Environment and Experiment Plan

Task

Prepare a controlled environment to run experiments.

Write a summary report that justifies the controlled environment.

Write an experiment plan that explains the approach taken to understand the artefacts created by the software.

 

Description

You will prepare and demonstrate a controlled environment. You should identify any environment control mechanisms you have added to avoid any confounding factors having an impact upon your experiments.

 

Your controlled environment would normally be contained within a virtual machine. It is highly advisable for you to use a virtual machine.

 

Your controlled environment should be well-considered and not simply be an installation of Windows. You should consider the setup of the operating system, the setup of the hardware, and ensure that only necessary services or background programs are running. Anything that can have an adverse effect on the data should be prevented from running. You should consider which services are necessary to run the software correctly, and disable any unnecessary services. Be careful not to disable too many, otherwise you may prevent some artefacts from being created that would normally be created.

You will create an experiment plan for each file system artefact. The software contains 4 file system artefacts and you must therefore provide 4 individual plans, one for each file system artefact.

 

The experiment plan should provide enough information that you could give it to another forensic investigator for them to run the experiments on your behalf. You should use divide and conquer techniques to identify a list of experiments that you will perform. Each experiment you identify should contribute towards identifying the data structures contained within the data files created by the software.

 

Your plan should contain enough information so that another forensic investigator would know exactly how to approach the experimentation task.

 

The list of experiments (produced using divide and conquer techniques) should provide a summary of what you intend to achieve.

There are 4 file artefacts for you to examine. For each data artefact you should provide a list of experiments that you will perform to understand the data inside those file artefacts. For one of those experiments you should provide a detailed plan of how you will perform the experiment.

 

Important: Don’t use the same experiment 4 times. You should choose a different experiment each time – you will lose marks for repeating the same experiment.

Your plan should identify how you will:

  • Move from one file artefact state to another
  • Isolate each individual data structure artefact
    • Isolate grouped data structure artefacts
    • Isolate individual data structure artefacts
  • Understand what the software does to update the file system artefact metadata
    • Modified, Accessed, Created – and other metadata
  • Analyse the data and draw conclusions

Notes:

1. The 4 file system artefacts for the assignment are:

  1. Registry
  2. Modules.XML (ignore modules.dat)
  3. Student data (contained information about the student and their emergency contacts)
  4. Studentname.dat (e.g. Dempsey_john.dat) which contained information about which modules they had

2. For each data artefact (file) I’m expecting:

  1. A list of experiments – using divide and conquer – that explain what the experiment will achieve
  2. Take one item from this list of experiments and turn it into a detailed experiment design

For example, if I used divide and conquer to design something along the lines of,

  1. ABC
    1.1 ABC.XY
    1.2 ABC.XZ
    1.3 ABC.XYZ
      1.3.1 ABC.XZ
      1.3.2 ABC.YZ
    1.4 PROBLEM 1
    1.5 PROBLEM 2
      1.5.1 PROBLEM 2.1
      1.5.2 PROBLEM 2.2

ETC

The list above is meant to demonstrate that you are breaking down a big problem into lots of little experiments.

 

Which one would I want you to turn into an experiment? Any. I don’t really care – I want to see that you can design a scientific experiment.

If you design an experiment for 1 (ABC) then it will encompass 1.2, 1.3, 1.4 and 1.5.

If you design an experiment for 1.1 then you are only designing 1.1.

If you design an experiment for 1.5.1 then you are only designing 1.5.1.

 

If it was me, I wouldn’t design an experiment for 1 (ABC) as this would be a relatively large experiment to design (because it would include 9 other smaller experiments).

 

The only stipulation is that you should not choose the same type of experiment to design over and over again – if your experiment design looks exactly the same, but with a few words different, then it is not original and you should consider changing it.

 

LAST PIECE OF ADVICE ->

 

You don’t have to take this advice – you can ignore it if you want.

You can choose your experiments around the following,

 

  1. Experiment to isolate and prove the data type of 1 piece of data within the first data artefact (file)
  2. Experiment to isolate and attempt to disprove the data type of 1 piece of data within the second data artefact (file)
  3. Experiment to explain how MAC times are created when data is entered within the third data artefact (file)
  4. Experiment to check that nothing else is created within the file system when data is added/changed/deleted within the fourth data artefact (file)

 

If you follow this pattern of experiments then each one attempts to do something different.
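
The state-to-state comparison behind suggestions 3 and 4, as an added example that is not part of the original brief: snapshot the folder the software writes to before and after one action, then list what was created, deleted, changed in content, or changed in metadata only. The folder and file contents below are constructed, and last-access time is not compared because hashing a file reads it.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file under root to (size, mtime_ns, ctime_ns, sha256)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            # st_ctime is creation time on Windows, inode-change time on Unix.
            # Access time is left out: the read above can itself update it.
            state[os.path.relpath(path, root)] = (
                st.st_size, st.st_mtime_ns, st.st_ctime_ns, digest)
    return state

def diff(before, after):
    """Classify every path by what changed between two snapshots."""
    report = {"created": [], "deleted": [], "content": [], "metadata_only": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            report["created"].append(path)
        elif path not in after:
            report["deleted"].append(path)
        elif before[path][3] != after[path][3]:
            report["content"].append(path)
        elif before[path][:3] != after[path][:3]:
            report["metadata_only"].append(path)
    return report

if __name__ == "__main__":
    # Constructed stand-in for the software's data folder and one action.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "Dempsey_john.dat"), "wb") as fh:
        fh.write(b"module-list-v1")
    state_a = snapshot(root)
    with open(os.path.join(root, "Dempsey_john.dat"), "wb") as fh:
        fh.write(b"module-list-v2")          # the single action under test
    with open(os.path.join(root, "unexpected.tmp"), "wb") as fh:
        fh.write(b"side effect")
    print(diff(state_a, snapshot(root)))
```

Run it against a clean baseline taken with the software idle first: anything the diff reports then comes from the environment rather than the software.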

 
