Assignment title: Information
The following tasks should be performed by every student, with the cooperation of your partner in
your group. When you are performing these tasks, please make notes on what you've done and
how you do it, because you will have to report how you perform these tasks.
1. On your virtual computer (Windows OS), create a small hard disk of 80 MB, of the fixed size
type and named by your student number. Other sizes of the hard disk will not be accept.
Failing to follow this instruction may result a 0 mark for your assignment.
2. On this newly created hard disks, create 3 partitions, 2 FAT (or FAT32) partitions and 1 NTFS
partition. The NTFS partition should be the largest of the three, and one of the 2 FAT partitions
should be very small. You decide the sizes of the 3 partitions.
3. Mount the 3 partitions to your virtual computer and format each of them.
A kind reminder: Step 4 and 5 require careful planning on the order of the actions. You may
not be able to make it in your first attempt. After learning (careful reflection needed) from
your previous mistakes, if any, you will soon find out a solution.
4. (Failing to follow any instruction in this step WILL RESULT a 0 mark for your
assignment) Now, on the larger FAT partition, fully occupy the whole partition by coping files
onto it. Please use the text files provided1. Some files are repeated by themselves to make
the files very big (well, relatively big, under the context of a 80M hard disk). The number in a
file name indicates how many repeats of its content. Carefully choose the sequence of your
copying actions to make the partition as full as possible. You may have to select "Copy but
keep both files" to achieve the goal. You should have at least a copy of "2016, big.txt" and
"2016, small.txt" each on this FAT partition.
5. (Failing to follow any instruction in this step WILL RESULT a 0 mark for your
assignment) Still on this partition, please carefully arrange a sequence of deletion and copying
actions to make some fragmentation and also unallocated clusters. The final state of the
partition does not have to be fully occupied. You must not delete the files "2016, big.txt" and
"2016, small.txt".
6. When performing Task 4 and 5, please use DiskView to check the state of your partition. Below
is a sample outcome. The screen dump below has the current file, or the highlighted file,
(yellow blocks) of "f:\the adventures of sherlock holmes (6).txt". When check your disk layout,
please make a similar screen dump with either "2016, big.txt" or "2016, small.txt" as the
current file, or the highlighted file.
1 These text files are downloaded from Project Gutenberg http://www.gutenberg.org/, with large and small files.
7. (Failing to follow the instruction in this step WILL RESULT a 0 mark for your assignment)
On the smaller FAT partition, copy either "2016, big.txt" or "2016, small.txt" on to it, but not
both.
8. (Failing to follow any instruction in this step WILL RESULT a 0 mark for your
assignment) On the NTFS partition, perform the same actions as on the larger FAT partition,
Step 4-6. At the end of your actions, you should have at least 1 resident file and at least 1
fragmented nonresident file, and also enough space for yet another nonresident file (The
concepts of resident and nonresident files will be discussed in Week 6 and 7).
9. Copy a file to the NTFS partition and then delete it. Empty the Recycle Bin. The file should be
big enough for being a nonresident file.
10.Make the smaller FAT partition hidden.
11.Shutdown your virtual computer and make a copy of this virtual disk file for your partner, and
also receive the similar file produced by your partner.
12.You are now asked to perform forensic analysis on the virtual hard disk files you received.
13.Create another small virtual hard disk to store the forensic copy of the "hard disk" you just
received.
14.(Failing to follow the instruction in this step WILL RESULT a 0 mark for your assignment)
Make a forensic acquisition of the "hard disk" you just received and store the image on your
newly create hard disk. Pretending that you have a write-blocker in the middle when you mount
the received virtual hard disk.
15.On the forensic copy, discover the following:
On the larger FAT partition, what is the residual text in the first unallocated block
(cluster)?
On the smaller FAT partition, what is the size of the partition, and which file is copied
onto it?
On the NTFS partition, find out the MFT record for "2016, small.txt" and the MFT record
for a nonresident file. Please see the detailed report requirement in the Report section
below.
On the NTFS partition, recover the last deleted file, done by your partner in his/her Step
9. Some independent research is needed for this task.
16.By now, you complete your hands-on tasks.
When working with your partner, you can give him/her some hints on what you have done, but
please refrain telling him/her exactly what you have done. Making discoveries himself/herself
is a part of the assignment, and also the expected the learning outcomes. After he/she completes
his/her discoveries, you two can verify the discoveries together. If he/she doesn't make the right
discoveries, you can give him/her more hints to redo his/her discoveries. Possibilities do exist that
you didn't do your job well. Your partner will then ask you to re-do your work.
Your partner is expected to take the same approach towards you.
Part 1
This part should have your name, student number, date, and your assignment partner's
name and student number etc.
Part 2 [5 marks in total]
This part of your report is standalone, not relating to the experiments done.
Item 3 of "ACS Code of Ethics" reads: "Honesty: You will be honest in your representation
of skills, knowledge, services and products". Please consider the following scenario:
There are 2 students. Kim is very smart. Kim decides to buy his/her assignments.
Kim receives good marks. Alex works extremely hard. Alex is not so smart as Kim.
Alex only manages to barely pass his/her assignments and the final exam. Kim
receives better final grade than Alex.
[1 marks] From a student point of view, whose behaviour, Kim's or Alex's, do you approve?
Why?
[2 marks] What could be the impact of Kim's behaviour to the rest of the class in the
semester and to the course, from which every student graduates, in a long run? Why?
[2 marks] If you were the lecturer-in-charge, for a class of 150 students, where both Kim
and Alex belong, upon the discovery of the nature of Kim's assignment(s), what approach
do you take? Why?
Part 3 [8 marks in total]
[3 marks] In this part, you report the actions you performed up to Step 10. Please include a
copy of the screen dump you made in Step 6.
In addition, please also report the following, as the result of your actions. You may include
screen dumps to help you reporting.
• [1 marks] On the larger FAT partition, the residual text on the first unallocated block
(cluster).
• [1 marks] On the smaller FAT partition, the size of the partition and the name of the
file on it.
• [2 marks] On the NTFS partition, how you make sure that there is at least 1 resident
file and 1 nonresident file, and what their file names are.
• [1 marks] On the NTFS partition, the name of the file copied and deleted in your
Step 9 actions?
Part 4 [12 marks in total]
In this part, you report your discoveries from the virtual hard disk received from your partner.
Please report the following. You may include screen dumps to help you reporting.
• [2 marks] Please report the actions you take and the software tools you use, from
the time you receive the virtual hard disk copy from your assignment partner, to
analyze the received hard disk. How do you maintain the validity of the evidences
found?
• [2 marks] On the larger FAT partition, please report the residual text on the first
unallocated block (cluster).
• [2 marks] On the smaller FAT partition, please report the size of the partition and the
name of the file on it.
• [2 marks] On the NTFS partition, Please produce a screen dump or two similar to
Figure 5-10, textbook page 202, for a resident file. Please mark the starting
position of the resident data and also report the size of the data. Please also
produce a screen dump or two similar to Figure 5-12 (page 203) and Figure 5-15
(page 207) for a nonresident file.
• [2 mark] Please produce a screen dump similar to Figure 5-19 (page 210) and mark
the starting position of the first data run. Please report the 3 components of the
data run and explain the meaning of each component.
• [2 marks] On the NTFS partition, please report the file names of the deleted files
which you can fully recover. Step 9 above performed by your partner guarantees
that at least 1 file can be fully recovered. You may find out more.