
SVKM’S NMIMS

MUKESH PATEL SCHOOL OF TECHNOLOGY MANAGEMENT & ENGINEERING


Academic Year: 2023-2024

Program: BTECH    Stream: CYBER    Year: 2024    Semester: VI


Subject: DFIR    Time: 45 Minutes ( __ to ___ )
Date: 3/2/24    No. of Pages: 2
Marks: 20
Test-I (SET A)

Instructions: Candidates should read the instructions carefully.


1) The answer to each new question is to be started on a fresh page.
2) Figures in brackets on the right-hand side indicate full marks.
3) Assume suitable data if necessary.
4) All questions are compulsory.

Answer briefly (Each question is for two marks):


Q1 [08]

a. [2] CO- ; SO- ; BL-Understand

Chain of custody refers to the documentation that establishes a record of the
control, transfer, and disposition of evidence in a criminal case. Evidence may
include DNA samples, photographs, documents, personal property, bodily fluids
or, in a digital investigation, storage media and the forensic images made from
them, taken from a defendant or discovered at the scene of an alleged crime. To
prove someone guilty, a prosecutor must show that the evidence presented in
court is the same evidence that was recovered at the scene, that it was handled
properly, and that it was not contaminated or tampered with. If law enforcement
does not handle evidence properly, it can be challenged on the grounds that it
was tampered with, that test results are faulty or inaccurate, or that the
evidence was planted. For digital evidence the record therefore includes who
acquired the media, when, with what tool, and the cryptographic hash of the
image, so that each later handler can re-verify that nothing has changed.

b. [2] CO- ; SO- ; BL-Understand

When a subject's computer starts, you must make sure it boots to a forensically
configured CD, DVD, or USB drive, because booting to the hard disk overwrites
and changes evidentiary data (the OS writes to logs, the registry, the page file
and file timestamps as it starts). To do this, you access the CMOS (BIOS) setup
by watching the screen during the bootstrap process to identify the key or keys
to use. The bootstrap code, which is contained in ROM, tells the computer how to
proceed; as the computer starts, the screen usually displays the key, such as
Delete or F2, that opens the setup screen. You can also try unplugging the
keyboard to force the system to report which key to use. The key depends on the
computer's BIOS vendor. If necessary, change the boot sequence so that the
CD/DVD drive or USB device is tried before the hard disk. Each vendor's setup
screen is different, so refer to the vendor's documentation or Web site for
instructions on changing the boot sequence. On current machines the firmware is
UEFI rather than a legacy BIOS; Secure Boot may have to be disabled for an
unsigned forensic boot image, and any firmware setting you change should itself
be documented. Where possible the safer option is not to boot the subject's
machine at all but to remove the drive and image it through a hardware write
blocker.

c. [2] CO- ; SO- ; BL-Apply

Data pertaining to programs that are (or were at one time) installed on a
system can also be found in the registry, for example under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths (the key name contains
a space), which maps executable names to their install locations, and under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, which holds one subkey
per installed application.
d. [2] CO- ; SO- ; BL-Understand

A hard link allows multiple file names to point to the same data. The inode
number of the names connected by a hard link is the same, and the inode's link
count records how many names refer to it. This is useful when several people
working from different accounts or directories want to refer to the same file
under different names: everyone sees the file in their own directory, but every
name points to the same inode and the same data blocks on disk, not to separate
copies. Hard links cannot cross file systems, and the data is freed only when
the last name (and any open handle) is gone, so deleting one name does not
remove the content.
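
Added example (not part of the answer key): the Python script below
demonstrates the hard link behaviour described in (d) on a POSIX file system,
using a temporary directory and file names chosen for the example. It links a
file under a second name, compares inode numbers and link counts, writes
through one name and reads through the other, then unlinks the original name
to show that the data survives.

```python
import os
import tempfile


def hard_link_observations(tmpdir):
    """Create a file, hard-link it under a second name, and record what stat()
    shows at each step. Returns a dict of observations."""
    original = os.path.join(tmpdir, "notes.txt")
    alias = os.path.join(tmpdir, "notes_alias.txt")

    with open(original, "w") as f:
        f.write("evidence notes v1\n")

    # A hard link is a second directory entry for the same inode, not a copy.
    os.link(original, alias)

    st_orig, st_alias = os.stat(original), os.stat(alias)
    same_inode = st_orig.st_ino == st_alias.st_ino
    links_after_link = st_orig.st_nlink          # two names, one inode

    # Writing through one name is visible through the other: same data blocks.
    with open(alias, "a") as f:
        f.write("appended via alias\n")
    with open(original) as f:
        content_via_original = f.read()

    # Removing one name only decrements the link count; the data stays until
    # the last name (and the last open handle) is gone.
    os.unlink(original)
    links_after_unlink = os.stat(alias).st_nlink
    with open(alias) as f:
        data_survives = "appended via alias" in f.read()

    return {
        "same_inode": same_inode,
        "links_after_link": links_after_link,
        "content_via_original": content_via_original,
        "links_after_unlink": links_after_unlink,
        "original_name_gone": not os.path.exists(original),
        "data_survives": data_survives,
    }


def run_demo():
    """Run the observations in a throwaway directory (hard links cannot cross
    file systems, so everything lives in one temp dir)."""
    with tempfile.TemporaryDirectory() as d:
        return hard_link_observations(d)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Run it on Linux or macOS; the link count shown by ls -l is the same st_nlink
value. Forensically, a link count above 1 means the file may be reachable under
another name in a different directory, and removing the name a user sees does
not remove the content.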

Q2 [04] CO- ; SO- ; BL-Understand

When a file is deleted in Windows Explorer or with the MS-DOS delete command,
the OS writes HEX E5 (0xE5) into the first byte of the filename in the
associated directory entry. This value tells the OS that the entry is free and
that a new file can be written to the same cluster location. In the FAT file
system these are the only modifications made: the directory entry is marked as
deleted, with 0xE5 replacing the first letter of the filename, and the FAT
chain for the file is set to 0. The rest of the directory entry (the remaining
filename characters, size, timestamps and starting cluster) and the data in the
file's clusters remain on the disk. The area of the disk where the deleted file
resided becomes unallocated disk space (also called "free disk space"), which
is now available to receive new data from newly created files or from files
that need more space as they grow. Until that happens, most forensics tools can
recover data still residing in this area.
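
Added example (not part of the answer key): the Python code below builds a tiny
constructed FAT32-style volume in memory (a FAT array, a data area and one
directory; the layout is simplified and not a real on-disk image), writes a
697-byte file into clusters 3 and 4, performs the delete exactly as described
above (0xE5 into the first name byte, FAT chain zeroed, data untouched), and
then recovers the file from what the deleted directory entry still records.
ENTRY_FMT follows the standard 32-byte 8.3 directory entry layout; the cluster
size, file content and cluster numbers are choices made for the example.

```python
import math
import struct

# 32-byte FAT short-name (8.3) directory entry, little-endian:
# name(8) ext(3) attr(1) ntres(1) crt_tenth(1) crt_time(2) crt_date(2)
# acc_date(2) first_cluster_hi(2) wrt_time(2) wrt_date(2) first_cluster_lo(2) size(4)
ENTRY_FMT = "<8s3sBBBHHHHHHHI"
CLUSTER_SIZE = 512
EOC = 0x0FFFFFFF          # FAT32 end-of-chain marker
ATTR_ARCHIVE = 0x20


def build_entry(name, ext, first_cluster, size):
    """Pack a directory entry; timestamps are left zero for the constructed volume."""
    return struct.pack(ENTRY_FMT, name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
                       ATTR_ARCHIVE, 0, 0, 0, 0, 0, first_cluster >> 16,
                       0, 0, first_cluster & 0xFFFF, size)


def parse_entry(raw):
    """Decode an entry. A first name byte of 0xE5 marks it deleted; everything
    else (remaining name characters, starting cluster, size) is still present."""
    f = struct.unpack(ENTRY_FMT, raw)
    name, ext = f[0], f[1]
    deleted = name[0] == 0xE5
    first = "?" if deleted else chr(name[0])          # the first letter is lost
    shown = first + name[1:].decode("ascii").rstrip() + "." + ext.decode("ascii").rstrip()
    return {"deleted": deleted, "name": shown,
            "first_cluster": (f[8] << 16) | f[11], "size": f[12]}


class TinyFatVolume:
    """Constructed stand-in for a FAT32 volume: a FAT array, a data area indexed
    by cluster number, and one directory. Not a real on-disk layout."""

    def __init__(self, n_clusters):
        self.fat = [0] * n_clusters
        self.data = bytearray(CLUSTER_SIZE * n_clusters)
        self.directory = []

    def write_file(self, name, ext, first_cluster, content):
        n = math.ceil(len(content) / CLUSTER_SIZE)
        clusters = list(range(first_cluster, first_cluster + n))   # allocated contiguously
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
            self.fat[c] = clusters[i + 1] if i + 1 < n else EOC
        self.directory.append(bytearray(build_entry(name, ext, first_cluster, len(content))))
        return len(self.directory) - 1

    def delete_file(self, index):
        """What the OS does on delete: 0xE5 into the first name byte and the FAT
        chain zeroed. The data clusters are not touched."""
        entry = self.directory[index]
        c = parse_entry(bytes(entry))["first_cluster"]
        entry[0] = 0xE5
        while c not in (0, EOC):
            nxt, self.fat[c] = self.fat[c], 0
            c = nxt

    def recover_deleted(self, index):
        """Metadata-based recovery: the deleted entry still gives the starting
        cluster and size. With the chain gone we must assume contiguity."""
        e = parse_entry(bytes(self.directory[index]))
        if not e["deleted"]:
            raise ValueError("entry is not marked deleted")
        start = e["first_cluster"] * CLUSTER_SIZE
        return bytes(self.data[start:start + e["size"]])


def demo():
    vol = TinyFatVolume(n_clusters=8)
    content = b"DFIR test report\n" * 41                     # 697 bytes -> 2 clusters
    idx = vol.write_file("REPORT", "TXT", 3, content)
    before = parse_entry(bytes(vol.directory[idx]))
    chain_before = vol.fat[3:5]
    vol.delete_file(idx)
    after = parse_entry(bytes(vol.directory[idx]))
    return {"before": before, "chain_before": chain_before,
            "after": after, "chain_after": vol.fat[3:5],
            "recovered_ok": vol.recover_deleted(idx) == content}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The recovery assumes the clusters were contiguous, which is all a tool can do
once the chain is gone; a fragmented file recovered this way contains other
data after its first fragment. Some Windows versions also zero the high word of
the starting cluster when deleting on FAT32, so on large volumes the starting
cluster in a deleted entry may itself be wrong.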

Q3 [04] CO- ; SO- ; BL-Understand

Raw format - Makes it possible to write bit-stream data to files (the output of
tools such as dd). It supports fast data transfers and can be read by most
forensic tools, but it requires as much space as the original media and carries
no metadata of its own, so hashes and acquisition notes must be kept separately.

Proprietary formats - Most forensics tools have their own formats (for example
EnCase's E01) that can compress images, split images into smaller segments, and
store metadata and hashes inside the image. The disadvantage is that the image
may not be readable by every other tool.

Advanced Forensics Format (AFF) - An open-source acquisition format that
provides compressed or uncompressed image files together with embedded
metadata. It is supported across multiple operating systems and platforms.
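
Added example (not part of the answer key) that serves both Q1(a) and Q3: the
Python code below performs a raw bit-stream acquisition from a constructed
in-memory "device" into split segment files, hashing the stream with SHA-256
as it goes, then re-hashes the segments to verify them and flips one byte to
show that the recorded hash detects any change. The segment naming (image.001,
...), chunk size and segment size are choices made for the example; real
acquisitions go through dd, dc3dd or a GUI imager behind a write blocker.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 64 * 1024   # read size chosen for the example; real tools use larger blocks


def acquire_raw(source, out_dir, segment_size):
    """Bit-stream copy of `source` (a file-like object standing in for a block
    device) into raw segments image.001, image.002, ... while hashing the stream.
    Returns (segment paths, SHA-256 hex digest, bytes copied)."""
    digest = hashlib.sha256()
    paths, seg, seg_no, written, total = [], None, 0, 0, 0
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        digest.update(block)
        total += len(block)
        view = memoryview(block)
        while len(view):
            if seg is None or written >= segment_size:
                if seg is not None:
                    seg.close()
                seg_no += 1
                path = os.path.join(out_dir, f"image.{seg_no:03d}")
                seg = open(path, "wb")
                paths.append(path)
                written = 0
            room = segment_size - written           # a chunk may straddle two segments
            seg.write(view[:room])
            written += min(room, len(view))
            view = view[room:]
    if seg is not None:
        seg.close()
    return paths, digest.hexdigest(), total


def verify_segments(paths, expected_hex):
    """Re-hash the segments in order; their concatenation must equal the original stream."""
    digest = hashlib.sha256()
    for path in paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(CHUNK), b""):
                digest.update(block)
    return digest.hexdigest() == expected_hex


def demo(segment_size=100_000):
    data = bytes(range(256)) * 1200                 # constructed 300 KiB "device"
    with tempfile.TemporaryDirectory() as d:
        paths, acquired_hash, total = acquire_raw(io.BytesIO(data), d, segment_size)
        sizes = [os.path.getsize(p) for p in paths]
        intact = verify_segments(paths, acquired_hash)
        # Flip one byte in the last segment: the hash recorded at acquisition
        # (and carried on the chain-of-custody form) no longer matches.
        with open(paths[-1], "r+b") as f:
            f.seek(10)
            b = f.read(1)[0]
            f.seek(10)
            f.write(bytes([b ^ 0xFF]))
        still_intact = verify_segments(paths, acquired_hash)
    return {"segments": len(paths), "sizes": sizes, "total": total,
            "hash_matches_source": acquired_hash == hashlib.sha256(data).hexdigest(),
            "intact_before_tamper": intact, "tamper_detected": not still_intact}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The hash returned by acquire_raw is the value written on the acquisition form
and re-checked at every custody transfer. The segment sizes also make the Q3
point: a raw image of N bytes occupies N bytes, whereas an E01 or AFF image can
compress the same content and carry the hash inside the file.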

Q4 [04] CO- ; SO- ; BL-Apply

In NTFS (New Technology File System), logical cluster numbers (LCNs) and
virtual cluster numbers (VCNs) are used to manage the allocation of disk space
and to organize the data of each file.

1. Logical Cluster Numbers (LCNs):
• An LCN is the number of a cluster counted from the start of the volume. A
  cluster is the smallest unit of disk space allocation; it is a contiguous set
  of sectors, and a sector is the smallest addressable unit on a disk.
• Each cluster in the volume has a unique LCN. Numbering starts from 0 at the
  first cluster of the volume and increases sequentially, so the byte offset of
  a cluster within the volume is LCN x cluster size (an LCN is volume-relative,
  not an absolute position on the physical disk).
• The file system uses LCNs to track the location of file data. When a file is
  created or extended, NTFS allocates clusters to hold its data, and those
  clusters are referenced by their LCNs.

2. Virtual Cluster Numbers (VCNs):
• VCNs represent the logical ordering of clusters within a file. They are
  virtual in the sense that they number clusters in the file's own address
  space rather than by their position in the volume.
• Each cluster of the file's data is assigned a VCN. The first cluster has VCN
  0 and subsequent clusters are numbered sequentially; a file of ten clusters
  has VCNs 0 to 9.
• VCNs let the file system read a file's data in order regardless of how its
  clusters are physically arranged on the disk.

How LCNs and VCNs are used together:
1. Mapping between VCNs and LCNs:
• For a non-resident attribute (typically $DATA for anything larger than the
  few hundred bytes that fit inside the MFT record), NTFS stores the mapping
  from VCNs to LCNs in the attribute header as a list of data runs, often
  called the runlist.
• Each run describes a range of consecutive VCNs and where it lives: a length
  in clusters and a starting LCN encoded as a signed offset from the previous
  run's starting LCN. A run with no offset field is sparse (those VCNs read as
  zeros and occupy no clusters). A contiguous file has a single run; a
  fragmented file has one run per fragment.
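
Added example (not part of the answer key): the Python code below decodes NTFS
data runs into VCN-to-LCN mappings and translates individual VCNs. Both
runlists are constructed for the example (RUNLIST_A exercises a negative offset
and a sparse run; RUNLIST_B uses 3-byte offsets as large volumes need); the
4096-byte cluster size is an assumption, the NTFS default on most volumes.

```python
def parse_runlist(raw):
    """Decode an NTFS runlist (the mapping pairs of a non-resident attribute)
    into a list of (vcn_start, length, lcn_start) tuples. lcn_start is None for
    a sparse run, which has no offset field."""
    runs, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(raw):
        header = raw[pos]
        if header == 0x00:                 # terminator
            break
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, length, None))
        else:
            # Offsets are signed and relative to the previous run's starting LCN,
            # so a fragment that lies earlier on the volume has a negative value.
            delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta
            runs.append((vcn, length, lcn))
        vcn += length
    return runs


def vcn_to_lcn(runs, vcn):
    """Translate one VCN of the file to the LCN holding it (None if sparse)."""
    for start, length, lcn in runs:
        if start <= vcn < start + length:
            return None if lcn is None else lcn + (vcn - start)
    raise ValueError(f"VCN {vcn} is beyond the end of the attribute")


def lcn_to_volume_offset(lcn, cluster_size=4096):
    """Byte offset of a cluster from the start of the volume (not the disk)."""
    return lcn * cluster_size


def total_clusters(runs):
    return sum(length for _, length, _ in runs)


# Constructed runlist with four runs: a forward run, a run that lies *before*
# the previous one (negative offset), a sparse run, and a final forward run.
RUNLIST_A = bytes.fromhex(
    "12 10 00 20 "   # header 0x12: 2-byte length 0x0010, 1-byte offset +0x20 -> LCN 32
    "11 08 F0 "      # 8 clusters, offset 0xF0 = -16 -> LCN 16
    "01 04 "         # 4 clusters, no offset field -> sparse
    "11 02 30 "      # 2 clusters, +0x30 from LCN 16 (sparse runs do not move the base) -> LCN 64
    "00"             # end of runlist
)

# Second constructed runlist using 3-byte offsets.
RUNLIST_B = bytes.fromhex("31 38 73 25 34 32 14 01 E5 11 02 31 42 AA 00 03 00")


if __name__ == "__main__":
    for name, raw in (("A", RUNLIST_A), ("B", RUNLIST_B)):
        runs = parse_runlist(raw)
        print(f"runlist {name}: {total_clusters(runs)} clusters in {len(runs)} runs")
        for vcn, length, lcn in runs:
            where = "sparse" if lcn is None else f"LCN {lcn}..{lcn + length - 1}"
            print(f"  VCN {vcn}..{vcn + length - 1} -> {where}")
```

To read a file's data from a volume image, decode the runlist from its
non-resident $DATA attribute, then for each non-sparse run seek to
lcn * cluster_size and read length * cluster_size bytes; the last cluster is
valid only up to the attribute's real (not allocated) size.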
SVKM’S NMIMS
MUKESH PATEL SCHOOL OF TECHNOLOGY MANAGEMENT & ENGINEERING
Academic Year: 2023-2024

Program: BTECH    Stream: CYBER    Year: 2024    Semester: VI


Subject: DFIR    Time: 45 Minutes ( __ to ___ )
Date: 3/2/24    No. of Pages: 2
Marks: 20
Test-I (SET B)

Instructions: Candidates should read the instructions carefully.


1) The answer to each new question is to be started on a fresh page.
2) Figures in brackets on the right-hand side indicate full marks.
3) Assume suitable data if necessary.
4) All questions are compulsory.

Answer briefly (Each question is for two marks):


Q1 [08]

a. [2] CO- ; SO- ; BL-Understand

Exculpatory evidence is evidence that tends to clear, excuse, or absolve an
individual from blame or fault in a legal context. It is particularly relevant
in criminal cases, where the prosecution is attempting to prove the guilt of
the accused: the prosecution must disclose it to the defence, and a forensic
examiner must therefore preserve and report findings that point away from the
suspect just as carefully as those that point toward them.
b. [2] CO- ; SO- ; BL-Understand

Transporting magnetic media, such as hard disk drives (HDDs), magnetic tapes,
or floppy disks, requires careful handling to prevent data loss or damage.
(Solid-state drives are flash memory, not magnetic media; they need the same
physical and electrostatic care but are not affected by magnetic fields.) The
basic steps to follow when transporting magnetic media are:
1. Backup Data: Before transporting any magnetic media, ensure that you have a
   current, verified copy of the data stored on it; for evidence media this
   means a forensic image whose hash has been recorded. Then even if the media
   is lost or damaged during transport, the data survives.
2. Secure Packaging: Use appropriate packaging materials to
protect the magnetic media during transport. This may include
anti-static bags, bubble wrap, foam padding, or sturdy
cardboard boxes. Ensure that the media is securely cushioned
and cannot move around inside the packaging.
3. Avoid Magnetic Fields: Magnetic media can be sensitive to
magnetic fields, which can corrupt or erase the data stored on
them. Avoid placing magnetic media near sources of magnetic
fields, such as speakers, electric motors, or other magnetic
devices. Additionally, keep magnetic media away from security
checkpoints with magnetic scanners, as they can also affect the
data.
4. Handle with Care: Handle magnetic media with care to
prevent physical damage. Avoid dropping or shaking the media,
and always hold it by the edges to avoid touching the surface
where data is stored. Do not stack heavy objects on top of
magnetic media during transport.
5. Temperature and Humidity Control: Extreme temperatures
and humidity levels can damage magnetic media. Avoid
exposing magnetic media to temperatures above 120°F (49°C)
or below 41°F (5°C), and humidity levels above 80%. During
transport, try to maintain a stable temperature and humidity
environment to minimize the risk of damage.
6. Labeling: Clearly label packages containing magnetic media
with appropriate handling instructions, such as "Fragile" or
"Handle with Care." Include information about the contents of
the package and any special handling requirements to ensure
that it is treated appropriately during transport.
7. Track Shipments: If shipping magnetic media through a
courier or postal service, use a reliable shipping method that
allows you to track the progress of the shipment. This can help
ensure that the media arrives at its destination safely and allows
you to monitor its progress throughout the journey.
By following these basic steps, you can help minimize the risk of data
loss or damage when transporting magnetic media and ensure that your
important data remains safe and secure.

c. [2] CO- ; SO- ; BL-Apply

When a file has been deleted, including a "permanent" delete that bypasses the
Recycle Bin, its data usually still exists in the unallocated space of the disk
until that space is reused by new data. Data recovery and forensic software can
scan unallocated space to recover deleted files, either from leftover file
system metadata (a deleted directory entry or MFT record that still points at
the old clusters) or by carving on known file signatures when no metadata
survives. Success depends on how much new data has been written since the
deletion, on whether the file was fragmented, and on the media: on an SSD, TRIM
and garbage collection may already have erased the blocks. A file whose
clusters have actually been overwritten cannot be recovered from that location.
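
Added example (not part of the answer key): the Python code below performs the
second kind of recovery mentioned in (c), signature carving over unallocated
space, with a constructed byte blob standing in for the unallocated area. The
PNG and JPEG header and footer signatures are the real ones; the file bodies
are placeholders, and the blob also contains a PNG header whose body was
overwritten, which the carver correctly skips.

```python
# Header/footer signatures for two common file types. A real carver (foremost,
# scalpel, PhotoRec) knows many more and also parses internal structure.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(blob, max_len=10 * 1024 * 1024):
    """Signature-based carving over a byte blob of unallocated space.
    Returns (kind, start, end, data) tuples sorted by start offset. A header
    with no footer within max_len is skipped: the body was truncated or
    overwritten, or the file is fragmented and its tail lies elsewhere."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            h = blob.find(header, pos)
            if h < 0:
                break
            f = blob.find(footer, h + len(header), h + max_len)
            if f < 0:
                pos = h + 1
                continue
            end = f + len(footer)
            found.append((kind, h, end, blob[h:end]))
            pos = end
    return sorted(found, key=lambda t: t[1])


def build_sample():
    """Constructed 'unallocated space': filler, a minimal PNG-shaped blob, filler,
    a JPEG-shaped blob, filler, and a PNG header whose body has been overwritten."""
    png_hdr, png_ftr = SIGNATURES["png"]
    jpg_hdr, jpg_ftr = SIGNATURES["jpg"]
    png = png_hdr + b"\x00\x00\x00\x0dIHDR" + b"A" * 20 + png_ftr      # 44 bytes
    jpg = jpg_hdr + b"\xe0" + b"B" * 30 + jpg_ftr                      # 36 bytes
    truncated = png_hdr + b"C" * 10                                    # no footer
    blob = (b"\x00" * 100 + png + b"\xff" * 50 + jpg
            + b"\x11" * 40 + truncated + b"\x00" * 30)
    return blob, png, jpg


def demo():
    blob, png, jpg = build_sample()
    carved = carve(blob)
    return {
        "hits": [(kind, start, end) for kind, start, end, _ in carved],
        "png_ok": carved[0][3] == png,
        "jpg_ok": carved[1][3] == jpg,
        "blob_len": len(blob),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Carving returns content without the original name, path or timestamps, and the
footer search stops at the first match, so an embedded thumbnail that ends
early can truncate a JPEG; fragmented files need a smarter carver than this
one.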
d. [2] CO- ; SO- ; BL-Understand

Fragmentation results in one file being stored across multiple non-contiguous
clusters, and this (1) makes reading the file much slower on a mechanical disk,
because the heads have to seek back and forth between the scattered clusters
and platters, and (2) increases the wear and tear on the drive mechanism. For
the examiner it also means a deleted file cannot be recovered simply by reading
from its starting cluster for its length once the allocation chain is gone.

Q2 [04] CO- ; SO- ; BL-Understand

NTFS reduces fragmentation in several ways. Very small files are stored
resident, entirely inside the file's MFT record, so they occupy no clusters at
all and cannot fragment. For non-resident files the allocator tries to find a
contiguous free run large enough for the data being written rather than taking
the first free cluster, and when an application sets a file's size in advance
(pre-allocation, as installers, databases and download managers do), NTFS can
reserve that space as one contiguous extent instead of growing the file cluster
by cluster as writes arrive. NTFS also reserves a zone after the MFT so that
the MFT itself can grow contiguously. File data is always described as extents
(data runs): a contiguous file has a single run, and a fragmented file has one
run per fragment, so an examiner can read a file's runlist to see how badly it
is fragmented and where each piece lives.

Q3 [04] CO- ; SO- ; BL-Understand

1. Flash-based storage relies on a firmware feature called wear leveling. Wear
leveling is a technique that SSD controllers use to increase the lifetime of
the memory. The principle is simple: distribute writes evenly over all blocks
of the SSD so that they wear evenly, rather than writing the same blocks over
and over. Each flash cell tolerates only a limited number of program/erase
cycles (reads do not wear it): roughly 100,000 for SLC, down to a few thousand
or less for MLC and TLC. If we write 100 GB of data daily to an SSD with 400 GB
of space, wear leveling ensures that the 100 GB is not always stored in the
same physical flash blocks; the controller's flash translation layer maps each
logical block address to a different physical location as the data moves. This
has two consequences for the examiner: the physical location of data is
unrelated to its logical address, so what can be imaged over the interface is
the logical view the controller presents; and the controller (with TRIM and
garbage collection) may relocate or erase blocks holding deleted data on its
own, with no action from the host. When dealing with solid-state devices,
making a full forensic copy as soon as possible is therefore crucial if you
may need to recover data from unallocated space.

Q4 [04] CO- ; SO- ; BL-Apply

• Disk drives are made up of one or more platters coated with magnetic
  material.
• Disk drive components (geometry):
  • Heads
  • Tracks
  • Cylinders
  • Sectors
• Heads:
  • The head count of a hard disk drive represents the total number of platter
    sides that store data, one read/write head per side. For example, a disk
    drive with 8 platters can have up to 16 heads.
• Cylinders:
  • All the data on a hard disk drive is stored on concentric circles on the
    surface of each platter side. Each concentric circle is called a track.
    Tracks are numbered starting from zero at the outside of the platter and
    increasing toward the spindle. The set of all tracks with the same number
    (the same diameter) across every head is called a cylinder, so the number
    of cylinders in a drive equals the number of tracks on one platter surface.
    Cylinders, heads and sectors per track together describe the drive
    geometry. Both counts are fixed when the drive is manufactured; in most
    hard disks the track positions are defined by a magnetic pattern called a
    servo pattern written at the factory.
• Sectors per track:
  • A sector is the basic unit of data storage on a hard disk, historically 512
    bytes (4096 bytes on Advanced Format drives). The term "sector" comes from
    the mathematical term for the pie-shaped angular section of a circle
    bounded on two sides by radii and on the third by the perimeter. In its
    simplest form, a track is a circle of predefined sectors, and the sectors
    per track value gives how many there are on each track. On modern drives
    this value is only nominal: zoned bit recording puts more sectors on the
    longer outer tracks, and the drive is addressed by logical block address
    (LBA), with the cylinder/head/sector geometry reported to the BIOS being a
    translation kept for compatibility.
  • A group of concentric circles (tracks) defines a single surface of a
    platter. Early hard disks had just a single one-sided platter, while
    today's hard disks have several platters with tracks on both sides, all of
    which together make up the drive's capacity.
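
Added example (not part of the answer key): the Python code below turns the
geometry terms above into the CHS-to-LBA arithmetic used by the BIOS and the
MBR partition table, including the packed 3-byte CHS field of a partition
entry. The geometries and the partition start bytes are constructed for the
example; the 255-head, 63-sector values are the standard BIOS translation, not
physical heads.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    """Cylinder/head/sector geometry as reported to the BIOS. Sector numbers
    within a track start at 1; cylinders and heads start at 0."""
    cylinders: int
    heads: int
    sectors_per_track: int
    sector_size: int = 512

    @property
    def total_sectors(self):
        return self.cylinders * self.heads * self.sectors_per_track

    def capacity_bytes(self):
        return self.total_sectors * self.sector_size

    def chs_to_lba(self, c, h, s):
        if not (0 <= c < self.cylinders and 0 <= h < self.heads
                and 1 <= s <= self.sectors_per_track):
            raise ValueError(f"CHS ({c},{h},{s}) outside geometry {self}")
        # Cylinders are the slowest-changing index, then heads, then sectors.
        return (c * self.heads + h) * self.sectors_per_track + (s - 1)

    def lba_to_chs(self, lba):
        if not 0 <= lba < self.total_sectors:
            raise ValueError(f"LBA {lba} outside geometry {self}")
        c, rem = divmod(lba, self.heads * self.sectors_per_track)
        h, s = divmod(rem, self.sectors_per_track)
        return c, h, s + 1


def decode_mbr_chs(packed):
    """Decode the 3-byte packed CHS field of an MBR partition entry:
    byte 0 = head, byte 1 = sector (bits 0-5) plus cylinder bits 8-9 (bits 6-7),
    byte 2 = cylinder bits 0-7. Returns (cylinder, head, sector)."""
    head = packed[0]
    sector = packed[1] & 0x3F
    cylinder = ((packed[1] & 0xC0) << 2) | packed[2]
    return cylinder, head, sector


# Constructed example: the 255-head, 63-sector geometry the BIOS reports for
# most LBA-era drives, limited to 1024 cylinders by the MBR field width.
LEGACY = Geometry(cylinders=1024, heads=255, sectors_per_track=63)
# Start CHS bytes of a partition beginning at LBA 2048 under that geometry.
PARTITION_START_CHS = bytes([0x20, 0x21, 0x00])


if __name__ == "__main__":
    print(f"max MBR-addressable capacity: {LEGACY.capacity_bytes():,} bytes")
    c, h, s = decode_mbr_chs(PARTITION_START_CHS)
    print(f"partition start CHS ({c},{h},{s}) -> LBA {LEGACY.chs_to_lba(c, h, s)}")
```

The 1024 x 255 x 63 x 512 limit of the MBR CHS field (about 7.8 GiB) is why
partition entries beyond it hold placeholder CHS values and why examiners and
tools work from the 32-bit LBA fields instead.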
