA law.
Identify the offences defined by the Computer Misuse Act.
Describe the purpose of the Investigatory Powers Commission
Describe how the HRA relates to DF, identify the main feature that is relevant.
Explain why RIPA is needed in addition to Computer Misuse Act.
Explain the developments that led to the passing of the Computer Misuse Act.
Describe the action that should be taken if a DF team finds evidence that may relate to another crime.
Explain why the members of the DF team need to be aware of the legal framework.
DF seizure L5
Explain the use of “Faraday bags” in DF
Explain why proper training is needed for DF personnel who will be securing digital devices
Explain the meaning of the term “forensic ready” and why it is important for companies to be “forensic ready”
Describe the kinds of evidence that should be captured before removing power from a digital device
Explain why an investigating DF team may ask for a warrant, explain how this may help the investigation.
Describe the process for obtaining a warrant.
Explain what is meant by a “chain of custody” and how it might be set up.
Explain the role of the owner of a device in giving permission for the devices to be examined.

level 6
From ASP
The types of evidence that you may wish to include are:
files hidden within picture files that contain details of customers, products, usernames, passwords etc
browser history showing sites visited that would produce evidence that might incriminate the suspect, such as visits to courier companies, internet banking websites etc
communication between the employee and unknown customers
spreadsheets showing income and customers of the alleged illicit sales, either on the drive or recently deleted, which show details of the sales of the prototypes

Assessment instructions
You have been employed as a Forensic Examiner on a freelance basis by a company called CyberAssured. CyberAssured is a digital equipment manufacturing company with bases across the globe. They design, develop and build digital equipment for both business and military use.
The Product Development Manager has been made aware that some prototype military equipment technology is being leaked. There is a suspicion that a member of the Product Development team is selling the technology to a third party.
They are looking for a quick, concise resolution to the investigation. They wish to keep this investigation internal to the company and obviously do not wish the suspicious activity to be leaked for fear of bad publicity. To this end, they have asked you to sign a non-disclosure agreement.
You must forensically examine the computer system of the main suspect; this machine has been left switched on. You are looking for evidence that the employee has been illegally selling prototype technologies.
You should keep records of the steps taken during the investigation using the following three forms.
You should select and use a range of relevant forensic tools in order to undertake this task and do so in a forensically sound manner, by preserving acquired data and verifying it to ensure it has been preserved accurately.
In order to fully investigate the incident you should undertake hard disk and network analysis.
The results should be delivered to your assessor by submitting a brief report outlining your procedures, conclusions and findings. The report should be evaluative in nature and should incorporate the three forms.

Collection — Completion of pro forma 1
Documentation of securing the crime scene.
Seizing the evidence (PC or Raspberry Pi, pen drive, USB drive etc).
Documentation and qualifications of person(s) undertaking analysis.
Continuity of evidence (bagging tagging evidence).
Examination — Completion of pro forma 2
Examination of the machine under test.
Recording of system specific information.
Copy disk using write blocker or software write blocker.
Analysis — Completion of pro forma 3
Analysis of files copied.
Full contemporaneous notes of the process taken.
Reporting — Written or oral report including pro forma
Report outlining procedures, conclusions and findings, delivered via written or oral means.
A checklist is provided to ensure that each candidate has met the Performance Criteria for Outcomes 2 and 3.

Explain the complex forensics techniques used to acquire data.
Select a range of forensic tools to acquire data.
Use a range of relevant forensic tools to acquire data.
Preserve acquired data.
Verify acquired data.
Identify system specific information.
Perform hard disk analysis.
Perform network analysis.
Record the findings of the process.
Evaluate the results of the digital forensic examination.
Communicate the evaluation results of the forensic examination.


Forensic image of a HD and an image of a USB stick.

On the USB stick, Auntie Mary, Poems and Holidays are all lists of banned drugs. Their file extensions have been changed to disguise them but they are all openable with Notepad++ or similar.

There is a jpg photo of his cohort, some pills and a beach scene, all of which might be relevant

And a couple of web pages showing interesting related items

The laptop hard drive will give you some emails (openable with Notepad++) and some text files, you don't have to hunt too hard, if I remember correctly there is an Excel file as well, all of these are on the desktop or My Documents. The user account name ties the laptop to the suspect. The students will have fun trawling through the E01 files looking for clues.

We basically used the ASP but split it up into 4 parts to make marking easier, because you don't want everything coming in at once (probably too late for you now this year, sorry, but you'll know for next time). We did part 1 after 4 weeks, part 2 after 8 weeks, part 3 I think was week 9/10 and part 4 week 12. Mark as you go, then for the final case report, I gave them a template where they can just copy/paste their answers and any corrections into a nice report. I make my level 5s do a properly formatted report with front cover etc, appendices, screenshots etc but they have already collected all the content by doing parts 1 to 4. They submit final reports through SafeAssign or Turnitin and there is hardly any marking to do at that point.
We put our 4 parts on the VLE so it's not copied over very well, but you should get the idea. Some questions make reference to OSF so you'll have to amend those depending on what you are using. Our 5's get HexBrowser, FTK Imager, OSF (an older free version) and I can give you a link to those tools if you need it.
The zip files show the questions on the VLE - if you are using Blackboard I can try and send export files, there's our in-house Chain of Custody form, the final report template and the ASP.

Download GBLOKE.e01.001, 002, 003 and 004 and put them in a folder along with the GBLOKE.e01.txt file.

Download FFJS, install and run it.

Choose "join", point it to GBLOKE.e01.001 and run (it is OK to delete the split parts). You should now have an E01 file of about 3.8 GB in size.

Download the zip file and extract it. You should now have a folder called Frenergy USB. This is a copy of the suspect's Hello Kitty USB. You should now use FTK Imager to make an E01 file from this folder; this is the second piece of evidence. Also keep the text file that will be auto-generated.

You can now mount both E01 files in whatever Forensics suite you are using as this will be part of your assessment evidence.

Created By AccessData® FTK® Imager

Case Information:
Acquired using: ADI3.4.2.6
Case Number: 20160709_GBLOKE_WD_HDD_Part_8.30GB
Evidence Number: 001
Unique description: Western Digital Hard Drive
Examiner: Chrissie Nyssen
Notes: HDD removed from red Lenovo G5080


Information for C:\Users\Student\Desktop\GBLOKE\Evidence001:

Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Logical
[Drive Geometry]
Bytes per Sector: 512
Sector Count: 17,414,397
[Physical Drive Information]
Removable drive: False
Source data size: 8503 MB
Sector count: 17414397
[Computed Hashes]
MD5 checksum: b6aa00632f175580776e20ee16ea9506
SHA1 checksum: 654f0e77a0d15e155079fb2e8429f71405657e84

Image Information:
Acquisition started: Thu Jul 09 09:31:38 2015
Acquisition finished: Thu Jul 09 09:38:42 2015
Segment list:

Image Verification Results:
Verification started: Thu Jul 09 09:38:43 2015
Verification finished: Thu Jul 09 09:40:13 2015
MD5 checksum: b6aa00632f175580776e20ee16ea9506 : verified
SHA1 checksum: 654f0e77a0d15e155079fb2e8429f71405657e84 : verified
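
One way to check the auto-generated text file before mounting an image, given as an added example that is not part of the original course material: it parses a log laid out like the one above and confirms that the acquisition hashes and the verification hashes agree. The sample text is constructed from the hash sections of that log, and `parse_hashes` and `check_log` are illustrative names; any status word other than "verified" is assumed to indicate a failure.

```python
import re

# Constructed sample: only the hash-bearing sections of an imager summary file,
# laid out like the log on this page (digest values copied from that log).
SAMPLE_LOG = """\
[Computed Hashes]
 MD5 checksum:    b6aa00632f175580776e20ee16ea9506
 SHA1 checksum:   654f0e77a0d15e155079fb2e8429f71405657e84

Image Verification Results:
 Verification started:  Thu Jul 09 09:38:43 2015
 Verification finished: Thu Jul 09 09:40:13 2015
 MD5 checksum:    b6aa00632f175580776e20ee16ea9506 : verified
 SHA1 checksum:   654f0e77a0d15e155079fb2e8429f71405657e84 : verified
"""

# Matches "MD5 checksum: <hex>" with an optional trailing ": <status>".
HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)\s*(?::\s*(\w+))?\s*$")

def parse_hashes(log_text):
    """Return {'computed': {...}, 'verified': {...}}, each keyed by algorithm."""
    result = {"computed": {}, "verified": {}}
    section = None
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "[Computed Hashes]":
            section = "computed"
        elif stripped.startswith("Image Verification Results"):
            section = "verified"
        m = HASH_LINE.match(line)
        if m and section:
            algo, digest, status = m.groups()
            result[section][algo] = (digest.lower(), status)
    return result

def check_log(log_text):
    """List problems found; an empty list means both hash sections agree."""
    hashes = parse_hashes(log_text)
    problems = []
    for algo in ("MD5", "SHA1"):
        comp = hashes["computed"].get(algo)
        ver = hashes["verified"].get(algo)
        if comp is None or ver is None:
            problems.append(f"{algo}: missing from log")
        elif comp[0] != ver[0]:
            problems.append(f"{algo}: acquisition and verification digests differ")
        elif ver[1] != "verified":
            problems.append(f"{algo}: status is {ver[1]!r}, not 'verified'")
    return problems
```

These digests cover the acquired source data, not the E01 container file, so hashing the .E01 file directly will not reproduce them; re-verify the image with the imaging tool and record the result on the chain of custody form.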
