
Air University

(Mid-Term Examination: Fall 2021)


Department of Cyber Security

Subject: Digital Forensics Lab
Total Marks: 30

Course Code: CY334L
Duration: 3 Hours
Class: BSCYS F18
FM Name: Mehmood ul Hassan
Section: A

Instructions:
• This question paper has 02 page(s) and 03 questions, with parts (Q1-Q3).
• Understanding the questions is part of the examination.
• Attempt all questions on your computer and make a report of the steps you perform while
working towards your solution.
• Calculators are allowed.
• This is an open book/notes/lab manual/internet exam.
• Students must show their roll number and full name in each screenshot to prove their
solution to the given question. Failing to do so will result in no credit.
• Students must submit a Word file only, with the naming convention “Roll Number – Full
Name – Mid Exam.docx”. Failing to do so will result in a deduction of 5 marks.

Scenario: A flamingo bird was stolen from Chester Zoo on the 27th of February 2021,
and two suspects have been arrested on suspicion of committing the crime. The two suspects
deny knowing each other and deny the offence. Both suspects had a pen drive in their
pocket when arrested, and you are to investigate the contents of one of the pen drives,
the one belonging to Nigel Davidson. The forensic image of his pen drive is provided as
“LabExamEvidenceFile.zip”. Neither of the suspects had a phone or any other digital
technology on them when arrested.
As the forensic investigator, analyze the provided image and add your responses to the
following questions. Use the password “DigitalForensicsF18A” (without quotes) to unzip the
evidence file.

Question 01: (15 Marks)


Decode the first partition entry of the provided forensic image and answer the following
questions.
(Note: Your answer must contain a screenshot of the answer with your roll number and name in the
background. Save your answers, labelled with the question number, in a Word file.)
i. What is the partitioning system of the provided image, GPT or MBR? (02 Marks)
ii. What is the file system? (02 Marks)
iii. Is the first partition bootable or not? (02 Marks)
iv. What is the starting address of the partition in decimal? (Use the starting LBA field of the
partition entry; you do not need to decode the CHS bytes.) (02 Marks)
v. What is the last address of the partition in decimal? (Starting LBA + number of sectors - 1.)
(02 Marks)
vi. What is the size of the partition in MB? (03 Marks)
vii. How many deleted files are there related to the flamingo bird? (02 Marks)

Page 1 of 2
Question 02: (05 Marks)
Recover the deleted data from the forensic image and identify what type of data was deleted.
Calculate the MD5 hashes of the deleted files and include them in your solution.
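The following script is an added worked example for Question 01 (decoding the partition entry) and Question 02 (hashing evidence); it is not part of the exam paper or its evidence file. It reads sector 0 of a raw (dd-style) image, checks the 0x55AA boot signature, unpacks the four 16-byte partition entries at offset 446, and reports for each one the bootable flag, the type byte (which gives the file system family), the decoded CHS bytes, the starting LBA, the ending LBA (start + sector count - 1) and the size in MB. On modern media the CHS bytes are frequently dummy values, so the LBA fields are the ones to trust. A partition type of 0xEE is a GPT protective MBR, which is how the script distinguishes GPT from MBR; a full check would also parse the GPT header at LBA 1. The image file name, the sample MBR and the 255-head/63-sector geometry used for its CHS bytes are constructed for illustration; an E01 image would first need to be exported to raw.

```python
"""Decode an MBR partition table and hash evidence files (added example, constructed data)."""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"

# Subset of the well-known MBR partition type IDs.
PARTITION_TYPES = {
    0x01: "FAT12",
    0x05: "extended",
    0x06: "FAT16",
    0x07: "NTFS / exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective MBR",
}


def decode_chs(raw):
    """3-byte CHS field -> (cylinder, head, sector).
    Byte 0 is the head; low 6 bits of byte 1 are the sector; the high 2 bits of
    byte 1 are cylinder bits 8-9 and byte 2 holds cylinder bits 0-7."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(sector0):
    """Return the used entries of the partition table at bytes 446..509 of sector 0."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not an MBR")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, chs_start, ptype, chs_end, lba_start, n_sectors = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype == 0x00:
            continue  # unused slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,          # 0x80 = active/bootable, 0x00 = inactive
            "type_id": ptype,
            "type": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba_start,
            "lba_end": lba_start + n_sectors - 1,
            "sectors": n_sectors,
            "size_mb": n_sectors * SECTOR_SIZE / (1024 * 1024),
        })
    return entries


def partition_scheme(sector0):
    """GPT if the table carries a 0xEE protective entry, otherwise plain MBR."""
    return "GPT" if any(e["type_id"] == 0xEE for e in parse_mbr(sector0)) else "MBR"


def md5_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so a large image need not fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def build_sample_mbr():
    """Constructed sample: one bootable FAT32 (0x0C) partition, 30720 sectors from LBA 2048.
    CHS bytes encode C/H/S 0/32/33 and 2/10/8 (255 heads, 63 sectors per track)."""
    entry = struct.pack("<B3sB3sII", 0x80, bytes([0x20, 0x21, 0x00]),
                        0x0C, bytes([0x0A, 0x08, 0x02]), 2048, 30720)
    sector = bytearray(SECTOR_SIZE)
    sector[446:462] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def main(argv):
    # Usage (path is an assumption): python mbr_decode.py LabExamEvidenceFile.dd
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            sector0 = f.read(SECTOR_SIZE)
        print("image MD5:", md5_file(argv[1]))
    else:
        sector0 = build_sample_mbr()
    print("scheme:", partition_scheme(sector0))
    for e in parse_mbr(sector0):
        print("entry %d: bootable=%s type=%s start LBA=%d end LBA=%d sectors=%d size=%.1f MB"
              % (e["index"], e["bootable"], e["type"], e["lba_start"],
                 e["lba_end"], e["sectors"], e["size_mb"]))
        print("  CHS start=%s end=%s" % (e["chs_start"], e["chs_end"]))


if __name__ == "__main__":
    main(sys.argv)
```

Hash the image with md5_file before decoding and again after the analysis so the report can show the evidence was not altered; the same function gives the per-file MD5 values asked for in Question 02 once the deleted files have been carved out.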

Question 03: (10 Marks)


Registry files and registry data are a gold mine for the forensic investigator. As the forensic
investigator, answer the following questions, with a screenshot of each answer.
i. What is the operating system name, installation time, and version of the operating
system? (3 Marks)
ii. What are the usernames and their SIDs/RIDs? (2 Marks)
iii. Who was the last user to log in on the system? (2 Marks)
iv. How many devices were connected to the system, and what drive letters were assigned
to them? (3 Marks)

Hint: The system registry hives (SAM, SECURITY, SOFTWARE, SYSTEM) are found under
./Windows/System32/config/; each user's own hive (NTUSER.DAT) is in that user's profile folder.

***************** End of Examination Paper *********************

Page 2 of 2
