Download assessment for 2025 lancaster and more Summaries Applied Computing in PDF only on Docsity!
Academic Year: 2025 - 2026
Assessment Introduction:
Assignment 1 is worth 50% of your overall module mark. This Assessment Pack consists of a detailed assignment brief, guidance on what you need to prepare, and information on how class sessions support your ability to complete successfully. You’ll also find information on this page to guide you on how, where, and when to submit. If you need additional support, please make a note of the services detailed in this document.
How, when, and where to submit:
Assignment 1 part 1 Submission date: 20/02/2026 12:00 pm (noon) Submissions are via the CO2517 Blackboard area under Assessments - > Assessment 1 Submission area. Feedback will be provided by: 13/03/26 9:00 am Note: If you have any valid mitigating circumstances that mean you cannot meet an assessment submission deadline and you wish to request an extension, you will need to apply online, via MyUCLan with your evidence prior to the deadline. Further information on Mitigating Circumstances via this link. We wish you all success in completing your assessment. Read this guidance carefully, and any questions, please discuss with your Module Leader. Module Code: CO2517 Module Title : Digital Evidence and Incident Response Title of the Brief: CO2517 Assignment 1 Brief Type of assessment : Report/Essay
Additional Support available : All links are available through the online Student Hub
- Optional: Academic support for this assessment will be provided by contacting Chris Finnigan [email protected] via email or Teams or in person in CM214.
- Our Library resources link can be found in the library area of the Student Hub or via your subject librarian at [email protected].
- Support with your academic skills development (academic writing, critical thinking and referencing) is available through WISER on the Study Skills section of the Student Hub.
- For help with Turnitin, see Blackboard and Turnitin Support on the Student Hub
- If you have a disability, specific learning difficulty, long-term health or mental health condition, and not yet advised us, or would like to review your support, Inclusive Support can assist with reasonable adjustments and support. To find out more, you can visit the Inclusive Support page of the Student Hub.
- For mental health and wellbeing support, please complete our online referral form, or email [email protected]. You can also call 01772 893020, attend a drop-in, or visit our UCLan Wellbeing Service Student Hub pages for more information.
- For any other support query, please contact Student Support via [email protected].
- For consideration of Academic Integrity, please refer to detailed guidelines in our policy document. All assessed work should be genuinely your own work, and all resources fully cited.
- For advice on the use of Artificial Intelligence, please refer to Categories of AI tools guidance. For this assignment, you are not permitted to use any category of AI tools to create your own content.
The Simulated Scenario The Chief Security Officer for the YouClan university has asked you to investigate a potential breach of confidentiality by one of the academic staff. Dr Susan Pecter, Course Lead for Computing, is believed to be involved in the unauthorised sale of highly confident student information, specifically their health and marks obtained. Records from network traffic and other intelligence suggest this activity was between June 2024 and October 2025. You have been provided with a virtual image of the hard drive of a suspected USB drive that was discovered within Susan’s PC. This USB drive was initially discovered by the Incident Response Site Team and entered correctly as evidence into the evidence locker prior to your investigation. The suspected user’s portable USB drive is believed to be involved in the storage of university confidential information. You have been asked to investigate this drive thoroughly and create Incident Response Procedures or Standard Operating Produces to complete specific tasks. You should also produce a report of arfefacts and items of interest.
Task 1: Create an Incident Response Plan and Procedures for Image Acquisitions
Prior to the incident taking place, you were tasked by the CISO to develop an Incident Response Plan (IRP) for the organisation. This plan should aim to explain how to capture digital evidence from company-owned desktops and laptops. Your plan should be designed to discuss, but not perform , the capturing evidence from both a live system (e.g., one that is currently switched-on). It should also discuss and demonstrate how to perform a dead-box system (e.g., one that is currently switched-off). Your incident response plan should consider the four principles of digital evidence that are identified in the ACPO good practice guide for digital evidence.
- Your evidence recovery techniques should not alter any evidence
- If you find it necessary to access original data, then you must be competent to do so and be able to explain the consequences of your actions
- An audit trail of all processes should be created; the audit trail should contain enough detail that all actions are repeatable by a third party
- The person in charge (an information security manager) has overall responsibility for ensuring the law and these principles are adhered to. You should create the two (2) key procedures for acquiring digital evidence – one set of procedures for dealing with a live system, and another for dealing with a dead - box system. These could be from open-source or commercial products. You should include a chain of custody form and briefly explain its importance in such procedures.
Task 2: Write Incident Response Procedures to Assess the MBR and to
Analyse the Evidence.
