Efficient Attack Detection in IoT Devices using Feature Engineering-Less Mach...
Forensic challenges of Internet mobility protocols
1. ELECTRONIC
ASSIGNMENT
COVERSHEET
Student Number 31510992
Surname Dines
Given name Rodney Dines
Email murdoch.edu.au@roddines.com
Unit Code ICT349
Unit name Forensic Data Analysis
Enrolment mode Internal Fulltime
Date Monday 18 May 2015 (Due: 9 amMonday Week 12)
Submitted Tuesday 30 June 2015 under arrangement.
Assignment number 1
Assignment name Research Essay (2000 words)
Tutor Danny Toohey
Student’s Declaration:
Except where indicated, the work I am submitting in this assignment is my own work and has
not been submitted for assessment in another unit.
This submission complies with Murdoch University's academic integrity commitments. I am
aware that information about plagiarism and associated penalties can be found at
http://www.murdoch.edu.au/teach/plagiarism/. If I have any doubts or queries about this, I am
further aware that I can contact my Unit Coordinator prior to submitting the assignment.
I acknowledge that the assessor of this assignment may, for the purpose of assessing this
assignment:
o reproduce this assignment and provide a copy to another academic staff member; and/or
o submit a copy of this assignment to a plagiarism-checking service. This web-based service
may retain a copy of this work for the sole purpose of subsequent plagiarism checking, but
has a legal agreement with the University that it will not share or reproduce it in any form.
I have retained a copy of this assignment.
I will retain a copy of the notification of receipt of this assignment. If you have not received a
receipt within three days, please check with your Unit Coordinator.
I am aware that I am making this declaration by submitting this document electronically and by using
my Murdoch ID and password it is deemed equivalent to executing this declaration with my written
signature.
Optional Comments to Tutor:
E.g. If this is a group assignment,listgroup members here
2. Forensic Data Analysis – Assign 1 – Research Essay
Chosen Topic:
The consequences of Internet mobility protocols on network forensics
Contents
Forensic Data Analysis – Assign 1 – Research Essay...................................................2
Overview of the consequences of Internet mobility protocols on network forensics ....3
Background ................................................................................................................3
Types of mobility protocols ...................................................................................4
Brief explanation of Mobility protocol components..............................................4
Consequences of the Internet mobility architecture type.......................................5
Consequences of the transparency of mobility ......................................................5
Consequences of the Internet mobility mechanism ...............................................6
Consequences of the speed of mobility .................................................................6
Consequences of the heterogeneity of wireless communications ..........................7
Identifying the use of Internet mobility .................................................................7
Conclusions............................................................................................................8
References..................................................................................................................9
Appendix – Assignment Information and Supporting Material Provided ...................11
ICT349 Forensic Data Analysis (s1, 2015) .........................................................11
Research Essay.......................................................................................................11
Grading criteria .................................................................................................13
3. Overview of the consequences of Internet mobility
protocols on network forensics
Background
The Internet infrastructure we use today was originally designed in a very different
context and era. The architecture of the predominant Internet Protocol (IP), IPv4 we
use today was designed for static hosts on fixed networks without and initially
without a Domain Naming System (DNS). Many features of the Internet have
evolved over time to utilise the underlying concept of the Internet in new and
interesting ways, such as the World Wide Web (WWW) and their web browsers.
However todays’ ubiquitous computing world is increasingly being dominated by the
use of smartphone and other mobile technologies and this has the implication that a
number of changes to the technology we use for communicating are occurring. Cisco
estimates mobile data traffic will increase more than sixfold in the next four years
(Cisco, 2015).
At the nexus of the increasingly ubiquitous mobility and more powerful hand held
computing devices is a driving demand for the requirement to remain connected as we
utilise a range of heterogeneous mobility enabling wireless communications. This is
being met with an increasing number of Internet mobility protocols, which attempt to
resolve the disparity between the static notion of the Internet of old and the mobility
desired and increasingly required in today’s Internet (Hou, Liu, & Gong, 2010;
Johnson et al., 2004; Oki, Rojas-Cessa, Tatipamula, & Vogt, 2012; Zhu, UCLA,
Wakikawa, Toyota ITC, & Zhang, 2011). Many of the forensics tools, techniques and
procedures utilised today to analyse Internet activities are bedded in the architecture
of the Internet of old, and new challenges are being presented to investigators on how
to forensically decipher user activity in the growing presence and use of these new
mobility protocols.
