Certified Degree in association with National Cyber Security Centre
2023-2024 ASSESSMENTS
Lancaster University
Postgraduate - Masters Degree in Cyber Security – Individual Programming Exercise
SCC.443 DIGITAL FORENSICS
Recommended Completion Time: [24 Hours]
Assessment Weighting: [40%]
Academic Honesty and Integrity
Students at Lancaster University are part of an academic community that values trust, fairness and
respect and actively encourages students to act with honesty and integrity. It is a University policy
that students take responsibility for their work and comply with the university's standards and
requirements found in the Manual of Academic Regulations and Practice. By submitting their
answers students will be confirming that the work submitted is completely their own. Academic
misconduct regulations are in place for all forms of assessment and students may familiarise
themselves with this via the university website:
https://www.lancaster.ac.uk/academic-standards-and-quality/regulations-policies-and-committees/manual-of-academic-regulations-and-procedures/
Plagiarism
Plagiarism involves the unacknowledged use of someone else's work and passing it off as if it were
one's own. This covers every form of submitted work, from written essays and video vignettes to
coding exercises. However, deliberate plagiarism with the intent to deceive and gain academic
benefit is unacceptable. This is a conscious, pre-meditated form of cheating and is regarded as a
serious breach of the core values of the University. More information may be found via the
plagiarism framework website. All coursework is to be submitted electronically and will be run
through our plagiarism detection mechanisms. Please ensure you are familiar with the University's
plagiarism rules and if you are in any doubt please contact your module tutor.
https://www.lancaster.ac.uk/academic-standards-and-quality/regulations-policies-and-committees/principles-policies-and-guidelines/plagiarism-framework/
© 2024 Andrew Scott

General Guidance:
This is an individual exercise, which must be completed in the Python programming language. As
this is a coding exercise, you must work independently of tools, existing filesystem libraries, and
third-party code. Your code should not be specific to just one filesystem image and must generate the
output you submit. Your solution should be generic and work with similar filesystem images.
Your program must work on the SCC.443 mylab environment as this will be used for marking.
You should submit one zip file containing your Python files and the required output. All submissions
will be tested with the Python configuration used on the lab machines - ensure your submission
works as expected before submission. No additional libraries will be installed to test submissions.
Assessment Details:
With the help of Miss Terry, head of terrys-digital.uk and heir to her late uncle's world-famous
Chocolate Orange empire, new evidence has been found.
A disk was found next to an employee's computer that appears to be corrupt. As part of the
Acme-Forensics team responding to the incident, you have been given the task of trying to recover
data from the partially wiped disk.
Marking Guidelines:
• 10% Quality of code, including commenting and code structure
• 10% Identifying form of corruption, as evidenced in summary report
• 10% Identification of number of files on disk; should be stated in summary report
• 20% Producing directory of correctly recovered files
  ○ The directory must be named RecoveredFiles and submitted in your zip file
  ○ Recovered files must be named FILE0001.BIN, FILE0002.BIN etc.
  ○ These files will almost certainly have incorrect lengths as each will be a whole
    number of clusters, but should otherwise be correct
  ○ Files must be recovered without making assumptions about the filesystem layout,
    e.g., assuming that adjacent blocks will be part of the same file is not enough
• 5% Trimming files to correct lengths
  ○ Trimmed files must be named FILE0001.TXT, FILE0002.TXT etc.
  ○ These files must be stored along with the .BIN files in the RecoveredFiles directory
• 15% Identifying which, if any, of the recovered files are in fact directories
  ○ A listing of these directories and the files they contain must be added to the zip file
  ○ Correctly named copies of these files must be in a GoodFiles directory in your zip
  ○ These files must have the correct length as given in the directory
• 10% Identifying unlinked files, i.e., those not part of a recovered directory
  ○ Corresponding .BIN and .TXT files must be in a directory named Unlinked in the zip
• 5% Submission of paperwork (completed as necessary), submitted in your zip file
• 5% Identification of any files of forensic interest
• 10% Properly structured and well-formatted forensics report (a PDF in the zip):
  ○ 1 page summary of findings
Submission
Your submitted zip file should contain the following content... Six top-level directories, as follows:
• Python files
  ○ Code to complete exercise, including sub-directories if required
  ○ Brief text file with essential instructions on how to operate your program to produce
    all expected output. This should be complete but not contain unnecessary detail – this
    is not intended to be full user documentation.
• Report
  ○ Associated paperwork, completed as necessary (PDF format)
  ○ PDF copy of your summary report – maximum 1 page
    - Describe form of corruption seen in filesystem
    - This must identify number of files and directories found
• RecoveredFiles
  ○ Recovered .BIN and trimmed .TXT files, named as described above
• GoodFiles
  ○ Files identified from recovered directories with their correct names and lengths
  ○ A single file called listing.txt - list of directories and the files they contain
• Unlinked
  ○ Any files not appearing in identified directories - .BIN and .TXT files
• Evidence
  ○ A copy of any files of particular forensic interest
Making a Start
Overleaf you will find sample code that implements a basic FAT16 class that can be called as follows:
    fat = FAT('fat16.img')
    print(fat)
    fat.close()
Note that this only handles FAT16, i.e., volumes with 4085 to 65524 clusters, which should be fine
for what you are doing. That said, make sure you are testing your code with FAT16 images – the
script from the FAT lab will always create a FAT16 filesystem.
Hints
1. You must not make assumptions about the filesystem layout; however, there is no need to
fully decode everything... you are trying to find and reconstruct files, and then check whether
they are regular files or directories. If you are going much beyond this and just dumping
blocks/clusters to your h-drive, you may be overthinking what is expected.
2. You are not required to handle long filenames; you can safely stick to the main 8.3 entries.
3. While the level of corruption is significant, the problem should be easily identifiable if you
followed and understood the FAT lab. The hex dump utility can be useful for spotting issues.
4. Big hint: remember that in a FAT, every file has a clearly identifiable end.
5. The first directory entries are special and easily identifiable – the first in more than one way.
6. You can easily test your program on known content by using the script from the FAT lab.
Getting Going: basic FAT16 code

import sys
import struct


class FAT:
    def getSector(self, sector: int) -> bytes:
        # Read one whole sector from the image file
        self.fatFile.seek(sector * self.BytsPerSec)
        return self.fatFile.read(self.BytsPerSec)

    def __init__(self, imageFileName: str) -> None:
        self.fatFile = open(imageFileName, 'rb')
        self.BytsPerSec = 512  # We assume 512 bytes until we know better
        block0 = self.getSector(0)
        # Read metadata from first sector
        #
        # Unpack filesystem metadata (the BPB occupies the first 40 bytes)
        #
        self.jmpBoot, self.OemName, self.BytsPerSec, self.SecPerClus, \
            self.ResvdSecCnt, self.NumFATs, self.RootEntCnt, \
            self.TotSec16, self.Media, self.FATSz16, self.SecPerTrk, \
            self.NumHeads, self.HiddSec, self.TotSec32, self.FATSz32 = \
            struct.unpack('<3s8sHBHBHHBHHHLLL', block0[:40])
        #
        # Calculate some useful values -- see Microsoft whitepaper
        #
        self.RootDirSectors = int((self.RootEntCnt * 32 + self.BytsPerSec - 1) /
                                  self.BytsPerSec)
        self.FirstDataSector = self.ResvdSecCnt + \
            (self.NumFATs * self.FATSz16) + self.RootDirSectors
        self.DataSec = self.TotSec16 - (self.ResvdSecCnt +
                                        (self.NumFATs * self.FATSz16) +
                                        self.RootDirSectors)
        self.CountOfClusters = int(self.DataSec / self.SecPerClus)
        self.FATStart = self.ResvdSecCnt  # 23 sectors; and 1st root sector is:
        self.RootDirStart = self.ResvdSecCnt + self.NumFATs * self.FATSz16

    def __str__(self) -> str:
        return (f'\n{self.BytsPerSec=} bytes\n{self.SecPerClus=} sectors\n'
                f'{self.ResvdSecCnt=} sectors\n{self.NumFATs=}\n'
                f'{self.RootEntCnt=} entries\n{self.TotSec16=} sectors\n'
                f'{self.FATSz16=} sectors\n{self.HiddSec=} sectors\n\n')

    def close(self) -> None:
        self.fatFile.close()
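As an added example (not the brief's or the module author's own code), the sketch below applies the same 40-byte BPB unpack to a constructed in-memory image and then walks FAT16 cluster chains, stopping at the end-of-chain mark that hint 4 refers to and also on the loops and out-of-range entries a corrupted FAT can contain. All function names and the sample image are assumptions of mine; the image is far too small to be a genuine FAT16 volume and only exercises the arithmetic.

```python
import struct

# Same boot-sector layout the sample FAT class unpacks (first 40 bytes of sector 0)
BPB_FMT = '<3s8sHBHBHHBHHHLLL'
BPB_FIELDS = ('jmpBoot', 'OemName', 'BytsPerSec', 'SecPerClus', 'ResvdSecCnt',
              'NumFATs', 'RootEntCnt', 'TotSec16', 'Media', 'FATSz16',
              'SecPerTrk', 'NumHeads', 'HiddSec', 'TotSec32', 'FATSz32')

def parse_bpb(block0: bytes) -> dict:
    """Unpack the BPB and derive the layout values from the Microsoft FAT spec."""
    bpb = dict(zip(BPB_FIELDS, struct.unpack(BPB_FMT, block0[:40])))
    bps = bpb['BytsPerSec']
    bpb['RootDirSectors'] = (bpb['RootEntCnt'] * 32 + bps - 1) // bps
    bpb['FirstDataSector'] = (bpb['ResvdSecCnt'] + bpb['NumFATs'] * bpb['FATSz16']
                              + bpb['RootDirSectors'])
    tot_sec = bpb['TotSec16'] or bpb['TotSec32']   # TotSec16 is 0 on large volumes
    bpb['CountOfClusters'] = (tot_sec - bpb['FirstDataSector']) // bpb['SecPerClus']
    return bpb

def cluster_to_sector(bpb: dict, cluster: int) -> int:
    """Data clusters are numbered from 2; cluster 2 begins at FirstDataSector."""
    return bpb['FirstDataSector'] + (cluster - 2) * bpb['SecPerClus']

def follow_chain(fat: bytes, start: int, count_of_clusters: int) -> tuple:
    """Walk a FAT16 chain from 'start'. Returns (clusters, ended_cleanly), where
    ended_cleanly is True only if an end-of-chain mark (>= 0xFFF8) was reached.
    A corrupt FAT can hold loops or out-of-range entries, so those stop the walk."""
    chain, seen, cur = [], set(), start
    while 2 <= cur <= count_of_clusters + 1 and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = struct.unpack_from('<H', fat, cur * 2)[0]   # one 16-bit entry per cluster
        if cur >= 0xFFF8:
            return chain, True
    return chain, False

def build_sample_image() -> bytes:
    """Constructed test image (not a real volume): 512-byte sectors, 1 sector per
    cluster, 1 reserved sector, one 1-sector FAT, 16 root entries, 8 sectors in total."""
    boot = struct.pack(BPB_FMT, b'\xEB\x3C\x90', b'MSWIN4.1', 512, 1, 1, 1, 16, 8,
                       0xF8, 1, 1, 1, 0, 0, 0).ljust(510, b'\0') + b'\x55\xAA'
    fat = bytearray(512)
    # Cluster 2 -> 3 -> EOC is a healthy two-cluster file; 4 <-> 5 is a corrupt loop
    for n, v in {0: 0xFFF8, 1: 0xFFFF, 2: 3, 3: 0xFFFF, 4: 5, 5: 4}.items():
        struct.pack_into('<H', fat, n * 2, v)
    return boot + bytes(fat)
```

Calling `follow_chain(build_sample_image()[512:1024], 2, 5)` returns the clean chain `([2, 3], True)`, while starting at cluster 4 returns `([4, 5], False)`, flagging the loop rather than spinning forever.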
Learning Outcome Mapping (As Required by the External Certification Bodies)

Subject Specific Learning Outcomes: Knowledge, Understanding and Skills

Outcome | Covered
Demonstrate an understanding of the process involved in effective digital forensic investigations, including procedures relating to first response, appropriate evidence handling and presentation. | X
Explain and discuss the legal aspects surrounding digital forensics, and the role forensics has to play in the digital age | X
Apply a range of modern tools and methods for gathering and investigating digital evidence. | X
Apply strategies for recovery of deleted, corrupted or hidden information from a range of storage devices and technologies. | X
Demonstrate awareness and critical analysis of the latest technologies, methods and other issues in the digital forensics landscape. | X

How is it covered: Paperwork and report. Identification of mode of corruption and what, if anything, might be recovered. Recovery of data from corrupt filesystem.

General Learning Outcomes: Knowledge, Understanding and Skills

Outcome | Covered
Reason critically |
Apply relevant theoretical concepts | X
Identify and solve problems, both individually and working in groups and formulate appropriate methods for troubleshooting. |
Demonstrate and exercise independence of mind and thought. | X
Evaluate research and different types of information & evidence arguments critically. | X
Synthesise and select appropriate information from a number of sources. | X
Structure and communicate ideas effectively in writing | X
Plan, undertake and report on an individual piece of research-based work. | X

How is it covered: Demonstrate in-depth understanding of file-systems, understand what has been done to corrupt filesystem by investigation, develop and execute strategies to recover data, and produce summary report.
Assessment question summary table (As required by the External Certification Bodies)

Question Number | Question type (K: Knowledge, C: Comprehension, A: Application) | Assigned marks/out of total marks per Q
Q1 | K, C, A | 100%