MSc Computer Security and Forensics. Examinations for 2009-2010 / Semester 1

Cohort: MCSF/09B/PT
MODULE: COMPUTER FORENSICS & CYBERCRIME
MODULE CODE: SECU5101
Duration: 2 Hours

Instructions to Candidates:
1. Total marks 100

Section A (Compulsory)
2. This section contains 25 Multiple Choice questions.
3. There is only one correct answer to each question.
4. Use the Multiple Choice Answer Sheet attached at the end of the question paper.

Section B
5. Answer ALL THREE (3) questions.
6. Questions may be answered in any order, but your answers must show the question number and part clearly.
7. All questions carry equal marks.

This question paper contains 2 Sections and 10 pages.

SECTION A: COMPULSORY MULTIPLE CHOICE QUESTIONS

Use the Multiple Choice Answer Sheet provided. Attempt all questions. For each question, there are four alternatives, out of which only one is correct. Choose the most appropriate answer.

1. What is the most significant legal issue in computer forensics?
   A. Preserving Evidence
   B. Seizing Evidence
   C. Admissibility of Evidence
   D. Discovery of Evidence

2. When a file is deleted:
   A. The file remains intact.
   B. The FAT entry for the file is zeroed out so it shows that the area is available for use by a new file.
   C. The first character of the directory entry file name is changed to a special character.
   D. All of the above.

3. Which of the following is not a property of computer evidence?
   A. Authentic and Accurate
   B. Complete and Convincing
   C. Duplicated and Preserved
   D. Conform and Human Readable

4. You can use ________, a powerful search tool, to perform keyword searches in Linux and in EnCase software.
   A. grep
   B. grub
   C. gcc
   D. gnu

5. You are a computer forensic examiner at a scene and have determined you will seize a Linux server, which according to your source of information contains the database records for the company under investigation for fraud. The best practice for taking down the server for collection is to photograph the screen, note any running programs or messages and so on, and ________.
   A. Use the normal shutdown procedure
   B. Pull the plug from the wall
   C. Pull the plug from the rear of the computer
   D. Ask the user at the scene to shut down the server

6. When a forensic copy is made, in what format are the contents of the hard drive stored?
   A. As compressed images
   B. As bootable files
   C. As executable files
   D. As operating system files

7. Which of the following is not a type of volatile evidence?
   A. Routing Tables
   B. Main Memory
   C. Log files
   D. Cached Data

8. In establishing what evidence is admissible, many rules of evidence concentrate first on the ________ of the offered evidence.
   A. Relevancy
   B. Search and Seizure
   C. Material
   D. Admissibility

9. Which of the following is a proper acquisition technique?
   A. Disk to Image
   B. Disk to Disk
   C. Sparse Acquisition
   D. All of the above

10. Traditional crimes that became easier or more widespread because of telecommunication networks and powerful PCs include all of the following except
   A. Money laundering
   B. Illegal drug distribution
   C. DoS attacks
   D. Child pornography

11. ________ devices prevent altering data on drives attached to the suspect computer and also offer very fast acquisition speeds.
   A. Encryption
   B. Imaging
   C. Write Blocking
   D. Hashing

12. Which duplication method produces an exact replica of the original drive?
   A. Bit-Stream Copy
   B. Image Copy
   C. Mirror Copy
   D. Drive Image

13. To verify the original drive with the forensic copy, you use ________.
   A. a password
   B. a hash analysis
   C. disk to disk verification
   D. none of the above

14. The Windows operating system uses a file name's ________ to associate files with the proper applications.
   A. Signature
   B. Extension
   C. MD5 hash value
   D. Metadata

15. As a good forensic practice, why would it be a good idea to wipe a forensic drive before using it?
   A. Chain of Custody
   B. No need to wipe
   C. Different file and operating systems
   D. Cross-contamination

16. The ability to hide data in another file is called
   A. Encryption
   B. Steganography
   C. Data parsing
   D. A and B

17. When two hard drives are on the same data cable, both drives must have which two settings for them to work?
   A. Default and Cable Select
   B. Primary and Secondary
   C. Master and Slave
   D. First and Second

18. USB drives use ________.
   A. RAM memory
   B. Cache memory
   C. Flash memory
   D. None of the above

19. Which of the following is a proper search technique?
   A. Manual Browsing
   B. Keyword Search
   C. Regular Expression Search
   D. All of the above

20. A file header is which of the following?
   A. A unique set of characters at the beginning of a file that identifies the file type
   B. A unique set of characters following the file name that identifies the file type
   C. A 128-bit value that is unique to a specific file based on its data
   D. Synonymous with the file extension

21. Which of the following is not a true operating system?
   A. DOS
   B. Windows 3.1
   C. Windows 2000
   D. UNIX

22. Computer memory files written to the hard drive are called ________.
   A. Metadata
   B. Swap files
   C. Spool files
   D. User profiles

23. When shutting down a computer, what information is typically lost?
   A. Data in RAM memory
   B. Running processes
   C. Current network connections
   D. All of the above

24. ________ is the science of hiding messages in messages.
   A. Scanning
   B. Spoofing
   C. Steganography
   D. Steganalysis

25. If the Internet History file has been deleted, ________ may still provide information about what Web sites the user has visited.
   A. Cookies
   B. Metadata
   C. User profiles
   D. Sessions

SECTION B: ANSWER ALL QUESTIONS

QUESTION 2: (25 MARKS)
(a) What is a digital watermark? (5 marks)
(b) How would you use netcat to image a disk over the network? (5 marks)
(c) Identify and explain the commands used in sleuthkit. (10 marks)
(d) Identify 5 different types of volatile evidence. (5 marks)

QUESTION 3: (25 MARKS)
(a) Explain the term digital forensics. (3 marks)
(b) Identify and describe the three different data lifetimes for computer data. (7 marks)
(c) Identify types of evidence data and sort them by their lifetime. (5 marks)
(d) Identify and describe the constraints and dangers of live forensics. (5 marks)
(e) dd is a tool that can be used for memory acquisition during live forensics. How do we use dd to dump the memory, and what are the problems we face with this technique? (5 marks)

QUESTION 4: (25 MARKS)
(a) Identify the different data acquisition methods we use in digital forensics. (5 marks)
(b) Making a bit-stream image is simple in theory, but the accuracy of the backup must meet evidence standards.
   i. How do we verify the accuracy of a bit-stream copy? (3 marks)
   ii. Name and explain a hashing technique used for verification. (2 marks)
(c) In the context of digital forensic analysis, explain the following terms:
   i. Alternate Data Streams (5 marks)
   ii. Steganography (5 marks)
(d) Explain with appropriate examples how to identify an alternate data stream on an NTFS system. (5 marks)

***END OF QUESTION PAPER***
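Added worked illustration for Question 4(b) (verifying a bit-stream copy with a hash) and the acquisition theme of Question 4(a); it is not part of the question paper and not an official answer. A small constructed file stands in for the suspect drive, dd makes the bit-stream copy, and SHA-256 digests of source and image are compared (MD5 would be used the same way). The function names, the 512-byte sector size and the sample content are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: a regular file plays the role of the suspect drive.
# In a real acquisition the source is a block device behind a write blocker.
set -u

hash_file() {
  # Print only the SHA-256 digest of a file (falls back to shasum on BSD/macOS).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

image_disk() {
  # Bit-stream copy: 512-byte sectors, continue past read errors (noerror)
  # and zero-fill unreadable sectors (sync) so offsets in the image stay aligned.
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

verify_image() {
  # Succeeds (exit 0) only if source and image hash to the same value.
  src_hash=$(hash_file "$1")
  img_hash=$(hash_file "$2")
  [ "$src_hash" = "$img_hash" ]
}

make_sample_evidence() {
  # Eight 512-byte "sectors" of deterministic content (constructed sample).
  # An exact multiple of the sector size matters: conv=sync pads a short
  # final block with zeros, which would change the image's hash.
  dd if=/dev/zero bs=512 count=8 2>/dev/null | tr '\0' 'E' > "$1"
}

demo() {
  work=$(mktemp -d)
  make_sample_evidence "$work/suspect.raw"
  image_disk "$work/suspect.raw" "$work/suspect.dd"
  if verify_image "$work/suspect.raw" "$work/suspect.dd"; then
    echo "image verified, SHA-256 $(hash_file "$work/suspect.dd")"
  fi
  # A single altered byte in the image (simulating later tampering or a
  # write error) is enough for verification to fail.
  cp "$work/suspect.dd" "$work/altered.dd"
  printf 'X' | dd of="$work/altered.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
  if verify_image "$work/suspect.raw" "$work/altered.dd"; then
    echo "unexpected: altered image matched"
  else
    echo "altered image rejected"
  fi
  rm -rf "$work"
}

demo
```

Record the digest of the original media before imaging and of the image afterwards; the two values, written into the acquisition notes, are what lets a later examiner show the copy is exact.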