There are a number of different approaches to implementing Internet mobility; these
differing approaches result in different impacts on network and cyber forensics. At
the core of the issue is that Internet mobility must break the end to end transparency
that has been a core design principle of the Internet of the past (Carpenter, 2000). We
already experience this in some application layer communication infrastructures such
as Skype and instant messaging; even email is a form of indirect communication that
utilises the Internet. However these communication systems are now well understood
and in most cases, they leave some recorded data or meta-data on both the end client
and network-devices that can be used to glean or infer additional information about
the communication that took place and the path it took; this information can often be
corroborated through additional evidence from elsewhere, including network
forensics.
The nature of Internet mobility requires that it must in some way orchestrate a
redirection of IP traffic destined for a specific IP identity address, which serves to
identify the mobile device, to the actual IP address that locates where the device is
currently attached to the Internet. This is a deception designed to facilitate the
functionality of mobility but it also becomes an additional problem for the forensic
analysis of Internet activities. This essay is not intended to exhaustively survey all the
protocols available for deploying Internet mobility; instead it examines common
4. aspects of how these protocols work, and attempts to briefly explore the impact they
have on cyber forensics techniques.
Types of mobility protocols
In the last fifteen years or so the development of Internet mobility protocols has
progressed and today we have a few primary candidates that appear to be making in-
roads into the world of use and acceptance. These protocols include: Mobile IP (MIP)
(Johnson et al., 2004) and derivatives like Proxy MIP (PMIP) (Kong, Lee, Han, Shin,
& You, 2008) and NEtwork MObility Basic Support (NEMO-BS) (Devarapalli et al.,
2005); Locator/ID Splitting Protocol (LISP) (Farinacci, Cisco Systems, Fuller,
Meyer, & Lewis, 2013) and its Mobile Node (MN) derivative LISP-MN (Rodríguez
Natal et al., 2013) and Mobile Router (MR) derivative LISP-MN-NEMO (Yizhen,
Ke, Kaiping, & Dan, 2014) ; and Host Identity Protocol (HIP) (Moskowitz et al.,
2015; Moskowitz et al., 2008) and HIP-NEMO (Chen, Hu, Chai, & Dong, 2011).
These all utilise differing methods of implementing Internet mobility with different
cyber and network forensic consequences.
Architecture
Network Vs
Client Based
Mechanism
Tunnelling Vs
Map-Encap
Speed
of Mobility
Heterogeneous
Network
Multihoming
MIP Client + Net Tunnelling Medium No
PMIP Network Tunnelling Med-Fast No
NEMO-BS Network Tunnelling Medium No
LISP Network Map-Encap Slow No
LISP-MN Client + Net Map-Encap Med-Fast Yes
LISP-MN-NEMO Network Map-Encap Med-Fast Yes
HIP Client Map-Encap Med-Fast Yes
HIP-NEMO Network Map-Encap Med-Fast Yes
Table 1: Internet mobility protocol characterisitics
The different types of Internet mobility have differing characteristics as per Table 1
above. The consequences of these different characteristics are discussed in the
following sections.
Brief explanation of Mobility protocol components
Mobility protocols utilise indirection to distinguish between a host identity (identity)
and its network location (locator) (Zhu et al., 2011). This implies that in order for
network traffic to find an appropriate route requires that there is a mechanism to track
and link changes between these two aspects. This “mapping” mechanism must
resolve the correct network locator for which to route or forward the traffic for a
specific host identity; and then route the traffic to it. In simple terms you can think of
the metaphor of asking a telephone operator for a phone number (locator) based on
the person’s name (identity), and having them connect you.
