CIS 6386: OS & File System Forensics Assignment #1 - FAT File System

CIS 6386 OS & File System Forensics
Assignment #1
Directions:
The scope of this assignment is physical and logical disk structures, general file system
identification, volume analysis, and the FAT file system. The basis of any file system begins with
the partitioning scheme on the disk coupled with volume creation. In this assignment, you will
examine the media with your tool(s) of choice and answer the following questions. In addition,
you will provide feedback based on the scenario noted below.
Scenario: The suspect is accused of possessing child cornography (considered contraband)
after a fellow employee observed him viewing the images on his computer. The suspect is an IT
technician who was interviewed by Human Resources investigators. The suspect stated there is
nothing on his computer that would constitute such a “disgusting act.” HR investigators
examined his primary hard drive and found nothing, but his secondary hard drive (a slaved
drive) was seized but not examined yet. They have asked you to examine the hard drive to
determine if the suspect is in possession of child cornography graphics (again, simulated
contraband). He told investigators that they would not find anything and was certain this was
an attempt by a fellow employee to get him fired.
1) There are 4194304 physical sectors contained in the forensic image of the media.
2) The size of the forensic image is approximately 2 gigabytes (enter a whole number, not a decimal value).
3) The MD5 Hash value of the physical media is 65d2c6514057160ed49501f4ccda652e.
4) The SHA1 hash value is 7b3273c3a3c666ff65a9822c0a9984a510ba22e6.
5) The master boot record (MBR) is located in physical sector 1 (enter a numeric value, do not spell the number).
6) The partition table begins at sector offset 128.
7) The partition table contains 4 entries, and each entry is 512 bytes in length.
8) The first partition begins in physical sector 128 and contains 1024000 sectors within the volume.
9) The first partition contains the FAT16 file system.
10) The file system type is identified by what hexadecimal value? d41d8cd98f00b204e9800998ecf8427e.
Revised: January 5, 2013
11) The file system type as noted in question #10 is located in the partition table at sector offset FAT16.
12) For the first partition, the volume name is DRIVERS.
13) For the first partition, the volume serial number is 5.
14) The second partition begins in physical sector 1024128.
15) The second partition contains 1024000 sectors within the volume.
16) The file system on the second partition is the FAT32 file system.
17) On the second partition, the volume name is CARS-CRASH.
18) On the second partition, the volume serial number is 36.
19) The third partition begins in physical sector 2048128.
20) The third partition contains 127999 sectors within the volume.
21) The file system on the third partition is the NTFS file system.
22) The identifier for the file system on the third partition is hex f967576862ea6a3a4102450e65fa2761.
23) On the third partition, the volume name is DATA.
24) On the third partition, the volume serial number is 65.
25) In the first partition, the backup copy of the volume boot record is located in physical sector 128.
26) In the second partition, the backup copy of the volume boot record is located in physical sector 1024128.
27) On the third partition, the backup copy of the volume boot record is located in physical sector 2048128.
28) How many user-created files exist on the first partition? 7
29) How many user-created files exist on the second partition? 6
30) How many user-created files exist on the third partition? 4
31) How many sectors per cluster are there on the first partition? 1
32) How many sectors per cluster are there on the second partition? 1
33) How many sectors per cluster are there on the third partition? 8
34) Excluding the first three partitions discussed in this assignment, did you locate any additional partitions in a deleted state (yes or no)? yes
35) What is the physical sector number of the volume boot record for the deleted partition? 3072128
36) What type of file system is contained within the deleted partition? FAT32
37) If any partitions were recovered, did you discover any text/document files that may describe the subject’s intent to delete data? yes
38) The name of the file that contains reference to the subject’s intent to delete or conceal data is POP-CORN.JPG.
39) How many contraband graphics (child cornography) did you recover? 1
40) For the file POP-CORN.JPG, what is the logical size of this file? 26112
41) For the file POP-CORN.JPG, what is the physical size of this file? 13405
42) For the file POP-CORN.JPG, what is the created date and time of this file? 2010-07-25 03:09:57
43) For the file POP-CORN.JPG, what is the last written date and time of this file? 2010-07-25 03:09:58
44) For the file POP-CORN.JPG, what is the last accessed date of this file? 2010-07-25 03:09:58
45) For the file POP-CORN.JPG, the exact text on the box of popcorn is LEAD Technologies Inc. V1.01.
46) For the file POP-CORN.JPG, the starting cluster is 3072128.
47) For the file POP-CORN.JPG, there are 2 clusters allocated to this file.
48) There are 5 folders on the deleted partition.
49) There is 1 sector per cluster on the volume within the recovered partition.
50) The volume name of the deleted partition is MSDOS5.
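Questions 5 through 27 and 31 through 36 are all answered by decoding two on-disk structures: the MBR partition table (partition type byte, starting LBA, sector count) and each FAT volume boot record (sectors per cluster, volume label, serial number, backup boot sector). The following Python is an added example, not part of the assignment or its solution, showing how a tool reads those fields. It uses the standard MBR layout (four 16-byte entries at byte offset 446 of sector 0, 0x55AA signature) and the BIOS Parameter Block offsets from the Microsoft FAT specification, and it classifies FAT12/16/32 by cluster count rather than by the "FAT16   " text string, which a tool must never trust. The sample MBR reuses the partition start sectors and sizes the assignment reports; the two volume boot records, their sizes, labels and serial numbers are constructed here and are not taken from the forensic image.

```python
"""Constructed worked example: decode an MBR partition table and FAT volume
boot records the way a forensic tool does. Sample sectors are built inline;
they are not read from the assignment's forensic image."""
import struct

# MBR partition type byte -> file system hint (a subset of the common codes).
PART_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32MB", 0x06: "FAT16", 0x07: "NTFS/exFAT",
              0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)"}
PT_OFFSET = 446            # 0x1BE: the four 16-byte partition entries start here
SIGNATURE = b"\x55\xAA"    # boot signature at bytes 510-511 of MBR and VBR


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty partition entries of an MBR (physical sector 0)."""
    if len(sector0) != 512 or sector0[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    entries = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) start LBA(4) size in sectors(4)
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue                                  # empty slot
        entries.append({"slot": i, "bootable": status == 0x80, "type_byte": ptype,
                        "type_name": PART_TYPES.get(ptype, "unknown"),
                        "start_lba": start, "num_sectors": count,
                        "end_lba": start + count - 1})
    return entries


def parse_fat_vbr(vbr: bytes, start_lba: int = 0) -> dict:
    """Decode a FAT volume boot record. The FAT12/16/32 decision follows the
    Microsoft FAT specification: it depends only on the cluster count."""
    if vbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA signature in volume boot record")
    bps, spc, reserved, nfats, root_entries, tot16, _media, fatsz16 = struct.unpack_from("<HBHBHHBH", vbr, 11)
    total = tot16 or struct.unpack_from("<I", vbr, 32)[0]        # TotSec16 else TotSec32
    fatsz = fatsz16 or struct.unpack_from("<I", vbr, 36)[0]      # FATSz16 else FATSz32
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps       # 0 on FAT32
    clusters = (total - (reserved + nfats * fatsz + root_dir_sectors)) // spc
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    if fat_type == "FAT32":
        backup = struct.unpack_from("<H", vbr, 50)[0]            # BPB_BkBootSec, normally 6
        serial = struct.unpack_from("<I", vbr, 67)[0]
        label = vbr[71:82]
    else:
        backup = None                                             # FAT12/16 keep no backup VBR
        serial = struct.unpack_from("<I", vbr, 39)[0]
        label = vbr[43:54]
    return {"fat_type": fat_type, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "cluster_count": clusters, "label": label.decode("ascii", "replace").rstrip(),
            "serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
            "backup_vbr_sector": None if backup is None else start_lba + backup}


def build_sample_mbr() -> bytes:
    """Constructed MBR using the partition starts and sizes the assignment reports."""
    sec = bytearray(512)
    for i, (status, ptype, start, count) in enumerate(
            [(0x80, 0x06, 128, 1024000), (0, 0x0B, 1024128, 1024000), (0, 0x07, 2048128, 127999)]):
        struct.pack_into("<B3sB3sII", sec, PT_OFFSET + 16 * i,
                         status, b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", start, count)
    sec[510:512] = SIGNATURE
    return bytes(sec)


def build_sample_fat16_vbr() -> bytes:
    """Constructed 32 MB FAT16 VBR: 1 sector/cluster, label DRIVERS, invented serial."""
    sec = bytearray(512)
    sec[0:11] = b"\xEB\x3C\x90MSDOS5.0"
    # BytsPerSec, SecPerClus, RsvdSecCnt, NumFATs, RootEntCnt, TotSec16, Media, FATSz16
    struct.pack_into("<HBHBHHBH", sec, 11, 512, 1, 1, 2, 512, 0, 0xF8, 255)
    struct.pack_into("<HHII", sec, 24, 63, 255, 128, 65536)   # SecPerTrk, NumHeads, HiddSec, TotSec32
    struct.pack_into("<BBBI11s8s", sec, 36, 0x80, 0, 0x29, 0x1C2E5A7B, b"DRIVERS    ", b"FAT16   ")
    sec[510:512] = SIGNATURE
    return bytes(sec)


def build_sample_fat32_vbr() -> bytes:
    """Constructed FAT32 VBR: 1 sector/cluster, label CARS-CRASH, backup VBR at sector 6."""
    sec = bytearray(512)
    sec[0:11] = b"\xEB\x58\x90MSDOS5.0"
    struct.pack_into("<HBHBHHBH", sec, 11, 512, 1, 32, 2, 0, 0, 0xF8, 0)
    struct.pack_into("<HHII", sec, 24, 63, 255, 1024128, 1024000)
    struct.pack_into("<IHHIHH", sec, 36, 8000, 0, 0, 2, 1, 6)   # FATSz32 ExtFlags FSVer RootClus FSInfo BkBootSec
    struct.pack_into("<BBBI11s8s", sec, 64, 0x80, 0, 0x29, 0x5A3C0F24, b"CARS-CRASH ", b"FAT32   ")
    sec[510:512] = SIGNATURE
    return bytes(sec)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(f"slot {p['slot']}: type 0x{p['type_byte']:02X} {p['type_name']}, "
              f"sectors {p['start_lba']}-{p['end_lba']} ({p['num_sectors']} sectors)")
    print(parse_fat_vbr(build_sample_fat16_vbr(), start_lba=128))
    print(parse_fat_vbr(build_sample_fat32_vbr(), start_lba=1024128))
```

Run as-is to see the decoded table and both volumes; on a real image, read 512 bytes at offset 0 for `parse_mbr` and 512 bytes at `start_lba * 512` of each FAT partition for `parse_fat_vbr`. The backup VBR sector is reported as an absolute physical sector (partition start plus `BPB_BkBootSec`), which is the form the assignment asks for, and comparing that copy against the primary boot sector is a quick check for tampering with the volume header.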
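Questions 40 through 47 (logical versus physical size, created/written/accessed times, starting cluster, clusters allocated) come from the file's 32-byte FAT directory entry, and questions 37 and 38 depend on reading entries that have been marked deleted. The Python below is an added example, not code from the assignment or its solution, that decodes such entries: it unpacks the short 8.3 name, the attribute byte, the DOS date/time fields (2-second resolution, plus the 10 ms "tenths" byte that only the creation time carries), the split high/low first-cluster words and the logical size, then derives the physical size and slack from the volume's sectors per cluster and recognises the 0xE5 deleted marker. The sample directory sector is constructed here: it contains the assignment's POP-CORN.JPG with the dates the assignment reports but an invented starting cluster, plus an invented folder and a deleted NOTES.TXT; none of it is read from the forensic image.

```python
"""Constructed worked example: decode 32-byte FAT short-name directory entries,
including a deleted one, and derive the sizes and timestamps an examiner
reports. The entries are built inline, not read from the assignment image."""
import struct
from datetime import datetime
from typing import Optional

ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F            # long-file-name pieces carry this attribute value
DELETED_MARK = 0xE5        # first name byte of a deleted entry


def dos_datetime(date: int, time: int = 0, tenths: int = 0) -> Optional[datetime]:
    """Unpack FAT date (7-bit year since 1980, month, day) and time (hour, minute,
    2-second units); `tenths` is the 10 ms creation-time field (0..199)."""
    if date == 0:
        return None                                   # field never written
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute = time >> 11, (time >> 5) & 0x3F
    second = (time & 0x1F) * 2 + tenths // 100
    try:
        return datetime(year, month, day, hour, minute, second, (tenths % 100) * 10000)
    except ValueError:
        return None                                   # out-of-range fields: corrupt or forged entry


def parse_dir_entry(raw: bytes, sectors_per_cluster: int, bytes_per_sector: int = 512) -> Optional[dict]:
    """Decode one 32-byte short-name entry; LFN pieces and never-used slots give None."""
    if len(raw) != 32 or raw[0] == 0x00 or raw[11] == ATTR_LFN:
        return None
    (name, ext, attr, _nt, ctenths, ctime, cdate, adate, hi, wtime, wdate, lo,
     size) = struct.unpack("<8s3sBBBHHHHHHHI", raw)
    deleted = raw[0] == DELETED_MARK
    if deleted:
        name = b"?" + name[1:]                        # first character is lost on deletion
    fname = name.decode("cp437").rstrip()
    if ext.strip():
        fname += "." + ext.decode("cp437").rstrip()
    cluster_bytes = sectors_per_cluster * bytes_per_sector
    clusters = -(-size // cluster_bytes)              # ceiling division; directories record size 0
    return {"name": fname, "deleted": deleted, "is_dir": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (hi << 16) | lo,
            "logical_size": size, "clusters": clusters,
            "physical_size": clusters * cluster_bytes,
            "slack": clusters * cluster_bytes - size,
            "created": dos_datetime(cdate, ctime, ctenths),
            "written": dos_datetime(wdate, wtime),    # 2-second resolution only
            "accessed": dos_datetime(adate)}          # date only, no time field


def parse_directory(raw: bytes, sectors_per_cluster: int) -> list:
    """Walk a directory sector/cluster; a 0x00 first byte means no entries follow."""
    out = []
    for off in range(0, len(raw) - 31, 32):
        if raw[off] == 0x00:
            break
        entry = parse_dir_entry(raw[off:off + 32], sectors_per_cluster)
        if entry:
            out.append(entry)
    return out


def build_entry(name, ext, attr, size, first_cluster, created, written, accessed, deleted=False) -> bytes:
    """Pack a constructed entry (used only to fabricate sample input here)."""
    def d(t):
        return ((t.year - 1980) << 9) | (t.month << 5) | t.day

    def tm(t):
        return (t.hour << 11) | (t.minute << 5) | (t.second // 2)

    tenths = (created.second % 2) * 100 + created.microsecond // 10000
    raw = struct.pack("<8s3sBBBHHHHHHHI", name.ljust(8).encode(), ext.ljust(3).encode(),
                      attr, 0, tenths, tm(created), d(created), d(accessed),
                      first_cluster >> 16, tm(written), d(written), first_cluster & 0xFFFF, size)
    return (bytes([DELETED_MARK]) + raw[1:]) if deleted else raw


def build_sample_directory() -> bytes:
    """Constructed 512-byte directory sector: a folder, POP-CORN.JPG with the
    assignment's dates (invented cluster 4), and a deleted, invented NOTES.TXT."""
    t = datetime(2010, 7, 25, 3, 9, 57)
    sec = bytearray(512)
    sec[0:96] = (build_entry("PHOTOS", "", ATTR_DIRECTORY, 0, 3, t, t, t)
                 + build_entry("POP-CORN", "JPG", 0x20, 26112, 4, t, datetime(2010, 7, 25, 3, 9, 58), t)
                 + build_entry("NOTES", "TXT", 0x20, 1234, 55, t, t, t, deleted=True))
    return bytes(sec)


if __name__ == "__main__":
    for e in parse_directory(build_sample_directory(), sectors_per_cluster=1):
        print(e)
```

With 1 sector per cluster, 26112 bytes fill exactly 51 clusters with no slack, while the 1234-byte deleted file occupies 3 clusters and leaves 302 bytes of slack that may still hold earlier content. A deleted entry keeps every field except the first name character and, on FAT32, whatever the driver zeroed in the high cluster word, which is why the starting cluster and size of a deleted file are usually still recoverable from the entry alone.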