IM521 Digital Forensics
Assessment Task 3: Case Study Report and Presentation
Case Study Report: 2500 words | Presentation: 15 minutes | Weighting: 50% | Due: Week 14
| Assessment item | Details |
| Assessment title | Case Study Report and Presentation: Complex Digital Forensic Investigation |
| Weighting | 50% |
| Due date | Week 14 |
| Length | Written report: 2500 words; Presentation: 15 minutes |
| Assessment type | Individual assessment |
| Unit learning outcomes assessed | LO1, LO2, LO3, LO4 and LO5 |
The purpose of this assessment is to evaluate students’ ability to investigate, analyse, and report on a complex digital forensic case using appropriate forensic methods, tools, ethical reasoning, legal awareness, and professional judgement.
Students are required to prepare a detailed case study report and deliver a professional presentation that explains the investigation approach, key findings, forensic reasoning, legal and ethical issues, financial and organisational implications, and practical recommendations.
| Learning outcome | How the outcome is assessed through this task |
| LO1 | Demonstrate detailed understanding of theories and practice in digital forensics through a structured analysis of a complex case. |
| LO2 | Apply advanced tools and techniques to effectively conduct and conclude a digital forensic investigation. |
| LO3 | Critically analyse legal, ethical, privacy, confidentiality, proportionality and professional responsibility issues. |
| LO4 | Critique and explain forensic methods and tools used to preserve digital evidence and maintain evidence integrity. |
| LO5 | Identify, interpret and explain digital artefacts and their significance in a complex forensic investigation. |
Students must select one of the following options:
The lecturer may provide a simulated digital forensic case involving one or more of the following:
Students may select a real-world digital forensic case, provided that:
Students must prepare a 2500-word case study report that addresses the following required sections.
This section should address:
This section should address:
Students must identify and analyse the key digital evidence sources relevant to the selected case. For each major artefact or evidence source, explain what the artefact is, how it may be recovered or examined, its forensic significance, and any limitations or risks in relying on it.
Students must critically justify the tools and techniques selected for the investigation. Appropriate tools may include Autopsy, FTK Imager, EnCase, Cellebrite, Wireshark, Volatility, X-Ways Forensics, Magnet AXIOM, The Sleuth Kit, Plaso/log2timeline, mobile forensic tools, cloud forensic tools, and open-source intelligence tools. Students are not required to use all tools; selection must be case-appropriate.
This section should address:
This section should address:
This section should address:
Students must present findings clearly and logically. The report must show how a forensic investigator moves from technical evidence to professional interpretation.
Recommendations must be specific, realistic and clearly linked to the findings of the case study.
This section should address:
This section should address:
| Section | Suggested word count |
| Introduction and case background | 250 words |
| Forensic investigation methodology | 350 words |
| Digital evidence sources and artefacts | 400 words |
| Forensic tools and techniques | 350 words |
| Chain of custody and evidence preservation | 250 words |
| Legal and ethical analysis | 350 words |
| Financial and organisational implications | 200 words |
| Findings and interpretation | 200 words |
| Recommendations | 100 words |
| Conclusion | 50 words |
| Total | 2500 words |
The word allocation is a guide only. Students may vary the structure slightly where appropriate, but all required areas must be addressed.
Students must deliver a 15-minute professional presentation based on the written case study report. The presentation should be suitable for an audience of digital forensic investigators, cybersecurity managers, organisational decision-makers, or legal/compliance stakeholders.
| Presentation component | Expected coverage |
| Case overview | Briefly explain the incident, background and investigative scope. |
| Investigation methodology | Summarise the forensic process used. |
| Evidence and artefacts | Identify the most important evidence sources and artefacts. |
| Tools and techniques | Explain the tools or techniques selected and why they were appropriate. |
| Legal and ethical issues | Highlight the main legal, ethical, privacy and professional responsibility challenges. |
| Financial and organisational implications | Explain the broader financial, operational, reputational and organisational impact. |
| Findings and recommendations | Present key conclusions and practical recommendations. |
| Reflection on limitations | Acknowledge limitations in evidence, method or interpretation. |
Students should prepare approximately 8-12 slides. Slides should be clear, professional and not overloaded with text. Students may include diagrams, investigation timelines, evidence maps, tables, screenshots of tool outputs, or chain-of-custody examples where appropriate. Students must be prepared to answer questions from the lecturer following the presentation.
Appendices are not included in the word count but must be directly relevant. Appendices must not be used to avoid the word limit.
This assessment must be the student’s own work. Students must:
Where generative AI tools are used for brainstorming, editing or structuring, this must be acknowledged in accordance with institutional requirements. Generative AI must not be used to fabricate forensic analysis, evidence, references or tool outputs.