It follows that all these Internet mobility protocols can be summarised into three
essential components (Zhu et al., 2011):
1. A stable identifier for a Mobile Node (MN);
2. A current locator, which is usually an IP address representing the MN’s
current Internet topographical location; and
5. 3. A mechanism for mapping between the identifier and the locator, which is
updated as the MN/MR1 moves between Layer-Three (L3) networks and
detected as having done so.
4. The Correspondent Node (CN) with which IP communication is occurring;
5. The MAPing server (MAP) which is a server where the mapping information
for the resolution between Identifiers and their Locators are kept.
6. An optional component is a Rendezvous Server (RVS): The network device
that can provide the function of enabling a fixed point for the connecting of
the MN/MR with the CN. This may be married to the MAP server function.
These components are identified in a conceptual diagram shown in Figure 1 below of
a generalised indirection based Internet mobility protocol.
Figure 1: Conceptual components of a generalisedindirection basedInternet mobility protocol
Consequences of the Internet mobility architecture type
Internet mobility protocols can be delivered by utilising network devices within the
network infrastructure or within the mobile device itself, or with a combination of
both. When the mobility enabling aspect is embedded in the end device then it may
leave clues as to what type of mobility architecture has been utilised and end-point or
near end-point network traffic analysis is likely to yield clues as to what type and
nature of Internet indirection has occurred. When the mobility is enabled only
through the network infrastructure then the deception of the specific redirection may
be completely lost to the forensic investigator; in this case the deception will likely
remain undisclosed without specific access to mechanisms of auditing and
accountability within the network based mobility enabling infrastructure. This is akin
to similar problems that complicate network forensics in Peer-to-Peer (P2P)
networked applications such as Bit Torrent file sharing (Taylor, Haggerty, Gresty, &
Fergus, 2010). For some time now security researchers have proposed a series of
Network Forensic Frameworks (NFFs) to provide the required assistance for such
complex tasks but these all remain proposals only with no known formal acceptance
and implementation by providers and their regulators (Khan et al., 2014).
Consequences of the transparency of mobility
In contrast to the desire for NFFs current forensic techniques typically rely on slow
investigative activities in tracking down a correspondent’s IP address location. The
IP address when correlated with time and date typically locates the place through ISP
records where the traffic terminated. The meta-data in ISP records that link IP
1 A MR is like an MN when but is instead a mobile network in a NEtwork MObility (NEMO) scenario.
6. addresses to customers are often required by law to be archived for some specific
period (Parliament of Australia, 2015). When indirection for mobility has occurred,
the meta-data that would reveal this may not have ever been recorded. You can think
of this as akin to the content and not just the meta-data of DNS lookups. It is likely
there is no requirement to retain the content or result of the mobility mapping
system’s lookups by law; this is likely due to a lack of technical understanding by law
makers, and their advisors, they may also have not mandated and facilitated the
required level of accountability that later allow for a redirected route to be traced and
attributed to a client account. At the very least the indirection creates another level of
confusion that potentially needs to be explained in a court to non-technical judges and
jurors. Potentially not knowing where an end point is located at a particular time and
date makes it far more difficult for investigators to determine and prove situational
clarity and for prosecutors alike to present a strong argument for the case. The result
could be likened to Internet users deliberately utilising route obfuscation techniques
like The Onion Router (TOR) (Hansen, 2013).
Consequences of the Internet mobility mechanism
Independent of where the indirection required for mobility occurs, the indirection
technique may also add an additional burden to forensic analysis. There are two
primary types of indirection technique employed by Internet mobility protocols.
These are known as tunnelling and map and encapsulate (or map and encap).
Tunnelling mobility protocol architectures effectively maintain one fixed globally
known IP address for the Mobile Node (MN) then tunnel traffic to and from the
mobile device to the Correspondent Node (CN). One mobility protocol called Mobile
IP (MIP) typically directs traffic through a tunnel between the MN and a Home Agent
(HA) – which is like the RVS in Figure 1 above – before that network device redirects
traffic to and from the CN. In either case network traffic that is captured through a
local mobile operator may possibly be used to analyse the mobility traffic. Depending
on the version of MIP there is an encryption key used for securing traffic between the
FA/HA and this may possibly be decrypted using discoverable shared configuration
information.
