CSCI 388 Computer Forensics Fall 2014
Quiz 1

• Open Material
• Answer all questions. Each question - 25 points
• Write your answers in the TEXT file. Name the file your_last_nameQuiz1.txt
• Upload your answers and ALL files your created on Campus Cruiser Quiz 1 assignment. You should upload 4 files: file with answers your_last_nameQuiz1.txt, ex1.txt, ex1New.txt, ex1NewNew.txt

Questions

1. Assume that two files were collected as evidence on December 10, 2011. The MD5sum was calculated for each file on that day. Today, you would need to present the evidence in the court and to prove that the evidence files didn't change since December 10, 2011. List your actions.
2. You are the owner of the computer that contains important information. You collect and document the MD5 sums for the important files every Friday. You came to your office after the weekend on Monday and have a suspicion that your computer was compromised during the weekend and could be some of the important files were changed. How you would investigate this issue and how you will find the files that were changed? Would you be able to find what exactly was changed? Explain.
3. • Create a text file with the following text: Computer Forensics. Name this file ex1.txt

     Calculate the MD5sum for this file and write the value of MD5sum in your_last_nameQuiz1.txt

   • RENAME the file to be ex1New.txt and calculate the MD5sum value for the new file. Write the MD5 value for this file in your_last_nameQuiz1.txt
   • Did you get the same value? Explain your answer.
   • Delete the file ex1New.txt
   • Create a file with the same text as before and the following name ex1NewNew.txt
   • Calculate the MD5sum value again for the file ex1NewNew.txt and write the MD5 value for this file in your_last_nameQuiz1.txt
   • Did you get the same value as before? Explain
   • Make the following change in the file ex1NewNew.txt - add NEW LINE at the beginning of the file
   • Recalculate the MD5sum value for the file and write the MD5 value for this file again in your_last_nameQuiz1.txt
   • Did you get the same value as before? Explain

4. Assuming you have a following HEX value in the memory

   HEX Value

   Address	Value
   1000	A0
   1001	C6
   1002	10
   1003	11

   1. Assuming, that the system is Big Endian, find the decimal value of the HEX value written above.

   2. Assuming, that the system is Little Endian, find a decimal value of the HEX value written above