UNIVERSITY EXAMINATIONS: 2018/2019
EXAMINATION FOR THE DEGREE OF BACHELOR OF SCIENCE IN
INFORMATION COMMUNICATION TECHNOLOGY
BCT3204 COMPUTER FORENSICS
FULL TIME/PART TIME
DATE: DECEMBER 2018 TIME: 2 HOURS
INSTRUCTIONS: Answer Question One & ANY OTHER TWO questions.
QUESTION ONE [30 MARKS]
a) Why is proper chain of custody such an important principle in any forensic investigation?
(6 Marks)
b) Describe a 5-Tuple and its significance in the computer Forensics field. (6 Marks)
c) i) Explain what is meant by a bit stream copy. (2 Marks)
ii) What stage of the Computer Forensic process would you initially introduce this
concept? (1 Mark)
iii) Sometimes the hash values don’t match, for technical reasons that you must articulate
to a judge. List and describe the two most common reasons (4 Marks)
d) i) Can you recover deleted files on a hard drive? Explain your answer. (2 Marks)
ii) What is Metadata? (2 Marks)
iii) What is steganalysis as it pertains to steganography? (2 Marks)
e) List five items a forensics investigation of e-mail is likely to reveal (5 Marks)
QUESTION TWO [20 MARKS]
Slack space plays an important role in evidence collection.
a) Describe what slack space is? (2 Marks)
b) Explain the importance of slack space in computer forensics. (8 Marks)
c) Outline the procedure to gather information in slack space along with a tool that can be utilized
for forensic information gathering (8 Marks)
d) What is the classification of information gathered from slack space? (2 Marks)
QUESTION THREE [20 MARKS]
In hacking, attackers can use several techniques to compromise a system. SQL injection may be
the most common.
a) i) What is an SQL injection? (2 Marks)
ii) Name 2 types if SQL injection attacks (2 Marks)
iii) Identify at least 2 categories of SQL attacks that can be investigated in digital forensics
(2 Marks)
b) How would you go about investigating this type of crime? (6 Marks)
c) Describe a networking tool you would use to uncover a vulnerability that could be
exploited by an SQL injection attack. (4 Marks)
d) List 4 other types of computer crimes (4 Marks)
QUESTION FOUR [20 MARKS]
a) Define cryptography as it pertains to computer and digital forensics. (4 Marks)
b) What 2 methods are used to enforce Cryptography? (2 Marks)
c) In comparing the 2 methods, provide 3 differences between the 2 methods. (6 Marks)
d) i) What is the importance of Hashing in Computer Forensics? (2 Marks)
ii) Name 2 hashing algorithms that can be utilized in computer forensics. (2 Marks)
iii) Give a practical example of its application and a tool used in hashing. (4 Marks)
QUESTION FIVE [20 MARKS]
An e-mail message’s appearance depends on the device or software program you use.
Regardless of the type of e-mail client used, a message can be stored in multiple locations. A
message typically has several common parts.
a) Describe these parts and what they contain. (6 Marks)
b) i) Identify 3 common methods of faking e-mails and describe what we look for as forensics
investigators in each identified method. (9 Marks)
ii) List 5 tools you might use in an email forensics investigation covered in our coursework
(5 Marks)
