UNIVERSITY EXAMINATIONS: 2017/2018
EXAMINATION FOR THE DEGREE OF BACHELOR OF SCIENCE IN
INFORMATION TECHNOLOGY
BCT3204 COMPUTER FORENSICS
FULL TIME/PART TIME/DISTANCE LEARNING
DATE: APRIL 2018 TIME: 2 HOURS
INSTRUCTIONS: Answer Question One & ANY OTHER TWO questions.
QUESTION ONE [30 MARKS]
a) Describe a 5-Tuple and its significance in the computer Forensics field. (6 Marks)
b) i) What is the importance of Hashing in Computer Forensics? (2 Marks)
ii) Name 2 hashing algorithms that can be utilized in computer forensics. Give a practical
example of its application and a tool used in hashing. (4 Marks)
a) i) What is a file on a hard disk that is used to provide space for programs that have been
transferred from the processor’s memory? (2 Marks)
ii) Provide four types of non-volatile memory information that a computer forensics
investigator might collect. (4 Marks)
iii) Provide two comparisons of volatile versus non-volatile information. (4 Marks)
c) i) What is Meta Data? (2 Marks)
ii) Describe its importance in Computer Forensics. (4 Marks)
iii) Provide two examples of Meta Data. (2 Marks)
QUESTION TWO [20 MARKS]
a) Write down 6 types of computer forensic investigations that can be conducted at a computer
Forensics lab. (6 Marks)
b) To preserve the integrity of digital evidence, name or describe at least 3 things a digital
forensic investigator must do. (3 Marks)
c) What concerns must a forensic investigator take into consideration when collecting,
analyzing and presenting evidence collected from a live system acquisition? (8 Marks)
d) Why is proper chain of custody such an important principle in any forensic investigation?
(3 Marks)
QUESTION THREE [20 MARKS]
Virtual ports are normally created by computers and applications to identify unique end-to-end
connections. Hackers take advantage of vulnerabilities presented by some of these ports to
launch an attack.
a) i) Name 2 ports you would consider important in an investigation. (2 Marks)
ii) Which protocol is often used by attackers in reconnaissance and scanning that can help a
computer forensics investigator pinpoint a possible information gathering query?
(2 Marks)
iii) What type of information can an attacker gather from this process? (2 Marks)
b) Describe how an attacker would take advantage of the vulnerability on one of your named
ports (6 Marks)
c) Describe a tool you would use to investigate an attack on one of these ports and how you
would use the tool to map the attack or uncover forensic evidence in your investigation.
(8 Marks)
QUESTION FOUR [20 MARKS]
a) Describe three general cryptanalysis techniques used to recover encrypted data.
(6 Marks)
b) Identify a type of cipher which each technique is most effective upon. (6 Marks)
c) What is Steganography and how is this useful in the investigation of a Digital Crime?
(4 Marks)
d) Compare and contrast 2 points on the difference between compression versus encryption of
data in Digital Forensics (4 Marks)
QUESTION FIVE [20 MARKS]
a) Describe the contents of e-mail headers. (8 Marks)
b) How is the e-mail header information useful to an investigator? (6 Marks)
c) What is the usefulness of tracing e-mail to its origin? (4 Marks)
d) Name a tool that can be used for e-mail forensics (2 Marks)