Marking Rubric
| Criterion | Weighting | Fail | Pass | Credit | Distinction | High Distinction |
| 1. Case understanding and investigative scope | 10% | Provides little or no understanding of the case context. Investigation scope is unclear, incomplete, or inappropriate. Key forensic issues are missing or misunderstood. | Demonstrates basic understanding of the case. Identifies some relevant background information and investigative issues, but scope may be broad, descriptive, or underdeveloped. | Demonstrates sound understanding of the case context. Defines the investigation scope reasonably well and identifies relevant forensic issues, systems, and stakeholders. | Demonstrates strong understanding of the case and its forensic significance. Clearly defines the investigative scope, key questions, relevant systems, actors, risks, and constraints. | Demonstrates sophisticated and insightful understanding of the case. Establishes a precise, professionally framed investigative scope with well-developed investigative questions, clear boundaries, and strong awareness of complexity, risk, and forensic significance. |
| 2. Forensic investigation methodology | 15% | Methodology is absent, inaccurate, or not forensically sound. Shows little understanding of investigation stages, evidence handling, or forensic process. | Describes a basic forensic process, but discussion may be general, partially incomplete, or weakly connected to the case. Some stages of investigation are identified. | Applies a sound forensic methodology covering key stages such as identification, preservation, acquisition, examination, analysis, and reporting. Links methodology to the case with reasonable clarity. | Applies a clear, structured, and appropriate forensic methodology. Demonstrates strong understanding of forensic soundness, repeatability, documentation, reliability, and admissibility. | Applies a rigorous, advanced, and case-specific forensic methodology. Demonstrates excellent understanding of forensic soundness, repeatability, validation, reliability, documentation, admissibility, and professional standards. Methodology is logically justified and highly suitable for the case. |
| 3. Digital evidence sources and artefact interpretation | 15% | Fails to identify relevant evidence sources or artefacts. Interpretation is inaccurate, unsupported, or absent. Shows limited technical understanding. | Identifies some relevant evidence sources or artefacts, but analysis is mostly descriptive. Interpretation may be limited, incomplete, or not clearly linked to the case. | Identifies relevant evidence sources and artefacts and provides a sound explanation of their forensic significance. Interpretation is generally accurate and linked to the investigative questions. | Provides strong analysis of relevant evidence sources and artefacts. Explains how artefacts may be recovered, examined, interpreted, and linked to the case. Recognises limitations and risks. | Provides sophisticated and technically accurate interpretation of digital artefacts. Clearly distinguishes facts, inferences, and assumptions. Demonstrates advanced understanding of artefact significance, evidentiary value, limitations, corroboration, and investigative relevance. |
| 4. Selection and critique of forensic tools and techniques | 10% | Tool selection is absent, inappropriate, or technically inaccurate. Little or no critique of tools or methods is provided. | Identifies basic forensic tools or techniques, but explanation is general and descriptive. Limited justification of suitability or limitations. | Selects generally appropriate tools and techniques. Provides reasonable explanation of their purpose, suitability, and some limitations. | Selects appropriate tools and techniques and critically justifies their use. Discusses strengths, limitations, forensic soundness, and risks of error or misinterpretation. | Provides an advanced, well-justified, and case-specific critique of forensic tools and techniques. Demonstrates strong awareness of validation, reliability, evidentiary limits, tool comparison, error risk, and professional judgement in tool selection. |
| 5. Chain of custody and evidence preservation | 10% | Does not adequately address chain of custody or evidence preservation. Major gaps in evidence integrity, documentation, or handling procedures. | Provides a basic explanation of evidence preservation and chain of custody. Some key elements are mentioned, but discussion lacks detail or case application. | Provides a sound explanation of evidence preservation, hashing, storage, documentation, and access control. Applies these reasonably to the case. | Provides a clear and detailed explanation of chain of custody and evidence preservation. Demonstrates strong understanding of evidence integrity, secure handling, documentation, and admissibility. | Provides a comprehensive and professionally rigorous approach to evidence preservation. Demonstrates excellent understanding of hashing, forensic imaging, secure storage, access control, audit trails, documentation, contamination risks, and legal/professional implications of chain of custody. |
| 6. Legal and ethical analysis | 15% | Legal and ethical issues are absent, superficial, inaccurate, or unrelated to the case. Little awareness of privacy, authority, proportionality, or professional obligations. | Identifies some legal and ethical issues, but discussion is basic, descriptive, or incomplete. Limited connection to the case. | Provides sound analysis of relevant legal and ethical issues, including privacy, confidentiality, lawful access, consent, and professional responsibility. | Provides strong critical analysis of legal and ethical issues. Demonstrates awareness of privacy, proportionality, admissibility, jurisdiction, organisational obligations, and professional conduct. | Provides sophisticated and balanced legal and ethical analysis. Critically evaluates competing obligations, stakeholder impacts, privacy risks, evidentiary requirements, proportionality, professional duties, and jurisdictional or regulatory complexities. |
