
School of Engineering

Higher Diploma in Infrastructure and Networks

A201IN
Forensics and Security Management

Course Work

November 2023 Term

INSTRUCTIONS TO CANDIDATE

1. Answer all the 5 Coursework Questions.
2. In total, this paper is worth 50 Marks.
3. Coursework 1 represents 50% of the total assessment for this module.
4. Completion Date is on Week 10 (Date will be informed by your Lecturer).
5. Submit the softcopy of the diagram, screenshots and notes of the solution via Microsoft Teams - Assignments.
6. It is an individual work. Copied work will be awarded with zero mark.
7. Format your work upon submission:
   - Student Name, ID, Lecturer Name and Date of Submission
   - Proper header and footer
   - Format File name as: Nov2023_HDIN_StudentName_A201IN_CW_MS
8. Each question has its own weight of score. Execute and show the resultant state of each question. Marks are not given for incorrect answers or unanswered questions. Detailed explanation may be required for some questions.

Page 1 of 9

A201IN
Forensics & Security Management
ACAD/006/03
Version: 1.0
Questions.
Task 1

You are given a memory dump file for a forensics investigation. The required dump file was uploaded at https://shorturl.at/msWX1. You may use any suitable tool to analyse the following.

(a) Determine the OS and build number of the system or computer from which the dump was extracted for evidence.
(b) What is the PID of SearchIndexer?
(c) What is the last directory accessed by the user?
(d) There are many suspicious open ports. Which are these? (protocol:port)
(e) Identify malicious code in the captured evidence: take any one process from the list of processes that Volatility flags as possibly containing injected code, and analyse it in VirusTotal to detect malware and security breaches.
(10 marks)

Task 2

This task requires a virtual machine installed with the Windows Server 2012 OS. After deploying this VM, modify the Windows Server group policy settings related to password policy as follows, so that the required tasks can be performed:
- Minimum password length – 3 characters
- Password must meet complexity requirements - disabled
(a) Create 3 users on Windows Server with the following password requirements.
- The first user account’s password should have at least 5 characters and not more than 6 characters, with numbers, uppercase and lowercase letters, and without using any special characters.
- The second user account’s password should have 5 characters with uppercase and lowercase letters only, and without using any numbers or special characters.
- The third user account’s password length and complexity should meet the PCI DSS standard’s requirement.
(b) Recent security news reported that the Print Spooler service is vulnerable to remote attack.
- Find one CVE for a remote-attack vulnerability in the Print Spooler service. Investigate which application (executable) runs that service on Windows Server.
(c) Perform a memory dump of the Windows Server to a file.
(d) Analyse the memory dump file to discover the hash values of the user accounts and the process list. Show your workings.
(e) After exporting the hash values of the user accounts to a file, crack them with suitable software to reveal the weak passwords of the first and second user accounts.
(10 marks)
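An added example for the password-policy part of Task 2, not part of the coursework. It assumes an elevated PowerShell session on a standalone (non-domain-joined) Windows Server 2012, applies the two policy settings through secedit, and includes a hypothetical helper, Test-Task2Password, that checks a candidate password against the three account requirements; the PCI DSS figures in it are taken from PCI DSS v4.0 Requirement 8.3.6.

```powershell
# Added example: apply the Task 2 local password policy and verify it.
# Assumes a standalone Windows Server 2012 and an elevated session. On a
# domain controller the same settings live in the Default Domain Policy
# (Set-ADDefaultDomainPasswordPolicy) instead of the local security policy.
$cfg = Join-Path $env:TEMP 'secpol.inf'
$db  = Join-Path $env:TEMP 'secpol.sdb'

# Export the current local security policy, rewrite the two [System Access]
# entries and import the result. PasswordComplexity = 0 disables
# "Password must meet complexity requirements".
secedit /export /cfg $cfg /quiet
(Get-Content $cfg) -replace '^MinimumPasswordLength\s*=.*', 'MinimumPasswordLength = 3' `
                   -replace '^PasswordComplexity\s*=.*',    'PasswordComplexity = 0' |
    Set-Content $cfg -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet
gpupdate /force | Out-Null

# Confirm the effective policy: "Minimum password length" should now read 3.
net accounts

# Hypothetical helper: does a candidate password satisfy the requirement for
# user 1, 2 or 3 in Task 2(a)? User 3 uses PCI DSS v4.0 Requirement 8.3.6
# (at least 12 characters, containing both numeric and alphabetic characters).
function Test-Task2Password {
    param([Parameter(Mandatory)][string]$Password,
          [Parameter(Mandatory)][ValidateSet(1,2,3)][int]$User)
    $hasUpper   = $Password -cmatch '[A-Z]'
    $hasLower   = $Password -cmatch '[a-z]'
    $hasDigit   = $Password -match  '\d'
    $hasSpecial = $Password -match  '[^A-Za-z0-9]'
    switch ($User) {
        1 { ($Password.Length -ge 5) -and ($Password.Length -le 6) -and
            $hasUpper -and $hasLower -and $hasDigit -and -not $hasSpecial }
        2 { ($Password.Length -eq 5) -and $hasUpper -and $hasLower -and
            -not $hasDigit -and -not $hasSpecial }
        3 { ($Password.Length -ge 12) -and $hasDigit -and ($hasUpper -or $hasLower) }
    }
}

# Constructed sample values: the first satisfies the PCI DSS rule, the second
# (a 5-letter value of the kind intended for user 2) does not.
Test-Task2Password -Password 'Correct1Horse' -User 3
Test-Task2Password -Password 'Abcde'          -User 3
```

The helper only checks the stated length and character-class rules; it is a convenience for choosing test passwords, not a substitute for the server's own policy enforcement.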
Task 3

This task requires you to work with your Windows system for the following:
(Show your workings with related screenshots and codes.)

(a) Identify a tool in the Windows operating system that shows how much network bandwidth each application is using and which destination it is sending to.
(b) Find at least three open or listening ports on IP address 8.8.8.8.
(c) Turn on Windows Firewall logging for all network profiles. The log size should be at least 10 MB, the log should be stored under the (C:\Firewall-Log\) directory, and logging should be enabled for all packets.
(d) Block all web traffic from your Windows system to the website testphp.vulnweb.com by using a Windows Firewall rule, as your organization’s policy. Analyse the DROP entries for testphp.vulnweb.com in the firewall log.

(e) Create a virtual disk with a size of 2 GB and mount it with drive letter “V”. Encrypt this drive partition with BitLocker encryption and print or export the recovery key file to a different storage location.
(10 marks)
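An added example for Task 3(c) and (d), not part of the coursework. It assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later (where the NetSecurity module is available) and the log path from the task; the hypothetical Get-DroppedToHost helper summarises the DROP entries for the blocked host from the resulting log.

```powershell
# Added example: enable Windows Firewall logging (Task 3c), block outbound web
# traffic to testphp.vulnweb.com (Task 3d) and summarise the resulting DROPs.
# Assumes an elevated session and the NetSecurity module (Windows 8.1 / 2012 R2+).
$logDir  = 'C:\Firewall-Log'
$logFile = Join-Path $logDir 'pfirewall.log'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
# A custom log folder must be writable by the firewall service account,
# otherwise the log stays empty with no visible error.
icacls $logDir /grant 'NT SERVICE\MpsSvc:(OI)(CI)M' | Out-Null

# (c) Log allowed and blocked packets for every profile. The size is given in
#     kilobytes, so 10240 KB is the 10 MB minimum the task asks for.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogFileName $logFile -LogMaxSizeKilobytes 10240 `
    -LogAllowed True -LogBlocked True

# (d) Firewall rules match on addresses, not host names, so resolve the site's
#     current A records and block outbound HTTP/HTTPS to each of them.
#     Re-resolve periodically: the address behind the name can change.
$addrs = (Resolve-DnsName -Name 'testphp.vulnweb.com' -Type A |
          Where-Object { $_.Type -eq 'A' }).IPAddress
New-NetFirewallRule -DisplayName 'Block web traffic to testphp.vulnweb.com' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 80,443 `
    -RemoteAddress $addrs -Profile Any

# Hypothetical helper: parse pfirewall.log (space-separated rows following
# the "#Fields:" header) and count DROP rows whose dst-ip is a blocked address.
function Get-DroppedToHost {
    param([string]$Path, [string[]]$BlockedAddresses)
    $fields = 'date','time','action','protocol','src-ip','dst-ip','src-port',
              'dst-port','size','tcpflags','tcpsyn','tcpack','tcpwin',
              'icmptype','icmpcode','info','path'
    Get-Content $Path | Where-Object { $_ -and $_ -notmatch '^#' } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields |
        Where-Object { $_.action -eq 'DROP' -and $BlockedAddresses -contains $_.'dst-ip' } |
        Group-Object 'dst-ip','dst-port' |
        Select-Object @{n='Destination';e={$_.Name}}, Count
}

# After browsing to the site a few times, each attempt shows up as a DROP
# grouped by destination address and port (80 or 443).
Get-DroppedToHost -Path $logFile -BlockedAddresses $addrs
```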

Task 4

A crime happened in an office, and a related computer was seized and controlled in compliance with the chain of custody. From that computer, a disk image of the hard disk drive was taken for further investigation to trace back the events. This disk image was uploaded to the following links –
https://download.vulnhub.com/ha/sherlock.ova
https://drive.google.com/file/d/1UQMOphUUezNWwwTXGvdcMO1aLboETt6w/view?usp=sharing
(a) Download that file from either link and import it into VMware Workstation as a virtual machine in a directory. After that, find the virtual disk file “.vmdk” in that directory on your machine.

(b) Set up and use disk forensics software to investigate the disk image file for the following –
i. What kind of operating system is installed in the disk image?
ii. One file in waveform audio file format that may contain a message.
iii. A folder that contains 15 pictures, which may reveal the images of the online victim.
iv. Three email message files received from the criminal, whose filenames contain the following parts:
   - 1601397957.V801Ie2533M1xxxxxxxxxxx
   - 1601397722.V801Ie252eM8xxxxxxxxxxx
   - 1601397590.M663026xxxxxxxxxxxxxx
v. Two text files (10_Points.txt and 25_Points.txt) that show you have found some hints.
(10 marks)
Task 5

This task involves penetration testing of a Windows system that has the Windows Defender service and Windows Security disabled. You may use “Kali Linux” and any “Windows” system.
(a) Assign the necessary network settings and allowed firewall rules on the “Kali Linux” and “Windows” systems. The two systems should have network connectivity. (You may have to use Host-only in the network adapter setting of the VMs.)
(b) Set up folder sharing and the remote desktop service on the Windows system.
(c) Port scan the “Windows” system with nmap for TCP ports 21, 25, 53, 80, 389, 443, 445, 465, 1433 and 3389. Show in the result which ports are open.
(d) Create a trojan file in Kali Linux and upload the file to the Windows system.
(e) Test the exploitation with the multi/handler exploit by opening the trojan file. Show the result, and if the exploit is successful, show the system info and the active user ID.
(10 marks)

Students need to print this cover sheet and attach it to the assignment/project report before submission to the respective tutor.

Name of Student: Auston / UNI ID:

Date of Submission:              Name of Lecturer:

Program/ Module: A201IN - Forensics and Security Management

Assignment: Course Work Assessment 1

Plagiarism check Turnitin Percentage: Accept / Reject

Justification:

Collusion check

Learning Outcome / Marking Guide                                   Weightage   1st Marker ( )   2nd Marker ( )   Final Mark

Task 1 - Memory Forensic
(a) Determine OS and build number of the system                        1
(b) PID of SearchIndexer                                               1
(c) Last directory accessed by the user                                3
(d) Suspicious open ports                                              2
(e) Detect malware and security breaches                               3

Task 2 - Password Policy and Cracking SAM
(a) Setup VM, setting up Password Policy and creating 3 Users          3
(b) Print Spooler CVE                                                  2
(c) Performing memory dump                                             1
(d) Analyze and discover the hash value of user accounts               2
(e) Cracking hash value of User1 and User2                             2

Task 3 - Working with Windows Firewall
(a) Discover a tool (resmon)                                           1
(b) Three opening or listening ports (:80)                             1
(c) Enable Firewall Log                                                2
(d) Block and Check Firewall Log                                       3
(e) BitLocker Drive                                                    3

Task 4 - Investigating the disk image file
(a) Setup VM and finding .vmdk file                                    2
(b) Disk Forensics
    (i) OS                                                             1
    (ii) Waveform audio file                                           1
    (iii) A folder that contains 15 pictures                           2
    (iv) Three email message files                                     2
    (v) Two text files                                                 2

Task 5 - Penetration Testing to Vulnerable System
(a) Setup Kali Linux & Windows PC for network setting & Windows
    Defender Disabled, System Security Disabled                        2
(b) Folder share & remote desktop setup                                1
(c) Port Scanning with NMAP                                            1
(d) Create trojan file and upload                                      3
(e) Test exploit - multi/handler                                       3

Total                                                                 50

Module Assessment Feedback

Name of Student: Uni ID:

Name of Lecturer:

Module Code & Name: A201IN – Forensics and Security Management

Assessment Title: Coursework – HDIN A201IN

Lecturer’s comments – with reference to assessment criteria

Areas for improvement:

Date completed:

Second Marker Comments:

Date completed:

Staff Declaration: We agree that work to be marked anonymously will be treated as such until marking and internal moderation have been completed.
