Disk Forensics Assignment
To complete this part of the assignment you need to download a disk image from
the following link:
https://drive.google.com/file/d/1tgC-6pSsYgfM40jkGJQCutntqi5ZufWw/view?usp=s
haring
The SHA256 hash of the disk image is:
08c5b9429c1a02cdab86c5710bdae64fab20d47f4e678c12ce1b720e19edfed9
Check the hash of the image to make sure you have the right disk image as all the
answers are relevant to the image associated with this question set. Also to verify
that your downloaded image is not corrupted. To check the hash of the disk image,
either use Linux openssl command or download CyberChef and use the local copy to
generate the hash of the image.
Important Note: Various parts of the forensics disk images are randomised. Any
name similarity is coincidental. The news web sites, and pictures downloaded are
similar to a user browsing the Internet. As part of the process a fake crime related
web site was created with minimal keywords and no actual criminal artefacts. To
identify forensically interesting artefacts tags are used. If any of this, however, raises
any issues for you due to your personal circumstances please do not hesitate to
contact Monash University Counselling Service.
User and Registry Information
The provided disk image contains the profile folder of a user.
The Windows Registry files are exported and stored under the
[root]\Users\[username]\Registry directory in the provided disk image. Use
appropriate Registry file to answer the following questions.
Answer the following questions for this user.
1. What is the user name (the user account name) [1 Mark(s)]:
Answer 1 Question 1
2. What is the complete SID of the user (e.g.
S-1-5-21-1234567890-1234567890-1234567890-2021)[2 Mark(s)]:
Answer 2 Question 1
3. What is the fullname of the user, enter Firstname space Lastname [2 Mark(s)]:Answer 3 Question 1
4. When the user account is created [2 Mark(s)]:
Multiple choice 1 Question 1
2021-09-03 11:03:22Z
2021-09-04 19:04:37Z
2021-09-03 18:02:44Z
2021-09-05 05:55:56Z
2021-09-05 13:40:17Z
2021-09-04 22:12:38Z
2021-09-04 07:58:04Z
2021-09-03 17:33:28Z
5. What is the user's last login timestamp [2 Mark(s)]:
Multiple choice 2 Question 1
2021-09-04 17:41:20Z
2021-09-04 22:31:22Z
2021-09-04 00:39:11Z
2021-09-05 16:33:41Z
2021-09-04 11:29:37Z
2021-09-05 19:08:35Z
2021-09-04 14:34:29Z
2021-09-03 08:49:12Z
6. Select the machine's timezone [2 Mark(s)]:
Multiple choice 3 Question 1
Tasmania Standard Time
Montevideo Standard Time
UTC-08
Easter Island Standard Time
Greenland Standard Time
Sao Tome Standard Time
Central European Standard Time
Yukon Standard Time
Myanmar Standard Time
Magallanes Standard Time
China Standard Time
Volgograd Standard Time
Ekaterinburg Standard Time
Argentina Standard Time
E. Australia Standard Time
Singapore Standard Time
7. What is the most recent IP address of the machine received from a DHCP server [2
Mark(s)]:
Answer 4 Question 1This may be useful in corporate environment or when using public wireless network
to assist in network forensics.
8. What is the name of the most recent document the user has opened [2 Mark(s)]:
Answer 5 Question 1
Evidence Items
Perform disk-based forensics on the provided disk image and answer the following
questions related to individual evidence items. Each evidence item has a 16 digit hex
flag to identify it as relevant to the case. Answer the questions relevent to each item
after you have discovered and identified that item using its flag.
Item 1
This artefact is a picture. The picture is tagged with a 16 digit hex value. You need to
visually inspect the picture to see this hex value.