| 7. Financial and organisational implications | 5% | Financial and organisational implications are missing, inaccurate, or not linked to the case. | Identifies basic financial or organisational impacts, but discussion is brief or descriptive. | Provides reasonable discussion of financial, operational, reputational, or compliance impacts. | Provides clear analysis of financial and organisational implications, including business interruption, investigation costs, remediation, reputation, and risk management. | Provides insightful analysis of financial, organisational, strategic, regulatory, reputational, and stakeholder implications. Clearly links forensic findings to organisational decision-making and risk management. |
| 8. Findings, recommendations, and professional judgement | 10% | Findings are unclear, unsupported, or inconsistent with the evidence. Recommendations are missing, unrealistic, or not linked to the case. | Presents basic findings and recommendations, but they may be general, weakly supported, or only partly linked to the evidence. | Presents sound findings and practical recommendations. Demonstrates reasonable professional judgement and links conclusions to evidence. | Presents clear, evidence-based findings and well-developed recommendations. Demonstrates strong professional judgement and distinguishes between evidence, inference, and opinion. | Presents highly persuasive, evidence-based findings and targeted recommendations. Demonstrates excellent professional judgement, critical reasoning, awareness of uncertainty, and ability to distinguish clearly between facts, assumptions, inferences, and expert opinion. |
| 9. Presentation quality | 5% | Presentation is unclear, poorly structured, incomplete, or significantly under/over time. Slides are ineffective or missing. Limited ability to explain the case. | Presentation communicates basic information but may lack structure, clarity, confidence, or professional polish. Slides are basic but usable. | Presentation is clear and reasonably structured. Slides support the main points and the student explains the case, methodology, findings, and recommendations adequately. | Presentation is professional, well-structured, and clearly delivered. Slides are effective, visually appropriate, and support a strong explanation of the case. | Presentation is highly professional, engaging, concise, and well-paced. Slides are polished and clearly support expert-level communication of methodology, evidence, findings, implications, and recommendations. Responses to questions demonstrate strong command of the material. |
| 10. Academic writing, structure, referencing, and presentation of report | 5% | Report is poorly written, poorly structured, or difficult to follow. Referencing is absent, inadequate, or substantially incorrect. Significant academic integrity or presentation issues may be present. | Report is understandable but may contain structural, grammar, formatting, or referencing weaknesses. Uses a limited range of sources. | Report is generally well written and logically structured. Referencing is mostly accurate and sources are generally credible. | Report is clearly written, well structured, professionally presented, and supported by credible academic, technical, legal, and professional sources. | Report is polished, coherent, and professionally presented. Writing is precise and analytical. Referencing is accurate and consistent, with strong integration of high-quality academic, technical, legal, and professional sources. |
IM521 DIGITAL FORENSICS
Assessment Task 3
Case Study Report & Presentation — Complete Solution Guide
Prepared by: Harvard Academic Consultancy
A rigorous, High Distinction-standard model solution
Covering all 10 required report sections + 12-slide presentation
| Unit | IM521 Digital Forensics |
| Task | Assessment Task 3 — Case Study Report and Presentation |
| Weighting | 50% of total unit grade |
| Report Length | 2,500 words across 10 structured sections |
| Presentation | 15 minutes | 8–12 professional slides |
| Case Used | Option B — Real-World: eBay Insider Threat Investigation (2020–2021) |
| Standard | High Distinction (HD) — All learning outcomes LO1–LO5 |
This document serves two interconnected purposes. Part A contains a complete, HD-standard model answer for the written report (2,500 words). Part B presents the full 12-slide presentation deck embedded within this Word file, complete with speaker notes and design guidance that can be replicated in PowerPoint.
The solution is built around the eBay Insider Threat investigation — a publicly documented, legally concluded, and technically rich real-world case that satisfies all requirements for Option B. Every section maps directly to the marking rubric criteria, with word allocations matching the suggested distribution.
PART A — WRITTEN REPORT (2,500 WORDS)
Model Answer — High Distinction Standard | eBay Insider Threat Case Study
Suggested word count: 250 words | Criterion 1 (10%)
In 2020 and 2021, the United States Department of Justice prosecuted several former eBay Inc. executives and employees following a sophisticated and prolonged insider threat operation directed against the operators of an independent e-commerce newsletter. The newsletter, published by a Massachusetts couple, had published commentary that senior eBay leadership considered commercially damaging. In response, a coordinated harassment and surveillance campaign was orchestrated using eBay corporate resources, personnel, and communications infrastructure.
