BSc (Hons) Computer Science with Network Security

Cohort: BCNS/16B/FT

Examinations for 2018 - 2019 / Semester 2

Resit Examinations for BCNS/16A/FT

MODULE: Computer Forensics

MODULE CODE : SECU3122C

Duration : 2 Hours and 30 minutes.

Instructions to Candidates:

1. Answer ALL questions.
2. Questions do not carry equal marks.
3. Questions may be answered in any order, but your answers must show the question number clearly.
4. Always start a new question on a fresh page.
5. Total marks to be scored: 100.

This Question Paper contains 4 questions and 13 pages.

Page 1 of 13 Computer Forensics (SECU3122C) SITE/June 2018/2019 Sem 2

ANSWER ALL QUESTIONS

QUESTION 1: (40 MARKS)

Answer all the following multiple-choice questions. Each multiple-choice question carries 1 mark.

1. Which one of the following is not a stage of a typical criminal case? A. Complaint B. Investigation C. Civil suit D. Prosecution

2. Which of the following statements best defines computer forensics?

A. Computer forensics is the use of evidence to solve computer crimes. B. Computer forensics is the use of digital evidence to solve a crime. C. Computer forensics is used only to find deleted files on a computer. D. Computer forensics is used only to examine desktop and computers.

3. A Chain of Custody form is used to document which of the following?

A. Law enforcement officers who arrest and imprison a criminal suspect. B. A chain of letters or emails used in an investigation. C. Anyone who has been in contact with evidence in a case and what they have done with the evidence. D. None of the above.

4. Which of the following can be of evidentiary value to a computer forensics examiner? A. A mobile phone. B. A CD. C. An XBox. D. All of the above

5. Which of the following statements best describes a bit-stream image? A. A bit-stream image is a bit-for-bit copy of the original media. B. A bit-stream image allows the examiner to extract deleted files. C. Neither A nor B is correct. D. Both A and B are correct.

6. The ultimate goal of obtaining an image of a drive is to do which of the following? A. Locate as much incriminating information as possible. B. Obtain information without altering the drive in any way. C. Preserve the photographs and video stored on the drive. D. Attempt to determine the owner of the computer in question.

7. Which of the following terms best describes the hiding, altering, or destroying of evidence related to an investigation? A. Spoliation of evidence B. Manipulation of evidence C. Inculpatory evidence D. Exculpatory evidence

8. Which of the following is the best definition of latent data? A. Information which is in computer storage but is not readily referenced in the file allocation tables. B. Information which cannot be viewed readily by the or commonly used software applications. C. Data in Unallocated space. D. All of the above

9. In general, what would a lightweight forensics workstation consist of? A. A tablet with peripherals and forensics apps. B. A laptop computer built into a carrying case with a small selection of peripheral options. C. A laptop computer with almost as many bays and peripherals as a tower. D. A tower with several bays and many peripheral devices.

10. When performing disk acquisition, the raw data format typically created with EnCase is ______. A. tar B. dump C. e01 D. dd

11. ______proves that two sets of evidence are identical by calculating hash values or using another similar method. A. Authentication B. Acquisition C. Validation D. Integration

12. After a judge approves and signs a search warrant, the ______is responsible for the collection of evidence as defined by the warrant. A. digital evidence recorder B. digital evidence specialist C. digital evidence first responder D. digital evidence scene investigator

13. A keyword search is part of which forensic process? A. Reporting/Documenting B. Extraction C. Reconstruction D. Acquisition

14. A ______is a hardware device that allows an individual to read data from a device, like a hard drive, without writing to that device. A. duplicator B. eraser C. write-blocker D. scanner


15. Keyloggers are a form of ______. A. Spyware B. Trojan C. Adware D. Shoulder surfing

16. The presence of malware or a keylogger on the suspect computer can lead to the ______. A. Justification defence. B. Alibi defence. C. Trojan defence. D. All of the above.

17. Which of the following statements is true regarding media sanitisation? A. Overwrite every sector with 00. B. Overwrite every sector with 11. C. Overwrite every sector at least twice. D. All of the above.

18. ______is the process of identifying and recovering a file by certain characteristics, such as a file header or footer, rather than by the file name, extension or metadata. A. Steganography. B. Cryptography. C. Watermarking. D. File Carving.

19. The process in Question 18 above is an example of ______. A. Logical extraction B. Physical extraction. C. Time frame analysis. D. None of the above.

20. The ______ is a region on a hard disk that will often contain code associated with the BIOS for booting and recovery purposes, but can be used by a suspect to hide data. A. Boot Sector B. Active Partition C. Host Protected Area D. Master Boot Record

21. A(n) ______file has a hexadecimal header value of FF D8 FF E0? A. BMP. B. GIF. C. JPEG. D. PNG.

22. Which of the following is volatile memory that is used for processes that are currently running on a computer? A. RAM. B. ROM. C. Hard disk drive. D. Flash.

23. If a computer was OFF when seized, data from which of the files below can help to gather some information about when the computer was ON? A. Hiberfil.sys. B. Pagefile.sys. C. Neither A nor B is correct. D. Both A and B are correct.

24. In a HDD, data is physically stored on the A. Cylinder B. Spindle C. Actuator Arm D. Platter

25. Sectors are typically ______bytes in size. A. 1024 B. 126 C. 256 D. 512

26. Nowadays, most manufacturers use what technique in order to maximize the number of sectors that can be used for data storage in a HDD? A. Disk Track Recording (DTR). B. Zone Based Areal Density (ZBAD). C. Zone Bit Recording (ZBR). D. Cylindrical Head Calculation (CHC).

27. Which of the following is true of solid state drives (SSD)? A. They have no moving parts. B. They are non-volatile memory. C. They are NAND-based. D. All of the above.

28. The types of storage are listed below from fastest to slowest. Which order is correct? A. Solid State, Optical, Magnetic. B. Optical, Magnetic, Solid State. C. Magnetic, Optical, Solid State. D. Solid State, Magnetic, Optical.

29. For SSD, the smallest structure that can be read and written is a ______. A. Die B. Plane C. Page D. Block

30. In a SSD, the smallest structure that can be erased is a ______. A. Die B. Plane C. Page D. Block

31. ______is a process of moving data to a new block in a SSD, to free up space. A. Trim B. Erase C. Garbage Collection D. Defragmentation

32. Which of the following statements is true? A. Trim is an alternative to Garbage Collection. B. Trim does not work with Garbage Collection. C. The Trim command is a way for the OS to tell the SSD that it is deleting files and to mark those files' pages as stale/deleted. D. With Garbage Collection, the files marked as deleted by the OS are erased.

33. ______is the process of making file chunks closer together for faster read and write. A. Garbage Collection. B. Formatting. C. Partitioning. D. Defragmentation.

34. Which RAID type doesn’t use parity for data protection? A. RAID 1. B. RAID 4. C. RAID 6. D. RAID 5.

35. Which one of these is characteristic of RAID 5? A. Distributed parity. B. No parity. C. Double parity. D. All parity in a single disk.

36. When a Windows 8 machine is shut down, what happens to the data in the swap file? A. It is lost when the power is cut off. B. It is on the hard drive and can be viewed with a hex editor. C. It is automatically deleted upon shut down. D. It is stored in the registry.

37. When a file is saved to an NTFS partition and it occupies less than an entire cluster, what is done with the remaining space? A. It is unused. B. It is available for other files. C. It is reclaimed by the OS. D. It is treated as used.

38. The ______ uses tracked changes to files for fast and efficient restoration of files when there is a system failure or power outage. A. Kernel. B. Journal. C. . D. Master Boot Record.

39. What happens when a file is sent to the Recycle Bin in NTFS? A. The file is deleted. B. The file is removed from the file allocation table. C. The cluster is marked as deleted in the MFT. D. The clusters used by the file are marked as available.

40. Which of the following Windows features allows the user to extend virtual memory using a removable flash device? A. BitLocker. B. Volume Shadow Copy. C. ReadyBoost. D. Backup and Restore.
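Questions 18, 19 and 21 together describe file carving: recovering a file by its header and footer bytes rather than through the file system. The following is an added worked example (not part of the question paper) of a header/footer carver for JPEG, keyed on the FF D8 FF E0 (JFIF) and FF D8 FF E1 (Exif) headers and the FF D9 footer. The "disk image" is constructed inside the block, so nothing here is evidence from a real case; the function names are the author's own choice.

```python
import hashlib
import re

# Marker bytes every JPEG carver keys on. FF D8 FF E0 (JFIF, the header in
# Question 21) and FF D8 FF E1 (Exif) are the two headers seen on real media;
# FF D9 is the End Of Image footer.
JPEG_HEADER_RE = re.compile(rb"\xff\xd8\xff[\xe0\xe1]")


def _find_jpeg_end(image: bytes, start: int, limit: int) -> int:
    """Return the index just past the EOI that closes the JPEG at `start`, or -1.

    Exif JPEGs embed a thumbnail that is itself a complete JPEG (SOI ... EOI)
    inside the APP1 segment, so a carver that stops at the first FF D9 truncates
    the parent file. Tracking SOI/EOI nesting depth avoids that.
    """
    depth = 0
    i = start
    while i < limit - 1:
        if image[i] == 0xFF:
            nxt = image[i + 1]
            if nxt == 0xD8:          # SOI: enter a (possibly nested) image
                depth += 1
                i += 2
                continue
            if nxt == 0xD9:          # EOI: leave it; depth 0 closes the outer file
                depth -= 1
                i += 2
                if depth == 0:
                    return i
                continue
        i += 1
    return -1


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Header/footer carve of JPEGs from raw bytes, ignoring any file system.

    Returns (offset, length, sha256) per file so every carved object can later
    be validated against a hash of the same bytes. Only contiguous data is
    recovered: a fragmented file is still carved wrongly by this method.
    """
    found = []
    pos = 0
    while True:
        m = JPEG_HEADER_RE.search(image, pos)
        if m is None:
            break
        start = m.start()
        end = _find_jpeg_end(image, start, min(len(image), start + max_size))
        if end == -1:
            # Header whose footer was overwritten or lies beyond max_size: skip it.
            pos = start + 1
            continue
        data = image[start:end]
        found.append((start, len(data), hashlib.sha256(data).hexdigest()))
        pos = end
    return found


def build_sample_image() -> bytes:
    """Constructed test data, not a real disk image: filler around three candidates."""
    filler = b"\x00" * 64
    jfif = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
    thumb = b"\xff\xd8\xff\xe0" + b"T" * 8 + b"\xff\xd9"              # embedded thumbnail
    exif = b"\xff\xd8\xff\xe1" + b"\x00\x30Exif\x00\x00" + thumb + b"B" * 20 + b"\xff\xd9"
    orphan = b"\xff\xd8\xff\xe0" + b"C" * 10                            # footer overwritten
    return filler + jfif + filler + exif + filler + orphan + filler


if __name__ == "__main__":
    for offset, length, digest in carve_jpegs(build_sample_image()):
        print(f"JPEG at offset {offset}, {length} bytes, sha256 {digest[:16]}...")
```

Because the carver never consults the file system, it is physical extraction in the sense of Question 19 and works on unallocated space or a damaged volume; the price is false positives (any FF D8 FF E0 in arbitrary data looks like a header) and truncation of fragmented files, which is why carved output is normally verified by opening or structurally parsing each result.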

QUESTION 2: (20 MARKS)

In an investigation, you retrieved two hard disk drives. Hard disk A follows a DOS Partition Table and has 5 partitions. Hard disk B follows a GUID Partition Table and has 5 partitions.

(a) Which tool and command can be used to display the layout information of the disks? (2 marks)

(b) Draw the hard disk layout of A and B. Your diagram should include details such as the MBR and the entries in the partition table, as well as the partitions and their type. (13 marks)

(c) In the master boot record (MBR) partition table, what is the offset that marks the first partition entry? (2 marks)

(d) When hard disk A is mounted on a Windows forensic workstation in the laboratory, only 3 partitions can be observed. Discuss why. (3 marks)
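An added worked example (not part of the question paper) of what a layout tool such as mmls from The Sleuth Kit (for example `mmls disk.dd`) reports for a DOS-partitioned disk like hard disk A. It parses the MBR partition table, which starts at byte offset 446 (0x1BE) of sector 0 as four 16-byte entries followed by the 0x55AA signature, and then follows the extended partition's EBR chain, which is the only way a DOS-style disk can hold five partitions. The image is constructed in build_sample_disk() and the function names are the author's own; the type codes and the WINDOWS_NATIVE_TYPES set are the standard DOS partition type IDs. GPT disks such as hard disk B (protective MBR at LBA 0, header at LBA 1, partition entry array from LBA 2) are not parsed here.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 0x1BE             # 446: four 16-byte entries end at 510, then 0x55AA
ENTRY_FMT = "<B3xB3xII"              # status, CHS start (skipped), type, CHS end (skipped),
                                     # LBA start, sector count (both little-endian uint32)
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # DOS extended, Win95 LBA extended, Linux extended
# Types the in-box Windows file system drivers mount: FAT12/16/32, NTFS/exFAT.
WINDOWS_NATIVE_TYPES = {0x01, 0x04, 0x06, 0x07, 0x0B, 0x0C, 0x0E}


def parse_entry(raw16: bytes) -> dict:
    status, ptype, lba, count = struct.unpack(ENTRY_FMT, raw16)
    return {"boot": status == 0x80, "type": ptype, "lba": lba, "sectors": count}


def read_table(sector_bytes: bytes) -> list:
    """Parse the four partition entries of an MBR or EBR sector."""
    if sector_bytes[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not an MBR/EBR sector")
    return [parse_entry(sector_bytes[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)])
            for i in range(4)]


def list_partitions(image: bytes) -> list:
    """Walk the MBR and, if present, the EBR chain inside the extended partition."""
    def sector(n):
        return image[n * SECTOR:(n + 1) * SECTOR]

    parts, extended = [], None
    for entry in read_table(sector(0)):
        if entry["type"] == 0x00:
            continue                                        # empty slot
        kind = "extended" if entry["type"] in EXTENDED_TYPES else "primary"
        parts.append({"kind": kind, **entry})
        if kind == "extended":
            extended = entry
    if extended is not None:
        ebr_lba, seen = extended["lba"], set()
        while ebr_lba and ebr_lba not in seen:              # `seen` stops a looped chain
            seen.add(ebr_lba)
            logical, link = read_table(sector(ebr_lba))[:2]
            if logical["type"]:
                # A logical partition's LBA is relative to its own EBR sector.
                parts.append({"kind": "logical", "boot": logical["boot"], "type": logical["type"],
                              "lba": ebr_lba + logical["lba"], "sectors": logical["sectors"]})
            # The link entry's LBA is relative to the start of the extended partition.
            ebr_lba = extended["lba"] + link["lba"] if link["type"] in EXTENDED_TYPES else 0
    return parts


def windows_visible(parts: list) -> list:
    """Partitions whose type the in-box Windows drivers recognise (and so get a drive letter)."""
    return [p for p in parts if p["kind"] != "extended" and p["type"] in WINDOWS_NATIVE_TYPES]


def _entry(ptype: int, lba: int, count: int, boot: bool = False) -> bytes:
    return struct.pack(ENTRY_FMT, 0x80 if boot else 0x00, ptype, lba, count)


def _table_sector(entries) -> bytes:
    sec = bytearray(SECTOR)
    raw = b"".join(entries)
    sec[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + len(raw)] = raw
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def build_sample_disk() -> bytes:
    """Constructed 2 MiB image (not real evidence): 3 primaries + an extended holding 2 logicals."""
    img = bytearray(4096 * SECTOR)
    ext = 1600                                              # extended partition starts here
    img[0:SECTOR] = _table_sector([_entry(0x07, 64, 512, boot=True),   # NTFS
                                   _entry(0x83, 576, 512),             # Linux
                                   _entry(0x07, 1088, 512),            # NTFS
                                   _entry(0x05, ext, 1600)])           # extended container
    # First EBR: logical #1 at ext+63, link to the next EBR at ext+800.
    img[ext * SECTOR:(ext + 1) * SECTOR] = _table_sector([_entry(0x0B, 63, 700),     # FAT32
                                                          _entry(0x05, 800, 800)])
    # Second (last) EBR: logical #2 at ext+800+63, no further link.
    img[(ext + 800) * SECTOR:(ext + 801) * SECTOR] = _table_sector([_entry(0x83, 63, 737)])
    return bytes(img)


if __name__ == "__main__":
    parts = list_partitions(build_sample_disk())
    for p in parts:
        print(f"{p['kind']:9} type 0x{p['type']:02X} start {p['lba']:5} len {p['sectors']:5} "
              f"{'boot' if p['boot'] else ''}")
    print("visible on a Windows workstation:", [p["lba"] for p in windows_visible(parts)])
```

On the constructed disk the walk yields six table entries: three primaries, the extended container (which mmls also lists, as a partition that holds no file system itself) and two logicals, i.e. five file-system partitions. Only the three FAT/NTFS ones are returned by windows_visible(): the two type 0x83 (Linux) partitions have no in-box driver, so a Windows workstation assigns them no drive letter even though they are in the table. A hidden type (for example 0x17, hidden NTFS) or a partition type deliberately mislabelled by the suspect has the same effect, which is why the table itself, not Explorer, is what the examiner should read.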


QUESTION 3: (20 MARKS)

(a) Examining the boot sector of a hard disk provided the following BIOS Parameter Block (BPB) information during a forensic investigation.

Bytes per sector                                  512
Sectors per cluster                               5
Size in sectors of the reserved area (boot sector) 5
Number of FATs (File Allocation Tables)           2
Number of entries in the root directory           640
Number of sectors in the file system              64 000
Number of sectors for each FAT                    32
Sectors per track                                 24

i. Draw the disk geometry/layout showing the size (in terms of number of sectors) for each component. Show your workings. (8 marks)

ii. What is the storage capacity of this disk? (2 marks)

iii. Deduce which version of the file system is being used by this disk. (2 marks)

iv. Assuming a file of size 25.5 KB, how many clusters will be used to store the file? (3 marks)

v. What is the size of the slack space (in bytes) for this file? (2 marks)

vi. Name a tool you can use to find out whether there is any hidden data in the slack space. (1 mark)

vii. The following is an extract of the Root Directory. What information can you deduce from this extract? (2 marks)
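An added worked example (not part of the question paper) applying the standard FAT layout arithmetic to the BPB values above: the root directory occupies entries × 32 bytes, the data area starts after reserved sectors, the FATs and the root directory, and the FAT variant follows from the data-cluster count using the thresholds of 4085 and 65525 from Microsoft's FAT specification. The file-size question is worked with 25.5 KB taken as 25.5 × 1024 = 26,112 bytes, which is an assumption. The consistency checks are included because a BPB is attacker-writable data; with the paper's figures they fire twice (5 sectors per cluster is not a power of two, and a 32-sector FAT cannot index the 12,778 clusters the data area contains). Function and field names are the author's own.

```python
import math
from dataclasses import dataclass

DIR_ENTRY_BYTES = 32       # every FAT directory entry (file, directory, LFN part) is 32 bytes
RESERVED_FAT_ENTRIES = 2   # FAT entries 0 and 1 never map to a data cluster


@dataclass(frozen=True)
class Bpb:
    bytes_per_sector: int
    sectors_per_cluster: int
    reserved_sectors: int
    num_fats: int
    root_entries: int      # 0 on FAT32, whose root directory lives in the data area
    total_sectors: int
    sectors_per_fat: int


# The values given in Question 3(a), as read from the boot sector.
EXAM_BPB = Bpb(512, 5, 5, 2, 640, 64_000, 32)


def fat_layout(b: Bpb) -> dict:
    """Start sector and size of every region, and the resulting data-cluster count."""
    root_sectors = math.ceil(b.root_entries * DIR_ENTRY_BYTES / b.bytes_per_sector)
    fat_start = b.reserved_sectors
    root_start = fat_start + b.num_fats * b.sectors_per_fat
    data_start = root_start + root_sectors
    data_sectors = b.total_sectors - data_start
    return {
        "reserved": (0, b.reserved_sectors),
        "fats": (fat_start, b.num_fats * b.sectors_per_fat),
        "root_dir": (root_start, root_sectors),
        "data": (data_start, data_sectors),
        "cluster_count": data_sectors // b.sectors_per_cluster,  # a trailing partial cluster is unusable
        "capacity_bytes": b.total_sectors * b.bytes_per_sector,
    }


def fat_type(cluster_count: int) -> str:
    """Microsoft's FAT specification picks the variant from the data-cluster count alone."""
    if cluster_count < 4085:
        return "FAT12"
    if cluster_count < 65525:
        return "FAT16"
    return "FAT32"


def addressable_clusters(b: Bpb, variant: str) -> int:
    """How many data clusters one FAT of the stated size can actually index."""
    bits = {"FAT12": 12, "FAT16": 16, "FAT32": 32}[variant]
    return (b.sectors_per_fat * b.bytes_per_sector * 8) // bits - RESERVED_FAT_ENTRIES


def file_allocation(b: Bpb, file_bytes: int) -> tuple:
    """(clusters used, slack bytes) for a file: slack is the tail of the last cluster past EOF."""
    cluster_bytes = b.sectors_per_cluster * b.bytes_per_sector
    clusters = math.ceil(file_bytes / cluster_bytes)
    return clusters, clusters * cluster_bytes - file_bytes


def consistency_warnings(b: Bpb) -> list:
    """Cross-checks worth running before trusting a BPB, since it is attacker-writable."""
    warnings = []
    lay = fat_layout(b)
    variant = fat_type(lay["cluster_count"])
    if b.sectors_per_cluster & (b.sectors_per_cluster - 1):
        warnings.append("sectors per cluster is not a power of two (the FAT spec allows 1, 2, 4 ... 128)")
    if addressable_clusters(b, variant) < lay["cluster_count"]:
        warnings.append(f"a {b.sectors_per_fat}-sector {variant} FAT indexes only "
                        f"{addressable_clusters(b, variant)} clusters; the data area has {lay['cluster_count']}")
    if variant == "FAT32" and b.root_entries != 0:
        warnings.append("FAT32 requires root_entries == 0")
    return warnings


if __name__ == "__main__":
    lay = fat_layout(EXAM_BPB)
    for region in ("reserved", "fats", "root_dir", "data"):
        start, size = lay[region]
        print(f"{region:9} starts at sector {start:6}, {size:6} sectors")
    print("capacity:", lay["capacity_bytes"], "bytes")
    print("clusters:", lay["cluster_count"], "->", fat_type(lay["cluster_count"]))
    print("25.5 KB file (assumed 26112 bytes):", file_allocation(EXAM_BPB, 26112))
    for w in consistency_warnings(EXAM_BPB):
        print("WARNING:", w)
```

The same arithmetic is what a tool such as fsstat (The Sleuth Kit) prints from a real boot sector, and it is also how the sectors-per-track figure is shown to be irrelevant to the layout: it belongs to the disk geometry, not to the file system.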


QUESTION 4: (20 MARKS)

(a) Assume a Windows machine which is ON when you arrive at the crime scene.

i. How will you capture the Windows Registry for examination later in the lab? (3 marks)

ii. Name a tool that you could use to examine the Registry in your lab. (1 mark)

iii. In case the suspect computer was down, in which folder would you find the registry information on the hard drive? What are the 4 registry files found in this folder? (1+4 marks)

(b) Consider the diagram below, which is a snapshot of the SAM hive. Passwords are usually stored as encrypted hash values for security reasons. What encryption algorithm is used to encrypt the hash of the password? (2 marks)

(c) When examining a suspect's drive, you found two files in Prefetch as follows:

DEEPCLEAN.EXE-4F89AB0C.pf
DEEPCLEAN.EXE-FE45BD18.pf

What is your understanding of these two files? (3 marks)

(d) The diagram below depicts the registry values for the PrefetchParameters.

i. Distinguish between Prefetch and Superfetch. (4 marks)

ii. Explain the values set for Prefetch and Superfetch. (2 marks)
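An added triage example for Question 4(c) (not part of the question paper): prefetch files are named EXECUTABLE-XXXXXXXX.pf, where the eight hex digits are a hash Windows derives from the executable's full path (XP, Vista/7 and 8+ each use a different hash function), so two .pf files with the same name and different hashes normally mean the same-named program was run from two different locations. The script below parses a directory listing of C:\Windows\Prefetch and flags such pairs. The listing is constructed, the hashes other than the two from the paper are made up, and the COMMAND_LINE_HASHED set (hosting processes whose hash also covers the command line) is taken from the forensic literature rather than from this paper.

```python
import re
from collections import defaultdict

# <EXECUTABLE NAME>-<8 hex digits>.pf
PREFETCH_NAME_RE = re.compile(r"^(?P<exe>[^\\/]+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Hosting executables whose prefetch hash also folds in the command line (per the
# forensic literature, not this paper): two hashes need not mean two on-disk copies.
COMMAND_LINE_HASHED = {"SVCHOST.EXE", "RUNDLL32.EXE", "DLLHOST.EXE", "MMC.EXE"}

SAMPLE_LISTING = [                  # constructed listing of C:\Windows\Prefetch
    "DEEPCLEAN.EXE-4F89AB0C.pf",    # the two names from Question 4(c)
    "DEEPCLEAN.EXE-FE45BD18.pf",
    "NOTEPAD.EXE-D8414F97.pf",      # made-up hash
    "SVCHOST.EXE-1C9D6F8A.pf",      # made-up hashes: hosting process, command line hashed
    "SVCHOST.EXE-7B2C0E51.pf",
    "Layout.ini",                   # lives in Prefetch but is not a prefetch file
    "AgAppLaunch.db",               # Superfetch database, not a prefetch file
]


def parse_prefetch_name(name: str):
    """Split 'NAME-HASH.pf' into (NAME, HASH) in upper case, or None if not a prefetch file."""
    m = PREFETCH_NAME_RE.match(name)
    if m is None:
        return None
    return m.group("exe").upper(), m.group("hash").upper()


def group_by_executable(names) -> dict:
    """Map each executable name to the sorted list of distinct hashes seen for it."""
    groups = defaultdict(set)
    for name in names:
        parsed = parse_prefetch_name(name)
        if parsed is not None:
            groups[parsed[0]].add(parsed[1])
    return {exe: sorted(hashes) for exe, hashes in groups.items()}


def flag_multiple_hashes(names) -> dict:
    """Executables seen under more than one hash, with the usual explanation for each."""
    flagged = {}
    for exe, hashes in group_by_executable(names).items():
        if len(hashes) < 2:
            continue
        reason = ("different command lines or paths" if exe in COMMAND_LINE_HASHED
                  else "run from more than one path")
        flagged[exe] = {"hashes": hashes, "reason": reason}
    return flagged


if __name__ == "__main__":
    for exe, info in flag_multiple_hashes(SAMPLE_LISTING).items():
        print(f"{exe}: {', '.join(info['hashes'])} -> {info['reason']}")
```

A same-name, different-hash pair is worth following up because it is how a copy of a legitimate tool dropped in a second directory (or a renamed binary masquerading as one) shows up; the run counts and last-run timestamps inside each .pf file, which this name-only check does not read, then tell the examiner which copy ran when.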

***END OF QUESTION PAPER***
