216SE Practice Phase-Test - 2019
The Phase Test will comprise 2 elements: there will be a series of general computer-related questions and
ones that will require usage of the FTK VM in examining evidence files to determine answers to specific
questions.
Name: .........................................................................
Open the FTK Virtual Machine. You can make use of all software on the VM, but not the Internet.
Default settings should be used, no data carving is required, and where it asks for a timezone, use
Europe/London.
All your working files should be created and located in the 216SE folder on your Desktop. The test has 95 marks.
a( ) b( ) c( ) d( ) (1 mark)
/9
216SE PRACTICE PHASE TEST 2019/2020
A6. What is Phishing and what legislation deals with Phishing in the UK? (2 Marks)
A7. Which of the following regular expressions would find B5 4BU and CV32 5EL but NOT GL15 8YX?
(a) \<[\u\l][\u\l]?\d\d?\s\d[\u\l][\u\l]\>
(b) \<[\u\l][\u\l]?\d\d?\s[0-5][\u\l][\u\l]\>
(c) \<[A-F][A-Z]\d\d\s[0-5][A-F][A-F]\>
(d) \<[\u\l][\u\l]\d\d\s[0-5][\u\l][\u\l]\>
a( ) b( ) c( ) d( ) (1 mark)
A8. The Police and Justice Bill 2006 amended the original Section 3 (Computer Misuse Act 1990) offence. What
changes were introduced?
(a) S3 Unauthorised Acts with Intent to Modify Systems and S3A Making, Supplying or Obtaining Articles for Use
in Section 1 or Section 3 offences
(b) S3 Unauthorised Acts with Intent to Impair Operation and S3A Unauthorised access with intent to commit
or facilitate commission of further offences
(c) S3 Unauthorised access to computer material, punishable by 6 months' imprisonment or a fine and S3A
Unauthorised Acts with Intent to Modify Systems
(d) S3 Unauthorised Acts with Intent to Impair Operation and S3A Making, Supplying or Obtaining Articles for
Use in Section 1 or Section 3 offences
A9. Name three terms describing components of hard-disk geometry and detail their functions
1.
2.
3.
(6 marks)
A10. Explain the terms universality and repeatability from a forensic perspective
(2 marks)
a( ) b( ) c( ) d( ) (1 Mark)
A12. Name 5 hives of Windows Registry and quickly outline the kind of data stored within them:
(5 marks)
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
/9
15/10/2013 14:10:29
The image has been created successfully and the MD7 hashes have verified, the checksum being
45SAFJ34890SAFDLTCDBO400. I bagged the evidence in evidence bag no. 2380495, signed it and
handed it over to the exhibits officer.
______________________________________________________________________________
A14A. Which ACPO Principle(s) would the excerpt's author be observing and what does it state?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
(6 marks)
A14B. Name 3 things a forensic investigator from the defence counsel might question from the excerpt above
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
(3 marks)
A15. You arrive on scene where a 'suspected' incident has taken place. What is the first thing you should do
before you touch anything?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
(4 Marks)
A16. What file systems do the following operating systems use as standard? (4 marks)
/17
a( ) b( ) c( ) d( ) (1 Mark)
A18. Define the term “cluster” in the context of data storage and its relation to “slack space”
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
(4 marks)
A19. Every file or directory in an NTFS file system has an entry in the __________________
a) File Allocation Table
b) Master File Table
c) Master Allocation Table
d) File Master Table
a( ) b( ) c( ) d( ) (1 Mark)
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
(2 Marks)
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
(3 Marks)
A22. The GDPR provides the following rights for individuals: (8 Marks)
1. :
2. :
3. :
4. :
5. :
6. :
7. :
8. :
/19
• Application.evtx
• Security.evtx
• SAM
• Software
• System
Once you have downloaded the evidence files listed above, you are to examine the evidence and
answer specific questions concerning it. Work methodically and identify the items required. Rather than
answering each question in consecutive order, you may wish to examine the evidence and conduct some
searches in order to get a better understanding of the material.
B1: Analyse the attached Application.evtx and Security.evtx files produced by the Windows logging provider.
Your scope is restricted to entries happening in the evening of December the 4th, 2017 between 19.00 and
21.00.
Answer the following questions:
Which account name has been changed on SAM and by which user? (18 Marks)
B2: Given the hive files SAM, Software and System, use Registry Viewer to answer the following questions:
1. What is the computer name? (1 Mark)
10. Which USB device was connected to our machine on December 15th 2017 at 19:40:19 UTC? (3 Marks)
/16