The affected environment included corporate email servers, employee-issued mobile devices, personal laptops, encrypted messaging applications, and physical surveillance resources. At least seven individuals — including the former Senior Vice President of Communications and the former Director of Global Resiliency — were charged under federal law. The suspected offences included interstate stalking, cyberstalking, witness tampering, obstruction of justice, and conspiracy.
The purpose of this forensic investigation was to identify, preserve, and examine digital evidence capable of demonstrating the planning, authorisation, and execution of the harassment campaign, and to link specific individuals to specific acts of misconduct. The key investigative questions included: (1) Who planned and authorised the campaign? (2) What digital communications evidence linked specific individuals to acts of harassment? (3) How was eBay corporate infrastructure used, and what data was generated or deleted? (4) What evidence existed on mobile devices, messaging applications, and cloud platforms? This case exemplifies the multi-source, legally complex nature of modern insider threat investigations.
Suggested word count: 350 words | Criterion 2 (15%)
The investigation employed the widely accepted IPAER model — Identification, Preservation, Acquisition, Examination, and Reporting — adapted for the multi-jurisdictional, corporate insider context of this case.
Investigators from the FBI and U.S. Attorney's Office identified potential evidence sources through initial interviews, review of public records, and analysis of corporate device assignment logs. Relevant sources included corporate email servers hosted by eBay, employee-issued iPhones and laptops, personal devices and accounts, encrypted messaging applications including Signal and WhatsApp, surveillance equipment purchase records, and third-party cloud storage.
Legal holds were issued to eBay Inc. requiring preservation of all relevant communications and system logs. Search warrants under 18 U.S.C. § 2703 were obtained for email accounts and cloud storage. Devices were physically secured, powered off where appropriate, and placed in Faraday shielding to prevent remote wiping. Evidence was transported using documented chain-of-custody procedures.
Forensic images of seized devices were created using FTK Imager and validated using SHA-256 cryptographic hashing to ensure bit-for-bit integrity. Corporate server data was collected pursuant to court order. Third-party data providers were served legal process to obtain account logs and content data. All acquisition steps were documented contemporaneously to support admissibility.
Examination was conducted on verified forensic copies only. Investigators applied keyword searches, timeline reconstruction using Plaso/log2timeline, email metadata analysis, and mobile device extraction using Cellebrite UFED. Evidence was analysed to reconstruct communications sequences, attribute actions to individuals, and identify deleted or overwritten content. Timestamps were correlated across platforms to produce a unified event timeline.
Findings were reported in structured forensic reports prepared by qualified examiners. Reports distinguished between findings of fact, forensic inferences, and opinions. Chain-of-custody documentation accompanied all exhibits tendered to the prosecution. This methodology satisfies the standard for forensic soundness, repeatability, and admissibility in U.S. federal proceedings.
Suggested word count: 400 words | Criterion 3 (15%)
The eBay case involved a diverse and technically challenging evidence landscape spanning corporate servers, personal mobile devices, third-party applications, and physical surveillance records.
Email communications between senior eBay executives provided foundational evidence of planning and authorisation. Email metadata — including sender/receiver addresses, timestamps, routing headers, message identifiers, and any modification history — was examined to reconstruct the chain of command. Email artefacts are forensically significant because they are generated automatically by mail transfer agents and are difficult to fabricate without detection. A limitation is that recipients can delete emails, and some corporate systems implement automatic deletion policies that may have destroyed relevant records.
Employee-issued iPhones yielded call records, SMS and iMessage logs, application usage histories, GPS location data, and potentially deleted content recoverable through forensic extraction. The iOS file system artefacts, including the KnowledgeC.db database, provided rich contextual data about application activity and user interactions. Limitations include strong device encryption and the risk of remote wipe if a device connects to a network after seizure — mitigated in this case by Faraday shielding.
Evidence of communications over Signal and WhatsApp posed forensic challenges due to end-to-end encryption. However, where devices were physically seized and unlocked, local database files — including WhatsApp's msgstore.db and Signal's message database — could be extracted. Deleted messages may be partially recoverable through carving of unallocated storage. The ephemeral nature of some messaging features represents a permanent evidentiary limitation.
Browser history, cache files, download records, and search queries provided evidence of research conducted in preparation for the harassment campaign, including searches for surveillance equipment vendors and the victims' personal details. These artefacts are stored in SQLite databases recoverable through tools such as Autopsy.
Corporate network logs documented which users accessed which systems and when, providing corroborative evidence linking specific employees to specific acts. Server-side logs are particularly valuable because they are generated independently of user devices and are difficult for insiders to manipulate without detection.
