ISSM 536 2013 Test

1. Suppose a disk has 6 heads, 10 cylinders, and 20 sectors per cylinder. What is the LBA (logical block
address) corresponding to CHS (Cylinder, Head, Sector) 0,1,1? (Hint: recall that CHS addresses count
cylinders and heads from 0 (zero), and sectors from 1 (one).) Unless you are certain you are correct, show
your work. /3
2. During lectures we elaborated on the fact that the output of live response tools - tools executed on a
suspect operating system - is not reliable. Describe the three ways in which an attacker can cause such
tools to produce false output, and, where possible, describe the ways in which a responder can increase the
likelihood of obtaining correct output. /7
3. When acquiring an image of a disk drive, it is important to use the noerror and sync options to dd(1) and,
if they are used, it is then also important that the disk size is a multiple of the block size you instruct dd(1) to use
(with bs=). Explain the importance of all this. /7
4. Suppose you want to hide a 2 kilobyte file in a portion of the unallocated space of a disk drive. Suppose
that unallocated space begins at LBA 1 and extends to LBA 5, inclusive. Construct a dd(1) command that
will achieve this. Assume the file is named file.dat, and the disk is accessible via /dev/sda. /5
5. dcfldd(1) is an enhanced version of dd(1). It can be instructed to simultaneously acquire and calculate a
checksum on a disk drive. It can also be instructed to calculate checksums on arbitrary chunks of that disk
drive. What are the advantages of these two features of dcfldd(1)? /4
6. sigfind(1) can be used to search a disk for a file header signature, but is not easily used to search for a file
trailer signature. Why? /3
7. Under what circumstances do you need to consult the file allocation table of a FAT file system in order
to retrieve a file stored on that file system? Justify your response. /3
8. Briefly describe the use of the following three NTFS administrative files: $MFT, $BOOT, $BITMAP. /3

9. Briefly describe the use (or at least a use) of the following NTFS attributes: $DATA, $INDEX_ROOT,
$BITMAP, $ATTRIBUTE_LIST. /4
10. Consider the following output from fsstat(1):

First Cluster of MFT: 2005
Size of MFT Entries: 1024 bytes
Cluster Size: 2048
Total Cluster Range: 0 - 6015

Construct a dd(1) command to extract the fifth MFT entry (counting from zero). You may choose the names
of the input and output files. /4
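A worked version of the arithmetic behind question 10, added here as an example and not part of the test: it derives the dd(1) skip value from the fsstat figures quoted above and verifies it against a constructed all-zero image. The image path, the temporary directory and the marker string are constructed for the demonstration only.

```shell
# Added example (not part of the test): dd parameters for MFT entry N.
# The four values below are the fsstat figures quoted in question 10.
FIRST_MFT_CLUSTER=2005
MFT_ENTRY_SIZE=1024
CLUSTER_SIZE=2048
TOTAL_CLUSTERS=6016          # "Total Cluster Range: 0 - 6015"

# Byte offset of entry N = first_cluster * cluster_size + N * entry_size.
mft_entry_offset() {
    echo $(( FIRST_MFT_CLUSTER * CLUSTER_SIZE + $1 * MFT_ENTRY_SIZE ))
}

# The same offset in units of bs=MFT_ENTRY_SIZE, so dd's skip= stays an integer.
# Only valid when the MFT start is entry-aligned (2005*2048 is a multiple of 1024 here).
mft_entry_skip() {
    off=$(mft_entry_offset "$1")
    [ $(( off % MFT_ENTRY_SIZE )) -eq 0 ] || { echo "MFT start not entry-aligned" >&2; return 1; }
    echo $(( off / MFT_ENTRY_SIZE ))
}

# Extract entry $2 from image $1 into file $3: exactly one block of bs=entry size.
mft_entry_extract() {
    skip=$(mft_entry_skip "$2") || return 1
    dd if="$1" of="$3" bs="$MFT_ENTRY_SIZE" skip="$skip" count=1 2>/dev/null
}

# Self-check on a constructed sparse image the size of the volume: plant a marker
# at the computed offset of entry 5, extract entry 5 with the dd command above,
# and print what came back (expected: the marker).
mft_entry_self_check() {
    tmp=$(mktemp -d)
    img="$tmp/disk.img"
    dd if=/dev/null of="$img" bs=1 seek=$(( TOTAL_CLUSTERS * CLUSTER_SIZE )) 2>/dev/null
    printf 'FILE-ENTRY-5' | dd of="$img" bs=1 seek="$(mft_entry_offset 5)" conv=notrunc 2>/dev/null
    mft_entry_extract "$img" 5 "$tmp/entry5.bin"
    head -c 12 "$tmp/entry5.bin"
    rm -rf "$tmp"
}
```

For the quoted figures the command that results is `dd if=disk.img of=entry5.bin bs=1024 skip=4015 count=1`, since 2005 * 2048 / 1024 = 4010 and the fifth entry counting from zero is five entries further on.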
11. In our last lecture (and the corresponding lecture notes) we made a distinction between two kinds of 'file
slack'. Explain the difference between these two kinds, and explain the importance of this distinction to
digital forensics. /5
12. Suppose that a directory entry in a FAT file system identifies a file of 2048 bytes in size, starting at
cluster 12. Assume clusters are one kilobyte in size. How would you discover which cluster contains the
second half of that file? /5
13. Suppose you wanted to perform a case insensitive search for the filename 'img.gif', but only if that
filename occurs on a line by itself. Construct a regular expression for this search. (Hint: you are not to use
the -i option to grep(1), but construct an actual regular expression.) /5