
MSc Computer Security and Forensics

Cohort: MCSF/08PT

Examinations for 2008–2009 / Semester 1

MODULE: COMPUTER FORENSICS & CYBERCRIME


MODULE CODE: SECU5101

Duration: 2 Hours

Instructions to Candidates:

1. Total marks 100.

Section A (Compulsory)
2. This section contains 25 Multiple Choice questions.
3. There is only one correct answer to each question.
4. Use the Multiple Choice Answer Sheet attached at the end of the
question paper.

Section B
5. Answer ANY THREE (3) questions.
6. Questions may be answered in any order but your answers must
show the question number and part clearly.
7. Always start a new question on a fresh page.
8. All questions carry equal marks.

This question paper is made of 11 pages and contains 25 multiple choice
questions in Section A and 4 structured questions in Section B.

Page 1 of 11
SITE/105
SECTION A: COMPULSORY MULTIPLE CHOICE QUESTIONS

Use the Multiple Choice Answer Sheet provided.


Attempt all questions.
For each question, there are four alternatives, out of which only one is correct.
Choose the most appropriate answer.

1. You are a computer forensic examiner tasked with determining what
evidence is on a seized computer. On what part of the computer system will
you find data of evidentiary value?
A. Microprocessor or CPU
B. USB controller
C. Hard drive
D. PCI expansion slots

2. You are a computer forensic examiner and want to determine whether
a user has opened or double-clicked a file. What folder would you look in for
an operating system artefact for this user activity?
A. Temp
B. Recent
C. Cookies
D. Desktop

3. You are a computer forensic examiner explaining how computers store
and access the data you recovered as evidence during your examination. The
evidence was a log file and was recovered as an artefact of user activity on
the _____, which was stored on the _____, contained within a _____ on the
media.
A. partition, operating system, file system
B. operating system, file system, partition
C. file system, operating system, hard drive
D. operating system, partition, file system

4. You are a computer forensic examiner at a scene and have determined
you will seize a Linux server, which according to your source of information
contains the database records for the company under investigation for fraud.
The best practice for “taking down” the server for collection is to photograph
the screen, note any running programs or messages and so on, and _____.
A. use the normal shutdown procedure
B. pull the plug from the wall
C. pull the plug from the rear of the computer
D. ask the user at the scene to shut down the server

5. The smallest area on a drive that data can be written to is a _____,
while the smallest area on a drive that a file can be written to is a _____.
A. bit and byte
B. sector and cluster
C. volume and drive
D. memory and disk

6. File Allocation Table (FAT) is defined as which of the following?
A. A table consisting of master boot record and logical partitions
B. A table created during the format that the operating system reads to
locate data on a drive
C. A table consisting of file names and file attributes
D. A table consisting of file names, deleted file names, and their attributes

7. If the FAT table lists cluster number 2749 with a value of 0, what does
this mean about this specific cluster?
A. It is blank and contains no data
B. It is marked as bad and cannot be written to
C. It is allocated to a file
D. It is unallocated and is available to store data

8. How many clusters can a FAT32 file system manage?
A. 2 × 32 = 64 clusters
B. 2^32 = 4,294,967,296 clusters
C. 2 × 28 = 56 clusters
D. 2^28 = 268,435,456 clusters

9. The NT File System (NTFS) file system does which of the following?
A. Supports long file names
B. Compresses individual files and directories
C. Supports large file sizes in excess of 4GB
D. All of the above

10. The FAT tracks the _____ while the directory entry tracks the _____.
A. file name and file size
B. file’s starting cluster and file’s last cluster (EOF)
C. file’s last cluster (EOF) and file’s starting cluster
D. file size and file fragmentation

11. What is the first consideration when responding to a scene of crime?
A. Your safety
B. The safety of others
C. The preservation of evidence
D. Documentation

12. When shutting down a computer, what information is typically lost?
A. Data in RAM memory
B. Running processes
C. Current network connections
D. All of the above

13. The Windows operating system uses a file name’s _____ to associate
files with the proper applications.
A. signature
B. MD5 hash value
C. extension
D. metadata

14. A console prompt that displayed backslashes (\) as part of its display
would most likely be which of the following?
A. Red Hat Linux operating system
B. Unix operating system
C. Linux or Unix operating system logged in as root
D. MS-DOS
15. How is the chain of custody maintained?
A. By documenting what, when, where, how, and by whom evidence was
seized
B. By documenting in a log the circumstances under which evidence was
removed from the evidence control room
C. By documenting the circumstances under which evidence was
subjected to analysis
D. All of the above

16. What is the area between the end of a file’s logical size and the file’s
physical size called?
A. Unused disk area
B. Unallocated clusters
C. Unallocated sectors
D. Slack space

17. Which of the following is not acceptable for “bagging” a computer
workstation?
A. Large paper bag
B. Plastic garbage bag
C. Large antistatic plastic bag
D. All of the above are acceptable for bagging a workstation