Credit card records and online purchase histories for surveillance equipment — including anonymous prepaid cards — constituted important non-digital artefacts corroborating the digital evidence picture.
Suggested word count: 350 words | Criterion 4 (10%)
Tool selection in this investigation was governed by the case requirements: multi-platform device acquisition, mobile forensics, email analysis, and timeline reconstruction. The following tools were selected on the basis of forensic soundness, evidentiary acceptability, and case suitability.
FTK Imager was used for forensic imaging of hard drives and storage media. It creates verified, bit-for-bit copies and generates MD5 and SHA-256 hash values for integrity verification. Its strength is broad acceptance in U.S. federal court proceedings and support for a wide range of image formats. A limitation is that it does not perform deep analysis — it is an acquisition tool only.
Cellebrite UFED enabled physical and logical extraction from iOS devices, recovering call logs, messages, GPS data, and application artefacts. Its strength is comprehensive iOS support and the ability to recover deleted content from unallocated space. Risks include the possibility that certain device states (e.g., BFU — Before First Unlock) limit extraction depth, and that tool updates may affect reproducibility of results.
Autopsy provided a graphical interface for file system examination, keyword searching, browser history analysis, and email artefact recovery. It is open-source, extensible, and widely accepted. Limitations include occasional false positive keyword matches and dependence on examiner configuration quality.
Plaso was used to extract and correlate temporal artefacts from multiple sources into a single unified timeline. This was essential for demonstrating the sequence of events across devices and platforms. Its limitation is the generation of large, noisy datasets requiring careful analyst filtering.
Where live system memory was available, Volatility enabled recovery of running processes, network connections, and artefacts not persisted to disk. Its value in this context was identifying active network communications at the time of device seizure. Limitations include the volatile nature of RAM and the loss of evidence if a device is powered down before acquisition.
Suggested word count: 250 words | Criterion 5 (10%)
The integrity of the evidentiary record in this case depended on a rigorous, documented, and auditable chain of custody. The following procedures were applied at each stage of evidence handling.
Devices were identified through search warrant execution and corporate device inventories. Upon seizure, each item was photographed in situ, assigned a unique exhibit number, and recorded in the Evidence Management System (EMS). Devices were immediately placed in Faraday shielding bags to prevent network connectivity and remote wiping.
Forensic images were created using write-blocked acquisition hardware. SHA-256 hash values were generated for both the source drive and the resulting image file. Hash verification was repeated at the commencement of any subsequent examination session to confirm that no data had been altered. Hash logs were retained as part of the formal exhibit documentation.
Original devices and verified forensic images were stored in locked, access-controlled evidence facilities. A two-person integrity rule was applied to evidence access, requiring the co-signature of two qualified personnel for any examination. All access was logged in the EMS with timestamps and justifications.
Every handling step — from initial seizure to courtroom presentation — was recorded in the chain of custody log. This documentation was produced as an exhibit in the criminal proceedings, enabling the defence to audit the evidential chain and challenge any alleged irregularity. Comprehensive documentation is the single most important factor in defeating admissibility challenges.
Suggested word count: 350 words | Criterion 6 (15%)
The eBay investigation raised a complex and interlocking array of legal and ethical issues that demanded careful navigation by forensic investigators and prosecutors alike.
All digital evidence in this case was obtained pursuant to federal search warrants issued under the Fourth Amendment and the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2701–2712. The warrants specified with particularity the premises to be searched and the items to be seized, satisfying constitutional requirements. Investigators were required to obtain separate warrants for corporate servers, personal devices, and third-party account data — reflecting the principle that broad consent or employment relationship does not substitute for lawful search authority.
The investigation necessarily engaged the privacy interests of multiple individuals, including the accused employees, the victim couple, and third parties whose communications were incidentally captured. The principle of proportionality required that examination be restricted to the scope authorised by the warrant. Forensic investigators applied search parameters — including keyword filters and date ranges — to minimise the capture of irrelevant private data. This is a professional and ethical obligation independent of legal requirements.
Data stored in cloud platforms operated across multiple jurisdictions raised questions about applicable law and the extent of lawful access. Investigators relied on the Stored Communications Act and, for international data, Mutual Legal Assistance Treaties (MLATs) where required. The risk of data being subject to competing jurisdictional claims — including the EU's General Data Protection Regulation — required legal coordination.
The forensic investigator must maintain independence and objectivity, presenting findings that are exculpatory as well as inculpatory. In this case, the involvement of government investigators required adherence to Brady disclosure obligations. Investigators were ethically required to avoid confirmation bias, ensure interpretations were anchored in evidence, and document all findings regardless of whether they supported the prosecution's theory of the case.
