SIT703 Advanced Digital Forensics Assignment 2

    Need Solution - Download from here

    NO EXTENSIONS allowed without medical or other certification. LATE ASSIGNMENTS will automatically
    lose 5% per day up to a maximum of five days, including weekends and holidays. Assignments
    submitted 6 or more days late will not be marked and are given zero.
    METHOD OF SUBMISSION: Submit electronically via Assignment Dropbox on CloudDeakin.
    Please read the following problem statement and complete the corresponding tasks. You will need to
    use the knowledge and skills learned during the class and practical sessions. You must write your report
    Problem Statement
    Arif works for a university as an IT administrator. He received a call on Sept 8, 2009 from a staff member
    Amy who complained that a suspicious account has been created on her personal laptop without her
    consent. The general IT policy of the university disallows Arif to acquire any research-related files from
    Amy’s laptop because she is participating a top-secret government project. Therefore, Arif asked Amy
    to export the Windows Registry and copy a few Windows log files of her laptop from the directory
    Amy copied 5 files and compressed them in to a ZIP file named “”. Now, Arif receives a
    copy of the ZIP file and starts to analyze what took place on Amy’s laptop (IP:
    Task 1 (Scan your machine)
    To ensure that Arif’s machine is free of rootkit programs which may alter the investigation results, he
    decides to run a thorough scan. Choose at least two programs and provide the screenshots of the scanning
    (1 mark)
    Task 2 (Repairing Windows Logs)
    Arif decompresses the file “” and finds 4 Windows event log files. Describe the information
    stored in each log file and repair those important log files so that they can be viewed in Windows
    (4 marks)
    Task 3 (Which account is created)
    Having repaired the log files, Arif examines one of them in order to identify which account was created
    without Amy’s consents. Which log file and which EventID number Arif should search? Provide a
    screenshot for the account-creation event.
    (1 mark)
    Task 4 (Where is Amy’s password)
    Having identified the event that a new user was created on Amy’s laptop, Arif telephones Amy and asks
    whether she can provide more clues. Amy tells that she has a personal password safe as an encrypted
    ZIP file hidden on the university network. The link to access the password safe is http://www.deakin. But Amy is confident that only she can access her account
    details because this password safe has multiple security protection mechanisms. However, Arif wants to
    demonstrate that Amy’s belief may be too optimistic. Provide screenshots and describe how Arif can
    easily access Amy’s account information.
    (3 marks)
    Task 5 (Amy’s password)
    Arif has extracted Amy’s password safe, but he wants to demonstrate to Amy that her Windows password
    can be easily cracked. So he calls Amy and Amy bets that he cannot get her password. Being challenged
    and authorized, Arif decides to crack Amy’s Windows password used on her laptop. Work out what the
    username and the password are on Amy’s laptop.
    (2 marks)
    Task 6 (When did things go wrong?)
    Amy now realizes that Windows provides a very weak protection and she becomes concerned about the
    safety of her research data. Arif decides to look through the log files again in order to identify when the
    bogus account logged on to Amy’s laptop. Use two screenshots to indicate when the bogus account was
    logged on and logged off.
    (1 mark)
    Task 7 (I know what you did)
    Arif believes that he can find all important activities on Amy’s system during the session time identified
    in Task 6. Which event recorded in the system log file will tell Arif about the actions performed by the
    bogus account? When did this event terminate?
    (1 mark)
    Task 8 (Using LogParser)
    Arif recalls that some events with EnventID 11728 are closely related to the installation of Windows
    programs. He decides to use the program LogParser to search for the events with EventID 11728 in the
    log files. List all the events Arif will find by using LogParser. (screenshots are required.)
    (1 mark)
    Task 9 (The valuable Registry)
    Arif feels that things might be very serious, so he decides to go through the Registry file “Server.reg” in
    the “” file. What program(s) will Arif classify as suspicious? Provide strong reasons.
    (3 marks)
    Task 10 (Before calling the police)
    Arif and Amy feel that they must report to the police about their findings. Before they write a formal
    complaint to the forensic team, Arif recalls that he has intercepted an NTLM authentication session of
    user “helpdesk” and the hash is
    Arif guesses that the password is 3 characters long but contains special symbols. Now, crack this password
    by using your own rainbow tables.
    (3 marks)
    TOTAL: 20 marks

    By |2017-09-10T10:22:57+00:00September 10th, 2017|Categories: computer science|0 Comments

    Leave A Comment