Assignment 2 (Introduction to Digital Forensics, UG/G, S1, 2024) Please carefully read the whole assignment description before you start your work. Assignment 2 weights 15% of the total marks of this Unit and is due on 05/04/2024, Friday, Week 9, at 23:55pp, with a 2-days grace period, i.e., till 23:55pm, 07/04/2024, Monday, the latest. The deadline is of the local time in Canberra, ACT, Australia. It is your responsibility to correctly adjust your clock. Submissions are through Canvas. If a student chooses to submit their assignment via the Internet off the campus, it is the responsibility of the student to manage the accessibility to the Internet. Not being able to access to the Internet at the location which is off the campus is not an excuse for extension. No other forms of submission will be accepted. Please be reminded the following statements from the unit outline about assignment submission. Extensions Students can apply for an extension to the submission due date for an assessment item through extenuating, evidenced circumstances (specific details are found through the Assessment Policy and Procedures, Section 9.12). Extensions must be applied for before the due date. Documentary evidence (e.g. medical certificate) will be expected for an extension to be granted, however this will not guarantee that the application will be successful. The Unit Convener or relevant Discipline Convener will decide whether to grant an extension and the length of the extension. An Assignment Extension form is available from the Student Forms page. Late submission of assignments without an approved extension will result in a penalty of 5% reduced marks from the total available, per calendar day late. An assignment submitted over 7 days late will not be accepted. The whole report is in a single file and has 3 parts: a cover page, the report body, and appendices. The report body is up to 4 pages in A4 size, single-sided, size 10 Arial font, portrait orientation, and narrow margins, if you use Microsoft Word, or similar settings if you use other editing software. You can include any supporting materials in the appendix part. The cover page and appendices do not count towards the 4-pages limit. In the cover page, please include the following items: • • assignment title, your student number (please do not include the names, and please make sure that the student numbers are correct), the student number of your assignment partner's, from whom you receive their newly created hard drive for this assignment purpose, and • the date of completion. Failing to comply with the format requirements will result in the reduction of the marked assignment marks by 10%. Proper writing is expected. Your writing should be meaningful, concise, and self-contained. Any statement and claim should be backed up by evidence or explanation. The lines of argument should be firmly established in your report. After reading your report, one with reasonable knowledge and experiences in the fields should have the basic understanding without referring to the other sources. A full report with just a collection of only key words or phrases will not attract any mark. Your own writing in your report should account for at least 70% of the content. The materials from any other sources should be properly quoted and referenced, and not exceeding 30%. If you quote from other sources, the reference part does not count towards the 4-pages limit. 1 Important Notes Note 1: The assignment is for this co-taught unit, Introduction to Digital Forensics (9074) and Introduction to Digital Forensics G (9075). The assignment requirements prescribed in this file are strictly under the context of the unit, not beyond. The text in this file is the base for marking. The memory of any verbal discussion on the assignment matters without the associated written confirmation, should there be any discrepancy, does not overwrite the text in this file. Note 2: The unit convenor reserves the right to question students on any of their submitted work for moderation and academic integrity purposes, which may result in an adjustment to the marks awarded for a specific task. Note 3: This is an individual assignment, although you need the help from a group mate (your assignment partner) of yours to complete. Everyone must submit their own report. The assignment has individual marks. Note 4: you are writing a report covering the required key points, not addressing a collection of short-answer questions in isolation. The marking rubrics is in Page 7. 2 PART 1: HANDS-ON TASKS When you are performing these tasks, please make notes on what you've done and how you do it, because you will have to report how you perform these tasks. 1. On your virtual computer, please create a small virtual hard disk of 40 MB exactly, of the fixed size type, and name the virtual hand disk file by your student number plus FAT, e.g., u1234567_FAT, and another virtual small hard disk of 50 MB exactly, also of the fixed size type, and name the virtual hand disk file by your student number plus NTFS. e.g., u1234567_NTFS. The former will be formatted to a FAT file system, and thus called the FAT disk or the FAT partition, interchangeably, and the latter will be formatted to an NTFS file system, and thus called the NTFS disk or the NTFS partition. 2. Create a primary partition on the FAT disk and a primary partition on the NTFS disk, respectively. 3. Format each accordingly, and bring both to your virtual machine, say, to drives X: and Y: respectively. A kind reminder: Step 4 and 5 require careful planning on the sequence of the actions. You may not be able to make it in your first attempt. After learning (a careful reflection needed) from your previous mistakes, if any, you will soon find out a solution. 4. On the FAT partition, fully occupy the whole partition by copying files from “C:\000 - IDF home\data for activities\Gutenberg Text”, shortcut available on Windows Desktop "IDF home", onto it. Some files in the source folder are repeated by themselves to make the files very big (well, relatively very big, under the context of your partition size). The number in a file name indicates how many repeats of its content. Carefully choose the sequence of your copying actions to make the partition as full as possible. You should have at least a copy of "2024 big.txt" and "2024 small.txt". Failing to follow this instruction WILL RESULT a 0 mark for Part 1 of your report. 