
216SE PRACTICE PHASE TEST 2019/2020

The Phase Test will comprise 2 elements: there will be a series of general computer related questions and
ones that will require usage of the FTK VM in examining evidence files to determine answers to specific
questions.

Name: .........................................................................

SID Number: .................................................................

READ THESE INSTRUCTIONS CAREFULLY AND FOLLOW THE STEPS OUTLINED.

Open the FTK Virtual Machine. You can make use of all software on the VM, but not the Internet.

Default settings should be used, no data carving is required, and where it asks for a timezone, use
Europe/London.

All your working files should be created and located in the 216SE folder on your Desktop. The test has 95 marks.

There will be no solutions posted before the assessment.

READ THE QUESTIONS CAREFULLY AND ANSWER ACCORDINGLY.

SECTION A KNOWLEDGE ELEMENT


A2. What is file slack?

a. The space in a file left by deleting part of the file
b. The space between a start of sector mark and start-of-file
c. The space between start-of-file and the logical end-of-file
d. The space between the logical end-of-file and the physical end-of-file

a( ) b( ) c( ) d( ) (1 mark)

A3. ACPO Principle 2 states that: (1 mark)

A4. What is inculpatory evidence? (1 mark)

A5. What is exculpatory evidence? (1 mark)

/9


A6. What is Phishing and what legislation deals with Phishing in the UK? (2 Marks)

A7. Which of the following regular expressions would find B5 4BU and CV32 5EL but NOT GL15 8YX

(a) \<[\u\l][\u\l]?\d\d?\s\d[\u\l][\u\l]\>

(b) \<[\u\l][\u\l]?\d\d?\s[0-5][\u\l][\u\l]\>

(c) \<[A-F][A-Z]\d\d\s[0-5][A-F][A-F]\>

(d) \<[\u\l][\u\l]\d\d\s[0-5][\u\l][\u\l]\>

a( ) b( ) c( ) d( ) (1 mark)

A8. The Police and Justice Bill 2006 amended the original Section 3 (Computer Misuse Act 1990) offence. What
changes were introduced?

(a) S3 Unauthorised Acts with Intent to Modify Systems and S3A Making, Supplying or Obtaining Articles for Use
in Section 1 or Section 3 offences

(b) S3 Unauthorised Acts with Intent to Impair Operation and S3A Unauthorised access with intent to commit
or facilitate commission of further offences

(c) S3 Unauthorised access to computer material, punishable by 6 months' imprisonment or a fine and S3A
Unauthorised Acts with Intent to Modify Systems

(d) S3 Unauthorised Acts with Intent to Impair Operation and S3A Making, Supplying or Obtaining Articles for
Use in Section 1 or Section 3 offences

(a) ( ) (b) ( ) (c) ( ) (d) ( ) (1 Mark)

A9. Name three terms describing components of hard-disk geometry and detail their functions

1.

2.

3.

(6 marks)

A10. Explain the terms universality and repeatability from a forensic perspective

(2 marks)

/12

A11. What type of volatile data has no forensic value?

(a) State of running processes
(b) State of network connections
(c) CPU Cache and register contents
(d) RAM contents

a( ) b( ) c( ) (d) ( ) (1 Mark)

A12. Name 5 hives of Windows Registry and quickly outline the kind of data stored within them:

Name Typical Data

(5 marks)

A13. Describe what data carving is: (3 marks)

__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

/9


A14. Read the contemporaneous notes excerpt below:


15/10/2013 14:20:48
I connected the seized hard-drive (of size 20Gb) to a Tableau write blocker via a red SATA cable,
ensuring that the switches on the end are set to read-only, with the other end of the tableau writer connected
to a forensically safe workstation in order to image the seized hard-drive. I opened up FTK Imager 3.1.0 and
selected “create disk image”. I then used all default settings and created an image of format E01.

15/10/2013 14:10:29
The image has been created successfully and the MD7 hashes have verified, the checksum being
45SAFJ34890SAFDLTCDBO400. I bagged the evidence in evidence bag no. 2380495, signed it and
handed it over to the exhibits officer.
______________________________________________________________________________

A14A. Which ACPO Principle(s) would the excerpt's author be observing and what does it state?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

(6 marks)

A14B. Name 3 things a forensic investigator from the defence counsel might question from the excerpt above
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
(3 marks)

A15. You arrive on scene where a 'suspected' incident has taken place. What is the first thing you should do
before you touch anything?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

(4 Marks)

A16. What file systems do the following operating systems use as standard? (4 marks)

Operating system        File system

MacOSX                  ____________________
Kali Linux              ____________________
Any Windows 2000+       ____________________
Windows XP              ____________________

/17

A17. Which of the following does not apply to evidence analysis?

a. Keyword search
b. Bit-by-bit copy
c. Honeypotting
d. Identification of file anomalies

a( ) b( ) c( ) d( ) (1 Mark)

A18. Define the term “cluster” in the context of data storage and its relation to “slack space”
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
(4 marks)

A19. Every file or directory in an NTFS file system has an entry in the __________________
a) File Allocation Table
b) Master File Table
c) Master Allocation Table
d) File Master Table
a( ) b( ) (c) ( ) (d) ( ) (1 Mark)

A20. Define Locard's Exchange Principle

__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

(2 Marks)

A21. Explain SSD wear levelling

__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
(3 Marks)

A22. The GDPR provides the following rights for individuals: (8 Marks)

1. :
2. :
3. :
4. :
5. :
6. :
7. :
8. :

/19

SECTION B INVESTIGATIVE SKILLS


You are given 5 evidence files to work on:

• Application.evtx
• Security.evtx
• SAM
• Software
• System

Once you have downloaded the evidence files listed above, you are to examine the evidence and
answer specific questions concerning it. Work methodically and identify the items required. Rather than
answering each question in consecutive order, you may wish to examine the evidence and conduct some
searches in order to get a better understanding of the material.

B1: Analyse the attached Application.evtx and Security.evtx files produced by the Windows logging provider.
Your scope is restricted to entries occurring in the evening of December the 4th, 2017 between 19.00 and
21.00.
Answer the following questions:

What applications have been installed?

What application at first failed to install?

Which account has been deleted and by which user?

Which account has been disabled and by which user?

Which account has been enabled and by which user?

Which account name has been changed on SAM and by which user? (18 Marks)


B2: Given the hive files SAM, Software and System, use Registry Viewer to answer the following questions:
1. What is the computer name? (1 Mark)

2. Who is the Registered Owner? (1 Mark)

3. Which Operating System has been installed? (1 Mark)

4. What is the Timezone in use on the machine? (1 Mark)

5. When was the computer shutdown the last time? (1 Mark)

6. In addition to users normally present in a Windows environment (Administrator, DefaultAccount,
Guest, WDAGUtilityAccount – Windows Defender Application Guard) how many and which users were
created? (2 Marks)

7. What is the default mail client? (2 Marks)

8. What are the installed web browsers? (2 Marks)

9. Which version of Windows Explorer was in use? (2 Marks)

10. Which USB device was connected to the machine on December 15th 2017 at 19:40:19 UTC? (3 Marks)

/16
