Subject: CSE3CFN and CSE5CFN
Submission deadline: 15th of May, 2022
Total Mark: 30
Word Limit: 2000 words (+/- 10%)
Instructions for Assignment:
Your report must include:
- Evidence description.
- Standard procedure (example: collection steps, imaging, chain of custody, etc)
- Examination of NTFS file structure (include tables for NTFS file system, description of each item)
- In detail explanation of $MFT file record findings (include table showing all the attribute values and data run)
Question 1 (20% of the total mark of 30)
You are a digital forensic examiner. Your task is to process and perform a forensically sound acquisition of the following USB drive:
The SD card is formatted with FAT 32 file system.
- Describe your steps in details, including specific forensic equipment, hardware and software that you will use, to complete forensic acquisition of the USB device and create a forensic image.
- How would you examine the file system?
Question 2 (30% of the total mark of 30)
The following is a MBR snapshots. Find the following information for each partition (
- Find Boot indicator bits
- First sector number
- Total Number of Sectors
- If sector size is 512 bytes, what is the size of each partition.
Question 3 (50% of the total mark of 30)
Please examine the $MFT FILE Record below and report on its content.
Hints: Read chapter 5 of the textbook and week 6 lecture slides to prepare for your response. You can also look into week 8 lecture slides for the sample structure of your report.
For conversion you can use DCode software (https://www.digital-detective.net/dcode/)
You answers need to include the detail description of different Attributes (e.g., x10, x30, x80 etc) and their corresponding values.
You are expected to work on this assignment independently and MUST NOT DISCUSS IT WITH ANYONE.