For the sake of this assessment, you should assume the suspect evidence drive has already been acquired and the virtual drive image ( in a dd format) provided will represent the evidence device image you will examine.
being awarded. Finally, you should include all evidence/artefacts relating to this breach of confidential scenario in an appendix. Refer to the Module Information Pack to understand the Learning Outcomes and Marking Criteria. Submission Requirements You are required to produce a report that is limited to 2,000 words. Grading will stop at the 2000 - word threshold and anything that is written beyond that will be penalised by 5 marks per 10% (200 words) over the wordcount. Please note that references, appendices, cover page and table of contents are NOT included in the 2000 - word limit. You should use Microsoft Word to complete this assignment. If you use a word processor other than Microsoft Word, then you should check to ensure that the document layout is the same as Microsoft Word. The essay should be in a single column format with the default settings (font, margin, space) of MS Word. The submission should be done via Turnitin on Blackboard. As part of your submission, you need to include a completed Coursework Cover Sheet available within the Assessment area of Blackboard (this does not count as part of your word count). Penalties for late submission Except where an extension of the hand-in and/or discussion deadline dates have been approved (using extenuating circumstances forms), lateness penalties will be applied in accordance with university policy as shown in table 1. Table 1. Late submission penalty Mitigating circumstances and extensions Extensions are granted when there are serious and exceptional factors outside your control. Everyday occurrences such as colds and hay fever do not normally (Working) Days Late Penalty Up to 5 Maximum mark 40% More than 5 0%
qualify for extensions. Where possible, requests for extensions should be made before the hand-in date. Information about how to submit: https://www.lancashire.ac.uk/students/support/extensions. php Academic Misconduct The University operates an electronic plagiarism detection service (Turnitin) where your work will be automatically uploaded, stored, and cross-referenced against other material. You should be aware that the software searches the World Wide Web, extensive databases of reference material and work submitted by members of the same class to identify duplication. To avoid accusations of plagiarism, give an in-text citation and provide bibliographic details of any source used in the references list. Remember that you can reuse ideas from various sources but not literal text. Plagiarism is not acceptable, and you will face consequences when it is detected by Turnitin. For detailed information on the procedures relating to plagiarism, please see the current version of the University Academic Regulations. Reassessed Work Reassessment in written examinations and coursework is at the discretion of the Course Assessment Board and is dealt with strictly in accordance with university policy and procedures. Revision classes for referrals will take place during
(40-48) (^) • Demonstrate a basic understanding of the purpose of an incident response plan but is incomplete contains major errors/emissions.
- Very limited discussion of live or dead-box image acquisition processes.
- The audit trail or chain of custody does not contain enough detail in relation to the simulated incident
- Identifies the need for an MD5 checksum, but not used in testing and/or the chain of custody is correctly used/missing.
- Relevant laws and guidelines have been considered but not followed correctly
- Partition validation process discussed but testing presented or lacks screenshots.
- Evidence Data not accessed; thus, limited analysis completed.
- Minimal artifacts are presented from the simulated incident data
- Encase Report procedure outlined but investigation report not attached. (52-58) (^) • A detailed description of the incident response procedures, clear structure, clear communication plan and prioritisation procedures
- Incident response plan contains instructions for both live and dead-box evidence recovery
- The procedures for acquiring digital evidence are correct with the correct set of assumptions and tools
- A chain of custody template has been provided, and an attempt has been made to produce a copy for the simulated incident, but is missing some information
- There is a separation between the incident response plan, the audit trail, and the chain of custody
- A MD5 hash has been calculated, but is incorrect for the simulated incident
- Partition analysis and resolution is done well, evidence of this procedure being use is present.
- Evidence Data retrieval process is missing key explanations.
- Only three relevant evidence/artifacts are found in the testing of incident investigation procedures.
- Encase Report included in findings, but findings are not titled/easy to identify relevance.
- Relevant laws and guidelines have been considered and somewhat followed correctly.
(62-68) (^) • As above, with a chain of custody in the correct format, used correctly throughout.
- The acquired evidence is verified correctly by providing the correct MD5 checksum value
- The incident response plan is systematic and produces forensic level documentation
- Partition analysis and resolution is done with detail and concisely explained, evidence of this procedure being use is present.
- Auditing/testing actions have been undertaken, but are missing a few details or steps in data carving and analysis or limited evidence of these in testing.
- Only five relevant evidence/artifacts are found in the testing of incident investigation procedures or more found - but presented without explanation.
- Encase Report included in findings, all clearly identifiable.
- Relevant laws and guidelines have been considered and followed correctly (74-100) (^) • Incident response plan is systematic and produces forensic level documentation
- Correct format of chain of custody is provided with all relevant and detailed information throughout.
- Partition analysis and resolution is excellent, concise and explained well. Evidence of procedures showing in audit phase.
- Audit of actions is complete, thorough, and systematic.
- Evidence Data retrieval process is explained well.
- All artifacts have been recovered from simulated image and justified.
- Encase Report included in findings, all findings detailed and justified in some manner.
- Relevant laws and guidelines have been considered and followed correctly
