Digital Forensics

outcomes and performance criteria

Level 4

df4outcome
df4PC

Level 4 outcomes and performance criteria

Outcome 1

Describe the steps in the digital forensics process.
Performance Criteria
(a) Describe the role of forensic readiness in conducting a digital forensics investigation.
(b) Identify the legal, professional and ethical issues in digital forensics.
(c) Describe the phases of acquisition, analysis and reporting.
(d) Identify the tools and techniques which could be used during the digital forensics process.

Outcome 2

Apply basic techniques of data acquisition.
Performance Criteria
(a) Identify the type of data under investigation.
(b) Apply software tools to acquire the data from a basic investigation.
(c) Describe the importance of preservation in data acquisition.

Outcome 3

Examine digital evidence.
Performance Criteria
(a) Select appropriate tools.
(b) Perform analysis of the digital evidence.
(c) Construct a timeline of events using the digital evidence.

Level 5

df5outcome
df5PC

Level 5 outcomes and performance criteria

Outcome 1

Explain the digital forensics process.
Performance Criteria
(a) Explain the legal, professional and ethical issues in conducting a digital forensics examination.
(b) Explain the tools and techniques used to conduct a digital forensics examination.
(c) Explain the phases of the digital forensics process.
(d) Explain the importance of recording all actions.

Outcome 2

Apply relevant techniques in acquiring data.
Performance Criteria
(a) Identify forensically sound techniques to acquire data.
(b) Select appropriate forensic tools.
(c) Use forensic tools to acquire data.
(d) Preserve acquired data.
(e) Record relevant actions.

Outcome 3

Examine digital evidence.
Performance Criteria
(a) Identify system specific information.
(b) Perform an analysis of the evidence using software tools.
(c) Record the findings of the process.

Level 6

df6outcome
df6PC

Level 6 outcomes and performance criteria

Outcome 1

Explain the digital forensics process and job roles.
Performance Criteria
(a) Explain the main stages in the digital forensics process.
(b) Explain the main job roles associated with the digital forensics process.
(c) Explain the legal, professional and ethical issues in conducting a forensic examination.
(d) Describe the essential elements involved in securing a crime scene.
(e) Identify potential sources of digital evidence.
(f) Explain the tools and techniques used to conduct a digital forensics examination.
(g) Explain the importance of recording all actions.

Outcome 2

Apply complex techniques in acquiring data.
Performance Criteria
(a) Explain complex forensic techniques used to acquire data.
(b) Select a range of forensic tools to acquire data.
(c) Use a range of relevant forensic tools to acquire data.
(d) Preserve acquired data.
(e) Verify acquired data.

Outcome 3

Evaluate digital evidence.
Performance Criteria
(a) Identify system specific information.
(b) Perform hard disk analysis.
(c) Perform network analysis.
(d) Record the findings of the process.
(e) Evaluate the results of the digital forensic examination.
(f) Communicate the evaluation results of the forensic examination.

df6 evidenceTask

EoU test LO 1, 2a, 3a SOLAR multiple choice
coursework LO 2, 3, acquire data, evaluate evidence, Assessment checklists, Pro forma 1, Pro forma 2, report of the findings and assessor’s checklist.

df6 coursework

Assessor instructions
The machine/setup to be forensically examined could be a digital device such as a desktop computer, laptop computer, Raspberry Pi, USB storage device etc.
The evidence that is evaluated must contain both hard disk and network analysis.
The types of evidence that could be included are:
files hidden within picture files that contain details of customers, products, usernames, passwords etc
browser history showing sites visited that would produce evidence that might incriminate the suspect, such as visits to courier companies, internet banking websites etc
communication between the employee and unknown customers
spreadsheets showing income and customers of the alleged illicit sales either on the drive or recently deleted which shows details of the sales of the prototypes
Scenario
You have been employed as a Forensic Examiner on a freelance basis by a company called CyberAssured. CyberAssured is a digital equipment manufacturing company with bases across the globe. They design, develop and build digital equipment for both business and military use.
The Product Development Manager has been made aware that some prototype military equipment technology is being leaked. There is a suspicion that a member of the Product Development team is selling the technology to a third party.
They are looking for a quick, concise resolution to the investigation. They wish to keep this investigation internal to the company and obviously do not wish the suspicious activity to be leaked for fear of bad publicity. To this end, they have asked you to sign a non-disclosure agreement.
You must forensically examine the computer system of the main suspect. This machine has been left switched on. You are looking for evidence that the employee has been illegally selling prototype technologies.
You should keep records of the steps taken during the investigation using the following three forms.
You should select and use a range of relevant forensic tools in order to undertake this task and do so in a forensically sound manner, by preserving acquired data and verifying it to ensure it has been preserved accurately.
In order to fully investigate the incident you should undertake hard disk and network analysis.
The results should be delivered to your assessor by submitting a brief report outlining your procedures, conclusions and findings. The report should be evaluative in nature and should incorporate the three forms.
Proformas
Collection
Examination
Analysis
Learner material checklist
Evidence presented should consist of the four main areas of forensics:
Collection — Completion of pro forma 1
Documentation of securing the crime scene.
Seizing the evidence (PC or Raspberry Pi, pen drive, USB drive etc).
Documentation and qualifications of person(s) undertaking analysis.
Continuity of evidence (bagging tagging evidence).
Examination — Completion of pro forma 2
Examination of the machine under test.
Recording of system specific information.
Copy disk using write blocker or software write blocker.
Analysis — Completion of pro forma 3
Analysis of files copied.
Full contemporaneous notes of the process taken.
Reporting — Written or oral report including pro forma
Report outlining procedures, conclusions and findings, delivered via written or oral means.
A checklist is provided to ensure that each candidate has met the Performance Criteria for Outcomes 2 and 3.
Completion checklist
Explain the complex forensics techniques used to acquire data.
Select a range of forensic tools to acquire data.
Use a range of relevant forensic tools to acquire data.
Preserve acquired data.
Verify acquired data.
Identify system specific information.
Perform hard disk analysis.
Perform network analysis.
Record the findings of the process.
Evaluate the results of the digital forensic examination.
Communicate the evaluation results of the forensic examination.

