UNIVERSITY EXAMINATIONS: 2017/2018
EXAMINATION FOR THE DIPLOMA IN NETWORK FORENSICS AND
COMPUTER SECURITY
DNF504 OPERATING SYSTEM REGISTRY ARTIFACTS
DATE: APRIL 2018 TIME: 1 ½ HOURS
INSTRUCTIONS: Answer any THREE questions.
QUESTION ONE
(a) HKEY-CURRENT USER allows all of the Windows programs and applications to create,
access, modify, and store the information of current console user without determining which
user is logging in. Explain the sub keys found in HKCU. (5 Marks)
(b) Give a brief description of the following values: (3 Marks)
i. String values
ii Multistring values
iii. Binary value
(c) Explain any FIVE types of web sites (5 Marks)
(d) Explain the general forensic and procedural principles that should be applied. (5 Marks)
(e) Briefly explain any two skills that a forensic expert should possess. (2 Marks)
QUESTION TWO (20 MARKS)
(a) Involvement in deliberate or accidental disclosure of confidential company information,
transmission of pornography, or exposure to malicious code by employees can be very costly for
an organization. This gives network administrators the added task of monitoring employees use
of the computers and network. In your own words explain Ways you can keep tabs on what your
users are doing with the company’s computers. (10 Marks)
(b) Outline the principles that should be applied when dealing with digital evidence. (6 Marks)
(c) Actions performed on the computer by a user may provide useful information in an
investigation. Explain the type of information that can be found in the following: (4 Marks)
i. ntuser.dat
ii. MRU
QUESTION THREE (20 MARKS)
a) Extraction refers to the recovery of data from the media. There are two different types of
extraction, physical and logical. Give the steps involved in logical extraction (7 Marks)
b) Audit trail software can create very large files, which can be extremely difficult to analyze
manually. The use of automated tools is likely to be the difference between unused audit
trail data and a robust program. Explain any three audit tools.
(6 Marks)
c) Define computer forensics. (1 Mark)
d) Explain swapping and paging memory management techniques and give two advantages of
paging (6 Marks)
QUESTION FOUR (20 MARKS)
a) Explain the following types of audit trails. (10 Marks)
i. Individual Accountability
ii. Reconstruction of Events
iii. Intrusion Detection
iv. Problem Analysis
v. Keystroke Monitoring
b) Explain any FIVE types of web sites. (10 Marks)
QUESTION FIVE (20 MARKS)
(a) Explain the following forms of internet abuse. (10 Marks)
i. Cyber bullying
ii. Identity Theft
iii. Online grooming
iv. Spam
v. Phishing