HIP and LISP based protocols utilise a map and encapsulate approach. While LISP
based mobility protocols often do not encrypt traffic it is however encapsulated in
another header, depending on where it is forensically captured and what type of
mobility protocol is in use. HIP based protocols always use an Internet Protocol
Security (IPsec) mechanism to encrypt all traffic between HIP network nodes. They
also use transient encryption keys based on a Public Key Infrastructure (PKI) and
these are negotiated per session like in the case of Secure Sockets Layer
(SSL)/Transport Layer Security (TLS) and are effectively not going to be recoverable
at all. And unlike SSL/TLS which is invoked at an application level HIP will encrypt
all network traffic between HIP nodes regardless of what application is in use. Since
HIP can be configured as a pure client configuration it acts a lot like a Virtual Private
Network (VPN). It is conceivable it could be explicitly being used for securing
communications channel for the express purpose of avoiding scrutiny and also
providing the benefits of mobility while adding obscurity.
Consequences of the speed of mobility
Mobility can cause another problem to arise through the lack of time accuracy of
meta-data records. In the past even non-static DHCP assigned IP addresses of users
7. changed rarely and the consequences of small time differences in records could
usually be disregarded or alleviated by surrounding data that could be correlated to
determine recorded time differences. But when fast mobility is occurring between
heterogeneous wireless network infrastructures time differences of minutes or even
tens of seconds may make it very difficult to establish and prosecute a link between
network records and actors.
Consequences of the heterogeneity of wireless communications
When MN/MRs and their underlying mobility protocols are deliberately utilising a
heterogeneous or hybrid sets of wireless communications it may no longer be possible
for investigators to require one provider to collate disparate sources of network meta-
data together and provide a uniform data set for forensic analysis. Now the
investigator may have to determine a series of many different sets of disparate
network data, perhaps with significant time error offsets and somehow weave this
back together in a coherent manner in order to derive the required data set for through
analysis. You might think of this as a criminal using five different mobile phones
with five different mobile service providers and then only saying every fifth word
through any one device, and changing to the next for each following word. In this
scenario examining one network’s data may reveal very little information on its own.
Identifying the use of Internet mobility
For a cyber-forensic investigator to successfully investigate mobile-device network
forensics they will need to start to understand Internet mobility protocols. Self-
education and training preparation can make the task a lot easier. Identifying the
protocol in use will require an understanding of the key characteristics of client based
mobility protocols in order to know what to look for to identify them. Just being
aware they exist will greatly help to avoid some confusion when analysing network
traffic that may be difficult to understand. Certainly the traffic may appear to be
something like a VPN in many cases. In the case of HIP it is its own transport layer
protocol, but it also utilises IPsec.
Network Forensic Analysis (NFA) tools like Wireshark already have protocol
knowledge of the primary protocols in use today. More information is listed in Table
2 below:
Base Mobility
Protocol
Network layer &
Assigned port numbers
Further information
MIP (IPv4)
(Perkin & WiChorusInc,
2010)
App layer protocol
UDP:434
https://www.wireshark.org/docs/dfref/m/mip.html
https://tools.ietf.org/html/rfc5944
http://www.iana.org/assignments/mobileip-
numbers/mobileip-numbers.xhtml
MIPv6 / NEMO
(Johnson et al., 2004)
App layer protocol
UDP:434
https://www.wireshark.org/docs/dfref/m/mipv6.html
https://tools.ietf.org/html/rfc6275
https://tools.ietf.org/html/rfc3963
LISP
(Farinacci et al., 2013)
App layer protocol
UDP:4341 lisp-data
UDP:4342 lisp-control
https://www.wireshark.org/docs/dfref/l/lisp.html
https://tools.ietf.org/html/rfc6830
HIP
(Moskowitz et al., 2015;
Moskowitz et al., 2008)
Transport layer protocol
IP:139
https://www.wireshark.org/docs/dfref/h/hip.html
http://www.networksorcery.com/enp/protocol/hip.htm
https://tools.ietf.org/html/rfc4423
Table 2: Base mobility protocol information
8. Conclusions
Internet mobility protocols offer a new challenge to cyber forensic investigators.