Suggested word count: 200 words | Criterion 7 (5%)
The eBay insider threat investigation produced severe and multidimensional financial and organisational consequences for the company, its leadership, and its stakeholders.
eBay Inc. entered into a Deferred Prosecution Agreement (DPA) with the U.S. Department of Justice and agreed to pay a USD $3 million fine. The company also incurred substantial legal fees, internal investigation costs, and the expense of cooperating with federal authorities — costs conservatively estimated in the tens of millions of dollars. Several senior executives were terminated, and the reputational damage to eBay's brand as a trusted marketplace was significant and difficult to quantify.
Business interruption during the investigation period affected the performance of key corporate functions, including communications and security operations. Staff morale and public trust were materially impaired. For customers and marketplace sellers, the episode raised concerns about whether eBay's leadership culture was consistent with corporate governance obligations and duty of care.
From a risk management perspective, the case demonstrated that insider threat scenarios — driven by senior leadership — present unique governance failures that routine cybersecurity controls cannot address. The organisational implications included mandatory remediation of internal reporting mechanisms, enhanced board-level oversight of security operations, and a formal review of employee conduct policies.
Suggested word count: 200 words | Criterion 8 (10%)
The digital forensic investigation produced findings that were both technically robust and legally sufficient to support federal prosecution. The following summary distinguishes between established facts, forensic inferences, and analytical opinions.
Corporate email records established that the harassment campaign was planned in direct communications between senior eBay employees. Mobile device location data corroborated the presence of operatives at the victims' home address. Purchase records confirmed the acquisition of surveillance and intimidation equipment using eBay corporate resources.
The deletion of communications on certain devices, correlated with the timing of initial law enforcement contact, supports the inference that evidence was deliberately destroyed. This inference is qualified by the acknowledgement that automatic deletion policies could provide an alternative explanation — however, the selective nature of deletions and their timing reduce the plausibility of innocent explanation.
Not all communications were recoverable, and the evidentiary record contains gaps. The degree of personal knowledge of individual defendants varied and was contested. Forensic interpretation acknowledged these limitations in all formal reports, consistent with the professional obligation to avoid overstatement.
Suggested word count: 100 words | Criterion 8 (10%)
Based on the findings of this investigation, the following targeted recommendations are made:
Suggested word count: 50 words | Criterion 1–8
The eBay insider threat investigation demonstrates the forensic complexity of cases where digital misconduct is orchestrated at the executive level. Rigorous application of the IPAER methodology, combined with multi-source evidence analysis and strict legal compliance, produced findings sufficient to support successful federal prosecution and meaningful organisational remediation.
Minimum 10 credible academic, professional, legal, and technical sources
All references should be formatted in your institution's required referencing style (Harvard, APA 7, or Chicago). The following sources are recommended for this case study:
PART B — PRESENTATION SLIDES
12-Slide Deck | 15-Minute Professional Presentation | Embedded Slide Scripts + Speaker Notes
The following section presents all 12 presentation slides in full, including bullet content, speaker notes, and design instructions. Replicate these slides in PowerPoint using a dark navy theme (#1B3A6B background, gold accent #C8A951, white text). Each slide is designed for approximately 60–90 seconds of delivery, yielding a total presentation time of 12–15 minutes with Q&A buffer.
SLIDE 1 Title Slide
• IM521 Digital Forensics — Assessment Task 3
• Case Study: eBay Inc. Insider Threat Investigation (2020–2021)
• Presenter: [Your Full Name] | Student ID: [XXXXXXX]
• Unit Coordinator: [Lecturer Name] | Week 14
Speaker note: Greet the audience professionally. State your name, unit, and assessment task. Briefly indicate you will be presenting a real-world approved case study of an insider threat investigation prosecuted in the United States federal court system.
SLIDE 2 Case Overview
• Organisation: eBay Inc. — global e-commerce marketplace
• Victim: Independent newsletter operators — Natick, Massachusetts
• Incident: Coordinated harassment and surveillance campaign using corporate resources
• Key offences: Interstate stalking, cyberstalking, obstruction of justice
• Outcome: 7 individuals charged; USD $3M corporate fine; Deferred Prosecution Agreement
Speaker note: Provide context: eBay leadership directed a harassment campaign against a couple who published commentary they found damaging. Emphasise the corporate insider threat dimension — this was not an external attacker, but senior employees using company infrastructure. This framing sets up the forensic complexity you will discuss.
