Assignment 2
Subject: CSE3CFN and CSE5CFN
Submission deadline: 23rd
of September, 2022
Total Mark: 30
Word Limit: 2000 words (+/- 10%)
Academic integrity
Academic integrity means being honest in academic work and taking
responsibility for learning the conventions of scholarship. The University
requires its instructors and course participants to observe the highest ethical
standards in all aspects of academic work.
You can demonstrate academic integrity by:
using information appropriately according to copyright and privacy
laws
acknowledging where the information you use comes from
not presenting other people’s work as your own
not commissioning or purchasing work and submitting it as your own
producing assignments independently, except when you are asked to
participate in a group project.
Instructions for Assignment:
Your report must
include:
1.
Evidence description.
2.
Standard procedure (example:
collection steps, imaging, chain of custody, etc)
3.
Examination of NTFS file
structure (include tables for NTFS file system, description of each item)
4.
In detail explanation of $MFT
file record findings (include table showing all the attribute values and data
run)
Question 1
(20% of
the total mark of 30)
You are a digital forensic examiner.
Your task is to process and perform a forensically sound acquisition of the
following memory card:
![Graphical user interface<br><br>Description automatically generated]()
The SSD card is formatted with
NTFS
file system.
a)
Describe your
steps in details, including specific forensic equipment, hardware and software
that you will use, to complete forensic acquisition of the SSD device and
create a forensic image.
b)
How would you
examine the NTFS file system? Discuss how the files are stored and access in
NTFS file system.
Question 2
(30% of
the total mark of 30)
The following is a MBR snapshots. Find
the following information for each partition.
(Hints: watch this youtube video: https://www.youtube.com/watch?v=jRj_HzbHeWU)
1.
Find Boot
indicator bits/flag (check if bootable or not)
2.
Find types of
File System Type (e.g., FAT32, NFTS, EXT3 etc.)
3.
Starting LBA Address (Relative Sectors)
4.
Size of the partitions (sector size is 512 bytes).
![]()
Question 3 (50% of the total mark of 30)
Please examine the $MFT FILE Record
below and report on its content.
Hints:
Read chapter 5 of the textbook and week 6
lecture slides to prepare for your response. You can also look into week 8
lecture slides for the sample structure of your report.
For conversion you can use DCode
software (
https://www.digital-detective.net/dcode/
)
You answers need to include the detail
description of the following attributes and their corresponding values.
·
Attributes x010
·
Attributes x030
·
Attributes x080
![]()