Bahria University, Islamabad Campus

Department of Computer Sciences


Final Term Examination
(Fall 2020 Semester)
Paper Type: Descriptive

Course: Computer and Network Forensics Date: 07/12/2020


Course Code: ISC 737 Time: 1800-1930hrs

Faculty’s Name: AP Waseem Iqbal Max Marks: 30


Time Allowed: 90 Mins Total Pages: 2 (including this)
INSTRUCTIONS:
I. Understanding the question is part of examination
II. If you have any query, mention it on answer sheet and continue with your logics

Student’s Name: _____________________________ Enroll No: 01-245191-010

Question No 1
a) Decode MBR printed on back of question sheet?

b) Decode starting and ending addresses of partitions using CHS to LBA decoding scheme. (10)

Partition 1:

(Starting sector)
Head = 02 = 00000010 = 2
Sector = 03 = 0000 0011 = 3
Cylinder = 00 = 00000000 = 0

LBA (starting sector) = (c x hpc + h) x spt + (s - 1) = (0 x 255 + 2) x 63 + (3 - 1)
= 128

(Ending sector)
Head = 00 = 00000000 = 0
Sector = 0D = 00100111 = 13
Cylinder = 33 = 00011001 = 51

LBA (ending sector) = (c x hpc + h) x spt + (s - 1) = (51 x 255 + 0) x 63 + (13 - 1)
= 819327
Size of the partition = Ending sector – Starting sector + 1 = 819327 – 128 + 1
= 819200 sectors
= 819200 x 512 / (1024 x 1024)
= 400 MB

Partition type = 07 = NTFS

Partition 2:

(Starting sector)
Head = 00 = 00011111 = 0
Sector = 0E = 00011010 = 14
Cylinder = 33 = 01001010 = 51
Shortcut: p.2 ending + 1 = p.3 starting
= 819327 + 1 = 819328

(Ending sector)
Head = 1E = 00111110 = 30
Sector = 05 = 00100101 = 5
Cylinder = 59 = 01011001 = 89
LBA (ending sector) = (c x hpc + h) x spt + (s - 1) = (89 x 255 + 30) x 63 + (5 - 1)
= 1431679
Size of the partition = Ending sector – Starting sector + 1 = 1431679 – 819328 + 1
= 612351 sectors
= 612351 x 512 / (1024 x 1024)
= 299 MB

Partition 03
00 Bootable: False.
01 Beginning sector head number: 1
16 Beginning sector: 22
AC Beginning cylinder#: 172
0B System indicator: N/K
C0 Ending sector head number: 192
08 Ending sector: 8
B8 Ending cylinder#: 184
80000000 Number of sectors preceding the partition: 128
00200300 Number of sectors in the partition: 204800

Partition 04
00 Bootable: False.
03 Beginning sector head number: 3
25 Beginning sector: 37
DF Beginning cylinder#: 223
06 System indicator: BigDOS FAT16
62 Ending sector head number: 98
3D Ending sector: 61
E5 Ending cylinder#: 229
80000000 Number of sectors preceding the partition: 128
00900100 Number of sectors in the partition: 102400

Partition 05
00 Bootable: False.
65 Beginning sector head number: 101
0D Beginning sector: 13
F8 Beginning cylinder#: 248
05 System indicator: N/K
A2 Ending sector head number: 162
5E Ending sector: 94
04 Ending cylinder#: 4
00CB2000 Number of sectors preceding the partition: 2149120
80F80200 Number of sectors in the partition: 194688
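
The field-by-field decoding above, as an added example that is not part of the original answer sheet: a Python parser for one 16-byte MBR partition-table entry that applies the page's CHS-to-LBA formula. The first sample entry is constructed from the Partition 1 values worked out above, the second uses the Partition 03 bytes as listed; the 255 x 63 geometry and all function names are assumptions of this example.

```python
import struct

HPC, SPT = 255, 63  # assumed geometry, as used in the formula above

def unpack_chs(raw):
    """3-byte CHS tuple -> (cylinder, head, sector).
    Byte 1 holds the sector in bits 0-5 and cylinder bits 8-9 in bits 6-7."""
    head, sec_byte, cyl_low = raw
    return ((sec_byte & 0xC0) << 2) | cyl_low, head, sec_byte & 0x3F

def chs_to_lba(c, h, s, hpc=HPC, spt=SPT):
    """LBA = (c x hpc + h) x spt + (s - 1); sector numbers start at 1."""
    if not (0 <= h < hpc and 1 <= s <= spt):
        raise ValueError(f"CHS ({c}, {h}, {s}) does not fit {hpc} x {spt}")
    return (c * hpc + h) * spt + (s - 1)

def parse_entry(entry):
    """Decode one 16-byte MBR partition-table entry."""
    if len(entry) != 16:
        raise ValueError("a partition entry is exactly 16 bytes")
    # status, CHS start, type, CHS end, then two little-endian 32-bit fields
    boot, chs_s, ptype, chs_e, lba_start, count = struct.unpack("<B3sB3sII", entry)
    start, end = unpack_chs(chs_s), unpack_chs(chs_e)
    return {
        "bootable": boot == 0x80,
        "type": ptype,
        "chs_start": start,
        "chs_end": end,
        "chs_start_lba": chs_to_lba(*start),
        "chs_end_lba": chs_to_lba(*end),
        "lba_start": lba_start,
        "sectors": count,
        "size_mb": count * 512 / (1024 * 1024),
    }

# Constructed: CHS bytes and type of Partition 1, LBA fields 128 and 819200
ENTRY_P1 = bytes.fromhex("00 02 03 00 07 00 0D 33 80 00 00 00 00 80 0C 00")
# Bytes as listed under Partition 03
ENTRY_P3 = bytes.fromhex("00 01 16 AC 0B C0 08 B8 80 00 00 00 00 20 03 00")

if __name__ == "__main__":
    for name, raw in (("P1", ENTRY_P1), ("P3", ENTRY_P3)):
        print(name, parse_entry(raw))
```

Comparing `chs_start_lba` with `lba_start` gives a quick consistency check between an entry's CHS and LBA fields.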

c) Identify size of each partition using LBA decoding scheme.


Partition size of first table:
Partition 01 = 819200*512 = 400 Mb

Partition 02 = 509952*512 = 249 Mb

Partition 03 = 204800*512 = 100 Mb

Partition 04 = 102400*512 = 50 Mb

Partition 05 = 194688*512 = 95.06 Mb

d) Identify partition type(s). (2)

Partition 01 NTFS and Not Bootable

Partition 02 NTFS and Not Bootable

Partition 03 N/K and Not Bootable

Partition 04 BigDOS FAT16 and Not Bootable

Partition 05 N/K and Not Bootable

e) Total size of the hard disk using CHS decoding scheme. (Hint: use shortcut) (2)
Ans: 894 Mb

d) Identify partition type(s).


Partition 1: 07 NTFS; 0B DOS 32Bit FAT; 06 DOS16 bit FAT; 05 Extended Partition
Partition 2: 07 NTFS; 05 Extended Partition; 00 Non bootable; 00 Non bootable
Partition 3: 0B DOS 32Bit FAT; 05 Extended Partition; 00 Non bootable; 00 Non bootable
Partition 4: 06 DOS16 bit FAT; 05 Extended Partition; 00 Non bootable; 00 Non bootable
Partition 5: 05 Extended Partition; 00 Non bootable; 00 Non bootable

e) Total size of the hard disk using CHS decoding scheme. (Hint: use shortcut)
f) Ending sector – Starting sector + 1
And then multiply with 512 (as one sector contains 512 bytes)
g) Identify hidden space(s) if any, their size, starting and ending addresses.
There are no hidden spaces (5)
h) Diagrammatic relationship of all partitions.
Ans: In 16-bit partition first bit tells that the disc is bootable or not. Next three bits are starting
address of CHS. 5th bit tells the partition type. Next 3 bits are last CHS address. Next 4 bits are LBA
of first sector in partition. And last 4 bits tell the total sectors in partition.

Question No 2 Write one or two liner answers to following questions: (5)

1. When you arrive at the scene, why should you extract only those items you need to acquire
evidence?
Ans: To minimize how much you have to keep track of at the scene. ... Sensitive corporate
information being mixed with data collected as evidence

2. How can you prove that you made no changes to an original image during analysis?
Ans. By using photo forensic technique.
3. Why should you critique your case after it's finished?

Ans: To improve your work in future, and for self-evaluation.


4. With newer Linux kernel distributions, what happens if you connect a hot-swappable device,
such as a USB drive, containing evidence?

Ans: Newer Linux distributions automatically mount the USB device, which could alter data on it.

5. What is the most critical aspect of computer evidence?

Ans: Validation is the most critical aspect of computer evidence.



The End of Question Sheet