18. In NTFS, information unique to a specific user is stored in the ____ file.
A. USER.DAT
B. NTUSER.DAT
C. SYSTEM.DAT
D. None of the above

19. As a good forensic practice, why would it be a good idea to wipe a
forensic drive before reusing it?
A. Chain-of-custody
B. Cross-contamination
C. Different file and operating systems
D. No need to wipe

20. A file header is which of the following?
A. A unique set of characters at the beginning of a file that identifies the
file type
B. A unique set of characters following the file name that identifies the file
type
C. A 128-bit value that is unique to a specific file based on its data
D. Synonymous with file extension

21. Most of a user’s desktop items on a Windows XP operating system
would be located in the _________ directory.
A. C:\WINDOWS\Desktop
B. C:\WinNT\Desktop
C. C:\WINDOWS\system32\config\Desktop
D. C:\Documents and Settings\%User%\Desktop

22. Because this file will hold the contents of RAM when the machine is
powered off, the ______ file will be the size of the system RAM and will be in
the root directory.
A. hiberfil.sys
B. WIN386.SWP
C. PAGEFILE.SYS
D. NTUSER.DAT

23. Where can you find evidence of web-based email such as from MSN
Hotmail or Google Gmail on a Windows XP system?
A. In Temporary Internet Files under Local Settings in the user’s profile
B. In Unallocated Clusters
C. In the pagefile.sys folder
D. All of the above

24. Data about Internet cookies such as URL names, date and time
stamps, and pointers to the actual location of the cookie is stored in:
A. INFO2 file
B. index.dat file
C. EMF file
D. pagefile.sys file

25. Windows XP contains two master keys in its registry. They are
HKEY_LOCAL_MACHINE and which of the following?
A. HKEY_USERS
B. HKEY_CLASSES_ROOT
C. HKEY_CURRENT_USER
D. HKEY_CURRENT_CONFIG

SECTION B: ANSWER ANY THREE QUESTIONS

QUESTION 1: (25 MARKS)

(a) Explain the term digital evidence. (3 marks)

(b) When considering the many sources of digital evidence, it is often
useful to categorise computer systems into three groups.
Briefly describe the three different groups of computer systems as
sources of digital evidence. (3 marks)

(c) Several attempts have been made to develop a classification that
would help describe the role of computers in crime.

(i) Describe the four categories of computer-related crime as
proposed by Donn Parker. (4 x 2 marks)

(ii) What was the major omission in Parker’s categories? (1 mark)

(iii) Briefly explain the classification approach adopted by David
Carter as an improvement upon Parker’s categorisation of
computer-related crime. (4 marks)

(d) Many of our normal daily activities in life leave a trail of digits.
Consider one typical day in your life as an example. Briefly describe six
trails of digits left by your activities. (6 marks)

QUESTION 2: (25 MARKS)

(a) One of the main goals in an investigation is to attribute the crime to its
perpetrator by uncovering compelling links between the offender,
victim, and crime scene.
(i) In the context of crime scene investigation, explain Locard’s
Exchange Principle. Support your answer with appropriate
examples. (4 marks)
(ii) Briefly explain the two general categories of evidence produced
by Locard’s Exchange Principle. (3 marks)

(b) The investigative process, which consists of twelve (12) steps, is
structured to encourage a complete, rigorous investigation, ensure
proper evidence handling, and reduce the chance of mistakes created
by preconceived theories and other potential pitfalls.
Briefly explain any three of the twelve stages of the investigative
process. (3 x 4 marks)

(c) Digital evidence is a rich and often unexplored source of information.
This evidence can be used for crime reconstruction.
Describe the three types of analysis that can be performed as part of
crime reconstruction. (3 x 2 marks)

QUESTION 3: (25 MARKS)

(a) With reference to criminal activities, explain the following terms:
(i) Modus Operandi; and
(ii) Motive. (2 x 2 marks)

(b) There is a proposed behavioural motivational typology that depicts the
shift in emphasis from classifying offenders to classifying offence
behaviours. The model includes five different types of criminal
behaviours which can be used as a deductive tool.
Describe the five types of behaviours. Support your answer with
suitable examples. (5 x 3 marks)

(c) What the Internet is today was never intended or imagined by those
who broke its first ground. Computers and the Internet have been
adapted by criminals in the commission of their crimes.
Describe two current technologies and explain how they have been
criminally adapted for cybercrimes. (2 x 3 marks)

QUESTION 4: (25 MARKS)

(a) With reference to MD5, or any other similar message digest algorithm:
(i) Explain the concept of a Message Digest. (4 marks)
(ii) Explain the importance of a message digest in computer forensics
analysis. (3 marks)

(b) Describe the two main forms of data recovery while performing the
forensic examination of FAT file systems. (2 x 3 marks)

(c) In the context of digital forensics analysis, explain the following terms:
(i) File Carving;
(ii) Steganography; and
(iii) Digital Stratigraphy. (3 x 4 marks)

***END OF QUESTION PAPER***
