Reference no: EM133438288
Question 1: a) Using an appropriate data source, perform a data carve against JPEG, HTML and Office files and present the results. Provide screenshot evidence of the outputs. b) Explain why files are not always correctly or fully carved.
Question 2: a) Using the NIST Information Leakage case, what are the following values of the PC image? In each case, provide a short definition of what these terms are. a) Sector size b) Cluster size c) Sectors per cluster d) Total image size e) Does the system use an MBR or GPT? In each case, provide a screenshot to evidence how you obtained these values. b) If the number of sectors per cluster were very high, explain what this might mean for an investigator.
Question 3: a) Take a single MFT entry (from any case) and provide a detailed breakdown of the fields and what the values indicate. Please provide a screenshot of the MFT entry with appropriate highlighting to indicate the fields. b) Describe the key differences in an MFT entry describing a directory versus an MFT entry describing a file.
Question 4: a) The COMP5004 case contains several encrypted files and a SAM. Establish all key passwords within the case (associated to both user accounts and files). Please include a screenshot(s) to evidence the results. b) Please detail the process undertaken and explain why passwords have been recovered and not recovered (as appropriate).
COMP5004 Digital Forensics & Malware Analysis
Question 5: a) Using an appropriate tool, perform steganography using an appropriate carrier and hidden data. How much hidden data can be included? Explain your choice of both and present screenshots to evidence the process. b) Investigate through experimentation how robust the steganography tool is (i.e. can the hidden data be recovered after a file format change). Are other tools better at achieving robustness?