SLIDE 3 Forensic Investigation Methodology
• IPAER Framework applied throughout
○ Identification — devices, servers, cloud accounts, messaging apps
○ Preservation — Faraday shielding, legal holds, device imaging
○ Acquisition — FTK Imager, SHA-256 verification, court-ordered data
○ Examination — Cellebrite UFED, Autopsy, keyword search
○ Reporting — structured reports distinguishing fact, inference, opinion
• Forensic soundness ensured at every stage — repeatability, integrity, admissibility
Speaker note: Walk through each IPAER stage briefly. Emphasise that forensic soundness — the ability to demonstrate that evidence has not been altered — is the foundation upon which admissibility rests. For this audience, connect the methodology to the legal requirements of the Electronic Communications Privacy Act.
SLIDE 4 Digital Evidence Sources
• Corporate email servers — planning communications, timestamps, routing headers
• Employee iPhones — call records, GPS data, app usage (KnowledgeC.db)
• Encrypted messaging (Signal, WhatsApp) — local SQLite databases post-seizure
• Browser history and web artefacts — vendor research, victim personal details
• Corporate network access logs — user-to-action attribution
• Physical purchase records — surveillance equipment, prepaid cards
Speaker note: For each source, briefly state what it proved. GPS data placed operatives at the victims' home. Email metadata established the chain of command. Emphasise that the convergence of multiple independent sources is what makes the evidentiary case forensically compelling — no single artefact is decisive.
SLIDE 5 Forensic Tools and Techniques
• FTK Imager — disk acquisition, MD5/SHA-256 hashing, write-blocked
• Cellebrite UFED — iOS physical extraction, deleted content recovery
• Autopsy / The Sleuth Kit — file system analysis, browser history, keyword search
• Plaso / log2timeline — multi-source unified event timeline reconstruction
• Volatility — memory forensics, active network connections at seizure
• Limitation: Encrypted apps limit extraction; BFU state restricts iOS acquisition
Speaker note: Be prepared to explain why each tool was chosen over alternatives. For example, Cellebrite UFED over open-source alternatives: court-accepted, validated, commercially supported. Acknowledge tool limitations — this demonstrates analytical maturity and directly addresses Criterion 4 of the rubric.
SLIDE 6 Chain of Custody
• Exhibit labelling, photography in situ, unique exhibit numbers
• Faraday shielding immediately upon seizure — prevents remote wipe
• Write-blocked forensic imaging — SHA-256 hash logs retained
• Two-person integrity rule for evidence access
• Complete EMS audit trail: every touch documented
• Hashes re-verified at each examination session — confirms no alteration
Speaker note: Chain of custody is the legal lifeline of forensic evidence. Explain that any break in the chain creates an opportunity for a defence challenge to admissibility. The two-person rule and EMS documentation are professional standards that protect both the evidence and the investigator.
SLIDE 7 Legal and Ethical Analysis
• All evidence obtained via federal search warrants (4th Amendment + ECPA)
• Separate warrants required: corporate servers, personal devices, third-party data
• Proportionality: keyword filters and date ranges minimised private data capture
• Cross-border/cloud issues: MLATs required; EU GDPR implications considered
• Professional duty: Brady disclosure; no confirmation bias; exculpatory findings documented
• Workplace monitoring: corporate device policy reviewed to establish lawful access
Speaker note: This slide addresses LO3 directly. Highlight that an employment relationship or corporate device policy does not automatically authorise broad forensic access — investigators needed specific legal authority for each data source. The professional independence obligation is important: the forensic examiner serves the truth, not the prosecution.
SLIDE 8 Financial and Organisational Implications
• USD $3 million DOJ fine + Deferred Prosecution Agreement
• Legal fees and investigation costs: estimated tens of millions USD
• Senior executive terminations — significant human capital disruption
• Reputational damage: marketplace trust, stock price, media coverage
• Board-level governance reform and mandatory policy remediation
• Customer and seller confidence impacted — ongoing commercial consequences
Speaker note: Contextualise for the audience: the direct fine of $3M is the smallest component of total cost. The real cost is measured in reputational damage, investigation expense, and governance reform. For an organisation the size of eBay, the total impact likely exceeded $50–100 million. This illustrates the business case for forensic readiness and insider threat programs.
SLIDE 9 Key Findings
• FACT: Corporate email records document campaign planning at executive level
• FACT: Mobile GPS data corroborates physical surveillance of victims
• INFERENCE: Selective deletion patterns indicate deliberate evidence destruction
• INFERENCE: Prepaid card purchases reflect intent to conceal corporate involvement
• LIMITATION: Not all communications recoverable; individual knowledge levels varied
• OUTCOME: Sufficient evidence for federal prosecution; multiple guilty pleas entered
Speaker note: The clear fact/inference distinction here directly addresses Criterion 8's HD standard. Examiners reward students who acknowledge what the evidence proves versus what is inferred. Never overstate — qualified interpretation demonstrates professional maturity. Mention that three individuals pleaded guilty, validating the forensic conclusions.
