2019 / Semester 2 Resit Examinations for BCNS/16A/FT

BSc (Hons) Computer Science with Network Security
Cohort: BCNS/16B/FT
Examinations for 2018 - 2019 / Semester 2
Resit Examinations for BCNS/16A/FT
MODULE: Computer Forensics
MODULE CODE: SECU3122C
Duration: 2 Hours and 30 minutes.

Instructions to Candidates:
1. Answer ALL questions.
2. Each question does not carry equal marks.
3. Questions may be answered in any order but your answers must show the Question number clearly.
4. Always start a new question on a fresh page.
5. Total marks to be scored 100.

This Question Paper contains 4 questions and 13 pages.

Page 1 of 13 Computer Forensics (SECU3122C) SITE/June 2018/2019 Sem 2

ANSWER ALL QUESTIONS

QUESTION 1: (40 MARKS)

Answer all the following multiple-choice questions. Each multiple-choice question carries 1 mark.

1. Which one of the following is not a stage of a typical criminal case?
A. Complaint
B. Investigation
C. Civil suit
D. Prosecution

2. Which of the following statements best defines computer forensics?
A. Computer forensics is the use of evidence to solve computer crimes.
B. Computer forensics is the use of digital evidence to solve a crime.
C. Computer forensics is used only to find deleted files on a computer.
D. Computer forensics is used only to examine desktop and laptop computers.

3. A Chain of Custody form is used to document which of the following?
A. Law enforcement officers who arrest and imprison a criminal suspect.
B. A chain of letters or emails used in an investigation.
C. Anyone who has been in contact with evidence in a case and what they have done with evidence.
D. None of the above.

4. Which of the following can be of evidentiary value to a computer forensics examiner?
A. A mobile phone.
B. A CD.
C. An XBox.
D. All of the above

5. Which of the following statements best describes a bit-stream image?
A. A bit-stream image is a bit-for-bit copy of the original media.
B. A bit-stream image allows the examiner to extract deleted files.
C. Neither A nor B is correct.
D. Both A and B are correct.

6. The ultimate goal of obtaining an image of a hard disk drive is to do which of the following?
A. Locate as much incriminating information as possible.
B. Obtain information without altering the drive in any way.
C. Preserve the photographs and video stored on the drive.
D. Attempt to determine the owner of the computer in question.

7. Which of the following terms best describes the hiding, altering, or destroying of evidence related to an investigation?
A. Spoliation of evidence
B. Manipulation of evidence
C. Inculpatory evidence
D. Exculpatory evidence

8. Which of the following is the best definition of latent data?
A. Information which is in computer storage but is not readily referenced in the file allocation tables.
B. Information which cannot be viewed readily by the operating system or commonly used software applications.
C. Data in Unallocated space.
D. All of the above

9. In general, what would a lightweight forensics workstation consist of?
A. A tablet with peripherals and forensics apps.
B. A laptop computer built into a carrying case with a small selection of peripheral options.
C. A laptop computer with almost as many bays and peripherals as a tower.
D. A tower with several bays and many peripheral devices.

10. When performing disk acquisition, the raw data format typically created with Encase is __________.
A. tar
B. dump
C. e01
D. dd

11. ______________ proves that two sets of evidence are identical by calculating hash values or using another similar method.
A. Authentication
B. Acquisition
C. Validation
D. Integration

12. After a judge approves and signs a search warrant, the __________ is responsible for the collection of evidence as defined by the warrant.
A. digital evidence recorder
B. digital evidence specialist
C. digital evidence first responder
D. digital evidence scene investigator

13. A keyword search is part of which forensic process?
A. Reporting/Documenting
B. Extraction
C. Reconstruction
D. Acquisition

14. A ___________ is a hardware device that allows an individual to read data from a device, like a hard drive, without writing to that device.
A. duplicator
B. eraser
C. write-blocker
D. scanner

15. Keyloggers are a form of _____________.
A. Spyware
B. Trojan
C. Adware
D. Shoulder surfing

16. The presence of a malware or keylogger on the suspect computer can lead to the _____________?
A. Justification defence.
B. Alibi defence.
C. Trojan defence.
D. All of the above.

