UNIVERSITY EXAMINATIONS: 2016/2017
EXAMINATION FOR THE DIPLOMA IN NETWORK FORENSICS AND
COMPUTER SECURITY
DNF 504 OPERATING SYSTEM REGISTRY ARTIFACTS
DATE: AUGUST, 2017 TIME: 2 HOURS
INSTRUCTIONS: Answer question ONE and any other TWO questions.

QUESTION ONE (30 MARKS) – COMPULSORY
a) The Windows registry can be viewed as a gold mine of forensic evidence that could be used in
court. Explain. (5 Marks)
b) Explain the HKEY_LOCAL_MACHINE subsystems below. (5 Marks)
c) Explain the two main reasons why Web caches are used. (4 Marks)
d) Explain the web cache types (6 Marks)
e) Explain any FIVE types of web sites (5 Marks)
f) Explain the general forensic and procedural principles that should be applied. (5 Marks)
QUESTION TWO (20 MARKS)
a) Employee actions can subject the company to monetary loss, civil lawsuits, and even
criminal charges if they involve deliberate or accidental disclosure of confidential company
information, transmission of pornography, or exposure to malicious code. This gives
network administrators the added task of monitoring employees' use of the computers and
network. In your own words, explain ways you can keep tabs on what your users are doing
with the company's computers. (10 Marks)
b) Outline the general forensic and procedural principles that should be applied when dealing
with digital evidence. (6 Marks)
c) Actions performed on the computer by a user may provide useful information in an
investigation. Explain the type of information that can be found in the following: (4 Marks)
i. ntuser.dat
ii. MRU
QUESTION THREE (20 MARKS)
a) Extraction refers to the recovery of data from the media. There are two different types of
extraction, physical and logical. Give the steps involved in logical extraction. (7 Marks)
b) Many types of tools have been developed to help to reduce the amount of information
contained in audit records, as well as to distill useful information from the raw data.
Especially on larger systems, audit trail software can create very large files, which can be
extremely difficult to analyze manually. The use of automated tools is likely to be the
difference between unused audit trail data and a robust program. Explain any three audit
tools. (6 Marks)
c) Define the audit trail (1 Mark)
d) Differentiate between swapping and paging in memory management and give two
advantages of paging (6 Marks)
QUESTION FOUR (20 MARKS)
a) Explain any FIVE of the following types of audit trails. (10 Marks)
i. Individual Accountability
ii. Reconstruction of Events
iii. Intrusion Detection
iv. Problem Analysis
v. Keystroke Monitoring
vi. Audit Events
vii. System-Level Audit Trails
viii. Application-Level Audit Trails
b) Explain any FIVE types of web sites. (10 Marks)
QUESTION FIVE (20 MARKS)
a) A concerned citizen contacted the police department regarding possible stolen property. He
told police that while he was searching the Internet, hoping to find a motorcycle for a
reasonable price, he found an ad that met his requirements. This ad listed a Honda
motorcycle for a low price, so he contacted the seller. Upon meeting the seller, he became
suspicious that the motorcycle was stolen. After hearing this information, police alerted the
Auto Theft Unit. The Auto Theft Unit conducted a sting operation to purchase the
motorcycle. Undercover officers met with the suspect, who, after receiving payment,
provided them with the vehicle, a vehicle title, registration card, and insurance card. The
suspect was arrested and the vehicle he was driving was searched incident to his arrest.
During the search, a notebook computer was seized. Although the documents provided by
the suspect looked authentic, document examiners determined that the documents were
counterfeit. The auto theft investigator contacted the computer forensic laboratory for
assistance in examining the seized computer. The investigator obtained a search warrant to
analyze the computer and search for materials used in making counterfeit documents and
other evidence related to the auto theft charges. The laptop computer was submitted to the
computer forensic laboratory for analysis.
Required: Determine if the suspect used the laptop computer as an instrument of the crimes
of Auto Theft, Fraud, Forgery, altering Documents, and Possession of Counterfeit Vehicle
Titles and/or as a repository of data related to those crimes, using the guidelines below.
(10 Marks)
i. Assessment
ii. Acquisition
iii. Examination
iv. Documentation
v. Reporting
c) Explain any FIVE of the forms of internet abuse listed below (10 Marks)
i. Cyber bullying
ii. Cyber stalking
iii. Identity Theft
iv. Sexting
v. Online grooming
vi. Spam
vii. Phishing
