Secu5101 Computer Forensics & Cybercrime 08-09
Cohort: MCSF/08PT
Duration: 2 Hours
Instructions to Candidates:
Section A (Compulsory)
2. This section contains 25 Multiple Choice questions.
3. There is only one correct answer to each question.
4. Use the Multiple Choice Answer Sheet attached at the end of the question paper.
Section B
5. Answer ANY THREE (3) questions.
6. Questions may be answered in any order but your answers must show the question number and part clearly.
7. Always start a new question on a fresh page.
8. All questions carry equal marks.
Page 1 of 11
SITE/105
SECTION A: COMPULSORY MULTIPLE CHOICE QUESTIONS
4. You are a computer forensic examiner at a scene and have determined you will seize a Linux server, which according to your source of information contains the database records for the company under investigation for fraud. The best practice for “taking down” the server for collection is to photograph the screen, note any running programs or messages and so on, and _____.
A. use the normal shutdown procedure
B. pull the plug from the wall
C. pull the plug from the rear of the computer
D. ask the user at the scene to shut down the server
7. If the FAT table lists cluster number 2749 with a value of 0, what does this mean about this specific cluster?
A. It is blank and contains no data
B. It is marked as bad and cannot be written to
C. It is allocated to a file
D. It is unallocated and is available to store data
9. The NT File System (NTFS) does which of the following?
A. Supports long file names
B. Compresses individual files and directories
C. Supports large file sizes in excess of 4GB
D. All of the above
10. The FAT tracks the _____ while the directory entry tracks the _____.
A. file name and file size
B. file’s starting cluster and file’s last cluster (EOF)
C. file’s last cluster (EOF) and file’s starting cluster
D. file size and file fragmentation
13. The Windows operating system uses a file name’s _____ to associate files with the proper applications.
A. signature
B. MD5 hash value
C. extension
D. metadata
14. A console prompt that displayed backslashes (\) as part of its display would most likely be which of the following?
A. Red Hat Linux operating system
B. Unix operating system
C. Linux or Unix operating system logged in as root
D. MS-DOS
15. How is the chain of custody maintained?
A. By documenting what, when, where, how, and by whom evidence was seized
B. By documenting in a log the circumstances under which evidence was removed from the evidence control room
C. By documenting the circumstances under which evidence was subjected to analysis
D. All of the above
16. What is the area between the end of a file’s logical size and the file’s physical size called?
A. Unused disk area
B. Unallocated clusters
C. Unallocated sectors
D. Slack space
18. In NTFS, information unique to a specific user is stored in the ____ file.
A. USER.DAT
B. NTUSER.DAT
C. SYSTEM.DAT
D. None of the above
20. A file header is which of the following?
A. A unique set of characters at the beginning of a file that identifies the file type
B. A unique set of characters following the file name that identifies the file type
C. A 128-bit value that is unique to a specific file based on its data
D. Synonymous with file extension
22. Because this file will hold the contents of RAM when the machine is powered off, the ______ file will be the size of the system RAM and will be in the root directory.
A. hiberfil.sys
B. WIN386.SWP
C. PAGEFILE.SYS
D. NTUSER.DAT
23. Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows XP system?
A. In Temporary Internet Files under Local Settings in the user’s profile
B. In Unallocated Clusters
C. In the pagefile.sys folder
D. All of the above
24. Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored in:
A. INFO2 file
B. index.dat file
C. EMF file
D. pagefile.sys file
25. Windows XP contains two master keys in its registry. They are HKEY_LOCAL_MACHINE and which of the following?
A. HKEY_USERS
B. HKEY_CLASSES_ROOT
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG
SECTION B: ANSWER ANY THREE QUESTIONS
(d) Many of our normal daily activities in life leave a trail of digits. Consider one typical day in your life as an example. Briefly describe six trails of digits left by your activities. (6 marks)
QUESTION 2: (25 MARKS)
(a) One of the main goals in an investigation is to attribute the crime to its perpetrator by uncovering compelling links between the offender, victim, and crime scene.
(i) In the context of crime scene investigation, explain Locard’s Exchange Principle. Support your answer with appropriate examples. (4 marks)
(ii) Briefly explain the two general categories of evidence produced by Locard’s Exchange. (3 marks)
QUESTION 3: (25 MARKS)
(c) What the Internet is today was never intended or imagined by those who broke its first ground. Computers and the Internet have been adapted by criminals in the commission of their crimes. Describe two current technologies and explain how they have been criminally adapted for cybercrimes. (2 x 3 marks)
QUESTION 4: (25 MARKS)
(a) With reference to MD5, or any other similar message digest algorithm,
(i) Explain the concept of Message Digest. (4 marks)
(ii) Explain the importance of message digest in computer forensics analysis. (3 marks)
(b) Describe the two main forms of data recovery while performing the forensic examination of FAT file systems. (2 x 3 marks)
(c) In the context of digital forensics analysis, explain the following terms:
(i) File Carving;
(ii) Steganography; and
(iii) Digital Stratigraphy. (3 x 4 marks)