Introduction to digital forensics

Assignment Part 1: hands-on tasks

On your virtual computer, please create a small hard disk of 84 MB, of the fixed size type and named by your student number.

Please create 2 partitions on this newly created hard disk, 1 partition in the FAT file system and 1 partition in the NTFS file system. You can decide the size of each partition, ranging from 21 MB to 63 MB each. Note: depending on your choice in Step 6, you may need to create 3 partitions.

Mount the 2 partitions to your virtual computer and format each of them.

In the FAT partition, please randomly copy and delete the text files, in a few rounds, from the virtual hard disk “GutenbergText.vdi”, the zip file downloadable from the Canvas site. Some files are repeated by themselves to make the files very big (well, relatively big, under the context of a 84 MB hard disk).

Do the same on the NTFS partition, and make sure that you have at least a non-resident file on the NTFS partition.

Come up a unique string with the prefix “IDF2021_”, for example IDF2021_nice8secrecy. Please hide the string in 2 locations. Hint: you can hide the string in a hidden partition, a slack space, and a cluster of a deleted file. If you choose to hide the string in a hidden partition, you hard disk must have 3 partitions. The extra partition to be hidden is a FAT one. Please note that a NTFS partition can also be hidden. For the sake of being manageable within the scope of the assignment, the hidden partition, should it exist, is a FAT partition only.

Shutdown your virtual computer and make a copy of this virtual disk file for a groupmate, who are going to use this hard disk to continue their hands-on tasks below. When passing on the hard disk file, please also provide the following information:
- the cluster number of an occupied cluster, on the FAT partition, which belongs to an active file in your newly created hard drive for this assignment purpose. Please report the number via DiskView. This is the active cluster number required in the cover page of the report.
- the cluster number of a cluster, on the FAT partition, which does not belong to any active file, but previously occupied, in your newly created hard drive for this assignment purpose. Please report the number via DiskView. This is the residual cluster number required in the cover page of the report.
- the name of a non-resident file on your NTFS partition. This is the specified non-resident file needed in the cover page of the report.

Please also receive the virtual hard disk file produced by a groupmate, who has followed the aforementioned steps, with the same extra information - the 2 cluster numbers and the name of the non-resident file. Please continue the following investigation steps on the virtual hard disk you have just received from your group mate.

Please make a forensic acquisition of the “hard disk” you have just received and restore the copy onto another newly create hard disk of yours, pretending that you have a write-blocker in the middle when you mount the received virtual hard disk. This another newly create hard disk is your work hard disk for your forensic investigation purpose.

Please find out the hexadecimal values of the first 16 bytes of each cluster of the 2 clusters.

Please find out the locations of the 2 hidden strings.

Please find out the MFT record and the first data run of the non-resident file.

You have now completed your hands-on tasks.

Assignment Part 2: the report

Part 2 forms the report body of your whole report. It has 2 section.

Section 1: your hard disk for the others’ to investigate (5 marks)

Please write a summary report on how you conduct the required hands-on tasks to create the hard disk for your groupmate. Your report should be reasonably self-contained. Without referring to this assignment sheet, by reading your report alone, one should have a good understanding on what you have performed. In your report, please make sure that you have the following:

[1 mark] the hexadecimal numbers of the first 16 bytes of each of the 2 identified clusters in the right partition of your hard disk,
[2 marks] the MFT record and the first data run of the identified non-resident file; for the MFT record, please provide a screen dump with a brief explanation; for the first data run, please provide the 3 hexadecimal numbers with the explanation of each number. Please also mark the data run in the MFT record screen dump.
[2 marks] the secret string you have come up with and the 2 locations where you hide the string; wherever applicable, you should report the partitions and the cluster numbers, in addition to explaining the nature of the hidden locations.

Note: please do not provide this level of details to your groupmate, who is supposedly to investigate this hard disk of yours to independently find out the information.