5. Still on this partition, please carefully arrange a sequence of deleting and copying actions to make disk fragmentation and with unallocated clusters. The final state of the partition does not have to be fully occupied. You must not delete the files "2024 big.txt" and "2024 small.txt". 6. When performing Task 4 and 5, please use DiskView to check the state of your partition. 7. On the NTFS partition, perform the same actions as on the FAT partition, Step 4-5. At the end of your actions, you should have at least 1 resident file and at least 1 fragmented nonresident file. Please note that the required nonresident file must be a fragmented one. 8. Come up with a unique string (secret string) by the prefix "IDF2024_", for example IDF2023_nice+secrecy. Please hide the string in 2 possible locations, a slack space and a cluster of a deleted file. Please complete this task on the FAT partitions. Please note that a NTFS partition can also be used. For the sake of being manageable within the scope of the assignment, this task is restricted to a FAT partition only. 9. Eject the 2 virtual hard disks and make a copy of each virtual disk file for your assignment partner(s), who are going to use these hard disk files to continue their hands-on tasks below. 10. Please receive the virtual hard disk files produced by your assignment partner, who has followed the aforementioned steps. Please continue the following investigation steps on the virtual hard disks, represented by the 2 virtual hard disk files, which you have just received from your assignment partner. 3 11. (important) Please make a forensic acquisition of each of the virtual hard disks you have just received and restore the copies onto yet another 2 newly create hard disks of yours, respectively, pretending that you have a write-blocker in the middle when you mount the received virtual hard disk. These two newly create hard disks are your working hard disks for your forensic investigation purpose. (Hint) from Week 3 hands-on tasks, you should work out easily how to "Attach VHD". Please also take the words "Attach VHD" as a part of the hint. 12. On the forensic copies, i.e., your investigation disks, discover the following: . • • On the FAT partition, what is the residual text in the first unallocated block (cluster), counting in the order from the smallest cluster number to the largest one? On the NTFS partition, find out the MFT record for "2023 small.txt" and the MFT record for a fragmented nonresident file. Where are the locations of the 2 hidden strings, and what is the string (strings)? 13. You have now completed your hands-on tasks. When working with your assignment partner(s), you can give them some hints on what you have done, but please refrain telling them exactly what you have done. Making discoveries by themselves is a part of the assignment, and also the expected the learning outcomes. After they completes their discoveries, you two can verify the discoveries together. If they do not make the right discoveries, you can give them more hints to redo their discoveries. Possibilities do exist that you didn't do your hands-on tasks well. Your assignment partner(s) will then ask you to re-do the tasks. Your assignment partner(s) is expected to take the same approach towards you. You are strongly encouraged to hand over your completed virtual disk file to your assignment partner(s) by the end of Week 6 to allow them enough time to complete their assignment(s). Your assignment partner is expected the same by handing over to you their completed virtual disk file by the end of Week 6. Please do not forget your group's “house rules” agreed in your Assignment 1. 4 PART 2: THE REPORT Please do not repeat the text of this file in your assignment. On the one hand, it will trigger a plagiarism report on the attempt due to the same text. On the other hand, it will make your report over the page limit. Part 1: the report on your hands-on tasks [5 marks in total] Please write a summary report on how you conduct the required hands-on tasks to create the hard disk for your assignment partner(s). Your report should be reasonably self-contained. Without referring to this assignment sheet, by reading your report alone, one should have a good understanding on what you have performed. In your report, please make sure that you include the following in specific: • • the first 16 bytes of the residual text in the first unallocated block (cluster), counting in the order from the smallest cluster number to the largest one, in your FAT partition. Please provide a screen dump of the 16 bytes also containing the title bar (i.e., the top) of the display window. the MFT record and the first data run of a fragmented nonresident file, with a screen dump of the MFT record, including the part with the data runs. Please also explain how the fragmented nonresident file was achieved. the secret string you have come up with and the 2 locations where you hide the string; wherever applicable, you should report the cluster numbers, in addition to explaining the nature of the hidden locations; otherwise, please explain why the cluster numbers are not available to report. Please note that you are writing a report, not addressing a collection of short-answer questions in isolation. The textbook is your sample on properly writing. Part 2 - your investigation and your findings [10 marks in total] Please note that it is your responsibilities to find an assignment partner. You are strongly encouraged to secure your assignment partner earlier and work on the tasks together with your assignment partner. If you fail to have an assignment partner, you won't be able to complete Part 2 of this report and its associated hands-on tasks, and you will end up with O mark for this Part. In this part, please explain the relevant concepts and the process in the digital forensic investigation by using your investigation as examples. The focus is the explanation of the concerned concepts and the process. You can treat your report as the textbook pages on the relevant concepts. So, in your report, you will explain the required topics, why and how you conducted your investigation, and your findings. Please note that the context of writing your report is the textbook, rather than the broad Internet. The textbook is treated as the authoritative source for the assignment purpose. If there is any discrepancy, the textbook is the base for marking. The marking is done under the context of the textbook. Possible perfect answers under different contexts may not render the same outcomes under the context of the textbook. Please make sure you have studied the relevant chapters before attempting the assignment. 5