Awareness that these protocols exist and can be used for many different use cases can
help make it easier to better understand what is occurring when they are encountered.
Investigators should be very careful when attempting to capture network traffic and be
careful to investigate if service providers are utilising network based mobility
protocols that may inadvertently obfuscate network information if collected at a
source not directly at the point the MN device connects to the network or on its MR.
In mobile scenarios it will be important to establish this information before planning
the best approach in attempting to capture a specific target’s network traffic.
9. References
Carpenter, B. (2000). RFC2775: Internet Transparency. Network Working Group. doi:
urn:ietf:rfc:2775
Chen, Q., Hu, H., Chai, R., & Dong, T. (2011, 17-19 Aug. 2011). Mobility
management based on HIP-NEMO. Paper presented at the Communications
and Networking in China (CHINACOM), 2011 6th International ICST
Conference on.
Cisco. (2015). Cisco Visual Networking Index: Global Mobile Data Traffic Forecast
Update, 2014–2019 (pp. 42). Retrieved from
http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-
networking-index-vni/white_paper_c11-520862.html
Devarapalli, V., Nokia, Wakikawa, R., Keio University, Petrescu, A., Motorola, . . .
Systems, C. (2005). RFC3963: Network mobility (NEMO) - basic support
protocol. Internet Engineering Task Force (IETF), January. Retrieved from
https://tools.ietf.org/pdf/rfc3963.pdf
Farinacci, D., Cisco Systems, Fuller, V., Meyer, D., & Lewis, D. (2013). RFC6830:
The locator/ID separation protocol (LISP) [RFC]. IETF Network Working
Group, January. Retrieved from https://tools.ietf.org/html/rfc6830
Hansen, R. (2013). FIRST GLANCE: AN INTRODUCTORY ANALYSIS OF
NETWORK FORENSICS OF TOR. Proceedings of the Conference on
Digital Forensics, Security and Law, 107-122.
Hou, J., Liu, Y., & Gong, Z. (2010, 27-30 Sept. 2010). Support mobility for future
Internet. Paper presented at the Telecommunications Network Strategy and
Planning Symposium (NETWORKS), 2010 14th International.
Johnson, D., Rice University, Perkins, C., Nokia Research Center, Arkko, J., &
Ericsson. (2004). RFC3775: Mobility support in IPv6 [RFC]. IETF Network
Working Group, June. Retrieved from https://tools.ietf.org/pdf/rfc3775.pdf
Khan, S., Shiraz, M., Abdul Wahab, A. W., Gani, A., Han, Q., & Bin Abdul Rahman,
Z. (2014). A Comprehensive Review on Adaptability of Network Forensics
Frameworks for Mobile Cloud Computing. The Scientific World Journal,
2014, 27. doi: 10.1155/2014/547062
Kong, K.-S., Lee, W., Han, Y.-H., Shin, M.-K., & You, H. (2008). Mobility
management for all-IP mobile networks: mobile IPv6 vs. proxy mobile IPv6.
IEEE Wireless Communications, 14; 15(2), 36-45. doi:
10.1109/MWC.2008.4492976
Moskowitz, R., Consulting, H., Heer, T., Control, H. A. a., Jokela, P., NomadicLab,
E. R., . . . Washington, U. o. (2015). RFC7401: Host identity protocol version
2 (HIPv2) [RFC]. IETF Network Working Group, April. Retrieved from
https://tools.ietf.org/html/rfc7401
10. Moskowitz, R., ICSAlabs, Nikander, P., Jokela, P., NomadicLab, E. R., T, H., &
Company, T. B. (2008). RFC5201: Host identity protocol (HIP) [RFC]. IETF
Network Working Group, April. Retrieved from
http://tools.ietf.org/html/rfc5201
Oki, E., Rojas-Cessa, R., Tatipamula, M., & Vogt, C. (2012). Chapter 14: Mobility
support for IP Advanced Internet Protocols, Services, and Applications (pp.