1. Select the flag of the artefact in the following list [3 Mark(s)]:
Multiple choice 4 Question 1
E78918630E75FA04
0868FF761FC77A59
1ECC688C30653645
D863759A0A46B349
353E9B07A3851232
37A59F816104741F
FDCBF0A3C16A6EAC
63B44ACF2BF1E6F1
7FD62E9176507F02
C4838078C1732E33
83CB5848C9DB4428
9A629E4AC9F99923
EF8624FFAA084365
1A005EA78AAB0CD8
1D3222B44464E5D4
7BBF466571124CF7
2. MD5 Hash of this artefact [2 Mark(s)]:
Answer 6 Question 1
3. SHA1 Hash of this artefact [2 Mark(s)]:
Answer 7 Question 14. GPS Coordinates recorded in exif metadata of the artefact (only type in numerical
values for Degrees, Minutes, and Seconds without any symbols):
Latitude
Longitude
Reference
Answer 8 Question 1
SouthNorth[1 Mark(s)]
Answer 9 Question 1
EastWest [1 Mark(s)]
Degrees
Answer 10 Question 1
[1 Mark(s)]
Answer 11 Question 1
[1 Mark(s)]
Minutes
Answer 12 Question 1
[1 Mark(s)]
Answer 13 Question 1
[1 Mark(s)]
Seconds (up to 2 decimal
points)
Answer 14 Question 1
[1 Mark(s)]
Answer 15 Question 1
[1 Mark(s)]
5. Using the GPS coordinate in previous question identify and select the city from the
following list [1 Mark(s)]:
Multiple choice 5 Question 1
canberra
melbourne
bogota
rome
new delhi
tunis
amsterdam
jakarta
6. Using the exif metadata, what is the Modify Date (a different field from File
Modification Date) of the artefact[1 Mark(s)]
Multiple choice 6 Question 1
2017:01:11 15:50:38
2018:05:07 06:05:57
2020:09:17 21:42:54
2020:05:09 22:35:18
2014:04:09 17:51:11
2017:04:03 19:13:58
2014:03:22 16:10:59
2019:08:23 17:36:04
Item 2
This artefact is a video tagged with a 16 digit hex value. You need to watch this video
in order to notice the tag which appears some time during the playback.1. Select the flag of the artefact in the following list [3 Mark(s)]:
Multiple choice 7 Question 1
08E88F613734D874
AB2F2F16389B26F6
35EAF85701914B25
6B9156A4961144C0
DF30CBD1D768DF9F
06255E469283ADF5
8E7490E17FF20BC9
1C09ABD84A9219E8
E9D68861E3807BFB
4238C9733F03C47A
A65DAD7CDCCACC58
7E5EE64FCD47B1C5
B6AFD8F75A0FD5BE
52E37633920C65AC
5B43311CCC656657
8E816EE1F8F866D9
2. MD5 Hash of this artefact [2 Mark(s)]:
Answer 16 Question 1
3. SHA1 Hash of this artefact [2 Mark(s)]:
Answer 17 Question 1
4. GPS Coordinates recorded in exif metadata of the artefact (only type in numerical
values for Degrees, Minutes, and Seconds without any symbols):
Latitude
Longitude
Reference
North or South:
Answer 18 Question 1
[1 Mark(s)]
East or West:
Answer 19 Question 1
[1 Mark(s)]
Degrees
Answer 20 Question 1
[1 Mark(s)]
Answer 21 Question 1
[1 Mark(s)]
Minutes
Answer 22 Question 1
[1 Mark(s)]
Answer 23 Question 1
[1 Mark(s)]
Seconds (up
to 2 decimal
points)
Answer 24 Question 1
[1 Mark(s)]
Answer 25 Question 1
[1 Mark(s)]
5. Using the GPS coordinate in previous question identify and select the city from the
following list [1 Mark(s)]:Multiple choice 8 Question 1
tehran
istanbul
darwin
toronto
marseille
los angeles
madrid
kuala lumpur
Item 3
This artefact is a text file.
This task was not supposed to be this easy, but things sometimes don't work out the
way you anticipate, so don't tell me I didn't do anything to help you out :), here are
some easy to get marks, enjoy, Sepehr.
