Lancaster University
Certified Degree in association with National Cyber Security Centre
2023-2024 ASSESSMENTS
Postgraduate - Masters Degree in Cyber Security
SCC.443 DIGITAL FORENSICS – Individual Programming Exercise
Recommended Completion Time: 24 Hours
Assessment Weighting: 40%

Academic Honesty and Integrity
Students at Lancaster University are part of an academic community that values trust, fairness and respect and actively encourages students to act with honesty and integrity. It is University policy that students take responsibility for their work and comply with the university's standards and requirements, found in the Manual of Academic Regulations and Practice. By submitting their answers students will be confirming that the work submitted is completely their own. Academic misconduct regulations are in place for all forms of assessment and students may familiarise themselves with these via the university website:
https://www.lancaster.ac.uk/academic-standards-and-quality/regulations-policies-and-committees/manual-of-academic-regulations-and-procedures/

Plagiarism
Plagiarism involves the unacknowledged use of someone else's work and passing it off as if it were one's own. This covers every form of submitted work, from written essays and video vignettes to coding exercises. Deliberate plagiarism with the intent to deceive and gain academic benefit is unacceptable: it is a conscious, pre-meditated form of cheating and is regarded as a serious breach of the core values of the University. More information may be found via the plagiarism framework website. All coursework is to be submitted electronically and will be run through our plagiarism detection mechanisms. Please ensure you are familiar with the University's plagiarism rules and if you are in any doubt please contact your module tutor.
https://www.lancaster.ac.uk/academic-standards-and-quality/regulations-policies-and-committees/principles-policies-and-guidelines/plagiarism-framework/

© 2024 Andrew Scott

General Guidance:
This is an individual exercise, which must be completed in the Python programming language. As this is a coding exercise, you must work independently of tools, existing filesystem libraries, and third-party code. Your code should not be specific to just one filesystem image and must generate the output you submit. Your solution should be generic and work with similar filesystem images. Your program must work on the SCC.443 mylab environment as this will be used for marking. You should submit one zip file containing your Python files and the required output. All submissions will be tested with the Python configuration used on the lab machines, so ensure your submission works as expected before submitting. No additional libraries will be installed to test submissions.

Assessment Details:
With the help of Miss Terry, head of terrys-digital.uk and heir to her late uncle's world-famous Chocolate Orange empire, new evidence has been found. A disk was found next to an employee's computer that appears to be corrupt. As part of the Acme-Forensics team responding to the incident, you have been given the task of trying to recover data from the partially wiped disk.

Marking Guidelines:
• 10% Quality of code, including commenting and code structure
• 10% Identifying form of corruption, as evidenced in summary report
• 10% Identification of number of files on disk; should be stated in summary report
• 20% Producing directory of correctly recovered files
   ○ The directory must be named RecoveredFiles and submitted in your zip file
   ○ Recovered files must be named FILE0001.BIN, FILE0002.BIN etc.
   ○ These files will almost certainly have incorrect lengths as each will be a whole number of clusters, but should otherwise be correct
   ○ Files must be recovered without making assumptions about the filesystem layout, e.g., assuming that adjacent blocks will be part of the same file is not enough
• 5% Trimming files to correct lengths
   ○ Trimmed files must be named FILE0001.TXT, FILE0002.TXT etc.
   ○ These files must be stored along with the .BIN files in the RecoveredFiles directory
• 15% Identifying which, if any, of the recovered files are in fact directories
   ○ A listing of these directories and the files they contain must be added to the zip file
   ○ Correctly named copies of these files must be in a GoodFiles directory in your zip
   ○ These files must have the correct length as given in the directory
• 10% Identifying unlinked files, i.e., those not part of a recovered directory
   ○ Corresponding .BIN and .TXT files must be in a directory named Unlinked in the zip
• 5% Submission of paperwork (completed as necessary), submitted in your zip file
• 5% Identification of any files of forensic interest
• 10% Properly structured and well-formatted forensics report (a PDF in the zip)
   ○ 1 page summary of findings

Submission
Your submitted zip file should contain the following content: six top-level directories, as follows.
• Python files
   ○ Code to complete exercise, including sub-directories if required
   ○ Brief text file with essential instructions on how to operate your program to produce all expected output. This should be complete but not contain unnecessary detail – this is not intended to be full user documentation.
• Report
   ○ Associated paperwork, completed as necessary (PDF format)
   ○ PDF copy of your summary report – maximum 1 page
      - Describe form of corruption seen in filesystem
      - This must identify number of files and directories found
• RecoveredFiles
   ○ Recovered .BIN and trimmed .TXT files, named as described above
• GoodFiles
   ○ A single file called listing.txt
      - List of directories and the files they contain
   ○ Files identified from recovered directories with their correct names and lengths
• Unlinked
   ○ Any files not appearing in identified directories - .BIN and .TXT files
• Evidence
   ○ A copy of any files of particular forensic interest

Making a Start
Overleaf you will find sample code that implements a basic FAT16 class that can be called as follows:

    fat = FAT('fat16.img')
    print(fat)
    fat.close()

Note that this only handles FAT16, i.e., volumes with 4085 to 65524 clusters, which should be fine for what you are doing. That said, make sure you are testing your code with FAT16 images – the script from the FAT lab will always create a FAT16 filesystem.

Hints
1. You must not make assumptions about the filesystem layout; however, there is no need to fully decode everything... you are trying to find and reconstruct files, and then check whether they are regular files or directories. If you are going much beyond this and just dumping blocks/clusters to your H-drive, you may be overthinking what is expected.
2. You are not required to handle long filenames; you can safely stick to the main 8.3 entries.
3. While the level of corruption is significant, the problem should be easily identifiable if you followed and understood the FAT lab. The hex dump utility can be useful for spotting issues.
4. Big hint: remember that in a FAT, every file has a clearly identifiable end.
5. The first directory entries are special and easily identifiable – the first in more than one way.
6. You can easily test your program on known content by using the script from the FAT lab.
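Worked example of the techniques the hints point at (added here for illustration; it is not part of the original brief nor the module's sample code): every chain head is found from the FAT alone, each chain is followed to its end-of-chain marker (0xFFF8 to 0xFFFF on FAT16), a recovered cluster run is recognised as a subdirectory from its leading '.' and '..' entries, files are trimmed to the size recorded in the directory entry that names them, and chains that no live entry refers to are reported as unlinked. The image it runs on is constructed inside the code and is far smaller than a real FAT16 volume; its names, sizes and cluster numbers are made up for the example. The chain walker also stops on loops and out-of-range pointers, which is what a damaged FAT produces, instead of running forever. It does not identify the form of corruption in the assessment image; that remains the exercise.

```python
import struct

# Constructed toy volume (built here for this example, not taken from the brief): FAT16 layout, but far
# smaller than a real FAT16 volume (4085..65524 clusters); the parser reads 16-bit FAT entries regardless.
BPS, SPC, RSVD, NFATS, ROOTENT, FATSZ, NCLUS = 512, 1, 1, 1, 16, 1, 16
ROOT_SECS = (ROOTENT * 32 + BPS - 1) // BPS
TOTSEC = RSVD + NFATS * FATSZ + ROOT_SECS + NCLUS
ATTR_VOL, ATTR_DIR, ATTR_LFN = 0x08, 0x10, 0x0F
EOC_MIN, BAD = 0xFFF8, 0xFFF7                  # FAT16: 0xFFF8..0xFFFF marks end of chain, 0xFFF7 a bad cluster
BPB_FMT = '<3s8sHBHBHHBHHHLLL'                 # same field order as the sample FAT class in this brief

def entry(raw11: bytes, attr: int, first_cluster: int, size: int) -> bytes:
    return struct.pack('<11sBBBHHHHHHHL', raw11, attr, 0, 0, 0, 0, 0, 0, 0, 0, first_cluster, size)

def build_image() -> bytes:
    img = bytearray(TOTSEC * BPS)
    img[0:40] = struct.pack(BPB_FMT, b'\xEB\x3C\x90', b'MSWIN4.1', BPS, SPC, RSVD, NFATS, ROOTENT, TOTSEC, 0xF8, FATSZ, 1, 1, 0, 0, 0)
    # chains: 2->3->5 is HELLO.TXT (deliberately non-adjacent), 4 the DOCS directory, 6->7 DOCS/NOTES.TXT, 8->9 an orphan
    fat = {0: 0xFFF8, 1: 0xFFFF, 2: 3, 3: 5, 5: 0xFFFF, 4: 0xFFFF, 6: 7, 7: 0xFFFF, 8: 9, 9: 0xFFFF}
    img[RSVD * BPS:RSVD * BPS + 2 * (NCLUS + 2)] = struct.pack('<%dH' % (NCLUS + 2), *(fat.get(i, 0) for i in range(NCLUS + 2)))
    root_off = (RSVD + NFATS * FATSZ) * BPS
    root = entry(b'EVIDENCE   ', ATTR_VOL, 0, 0) + entry(b'HELLO   TXT', 0x20, 2, 1100) \
         + entry(b'DOCS       ', ATTR_DIR, 4, 0)
    img[root_off:root_off + len(root)] = root
    data_off = root_off + ROOT_SECS * BPS
    def put(cluster: int, payload: bytes) -> None:
        off = data_off + (cluster - 2) * SPC * BPS
        img[off:off + len(payload)] = payload
    put(2, b'A' * 512); put(3, b'A' * 512); put(5, b'A' * 76)          # HELLO.TXT: 1100 bytes over 3 clusters
    put(4, entry(b'.          ', ATTR_DIR, 4, 0) + entry(b'..         ', ATTR_DIR, 0, 0)
           + entry(b'NOTES   TXT', 0x20, 6, 700))
    put(6, b'N' * 512); put(7, b'N' * 188)                            # NOTES.TXT: 700 bytes over 2 clusters
    put(8, b'orphan' * 85); put(9, b'!' * 40)                         # 550 bytes whose length nothing on the volume records
    return bytes(img)

def parse_dir(data: bytes) -> list:
    # 8.3 entries only (LFN entries skipped, as the brief allows); deleted entries are kept and flagged
    entries = []
    for off in range(0, len(data) - 31, 32):
        raw = data[off:off + 32]
        if raw[0] == 0: break                       # free entry: nothing is allocated beyond this point
        if raw[11] == ATTR_LFN: continue
        base, ext = (raw[i:j].rstrip().decode('ascii', 'replace') for i, j in ((0, 8), (8, 11)))
        hi, _, _, lo, size = struct.unpack_from('<HHHHL', raw, 20)   # FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize
        entries.append({'name': base + ('.' + ext if ext else ''), 'attr': raw[11],
                        'cluster': (hi << 16) | lo, 'size': size, 'deleted': raw[0] == 0xE5})
    return entries

def looks_like_directory(data: bytes) -> bool:
    e = parse_dir(data[:64])                        # a subdirectory always opens with '.' and '..'
    return [x['name'] for x in e] == ['.', '..'] and all(x['attr'] & ATTR_DIR for x in e)

class Volume:
    def __init__(self, img: bytes) -> None:
        f = struct.unpack(BPB_FMT, img[:40])
        bps, self.spc, rsvd, nfats, rootent, fatsz, totsec = f[2], f[3], f[4], f[5], f[6], f[9], f[7] or f[13]
        root_secs = (rootent * 32 + bps - 1) // bps     # totsec falls back to TotSec32 when TotSec16 is zero
        self.clus_bytes = self.spc * bps
        self.root_off = (rsvd + nfats * fatsz) * bps
        self.data_off = self.root_off + root_secs * bps
        self.nclusters = (totsec - (rsvd + nfats * fatsz + root_secs)) // self.spc
        n = self.nclusters + 2                      # entries 0 and 1 are reserved; data starts at cluster 2
        self.fat = list(struct.unpack('<%dH' % n, img[rsvd * bps:rsvd * bps + 2 * n]))

    def chain(self, head: int) -> tuple:
        # follow a chain to its EOC marker, stopping on a loop or an out-of-range pointer
        out, seen, c = [], set(), head
        while c not in seen:
            seen.add(c); out.append(c)
            nxt = self.fat[c]
            if nxt >= EOC_MIN: return out, 'eoc'
            if not 2 <= nxt <= self.nclusters + 1: return out, 'broken'   # 0 (free), 0xFFF7 (bad) and garbage land here
            c = nxt
        return out, 'loop'

    def chain_heads(self) -> list:
        # allocated clusters no FAT entry points at: every chain's first cluster, found from the FAT alone
        pointed = {v for v in self.fat[2:] if 2 <= v <= self.nclusters + 1}
        return [c for c in range(2, self.nclusters + 2) if self.fat[c] not in (0, BAD) and c not in pointed]

def recover(img: bytes) -> dict:
    v, recovered = Volume(img), {}
    for i, head in enumerate(v.chain_heads(), 1):   # FILE0001.BIN, FILE0002.BIN, ... in cluster order
        clusters, status = v.chain(head)
        recovered[f'FILE{i:04d}.BIN'] = {'head': head, 'clusters': clusters, 'status': status,
            'raw': b''.join(img[v.data_off + (c - 2) * v.clus_bytes:v.data_off + (c - 1) * v.clus_bytes] for c in clusters)}
    dirs = {'ROOT': parse_dir(img[v.root_off:v.data_off])}   # the root directory is a fixed region, not a chain
    dirs.update((k, parse_dir(r['raw'])) for k, r in recovered.items() if looks_like_directory(r['raw']))
    by_cluster = {e['cluster']: e for d in dirs.values() for e in d
                  if not e['deleted'] and not e['attr'] & ATTR_VOL and e['name'] not in ('.', '..')}
    good, dir_names, unlinked = {}, {}, []
    for k, r in recovered.items():
        e = by_cluster.get(r['head'])
        if e is None: unlinked.append(k)                       # no live directory entry names this chain
        elif e['attr'] & ATTR_DIR: dir_names[k] = e['name']    # directory entries record size 0, so never trim them
        else: good[e['name']] = r['raw'][:e['size']]           # the entry's size field gives the trimmed length
    return {'recovered': recovered, 'directories': dirs, 'dir_names': dir_names, 'good': good, 'unlinked': unlinked}
```

To run it against a real image, pass the bytes of the .img file to recover() instead of build_image(); each entry of the returned 'recovered' dictionary is one FILE000n.BIN, 'good' holds the trimmed, correctly named files, and 'unlinked' the chains no directory describes. Finding heads this way depends on the FAT being intact: a loop in the FAT hides the head of the chain it sits in, which is why the chain walker reports 'loop' and 'broken' separately rather than silently truncating.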
Getting Going: basic FAT16 code

    import sys
    import struct

    class FAT:
        def getSector(self, sector: int) -> bytes:
            self.fatFile.seek(sector * self.BytsPerSec)
            return self.fatFile.read(self.BytsPerSec)

        def __init__(self, imageFileName: str) -> None:
            self.fatFile = open(imageFileName, 'rb')
            self.BytsPerSec = 512                 # We assume 512 bytes until we know better
            block0 = self.getSector(0)            # Read metadata from first sector
            # Unpack filesystem metadata (the first 40 bytes of the boot sector / BPB)
            self.jmpBoot, self.OemName, self.BytsPerSec, self.SecPerClus, \
            self.ResvdSecCnt, self.NumFATs, self.RootEntCnt, \
            self.TotSec16, self.Media, self.FATSz16, self.SecPerTrk, \
            self.NumHeads, self.HiddSec, self.TotSec32, self.FATSz32 = \
                struct.unpack('<3s8sHBHBHHBHHHLLL', block0[:40])
            # Calculate some useful values -- See Microsoft Whitepaper
            self.RootDirSectors = int((self.RootEntCnt * 32 + (self.BytsPerSec - 1)) / self.BytsPerSec)
            self.FirstDataSector = self.ResvdSecCnt + (self.NumFATs * self.FATSz16) + self.RootDirSectors
            # TotSec16 is zero on volumes whose sector count is held in TotSec32
            totSec = self.TotSec16 if self.TotSec16 != 0 else self.TotSec32
            self.DataSec = totSec - (self.ResvdSecCnt + (self.NumFATs * self.FATSz16) + self.RootDirSectors)
            self.CountOfClusters = int(self.DataSec / self.SecPerClus)
            self.FATStart = self.ResvdSecCnt      # in sectors; and the 1st root directory sector is:
            self.RootDirStart = self.ResvdSecCnt + self.NumFATs * self.FATSz16

        def __str__(self) -> str:
            return (f'\n{self.BytsPerSec=} bytes\n{self.SecPerClus=} sectors\n'
                    f'{self.ResvdSecCnt=} sectors\n{self.NumFATs=}\n{self.RootEntCnt=} entries\n'
                    f'{self.TotSec16=} sectors\n{self.FATSz16=} sectors\n{self.HiddSec=} sectors\n\n')

        def close(self) -> None:
            self.fatFile.close()

Learning Outcome Mapping (As Required by the External Certification Bodies)

Subject Specific Learning Outcomes: Knowledge, Understanding and Skills

Outcome | Covered | How is it covered
Demonstrate an understanding of the process involved in effective digital forensic investigations, including procedures relating to first response, appropriate evidence handling and presentation. | X | Paperwork and report
Explain and discuss the legal aspects surrounding digital forensics, and the role forensics has to play in the digital age. | X |
Apply a range of modern tools and methods for gathering and investigating digital evidence. | X | Identification of mode of corruption and what, if anything, might be recovered.
Apply strategies for recovery of deleted, corrupted or hidden information from a range of storage devices and technologies. | X | Recovery of data from corrupt filesystem
Demonstrate awareness and critical analysis of the latest technologies, methods and other issues in the digital forensics landscape. | X |

General Learning Outcomes: Knowledge, Understanding and Skills

Outcome | Covered
Reason critically |
Apply relevant theoretical concepts | X
Identify and solve problems, both individually and working in groups, and formulate appropriate methods for troubleshooting. |
Demonstrate and exercise independence of mind and thought. | X
Evaluate research and different types of information & evidence arguments critically. | X
Synthesise and select appropriate information from a number of sources. | X
Structure and communicate ideas effectively in writing. | X
Plan, undertake and report on an individual piece of research-based work. | X

How is it covered: Demonstrate in-depth understanding of file-systems, understand what has been done to corrupt the filesystem by investigation, develop and execute strategies to recover data, and produce a summary report.
Assessment question summary table (As required by the External Certification Bodies)

Question Number | Question type (K: Knowledge, C: Comprehension, A: Application) | Assigned marks / out of total marks per Q
Q1 | K, C, A | 100%