CSE5CFN Computer Forensics

Instructions for Assignment:

Your report must include:

  1. Evidence description.
  2. Standard procedure (for example: collection steps, imaging, chain of custody, etc.)
  3. Detailed explanation of the $MFT file record findings (include a table showing the attribute values such as 0x10, 0x30, 0x80 and the data run)

Question 1 (5 marks)

You are a digital forensic examiner. Your task is to process and perform a forensically sound acquisition of the following memory card:

Describe your steps in detail, including the specific forensic equipment, hardware and software that you will use, to complete the forensic acquisition of the SSD device and create a forensic image. Use the following evidence form to document the evidence given to you.

Question 2 (5 marks)

The following is an MBR snapshot. Find the following information for each partition.

(Hint: watch this YouTube video: https://www.youtube.com/watch?v=jRj_HzbHeWU)

  1. Find the boot indicator bits/flag (check whether the partition is bootable or not)
  2. Find the file system type (e.g., FAT32, NTFS, EXT3, etc.)
  3. Starting LBA address (relative sectors)
  4. Size of the partitions (sector size is 512 bytes).

Question 3 (10 marks)

Please examine the $MFT FILE record below and report on its content.

Hints: Read chapter 5 of the textbook and the week 6 lecture slides to prepare your response.

For conversion you can use the DCode software (https://www.digital-detective.net/dcode/).

Your answers need to include a detailed description of the following attributes and their corresponding values.

  • Attribute 0x10
  • Attribute 0x30
  • Attribute 0x80

For the data run (0x80), show the calculations of the starting cluster number and the number of clusters. Carefully consider the VCN when calculating the starting cluster position.
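
The data-run calculation asked for above, as an added example that is not part of the original assignment: a Python decoder applied to a constructed run list (the bytes are made up for illustration and are not taken from the assignment's record). The function name, dictionary keys and `start_vcn` parameter are assumptions; `start_vcn` stands for the starting VCN recorded in the non-resident attribute header.

```python
def decode_data_runs(raw: bytes, start_vcn: int = 0):
    """Decode an NTFS run list into (VCN, cluster count, LCN) entries."""
    runs = []
    pos = 0
    vcn = start_vcn      # virtual cluster number inside the file
    prev_lcn = 0         # each offset is relative to the previous run's LCN
    while pos < len(raw) and raw[pos] != 0x00:   # 0x00 terminates the list
        header = raw[pos]
        len_size = header & 0x0F   # low nibble: bytes in the length field
        off_size = header >> 4     # high nibble: bytes in the offset field
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("malformed or truncated data run")
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            lcn = None             # sparse run: no clusters allocated on disk
        else:
            # The offset is a SIGNED little-endian value; a negative delta
            # means the fragment lies before the previous one on disk.
            delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            pos += off_size
            prev_lcn += delta
            lcn = prev_lcn
        runs.append({"vcn": vcn, "clusters": count, "lcn": lcn})
        vcn += count               # the next run continues at the following VCN
    return runs


# Constructed sample run list (not from the assignment):
#   21 18 34 56  -> 0x18 clusters, offset +0x5634
#   11 08 F0     -> 8 clusters, offset -16 (0xF0 as a signed byte)
#   01 04        -> 4 sparse clusters (no offset field)
#   21 10 00 01  -> 0x10 clusters, offset +0x0100
SAMPLE = bytes.fromhex("21183456" "1108F0" "0104" "21100001" "00")

if __name__ == "__main__":
    for run in decode_data_runs(SAMPLE):
        lcn = "sparse" if run["lcn"] is None else run["lcn"]
        last_vcn = run["vcn"] + run["clusters"] - 1
        print(f"VCN {run['vcn']}-{last_vcn}: {run['clusters']} clusters, LCN {lcn}")
```

Multiplying an LCN by the cluster size (sectors per cluster × bytes per sector, taken from the volume boot sector) gives the byte offset of that fragment within the volume.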