197-233): John Wiley & Sons, Inc.
Parliament of Australia. (2015). Telecommunications (interception and access)
amendment (data retention) bill 2015 – Parliament of Australia. Retrieved 28
June, 2015, from
http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Searc
h_Results/Result?bId=r5375
Perkin, C., & WiChorusInc. (2010). RFC5944: IP mobility support for IPv4, revised
[RFC]. IETF Network Working Group, November. Retrieved from
http://tools.ietf.org/html/rfc5944
Rodríguez Natal, A., Jakab, L., Portolés, M., Ermagan, V., Natarajan, P., Maino, F., . .
. Cabellos Aparicio, A. (2013). LISP-MN: Mobile Networking Through LISP.
Wireless Personal Communications, 70(1), 253-266. doi: 10.1007/s11277-
012-0692-5
Taylor, M., Haggerty, J., Gresty, D., & Fergus, P. (2010). Forensic investigation of
peer-to-peer networks. Network security, 2010(9), 12-15. doi: 10.1016/S1353-
4858(10)70115-X
Yizhen, W., Ke, C., Kaiping, X., & Dan, N. (2014, 23-25 Oct. 2014). NEMO-based
mobility management in LISP network. Paper presented at the Wireless
Communications and Signal Processing (WCSP), 2014 Sixth International
Conference on.
Zhu, Z., UCLA, Wakikawa, R., Toyota ITC, & Zhang, L. (2011). RFC6301: A
survey of mobility support in the Internet [RFC]. Internet Engineering Task
Force (IETF), July. Retrieved from https://tools.ietf.org/pdf/rfc6301.pdf
* * * *
END OF ASSIGNMENT
Note: The following appendix material is
--- NOT ASSESSABLE ---
which is included only for this document’s later contextual support
11. Appendix – Assignment Information and Supporting Material
Provided
ICT349 Forensic Data Analysis (s1, 2015)
Research Essay
Some important points worth noting:
The assignment is due at 1130pm on Monday 1st
June (i.e., the last Monday of
semester)
This assignment is worth 25% of your final mark for the unit.
This assignment consists of 100 marks. Marks are allocated as described in the
assignment. Late submissions will be penalised at the rate of 5 marks per day late
or part thereof. Assignments will not be accepted more than 14 days after the
submission date as assignment return will have commenced.
The University treats plagiarism, collusion, theft of other students’ work and other
forms of dishonesty in assessment seriously. Any instances of dishonesty in this
assessment will be immediately forwarded for investigation.
There will be a turn-it-in link available for this assignment.
Research Essay
The purpose of this assignment is for you to research an issue/area related to the unit,
in particular an area that we are not covering in much depth in the unit, and to report
on your research. It is worth discussing your choice of topic with one of the teaching
staff in the unit PRIOR to commencing so a judgement can be made as to whether or
not this is a suitable topic.
It is suggested that the first part of the report explain the topic; for example, if your
chosen topic were “SQL Injection Attacks”, it would be expected that there would be
some explanation as to what an SQL Injection Attack was. The second part of the
report should include some explanation as to the “state of the art” in the chosen area.
This may mean a review of some of the products in that space, or how organisations
are dealing with the particular item. The teaching staff in the unit are more than
happy to help you with how to best go about completing this assignment.
****PLEASE DO NOT WRITE AN ESSAYABOUT SQL INJECTION ATTACKS!
The length of the assignment is ABOUT 2000 words (not counting references) +/- 10%.
Please try to stay within this limit.
Be selective in your choice of sources. Wikipedia (and other similar sites) are low value
in that they are secondary references in that they simply report on other people’s
research.
