UNIVERSITY EXAMINATIONS: 2017/2018
EXAMINATION FOR THE DEGREE OF BACHELOR OF SCIENCE IN
INFORMATION COMMUNICATIONS TECHNOLOGY
BCT3204 COMPUTER FORENSICS
FULL TIME/PART TIME/DISTANCE LEARNING
DATE: AUGUST 2018 TIME: 2 HOURS
INSTRUCTIONS: Answer Question One & ANY OTHER TWO questions.
QUESTION ONE [30 MARKS]
a) Describe a 5-Tuple and its significance in the computer Forensics field. (6 Marks)
b) i) What is the importance of Hashing in Computer Forensics? (2 Marks)
ii) Name 2 hashing algorithms that can be utilized in computer forensics. Give a practical
example of its application and a tool used in hashing. (4 Marks)
c) i) What is Steganography? (2 Marks)
ii) Describe how Steganography affects computer forensics and provide a practical
example. (4 Marks)
d) Cryptography is the science of writing in secret codes. It is the practice and study of hiding
information with the purpose to protect information from being read or understood by
anyone except the intended recipient. There are 2 common methods used.
Name the 2 methods and describe which method you would use first and why?
(6 Marks)
e) When examining email logs, describe the primary areas the computer forensics expert will
review? (6 Marks)
QUESTION TWO [20 MARKS]
A computer forensics investigator has many roles and responsibilities relating to cybercrime
analysis.
a) Write down 6 types of computer forensic investigations that can be conducted at a computer
Forensics lab. (6 Marks)
b) To preserve the integrity of digital evidence, name or describe at least 3 things a computer
forensic investigator must do. (3 Marks)
c) What concerns must a forensic investigator take into consideration when collecting,
analyzing and presenting evidence collected from a live system acquisition? (8 Marks)
d) Why is proper chain of custody such an important principle in any forensic investigation?
(3 Marks)
QUESTION THREE [20 MARKS]
Virtual ports are normally created by computers and applications to identify unique end-to-end
connections. Hackers take advantage of vulnerabilities presented by some of these ports to
launch an attack.
a) i) Name 2 ports you would consider important in an investigation. (2 Marks)
ii) Which protocol is often used by attackers in reconnaissance and scanning that can help
a computer forensics investigator pinpoint a possible information gathering query?
(2 Marks)
iii) What type of information can an attacker gather from this process? (2 Marks)
b) Describe how an attacker would take advantage of the vulnerability on one of your named
ports (6 Marks)
c) Describe a tool you would use to investigate an attack on one of these ports and how you
would use the tool to map the attack or uncover forensic evidence in your investigation.
(8 Marks)
QUESTION FOUR [20 MARKS]
In hacking, attackers can use a number of techniques to compromise a system. SQL injection
may be the most common Web attack. It is based on inserting SQL commands into text boxes,
often the username and password text fields on the logon
a) How does this crime affect the Forensics Process? (10 Marks)
b) Describe a networking tool you would use to uncover a vulnerability that could be
exploited by an SQL injection attack. (5 Marks)
c) List 5 other types of computer crimes (5 Marks)
QUESTION FIVE [20 MARKS]
Volatile memory analysis is a live system forensic technique for collecting memory dumps.
Answer the following questions regarding this analysis.
a) What is the usefulness of volatile memory? (8 Marks)
b) What information might be contained within volatile memory that an investigator is
interested in? List 4 items. (4 Marks)
c) What concerns must a forensic investigator take into consideration when collecting,
analyzing and presenting evidence collected from a live system acquisition?
(8 Marks)
