
INFORMATICSexampapers.nust.na/greenstone3/sites/localsite/collect... · 2020-04-08 · nnmibin university of sciefice hhd technology faculty of computing and informatics department


NAMIBIA UNIVERSITY

OF SCIENCE AND TECHNOLOGY

FACULTY OF COMPUTING AND INFORMATICS

DEPARTMENT OF COMPUTER SCIENCE

QUALIFICATION: BACHELOR OF COMPUTER SCIENCE IN CYBER SECURITY

QUALIFICATION CODE: 07 BCCS LEVEL: 7

COURSE: DIGITAL FORENSICS 1 — FORENSIC COMPUTING COURSE CODE: DFC711S

DATE: JUNE 2017 SESSION: THEORY

DURATION: 2 HOURS MARKS: 100

FIRST OPPORTUNITY EXAMINATION QUESTION PAPER

EXAMINER: MR. A.M. GAMUNDANI

MODERATOR: MR. M. TJIKUZU

THIS QUESTION PAPER CONSISTS OF 5 PAGES

(Excluding this front page)

INSTRUCTIONS

Answer ALL the questions in Section A and Section B.

Write clearly and neatly.

Begin answering each question in Section B on a new page.

Number the answers clearly as per the question paper numbering.

Marks/Scores per question paper are given in [ ].

NUST examination rules and regulations apply.

PERMISSIBLE MATERIALS

1. Scientific Calculator

SECTION A [20 MARKS]:

Answer all questions in this Section. Answer questions on this section on the same page.

Question 1

Which of the following does NOT leave e-evidence? [1 Mark]

A. Instant message

B. Word processing document file

C. Hard copy

D. Digital camera

Question 2

Crimes against computers can include which of the following? [1 Mark]

A. Attacks on networks

B. Unauthorized access

C. Tampering with data

D. All the above

Question 3

In order to be legally defensible, methods used in the recovery of data must ensure that [1 Mark]

A. The original evidence was not altered.

B. No data was added to the original.

C. No data was deleted from the original.

D. All of the above

Question 4

Which of the following is NOT considered one of the five stages of a computer investigation? [1 Mark]

A. Intelligence

B. Hypothesis

C. Conviction

D. Conclusion

Question 5

To protect original data from any alteration, you [1 Mark]

A. Use gloves when working with the hard drive

B. Make a forensic copy of the original data

C. Do your forensic work as quickly as possible

D. Use the operating system to copy all relevant files

Question 6

Which factor(s) determine the type of tools needed for an analysis? [1 Mark]

A. The environment

B. The power sources available where the analysis will be done

C. The make of the equipment to be analyzed

D. None of the above

Question 7

Which of the following is NOT an item generally included in a forensic kit? [1 Mark]

A. Flashlight

B. USB external drive

C. General case intake form

D. Latex gloves

Question 8

Which of the following would NOT be part of a standard report? [1 Mark]

A. Brief summary

B. Body of the report

C. Brief biography of the suspect

D. Conclusion section

Question 9

A primary function of a SIM card is to [1 Mark]

A. Control a cell phone’s memory

B. Track the power usage of the phone

C. Identify the subscriber to the phone network

D. Display user information during a call

Question 10

Operating systems employ which of the following to ensure security? [1 Mark]

A. Rights

B. Permissions

C. Authentication

D. All may be employed

Question 11

All data transmitted across a network has two addresses encapsulated. They are the [1 Mark]

A. Logical and application addresses

B. Network and physical addresses

C. Logical and physical addresses

D. Transport and Internet addresses

Question 12

In a forensics context, hidden information about files and folders is called [1 Mark]

A. Artifact data

B. Metadata

C. Archive data

D. Read-only data

Question 13

Which factor(s) determine the type of tools needed for an analysis? [1 Mark]

A. The environment

B. The power sources available where the analysis will be done

C. The make of the equipment to be analyzed

D. None of the above

Question 14

What is considered to be the first line of defense for networks? [1 Mark]