12. If you are going to use vendor web sites/white papers, read them critically (as you
should read everything), and remember that they are there to make money, not
necessarily present a balanced view of a topic
Marking
The essay will be marked as below:
Spelling & Grammar: 20%
Sources: 20%
Referencing: 10%
Introduction/Conclusion: 10%
Organisation of Report: 10%
Content/Information: 30%
Spelling and Grammar: these are important aspects of any written presentation. You
must proofread your report prior to submitting it. As can be seen, this aspect of the
submission is worth 20 marks. There are some very helpful on-line resources to assist
you with grammar. They can be found at http://our.murdoch.edu.au/Student-
life/Study-successfully/Online-and-Print/Resources/
Sources: these are the writings by other people to which you will be referring in your
report. For a definition of quality sources, see above. In this assignment, you would be
expected to refer to at least 10 good quality sources.
Referencing: the marks in this section are allocated to your use of in-text citations.
For help with referencing, see http://library.murdoch.edu.au/Getting-
help/Referencing/ It is preferred in this report that you use the Chicago style. It is
important to note that poor referencing can lead to plagiarism. If you are concerned
about plagiarism, please see http://our.murdoch.edu.au/Student-life/Study-
successfully/Referencing-and-citing/How-to-avoid-plagiarism/
Introduction/Conclusion: the purpose of an introduction in a report such as this is to
“set the scene” for the reader so they understand the context of the report. It is
important to tell the reader what to expect from the report; what topic is being
covered, and what aspects of that topic are the focus of the report. A conclusion will
sum the report up for the reader.
Organisation of Report: It is worthwhile planning the report BEFORE submitting it!
Make sure that there is a logical flow from one section to the next. It is often difficult
in a group assignment to have this flow. It may be worthwhile having one group
member being responsible for “putting” the assignment together.
Content/Information: this is where a judgement as to how well the topic is covered. If
the coverage is not much more than the content of the textbook, or is only very
superficial, then only a low mark will be awarded. In reports such as this, it is often
better to focus on a very specific aspect of the topic and cover that quite deeply,
rather than cover a very broad topic superficially.
13. Grading criteria
Spelling and
Grammar
More than 5
spelling or
grammatical
errors
0points
4 spelling or
grammatical
errors
4points
3 spelling or
grammatical
errors
8points
2 spelling or
grammatical
errors
12points
1 spelling or
grammatical
errors
16points
No spelling or
grammatical
errors
20points
Research
Sources
No sources cited
0points
Single source
only
4points
< 10 sources or
=> 10 sources
but not of high
quality or from
a limited set of
sources
8points
>= 10 sources
of good quality
12points
many (>=10)
sources of high
quality
demonstrating
breadth and
depth in
research
16points
Selection of
sources is
exceptional.
20points
Referencing No referencing
used.
0points
Poor or
incorrect use of
referencing
technique
2points
Accurate use of
referencing
technique, but
with several
errors.
4points
Accurate use of
referencing
technique, but
with few errors.
6points
Accurate use of
referencing
technique, but
with very few
errors.
8points
Referencing
cannot be
faulted
10points
Introduction No introduction
0points
Introduction is
present,but
does not discuss
the content of
the report.
2points
Introduction is
present,but
does not discuss
the content of
the report in any
detail.
4points
Introduction is
present,and
provides some
background as
to the content
6points
Introduction
provides good
discussion as to
the content of
the report.
8points
Introduction
is of
exceptional
quality and
cannot be
faulted.
10points
Organisation of
report
Report is not
organised and
makes little
sense
0points
Report has only
the basic
sections.
2points
Report has
sections,but
they are not
ordered in such
a way as to
develop the
content of the
report.
4points
Sections are
organised and
flow well.
6points
Organisation of
the report is
good and adds
to the content
and flow of the
report.
8points
Report is
VERY well
organised
10points
Content -
information
Poor. The report
does not address
Very basic
coverage of the
Adequate
coverage of the
Good coverage
of the topic,
The report
provides an in-
The report is
VERY good
14. the topic in any
way at all.
0points
topic only.
6points
topic.
12points
provides some
interesting
points.
18points
depth coverage
of the topic.
24points
and of a
publishable
quality.
30points
* * * *
END OF DOCUMENT