17. Which of the following statements is true regarding media sanitisation?
A. Overwrite every sector with 00.
B. Overwrite every sector with 11.
C. Overwrite every sector at least twice.
D. All of the above.

18. ___________ is the process of identifying and recovering a file by certain characteristics, such as a file header or footer, rather than by the file name, extension or metadata.
A. Steganography.
B. Cryptography.
C. Watermarking.
D. File Carving.

19. The process in Question 18 above is an example of _______________.
A. Logical extraction
B. Physical extraction.
C. Time frame analysis.
D. None of the above.

20. The ________ is a region on a hard disk that will often contain code associated with the BIOS for booting and recovery purposes but can be used by the suspect to hide data.
A. Boot Sector
B. Active Partition
C. Host Protected Area
D. Master Boot Record

21. A(n) _________ file has a hexadecimal header value of FF D8 FF E0?
A. BMP.
B. GIF.
C. JPEG.
D. PNG.

22. Which of the following is volatile memory that is used for processes that are currently running on a computer?
A. RAM.
B. ROM.
C. Hard disk drive.
D. Flash.

23. If a computer was OFF when seized, data from which files below can help to gather some information of when the computer was ON?
A. Hiberfil.sys.
B. Pagefile.sys.
C. Neither A nor B is correct.
D. Both A and B are correct.

24. In a HDD, data is physically stored on the
A. Cylinder
B. Spindle
C. Actuator Arm
D. Platter

25. Sectors are typically ____________ bytes in size.
A. 1024
B. 126
C. 256
D. 512

26. Nowadays, most manufacturers use what technique in order to maximize the number of sectors that can be used for data storage in a HDD?
A. Disk Track Recording (DTR).
B. Zone Based Areal Density (ZBAD).
C. Zone Bit Recording (ZBR).
D. Cylindrical Head Calculation (CHC).

27. Which of the following is true of solid state drives (SSD)?
A. They have no moving parts.
B. It is non volatile memory.
C. They are NAND-based flash memory.
D. All of the above.

28. The types of storage are listed below from fastest to slowest. Which order is correct?
A. Solid State, Optical, Magnetic.
B. Optical, Magnetic, Solid State.
C. Magnetic, Optical, Solid State.
D. Solid State, Magnetic, Optical.

29. For SSD, the smallest structure that can be read and written is a _______.
A. Die
B. Plane
C. Page
D. Block

30. In a SSD, the smallest structure that can be erased is a _______.
A. Die
B. Plane
C. Page
D. Block

31. _______________ is a process of moving data to a new block in a SSD, to free up space.
A. Trim
B. Erase
C. Garbage Collection
D. Defragmentation

32. Which of the following statements is true?
A. Trim is an alternative to Garbage Collection.
B. Trim does not work with Garbage Collection.
C. Trim command is a way for the OS to tell the SSD that it’s deleting files and to mark those files’ pages as stale/deleted.
D. With Garbage Collection the files marked for deletion by the OS are erased.

33. _________ is the process of making file chunks closer together for faster read and write.
A. Garbage Collection.
B. Formatting.
C. Partitioning.
D. Defragmentation.

34. Which RAID type doesn’t use parity for data protection?
A. RAID 1.
B. RAID 4.
C. RAID 6.
D. RAID 5.

35. Which one of these is characteristic of RAID 5?
A. Distributed parity.
B. No parity.
C. Double parity.
D. All parity in a single disk.

36. When a Windows 8 machine is shut down, what happens to the data in the swap file?
A. It is lost when the power is cut off.
B. It is on the hard drive and can be viewed with a hex editor.
C. It is automatically deleted upon shut down.
D. It is stored in the registry.

37. When a file is saved to an NTFS partition and it occupies less than an entire cluster, what is done with the remaining space?
A. It is unused.
B. It is available for other files.
C. It is reclaimed by the OS.
D. It is treated as used.

38. The ____________ uses tracked changes to files for fast and efficient restoration of files when there is a system failure or power outage?
A. Kernel.
B. Journal.
C. File Allocation Table.
D. Master Boot Record.

39.