A. IDSS

B. Firewalls

C. Routers

D. Switches

Question 15

Which of the following is considered an excellent source to obtain information on when passwords were last changed within a Linux system? [1 Mark]

A. /etc/sysconfig

B. /etc/shadow/passwd

C. /etc/shadow

D. /etc

Question 16

If you change a file extension by renaming the file, [1 Mark]

A. You also change the data in the file

B. You will not be able to open the file

C. Windows will change the icon that represents the file

D. You also change the data header

Question 17

Cybercriminals are using hijacked computers to perform which of the following feats? [1 Mark]

A. Spy on people

B. Spam people

C. Steal identities

D. All are being performed

Question 18

Which of the following is the preferred way to make a forensic copy? [1 Mark]

A. Create a mirror image.

B. Produce a sector-by-sector copy.

C. Copy residual data only.

D. Make a back-up tape image.

Question 19

What is considered to be the first step in cyber investigations? [1 Mark]

A. Shutting down all infected machines

B. Finding out as much as possible about the attacker

C. Calling in the authorities

D. Trying to contact the attacker

Question 20

Before accepting a case, a good investigator will check [1 Mark]

A. That there is enough money to make it worthwhile

B. That there are enough witnesses

C. That there are no physical dangers involved

D. That there is no conflict of interest


SECTION B [80 MARKS]:

Answer all questions in this section. Begin answering each question on a new page.

Question 1

(a) Digital evidence can be located in many areas, can you cite any four such areas and indicate the type of evidence you would find there. [8 Marks]

(b) Explain what you understand by chain of custody. [2 Marks]

(c) There are a number of uses of the Internet by criminals, which amongst them can you rank as your personally identified highest five (5)? [5 Marks]

(d) Match the terms in Table 1 (i) to (v) to their respective definitions (A) to (E) [5 Marks]

Table 1: Matching terms to their definitions

(i) Active, online data            (A) Stored data not organized for retrieval of individual documents or files

(ii) Near-line data                (B) Data is available for access as it is created and processed

(iii) Offline storage              (C) Data tagged for deletion that may still exist on a system

(iv) Backup tapes                  (D) Data is typically housed on removable media

(v) Erased or fragmented data      (E) Data on removable media that has been placed in storage

Question 2

(a) Identify and explain any two challenges of network forensics. [4 Marks]

(b) Outline the procedure for establishing forensically sterile conditions. [6 Marks]

(c) Design a short template of a forensic report just showing the main features of a forensic report. [5 Marks]

(d) Match the following investigative objectives (i) to (v) in Table 2, to their respective proper chain of custody practices (A) to (E). [5 Marks]

Table 2: Matching investigative objectives to their proper chain of custody practices.

(i) Document the activities             (A) Verify the integrity of the copy to the source

(ii) Authenticate the copy              (B) Ensure fairness in the evaluation

(iii) Acquire the evidence              (C) Create a copy without altering the original

(iv) Be objective and unbiased          (D) Keep detailed records and photographs

(v) Analyze and filter the evidence     (E) Perform the technical analysis while retaining its integrity

Question 3

(a) If you are testifying in court as a forensic expert, what two attributes may help your standing as an expert? [4 Marks]

(b) You have been tasked to investigate a network-based crime at organisation Z. Explain at least four key on-scene activities that you will execute during your investigation. [8 Marks]

(c) List and elaborate on two (2) acquisition procedures for mobile device evidence. [4 Marks]

(d) A mobile phone can directly and indirectly be involved in a crime. Illustrate any direct involvement and any indirect involvement by way of an example. [4 Marks]

Question 4

(a) Consider investigating internet abuse allegations at Company Y. Outline the steps you would take to conduct such an investigation. [10 Marks]

(b) Outline at least five (5) pre-search activities that you need to complete before any investigation. [5 Marks]

(c) Match the following questions (i) to (v) in Table 3 to their respective considerations (A) to (E) [5 Marks]

Table 3: Matching questions to considerations

(i) Who am I looking for? What am I looking for?

*****END OF EXAMINATION PAPER*****