1. Select the flag of the artefact in the following list [2 Mark(s)]:
Multiple choice 9 Question 1
83878562C634EF8F
0D3BDE3C20719AA5
1679348DE720F7C1
CF3689867E32A24D
1AA95020C2665FD8
33AEC58C703A9681
D483A1EA5CD3BD5E
04F9B94F44FF8BF3
DE7D8F86FD32C4E2
6C923405CFBA54FE
AD8A84C9C4CC7FC3
D0F5DE6148D6A3E8
E84DBF6D07DD768B
C624DB59A14140DE
3D1CBEC151EE0746
7535CBBB0A8AFB38
2. MD5 Hash of this artefact [2 Mark(s)]:
Answer 26 Question 1
3. SHA1 Hash of this artefact [2 Mark(s)]:
Answer 27 Question 1
4. This artefact contains multiple credit cards information. Enter one of the credit
card numbers here [2 Mark(s)]:
Answer 28 Question 15. Select the bank, issuing network (brand), and country of the identified credit cards
in the pervious step. You may use web sites such as
https://payspacemagazine.com/bin-card/, or
https://www.bincodes.com/bin-checker/ or others to check for the bank information
of a credit card. [1 Mark(s)].
Multiple choice 10 Question 1
CENTRAL BANK OF INDIA, MASTERCARD, INDIA
BANK OF GUANGZHOU, VISA, CHINA
AMP BANK, VISA, AUSTRALIA
BANCO POPULAR, VISA, COLOMBIA
BANK OF SYDNEY, VISA, AUSTRALIA
CITI BANK, VISA, UNITED STATES
COMMONWEALTH BANK, MASTERCARD, AUSTRALIA
AMEX BMW CARD, AMERICAN EXPRESS, GERMANY
SKANDIABANKEN, VISA, SWEDEN
Item 4
The user has visited a suspicious web site related to domestic violence. In addition
to FTK Forensics Toolkit you can also use Linux strings command to inspect and
identify this artefact. The web page content is tagged with a 16 hex digit value.
1. Select the flag of the artefact in the following list [2 Mark(s)]:
Multiple choice 11 Question 1
5445948FAA75907B
122E4956FAB8D04C
18CC0D404F9172D6
1DB83D2D55097191
E34948A0DBC8712C
4CF425A56762768D
4E31D3D90EE20638
97351B327FC5B652
4BF857A1233A2A4F
6DB376AAD23418B9
5268590967AFA4E8
1AF5A62971C57281
D18B4EDF0B1EF112
758A393CD3891F86
FD8E2F0D09AAF1DB
4992E55F8BD34F292. What is the url of this web site (excluding http/https, resource locators, and ending
forward slash e.g. www.crime-123.com) [2 Mark(s)]:
Answer 29 Question 1
3. What is the IP address of this web site [2 Mark(s)]:
Answer 30 Question 1
User Searches
The user has used a search engine and has made few searches.
1. Identify the name of the search engine that user has used [2 Mark(s)]:
Multiple choice 12 Question 1
Bing
Info
AOL
DuckDuckGo
Ecosia
Google
Yandex
Youtube
Excite
WebCrawler
Search
2. Identify one of user's searches from the following list [2 Mark(s)]:
Multiple choice 13 Question 1
make the perfect tea
what is gluten
is earth flat
chicken or egg
cold brew coffe
is smoking bad
how to remember things
can sun rise from west
One last thing
I saved this one for last as it may be difficult, not to discourage you from trying. I
have hidden some information in the slack space. I don't want to send you in a wild
goose chace hence the allocated marks may not be quite representative of the
effort. It may turn out to be an easy task though, who knows.
Good Luck
Sepehr
1. Enter the name of the tool that is used to hide information in the slack space (e.g.
MysterousTool.exe) [1 Mark(s)]:
Answer 31 Question 12. Enter the 16 hex digit flag of the hidden information [2 Mark(s)]:
Answer 32 Question 1