Section 2 – your investigation and your findings (10 marks)

Please write a summary report on how you conduct the investigation hands-on tasks on the hard disk you have received from your groupmate. Your report should be reasonably self-contained. Without referring to this assignment sheet, by reading your report alone, one should have a good understanding on what you have performed. In your report, please make sure that you also have the following:

[2 marks] making the forensic copy (bit-stream copy) of the hard disk you have received; this forensic copy is referred as the investigation hard disk in this section of your report.
[2 marks] the hexadecimal numbers of the first 16 bytes of each of the 2 specified clusters in the right partition on the investigation hard disk; the 2 cluster numbers are specified by your groupmate. Please note that the cluster numbers are reported via DiskView, which has a different cluster numbering system to WinHex.
[3 marks] the MFT record and the first data run of the specified non-resident file in the right partition on the investigation hard disk; The file name is specified by your groupmate. For the MFT record, please provide a screen dump with a brief explanation. For the first data run, please provide the 3 hexadecimal numbers with an explanation of each number. Please also mark the data run in the MFT record screen dump.
[3 marks] the secret string your groupmate has come up with and the 2 locations where they hide the string; wherever applicable, you should report the partitions and the cluster numbers, in addition to explaining the nature of the hidden locations.

The marking rubrics for the report

Please note that a report is marked in its entirety based on the marking rubrics also in their entirety. A report cannot be marked by its individual keywords in isolation; nor can any individual marking rubric be applied in isolation by itself alone. For example, the irrelevant content in the report cannot be treated as if it does not exist. To the contrary, any irrelevant content weakens the logic flow and reduces the relevance of the report.

85%-100%

75%-84%

65%-74%

50%-64%

<50%

comprehensive

understanding of the

topics covered

thoroughly coherent

relevant and accurate with in-depth analysis

convincible, sound, and smooth logic

excellent writing, concise, clear, and complete

all claims backed up by evidence or argument

no irrelevant nor inaccurate statements

good understanding of the topics covered

well coherent

relevant and accurate

sound logic

clear writing, concise, and complete

majority claims backed up by evidence or argument

no irrelevant nor inaccurate statements

reasonable understanding of the

topics covered

coherent

largely relevant and accurate

good logic

generally clear writing, reasonably concise, and mostly complete

most claims backed up by evidence or argument

occasionally irrelevant and inaccurate statements with little impact on the report in a

whole

basic understanding of the topics covered

reasonably coherent

relevant and accurate in general

basic logic

understandable writing, somewhat clear, and

largely complete

claims largely backed up by evidence or argument

a few irrelevant and inaccurate statements with noticeable impact

on the report in a whole

little or no understanding of the topic, with irrelevant content, unstructured and unclear writing

just a few keywords without meaningful sentences

Australia Universities

ACT

Australian Catholic University

Australian National University

Bond University

Central Queensland University

Charles Darwin University

Charles Sturt University

Curtin University of Technology

Deakin University

Edith Cowan University

Flinders University

Griffith University

Holmes Institute

James Cook University

La Trobe University

Macquarie University

Monash University

Murdoch University

Queensland University of Technology

RMIT University

Southern Cross University

Swinburne University of Technology

University of Adelaide

University of Ballarat

University of Canberra

University of Melbourne

University of Newcastle

University of New England

University of New South Wales

University of Notre Dame Australia

University of Queensland

University of South Australia

University of Southern Queensland

University of Sydney

University of Tasmania

University of Technology Sydney

University of the Sunshine Coast

University of Western Australia

University of Wollongong

Victoria University

Western Sydney University

Year 11 - 12 Certification Assignment

Australian Capital Territory Year 12 Certificate

HSC - Higher School Certificate

NTCE - Northern Territory Certificate of Education

QCE - Queensland Certificate of Education

SACE - South Australian Certificate of Education

TCE - Tasmanian Certificate of Education

VCE - Victorian Certificate of Education

WACE - Western Australia Certificate of Education

Introduction to digital forensics

Assignment Part 1: hands-on tasks

Assignment Part 2: the report

Diploma Universities Assignments