If you can see this check that

Main Page

CSN11125 Mock Exam 2019/20
User:
Password:

Assessment

This is a mock assessment for CSN11125/26 practical exam. Within the question each check button awards marks with equal weighting to that question. For instance, a question with 10 check buttons means that each check button is worth 10% of that question, i.e. contributes 10/3 % to the overall assessment mark.

Note some buttons do not carry any marks. These buttons relate to setting up scenarios, or installing scripts for your use. All percentage marks shown in the paper are the scores for that particular check button only!

You can press each button as often as you like. Only the highest mark for each check button is used to calculate your overall mark.

The paper DOES NOT show question totals nor your overall final mark anywhere. This is calculated and emailed to you later.

Good luck.

To reset all the check buttons from a previous attempt click here

Question 1: Deleted Partition

There is a deleted partition on the image disk01.dd (/images/disk01.dd)

Most of the time files are stored in directories for easy management. In FAT file system directories and files are located in the "Root Directory". If the file system is corrupted or missing for any reason, it would be very hard to see and analyse files/directories stored on the physical media. To search for directories in unallocated space and when file system is not available, you have to use sigfind command and search for 0x2e202020 directory signature (ASCII representation of a "period" and three "spaces", e.g. ". "). Then by using dd command open the location of that possible directory and see if there are any file located in that directory.

Use sigfind command to locate a FAT directory on the image. There is only 1 FAT directory on the image. What sector is this directory in?
FAT directory sector:

Tests - not attempted
FAT sector UNTESTED
Current Question Score: 0%
Question Score: 0%

Examine the disk sector you discovered in the previous question using a hex/ascii data viewer.

What is the first 6 characters of the first filename located in the FAT directory identified in the previous question? Do not type any spaces and remember the filename is case sensitive.
First directory entry:

Tests - not attempted
First entry UNTESTED
Current Question Score: 0%
Question Score: 0%

Staying in that directory used above, use the record metadata information to answer the following questions.

To complete the task you need to recall the FAT directory structure, shown below.

Starting ByteByte LengthContents
0 8Filename
8 3Extension
111File attribute
121Case
131Creation time (ms)
142Creation time (hrs+mins)
162Creation date
182Last Accesed date
202Reserved
222Last Modification time
242Last Modification date
262Starting Cluster
284File size

The File Attributes are an OR of the following information:

FlagDescription
0000 0001 (0x01)Read-only
0000 0010 (0x02)Hidden file
0000 0100 (0x04)System file
0000 1000 (0x08)Volume label
0000 1111 (0x0f)Long file name
0001 0000 (0x10)Directory
0010 0000 (0x20)Archive

Using dd and xxd, scan this FAT directory you have discovered and calculate the offset for the file IMAGES.JPG. Format it in three digit hex, e.g. 0x000.
Offset:

Tests - not attempted
Offset of file UNTESTED
Current Question Score: 0%
Question Score: 0%

The creation time, held in the FAT record for IMAGES.JPG starts at offset 13. The first byte is the ms part of the time, so for simplicity focus on the two bytes starting at offset 14 (which relates to hours, minutes, and seconds).
Bits 0-4 are seconds/2: 10001 = 17, then *2 is 34 seconds.
Bits 5-10 are Minutes: 000100 = 4 minutes.
Bits 11-15 are Hours: 01000 = 8 hours.
So the creation time is 08:04:34

What is the hex native endian creation time (at offset 14) of IMAGES.JPG? Format as 0x0000.
Native endian:

Tests - not attempted
Correct bytes UNTESTED
Current Question Score: 0%
Question Score: 0%

What is the hex big endian creation time of IMAGES.JPG? Format as 0x0000.
Big endian:

Tests - not attempted
Big endian UNTESTED
Current Question Score: 0%
Question Score: 0%

What is the binary big endian creation time of IMAGES.JPG? Format as 10000000000 with no leading zeros.
Big endian binary:

Tests - not attempted
Big endian UNTESTED
Current Question Score: 0%
Question Score: 0%

What is the creation time in hr:mn:sc?
Creation Time:

Tests - not attempted
Big endian UNTESTED
Current Question Score: 0%
Question Score: 0%

Dates are similar in procedure to convert, except that:
Day is bits 0-4
Month is bits 5-8
Year is bits 9-15 + 1980

What is the creation day of IMAGES.JPG in the format 1 JAN 2012.
Creation Date:

Tests - not attempted
Day correct UNTESTED
Month correct UNTESTED
Year correct UNTESTED
Current Question Score: 0%
Question Score: 0%

What is the starting cluster shown in this directory entry?

Tests - not attempted
Starting Cluster UNTESTED
Current Question Score: 0%
Question Score: 0%

What is the file size in bytes?

Tests - not attempted
Starting Cluster UNTESTED
Current Question Score: 0%
Question Score: 0%
Centos 7 intro: Paths | BasicShell | Search
Linux tutorials: intro1 intro2 wildcard permission pipe vi essential admin net SELinux1 SELinux2 fwall DNS diag Apache1 Apache2 log Mail
Caine 10.0: Essentials | Basic | Search | Acquisition | SysIntro | grep | MBR | GPT | FAT | NTFS | FRMeta | FRTools | Browser | Mock Exam |
CPD: Cygwin | Paths | Files and head/tail | Find and regex | Sort | Log Analysis
Kali: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7a | 8a | 8b | 9 | 10 |
Kali 2020-4: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7 | 8a | 8b | 9 | 10 |
Useful: Quiz | Forums | Privacy Policy | Terms and Conditions

Linuxzoo created by Gordon Russell.
@ Copyright 2004-2023 Edinburgh Napier University