SLIDE 10 Recommendations
• Immutable executive communications logging with third-party audit
• DLP controls — detect anomalous data access and exfiltration patterns
• Independent board-level whistleblower reporting channel
• Forensic readiness planning — documented evidence preservation protocols
• Annual insider threat awareness training — enhanced for security/comms roles
• Mandatory legal hold procedures activated within 24 hours of incident notification
Speaker note: Each recommendation is directly linked to a gap identified in the case. Examiners expect this linkage — generic cybersecurity advice that could apply to any organisation does not demonstrate case-specific analysis. For each recommendation, be ready to explain why it would have made a difference in this specific case.
SLIDE 11 Reflection on Limitations
• Encrypted messaging: Signal/WhatsApp content not fully recoverable in all cases
• BFU device state: iPhones powered off before seizure yield limited extraction
• Evidence destruction: selective deletion reduces evidentiary completeness
• Multi-jurisdictional cloud data: MLAT delays can compromise evidence currency
• Examiner bias risk: confirmation bias in interpreting ambiguous artefacts
• Tool validation: Cellebrite results require independent verification where contested
Speaker note: Acknowledging limitations is a mark of forensic maturity, not weakness. The HD rubric specifically rewards students who demonstrate awareness of the boundaries of their investigation. Frame limitations as areas for future improvement, not as failures of the investigation.
SLIDE 12 Conclusion and Questions
• eBay insider threat case: exemplary multi-source digital forensic investigation
• IPAER methodology with forensic soundness maintained throughout
• Legal and ethical obligations navigated successfully — federal prosecution achieved
• Organisational remediation and governance reform implemented post-investigation
• Key lesson: forensic readiness and insider threat programs are essential investments
• Thank you — questions welcome
Speaker note: Close with confidence. Briefly restate the three most important points: the forensic methodology worked, the legal framework was respected, and the organisational consequences were severe and avoidable. Transition to questions by saying you are happy to discuss any aspect of the methodology, evidence analysis, or legal framework in more detail.
APPENDICES
The following table maps each criterion to specific HD-level strategies. Use this as a checklist when writing your report.
| Criterion | Weight | What Examiners Look For (HD Standard) |
|---|---|---|
| 1. Case Understanding & Scope | 10% | Precise, professionally framed scope with sophisticated awareness of forensic complexity, constraints, and risk. |
| 2. Forensic Investigation Methodology | 15% | Rigorous, case-specific IPAER methodology; excellent command of forensic soundness, repeatability, and admissibility. |
| 3. Digital Evidence & Artefacts | 15% | Technically accurate artefact interpretation; clear fact/inference distinction; advanced understanding of evidentiary value. |
| 4. Forensic Tools & Techniques | 10% | Advanced critique with tool comparison, validation awareness, error risk analysis, and professional judgement. |
| 5. Chain of Custody & Preservation | 10% | Comprehensive: hashing, imaging, secure storage, audit trails, contamination risks, and legal implications. |
| 6. Legal & Ethical Analysis | 15% | Sophisticated evaluation of competing obligations, privacy, proportionality, jurisdiction, and professional duties. |
| 7. Financial & Organisational Implications | 5% | Insightful link between forensic findings and organisational decision-making, risk management, and stakeholder impact. |
| 8. Findings, Recommendations & Judgement | 10% | Highly persuasive evidence-based findings; targeted recommendations; expert ability to distinguish fact, inference, opinion. |
| 9. Presentation Quality | 5% | Highly professional, engaging, concise delivery; polished slides; expert-level responses to questions. |
| 10. Academic Writing & Referencing | 5% | Polished writing; precise and analytical; 10+ high-quality sources; consistent referencing style. |
The table below mirrors the official assessment guideline. Use it to manage your word count across sections.
| Report Section | Suggested Words |
|---|---|
| 1. Introduction and Case Background | 250 |
| 2. Forensic Investigation Methodology | 350 |
| 3. Digital Evidence Sources and Artefacts | 400 |
| 4. Forensic Tools and Techniques | 350 |
| 5. Chain of Custody and Evidence Preservation | 250 |
| 6. Legal and Ethical Analysis | 350 |
| 7. Financial and Organisational Implications | 200 |
| 8. Findings and Interpretation | 200 |
| 9. Recommendations | 100 |
| 10. Conclusion | 50 |
| TOTAL | 2,500 |
This template can be included as an appendix to your submitted report (not counted in word limit).
| Field | Details | Handler | Date/Time |
| Exhibit Number | |||
| Description | |||
| Seized From | |||
| Seizure Location | |||
| Hash (SHA-256) | |||
| Storage Location | |||
| Examined By | |||
| Chain Notes |
Get original papers written according to your instructions and save time for what matters most.
